Summary:


NtCreateMutant(>)  1 
NtNotifyChangeKey(>)  2 
NtOpenProcessToken(>)  9 
NtOpenFile(>)  52 

NtDuplicateToken(>)  1 
NtOpenDirectoryObject(>)  2 
NtOpenProcessTokenEx(>)  11 
NtUnmapViewOfSection(>)  53 

NtEnumerateValueKey(>)  1 
NtQueryPerformanceCounter(>)  2 
NtOpenThreadTokenEx(>)  11 
NtOpenSection(>)  57 

NtGdiCreateBitmap(>)  1 
NtSetSecurityObject(>)  2 
NtQueryDefaultUILanguage(>)  12 
NtQueryVirtualMemory(>)  58 

NtGdiInit(>)  1 
NtUserGetDC(>)  2 
NtUserSystemParametersInfo(>)  12 
NtQueryAttributesFile(>)  59 

NtGdiQueryFontAssocInfo(>)  1 
NtConnectPort(>)  3 
NtDelayExecution(>)  13 
NtUserRegisterClassExWOW(>)  61 

NtGdiSelectBitmap(>)  1 
NtDeleteValueKey(>)  3 
NtQueryInformationFile(>)  13 
NtCreateSection(>)  81 

NtOpenEvent(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQuerySection(>)  13 
NtFlushInstructionCache(>)  90 

NtOpenKeyedEvent(>)  1 
NtReleaseSemaphore(>)  3 
NtQueryDirectoryFile(>)  14 
NtMapViewOfSection(>)  114 

NtOpenSymbolicLinkObject(>)  1 
NtSecureConnectPort(>)  3 
NtReadFile(>)  14 
NtWriteVirtualMemory(>)  116 

NtQueryEvent(>)  1 
NtSetInformationObject(>)  3 
NtQueryInformationToken(>)  16 
NtQuerySystemInformation(>)  122 

NtQueryInstallUILanguage(>)  1 
NtUserRegisterWindowMessage(>)  3 
NtWriteFile(>)  16 
NtContinue(>)  135 

NtQueryObject(>)  1 
NtWaitForMultipleObjects(>)  3 
NtSetValueKey(>)  19 
NtResumeThread(>)  150 

NtQuerySymbolicLinkObject(>)  1 
NtAccessCheck(>)  4 
NtCreateKey(>)  20 
NtCreateThread(>)  153 

NtQuerySystemTime(>)  1 
NtEnumerateKey(>)  4 
NtQueryDebugFilterState(>)  21 
NtQueryInformationThread(>)  158 

NtRaiseException(>)  1 
NtOpenMutant(>)  4 
NtSetEventBoostPriority(>)  26 
NtTestAlert(>)  163 

NtSetInformationProcess(>)  1 
NtSetEvent(>)  4 
NtFreeVirtualMemory(>)  29 
NtRegisterThreadTerminatePort(>)  165 

NtUserCallNoParam(>)  1 
NtGdiGetStockObject(>)  5 
NtOpenProcess(>)  30 
NtWaitForSingleObject(>)  171 

NtUserCallOneParam(>)  1 
NtCreateSemaphore(>)  6 
NtFsControlFile(>)  34 
NtRequestWaitReplyPort(>)  184 

NtUserGetThreadDesktop(>)  1 
NtQueryDefaultLocale(>)  6 
NtOpenThreadToken(>)  36 
NtOpenKey(>)  218 

NtUserGetThreadState(>)  1 
NtQueryVolumeInformationFile(>)  6 
NtCreateFile(>)  37 
NtQueryValueKey(>)  257 

NtAddAtom(>)  2 
NtQueryInformationProcess(>)  7 
NtDeviceIoControlFile(>)  43 
NtSetInformationThread(>)  282 

NtCallbackReturn(>)  2 
NtReleaseMutant(>)  7 
NtSetInformationFile(>)  44 
NtProtectVirtualMemory(>)  452 

NtCreateIoCompletion(>)  2 
NtDuplicateObject(>)  8 
NtCreateEvent(>)  50 
NtClose(>)  456 

NtGdiCreateSolidBrush(>)  2 
NtAdjustPrivilegesToken(>)  9 
NtUserFindExistingCursorIcon(>)  50 
NtAllocateVirtualMemory(>)  467 


Trace:
 00001   896   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147482748, {status=0x0, info=1}, ) }, 0, 32, ... -2147482748, {status=0x0, info=1}, ) == 0x0
 00002   896   NtQueryInformationFile  (-2147482748, -142414796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00003   896   NtReadFile  (-2147482748, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474},  (-2147482748, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0
 00004   896   NtClose  (-2147482748, ... ) == 0x0
 00005   896   NtCreateFile  (0x100080, {24, 0, 0x240, 0, 0,  (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482748, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482748, {status=0x0, info=0}, ) == 0x0
 00006   896   NtQueryVolumeInformationFile  (-2147482748, -142414840, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00007   896   NtClose  (-2147482748, ... ) == 0x0
 00008   896   NtCreateFile  (0x100180, {24, 0, 0x240, 0, 0,  (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ...
 00009   896   NtContinue  (-142419640, 0, ...
 00008   896   NtCreateFile  ... -2147482748, {status=0x0, info=1}, ) == 0x0
 00010   896   NtQueryVolumeInformationFile  (-2147482748, -142414852, 24, Volume, ... {status=0x0, info=18}, ) == 0x0
 00011   896   NtFsControlFile  (-2147482748, 0, 0x0, 0x0, 0x90120,  (-2147482748, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00012   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00013   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0
 00014   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00015   896   NtClose  (-2147481484, ... ) == 0x0
 00016   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00017   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0
 00018   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00019   896   NtClose  (-2147481484, ... ) == 0x0
 00020   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00021   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0
 00022   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0
 00023   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0
 00024   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0
 00025   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0
 00026   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00027   896   NtClose  (-2147481484, ... ) == 0x0
 00028   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00029   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0
 00030   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00031   896   NtClose  (-2147481484, ... ) == 0x0
 00032   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00033   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0
 00034   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00035   896   NtClose  (-2147481484, ... ) == 0x0
 00036   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147482104, ) == 0x0
 00037   896   NtClose  (-2147482104, ... ) == 0x0
 00038   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482104, ... -2147482660, ) == 0x0
 00039   896   NtClose  (-2147482660, ... ) == 0x0
 00040   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0
 00041   896   NtClose  (-2147482656, ... ) == 0x0
 00042   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0
 00043   896   NtClose  (-2147482652, ... ) == 0x0
 00044   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0
 00045   896   NtClose  (-2147482724, ... ) == 0x0
 00046   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0
 00047   896   NtClose  (-2147481452, ... ) == 0x0
 00048   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0
 00049   896   NtClose  (-2147482684, ... ) == 0x0
 00050   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0
 00051   896   NtClose  (-2147482680, ... ) == 0x0
 00052   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147481628, ) == 0x0
 00053   896   NtClose  (-2147481628, ... ) == 0x0
 00054   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147482760, ) == 0x0
 00055   896   NtClose  (-2147482760, ... ) == 0x0
 00056   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147482764, ) == 0x0
 00057   896   NtClose  (-2147482764, ... ) == 0x0
 00058   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0
 00059   896   NtClose  (-2147482688, ... ) == 0x0
 00060   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482136, ) == 0x0
 00061   896   NtClose  (-2147482136, ... ) == 0x0
 00062   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482136, ... -2147481480, ) == 0x0
 00063   896   NtClose  (-2147481480, ... ) == 0x0
 00064   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481480, ... -2147482676, ) == 0x0
 00065   896   NtClose  (-2147482676, ... ) == 0x0
 00066   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0
 00067   896   NtClose  (-2147482672, ... ) == 0x0
 00068   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0
 00069   896   NtClose  (-2147482668, ... ) == 0x0
 00070   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0
 00071   896   NtClose  (-2147482664, ... ) == 0x0
 00072   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0
 00073   896   NtClose  (-2147481588, ... ) == 0x0
 00074   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0
 00075   896   NtClose  (-2147481584, ... ) == 0x0
 00076   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0
 00077   896   NtClose  (-2147482692, ... ) == 0x0
 00078   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0
 00079   896   NtClose  (-2147481512, ... ) == 0x0
 00080   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0
 00081   896   NtClose  (-2147481580, ... ) == 0x0
 00082   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0
 00083   896   NtClose  (-2147481552, ... ) == 0x0
 00084   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0
 00085   896   NtClose  (-2147481592, ... ) == 0x0
 00086   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0
 00087   896   NtClose  (-2147481596, ... ) == 0x0
 00088   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0
 00089   896   NtClose  (-2147482108, ... ) == 0x0
 00090   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0
 00091   896   NtClose  (-2147482732, ... ) == 0x0
 00092   896   NtClose  (-2147481484, ... ) == 0x0
 00093   896   NtClose  (-2147482104, ... ) == 0x0
 00094   896   NtClose  (-2147482660, ... ) == 0x0
 00095   896   NtClose  (-2147482656, ... ) == 0x0
 00096   896   NtClose  (-2147482652, ... ) == 0x0
 00097   896   NtClose  (-2147482724, ... ) == 0x0
 00098   896   NtClose  (-2147481452, ... ) == 0x0
 00099   896   NtClose  (-2147482684, ... ) == 0x0
 00100   896   NtClose  (-2147482680, ... ) == 0x0
 00101   896   NtClose  (-2147481628, ... ) == 0x0
 00102   896   NtClose  (-2147482760, ... ) == 0x0
 00103   896   NtClose  (-2147482764, ... ) == 0x0
 00104   896   NtClose  (-2147482688, ... ) == 0x0
 00105   896   NtClose  (-2147482136, ... ) == 0x0
 00106   896   NtClose  (-2147481480, ... ) == 0x0
 00107   896   NtClose  (-2147482676, ... ) == 0x0
 00108   896   NtClose  (-2147482672, ... ) == 0x0
 00109   896   NtClose  (-2147482668, ... ) == 0x0
 00110   896   NtClose  (-2147482664, ... ) == 0x0
 00111   896   NtClose  (-2147481588, ... ) == 0x0
 00112   896   NtClose  (-2147481584, ... ) == 0x0
 00113   896   NtClose  (-2147482692, ... ) == 0x0
 00114   896   NtClose  (-2147481512, ... ) == 0x0
 00115   896   NtClose  (-2147481580, ... ) == 0x0
 00116   896   NtClose  (-2147481552, ... ) == 0x0
 00117   896   NtClose  (-2147481592, ... ) == 0x0
 00118   896   NtClose  (-2147481596, ... ) == 0x0
 00119   896   NtClose  (-2147482108, ... ) == 0x0
 00120   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0
 00121   896   NtClose  (-2147481596, ... ) == 0x0
 00122   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0
 00123   896   NtClose  (-2147481592, ... ) == 0x0
 00124   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0
 00125   896   NtClose  (-2147481552, ... ) == 0x0
 00126   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0
 00127   896   NtClose  (-2147481580, ... ) == 0x0
 00128   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0
 00129   896   NtClose  (-2147481512, ... ) == 0x0
 00130   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0
 00131   896   NtClose  (-2147482692, ... ) == 0x0
 00132   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... -2147481584, ) == 0x0
 00133   896   NtClose  (-2147481584, ... ) == 0x0
 00134   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0
 00135   896   NtClose  (-2147481588, ... ) == 0x0
 00136   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0
 00137   896   NtClose  (-2147482664, ... ) == 0x0
 00138   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0
 00139   896   NtClose  (-2147482668, ... ) == 0x0
 00140   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0
 00141   896   NtClose  (-2147482672, ... ) == 0x0
 00142   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0
 00143   896   NtClose  (-2147482676, ... ) == 0x0
 00144   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147481480, ) == 0x0
 00145   896   NtClose  (-2147481480, ... ) == 0x0
 00146   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481480, ... -2147482136, ) == 0x0
 00147   896   NtClose  (-2147482136, ... ) == 0x0
 00148   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482136, ... -2147482688, ) == 0x0
 00149   896   NtClose  (-2147482688, ... ) == 0x0
 00150   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482688, ... -2147482764, ) == 0x0
 00151   896   NtClose  (-2147482764, ... ) == 0x0
 00152   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482764, ... -2147482760, ) == 0x0
 00153   896   NtClose  (-2147482760, ... ) == 0x0
 00154   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... -2147481628, ) == 0x0
 00155   896   NtClose  (-2147481628, ... ) == 0x0
 00156   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482680, ) == 0x0
 00157   896   NtClose  (-2147482680, ... ) == 0x0
 00158   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0
 00159   896   NtClose  (-2147482684, ... ) == 0x0
 00160   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0
 00161   896   NtClose  (-2147481452, ... ) == 0x0
 00162   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0
 00163   896   NtClose  (-2147482724, ... ) == 0x0
 00164   896   NtClose  (-2147482108, ... ) == 0x0
 00165   896   NtClose  (-2147481596, ... ) == 0x0
 00166   896   NtClose  (-2147481592, ... ) == 0x0
 00167   896   NtClose  (-2147481552, ... ) == 0x0
 00168   896   NtClose  (-2147481580, ... ) == 0x0
 00169   896   NtClose  (-2147481512, ... ) == 0x0
 00170   896   NtClose  (-2147482692, ... ) == 0x0
 00171   896   NtClose  (-2147481584, ... ) == 0x0
 00172   896   NtClose  (-2147481588, ... ) == 0x0
 00173   896   NtClose  (-2147482664, ... ) == 0x0
 00174   896   NtClose  (-2147482668, ... ) == 0x0
 00175   896   NtClose  (-2147482672, ... ) == 0x0
 00176   896   NtClose  (-2147482676, ... ) == 0x0
 00177   896   NtClose  (-2147481480, ... ) == 0x0
 00178   896   NtClose  (-2147482136, ... ) == 0x0
 00179   896   NtClose  (-2147482688, ... ) == 0x0
 00180   896   NtClose  (-2147482764, ... ) == 0x0
 00181   896   NtClose  (-2147482760, ... ) == 0x0
 00182   896   NtClose  (-2147481628, ... ) == 0x0
 00183   896   NtClose  (-2147482680, ... ) == 0x0
 00184   896   NtClose  (-2147482684, ... ) == 0x0
 00185   896   NtClose  (-2147481452, ... ) == 0x0
 00186   896   NtClose  (-2147482748, ... ) == 0x0
 00187   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   896   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00189   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00191   896   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00192   896   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00193   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00195   896   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00196   896   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00197   896   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00198   896   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00199   896   NtClose  (12, ... ) == 0x0
 00200   896   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00201   896   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00202   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00204   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00205   896   NtClose  (16, ... ) == 0x0
 00206   896   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00207   896   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00208   896   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00209   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00210   896   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00211   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212   896   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00213   896   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0
 00214   896   NtClose  (16, ... ) == 0x0
 00215   896   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00216   896   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00217   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218   896   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00219   896   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00220   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81841, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81841, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81841, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ) == 0x0
 00221   896   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00222   896   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00223   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00224   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225   896   NtClose  (16, ... ) == 0x0
 00226   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00227   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00228   896   NtClose  (16, ... ) == 0x0
 00229   896   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00230   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00231   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00232   896   NtClose  (16, ... ) == 0x0
 00233   896   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00234   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00235   896   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00236   896   NtClose  (16, ... ) == 0x0
 00237   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00238   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00239   896   NtClose  (16, ... ) == 0x0
 00240   896   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00241   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   896   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00244   896   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81842, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ... {24, 52, reply, 0, 1252, 896, 81842, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81842, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ) == 0x0
 00245   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81843, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81843, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81843, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ) == 0x0
 00246   896   NtProtectVirtualMemory  (-1, (0x408000), 131072, 4, ... (0x408000), 131072, 128, ) == 0x0
 00247   896   NtProtectVirtualMemory  (-1, (0x408000), 131072, 128, ... (0x408000), 131072, 4, ) == 0x0
 00248   896   NtFlushInstructionCache  (-1, 4227072, 131072, ... ) == 0x0
 00249   896   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00250   896   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00251   896   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00252   896   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00253   896   NtClose  (16, ... ) == 0x0
 00254   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00255   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00256   896   NtClose  (16, ... ) == 0x0
 00257   896   NtTestAlert  (... ) == 0x0
 00258   896   NtContinue  (1244464, 1, ...
 00259   896   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x418000,}, 4, ... ) == 0x0
 00260   896   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 16, ) }, ... 16, ) == 0x0
 00261   896   NtCreateEvent  (0x1f0003, {24, 16, 0x80, 1245092, 0,  (0x1f0003, {24, 16, 0x80, 1245092, 0, "Vx_4"}, 1, 0, ... 28, ) }, 1, 0, ... 28, ) == 0x0
 00262   896   NtCreateSection  (0xe, {24, 0, 0x40, 1245092, 0,  (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\VtSect"}, {29464, 0}, 64, 134217728, 0, ... 32, ) }, {29464, 0}, 64, 134217728, 0, ... 32, ) == 0x0
 00263   896   NtMapViewOfSection  (32, -1, (0x0), 0, 29464, 0x0, 29464, 2, 0, 64, ... (0x320000), 0x0, 32768, ) == 0x0
 00264   896   NtOpenProcessToken  (-1, 0x20, ... 36, ) == 0x0
 00265   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 40, ) }, ... 40, ) == 0x0
 00266   896   NtQueryValueKey  (40,  (40, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00267   896   NtClose  (40, ... ) == 0x0
 00268   896   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00269   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.DLL"}, ... 40, ) }, ... 40, ) == 0x0
 00270   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00271   896   NtClose  (40, ... ) == 0x0
 00272   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00273   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00274   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00275   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 40, ) }, ... 40, ) == 0x0
 00276   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00277   896   NtClose  (40, ... ) == 0x0
 00278   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00279   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00280   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00281   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00282   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00283   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00284   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00285   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00286   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00287   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00288   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00289   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00290   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00291   896   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00292   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00293   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 40, ) }, ... 40, ) == 0x0
 00294   896   NtQueryValueKey  (40,  (40, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (40, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00295   896   NtQueryValueKey  (40,  (40, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (40, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00296   896   NtClose  (40, ... ) == 0x0
 00297   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 40, ) }, ... 40, ) == 0x0
 00298   896   NtQueryValueKey  (40,  (40, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299   896   NtClose  (40, ... ) == 0x0
 00300   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 40, ) }, ... 40, ) == 0x0
 00301   896   NtSetInformationObject  (40, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00302   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00303   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00305   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00306   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00307   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 44, ) }, ... 44, ) == 0x0
 00308   896   NtQueryValueKey  (44,  (44, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   896   NtClose  (44, ... ) == 0x0
 00310   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 44, ) == 0x0
 00312   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0
 00313   896   NtQuerySystemTime  (... {1441797914, 29929616}, ) == 0x0
 00314   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00315   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00316   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00317   896   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00318   896   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00319   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00320   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 60, ) == 0x0
 00321   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 64, ) }, ... 64, ) == 0x0
 00322   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "ActiveComputerName"}, ... 68, ) }, ... 68, ) == 0x0
 00323   896   NtQueryValueKey  (68,  (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00324   896   NtClose  (68, ... ) == 0x0
 00325   896   NtClose  (64, ... ) == 0x0
 00326   896   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 64, ) == 0x0
 00327   896   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 68, ) == 0x0
 00328   896   NtDuplicateObject  (-1, 64, -1, 0x0, 0, 2, ... 72, ) == 0x0
 00329   896   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00330   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00331   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0
 00332   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00333   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00334   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243236,  (0xc0100080, {24, 0, 0x40, 0, 1243236, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0
 00335   896   NtSetInformationFile  (80, 1243292, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00336   896   NtSetInformationFile  (80, 1243280, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00337   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00338   896   NtWriteFile  (80, 57, 0, 0,  (80, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00339   896   NtReadFile  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00340   896   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0,\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0,\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00341   896   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) == 0x103
 00342   896   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00343   896   NtClose  (76, ... ) == 0x0
 00344   896   NtClose  (80, ... ) == 0x0
 00345   896   NtAdjustPrivilegesToken  (36, 0, 1245080, 0, 0, 0, ... ) == 0x0
 00346   896   NtClose  (36, ... ) == 0x0
 00347   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 3342336, 65536, ) == 0x0
 00348   896   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00349   896   NtCreateSection  (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 36, ) == 0x0
 00350   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00351   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00352   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00353   896   NtFreeVirtualMemory  (-1, (0x330000), 0, 32768, ... (0x330000), 65536, ) == 0x0
 00354   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00355   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00356   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00357   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00358   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00359   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00360   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00361   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00362   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00363   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00364   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00365   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 80, ) == 0x0
 00366   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 76, ) }, ... 76, ) == 0x0
 00367   896   NtMapViewOfSection  (76, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ff90000), 0x0, 32768, ) == 0x0
 00368   896   NtClose  (76, ... ) == 0x0
 00369   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00370   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00371   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00372   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00373   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00374   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00375   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00376   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00377   896   NtAllocateVirtualMemory  (80, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0
 00378   896   NtAllocateVirtualMemory  (80, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0
 00379   896   NtProtectVirtualMemory  (80, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0
 00380   896   NtCreateThread  (0x1f03ff, 0x0, 80, 1243840, 1243784, 1, ... 76, {580, 2016}, ) == 0x0
 00381   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81844, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\340\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81844, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81844, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\340\7\0\0" )  ) == 0x0
 00382   896   NtResumeThread  (76, ... 1, ) == 0x0
 00383   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00384   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00385   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00386   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00387   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00388   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00389   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00390   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00391   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00392   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00393   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00394   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00395   896   NtClose  (80, ... ) == 0x0
 00396   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00397   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00398   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {640, 0}, ... 80, ) == 0x0
 00399   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00400   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ff90000), 0x0, 32768, ) == 0x0
 00401   896   NtClose  (84, ... ) == 0x0
 00402   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00403   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00404   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00405   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00406   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00407   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00408   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00409   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00410   896   NtClose  (80, ... ) == 0x0
 00411   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00412   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00413   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {652, 0}, ... 80, ) == 0x0
 00414   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00415   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ff90000), 0x0, 32768, ) == 0x0
 00416   896   NtClose  (84, ... ) == 0x0
 00417   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00418   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00419   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00420   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00421   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00422   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00423   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00424   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00425   896   NtClose  (80, ... ) == 0x0
 00426   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00427   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00428   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {816, 0}, ... 80, ) == 0x0
 00429   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00430   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00431   896   NtClose  (84, ... ) == 0x0
 00432   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00433   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00434   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00435   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00436   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00437   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00438   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00439   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00440   896   NtClose  (80, ... ) == 0x0
 00441   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00442   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00443   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {904, 0}, ... 80, ) == 0x0
 00444   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00445   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00446   896   NtClose  (84, ... ) == 0x0
 00447   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00448   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00449   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00450   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00451   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00452   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00453   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00454   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00455   896   NtClose  (80, ... ) == 0x0
 00456   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00457   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00458   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1000, 0}, ... 80, ) == 0x0
 00459   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00460   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ff50000), 0x0, 32768, ) == 0x0
 00461   896   NtClose  (84, ... ) == 0x0
 00462   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00463   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Rd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00464   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00465   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00466   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00467   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Rd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00468   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00469   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00470   896   NtClose  (80, ... ) == 0x0
 00471   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00472   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00473   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 80, ) == 0x0
 00474   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00475   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00476   896   NtClose  (84, ... ) == 0x0
 00477   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00478   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00479   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00480   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00481   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00482   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00483   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00484   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00485   896   NtClose  (80, ... ) == 0x0
 00486   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00487   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00488   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1196, 0}, ... 80, ) == 0x0
 00489   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00490   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00491   896   NtClose  (84, ... ) == 0x0
 00492   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00493   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00494   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00495   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00496   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00497   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00498   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00499   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00500   896   NtClose  (80, ... ) == 0x0
 00501   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00502   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00503   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1468, 0}, ... 80, ) == 0x0
 00504   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00505   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00506   896   NtClose  (84, ... ) == 0x0
 00507   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00508   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00509   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00510   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00511   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00512   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00513   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00514   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00515   896   NtClose  (80, ... ) == 0x0
 00516   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00517   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00518   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 80, ) == 0x0
 00519   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00520   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00521   896   NtClose  (84, ... ) == 0x0
 00522   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00523   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00524   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00525   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00526   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00527   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00528   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00529   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00530   896   NtClose  (80, ... ) == 0x0
 00531   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00532   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00533   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 80, ) == 0x0
 00534   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00535   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00536   896   NtClose  (84, ... ) == 0x0
 00537   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00538   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00539   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00540   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00541   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00542   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00543   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00544   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00545   896   NtClose  (80, ... ) == 0x0
 00546   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00547   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00548   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 80, ) == 0x0
 00549   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00550   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00551   896   NtClose  (84, ... ) == 0x0
 00552   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00553   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00554   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00555   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00556   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00557   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00558   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00559   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00560   896   NtClose  (80, ... ) == 0x0
 00561   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00562   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00563   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 80, ) == 0x0
 00564   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00565   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00566   896   NtClose  (84, ... ) == 0x0
 00567   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00568   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00569   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00570   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00571   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00572   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00573   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00574   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00575   896   NtClose  (80, ... ) == 0x0
 00576   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00577   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00578   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 80, ) == 0x0
 00579   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00580   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00581   896   NtClose  (84, ... ) == 0x0
 00582   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00583   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00584   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00585   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00586   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00587   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00588   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00589   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00590   896   NtClose  (80, ... ) == 0x0
 00591   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00592   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00593   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 80, ) == 0x0
 00594   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00595   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00596   896   NtClose  (84, ... ) == 0x0
 00597   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00598   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00599   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00600   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00601   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00602   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00603   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00604   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00605   896   NtClose  (80, ... ) == 0x0
 00606   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00607   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00608   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 80, ) == 0x0
 00609   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00610   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00611   896   NtClose  (84, ... ) == 0x0
 00612   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00613   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00614   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00615   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00616   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00617   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00618   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00619   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00620   896   NtClose  (80, ... ) == 0x0
 00621   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00622   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00623   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 80, ) == 0x0
 00624   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00625   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00626   896   NtClose  (84, ... ) == 0x0
 00627   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00628   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00629   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00630   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00631   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00632   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00633   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00634   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00635   896   NtClose  (80, ... ) == 0x0
 00636   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00637   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00638   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1408, 0}, ... 80, ) == 0x0
 00639   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00640   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00641   896   NtClose  (84, ... ) == 0x0
 00642   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00643   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00644   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00645   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00646   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00647   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00648   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00649   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00650   896   NtClose  (80, ... ) == 0x0
 00651   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00652   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00653   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 80, ) == 0x0
 00654   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00655   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00656   896   NtClose  (84, ... ) == 0x0
 00657   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00658   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00659   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00660   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00661   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00662   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00663   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00664   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00665   896   NtClose  (80, ... ) == 0x0
 00666   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00667   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00668   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 80, ) == 0x0
 00669   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00670   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00671   896   NtClose  (84, ... ) == 0x0
 00672   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00673   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00674   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00675   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00676   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00677   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00678   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00679   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00680   896   NtClose  (80, ... ) == 0x0
 00681   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00682   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00683   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1452, 0}, ... 80, ) == 0x0
 00684   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00685   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00686   896   NtClose  (84, ... ) == 0x0
 00687   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00688   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00689   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00690   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00691   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00692   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00693   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00694   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00695   896   NtClose  (80, ... ) == 0x0
 00696   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00697   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00698   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {784, 0}, ... 80, ) == 0x0
 00699   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00700   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00701   896   NtClose  (84, ... ) == 0x0
 00702   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00703   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00704   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00705   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00706   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00707   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00708   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00709   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00710   896   NtClose  (80, ... ) == 0x0
 00711   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00712   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00713   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {488, 0}, ... 80, ) == 0x0
 00714   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00715   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00716   896   NtClose  (84, ... ) == 0x0
 00717   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00718   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00719   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00720   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00721   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00722   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00723   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00724   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00725   896   NtClose  (80, ... ) == 0x0
 00726   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00727   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00728   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1208, 0}, ... 80, ) == 0x0
 00729   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00730   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00731   896   NtClose  (84, ... ) == 0x0
 00732   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00733   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00734   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00735   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00736   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00737   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00738   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00739   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00740   896   NtClose  (80, ... ) == 0x0
 00741   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00742   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00743   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {168, 0}, ... 80, ) == 0x0
 00744   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00745   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00746   896   NtClose  (84, ... ) == 0x0
 00747   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00748   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00749   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00750   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00751   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00752   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00753   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00754   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00755   896   NtClose  (80, ... ) == 0x0
 00756   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00757   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00758   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {764, 0}, ... 80, ) == 0x0
 00759   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00760   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00761   896   NtClose  (84, ... ) == 0x0
 00762   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00763   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00764   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00765   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00766   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00767   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00768   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00769   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00770   896   NtClose  (80, ... ) == 0x0
 00771   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00772   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00773   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {868, 0}, ... 80, ) == 0x0
 00774   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00775   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00776   896   NtClose  (84, ... ) == 0x0
 00777   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00778   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00779   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00780   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00781   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00782   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00783   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00784   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00785   896   NtClose  (80, ... ) == 0x0
 00786   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00787   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00788   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {808, 0}, ... 80, ) == 0x0
 00789   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00790   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00791   896   NtClose  (84, ... ) == 0x0
 00792   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00793   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00794   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00795   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00796   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00797   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00798   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00799   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00800   896   NtClose  (80, ... ) == 0x0
 00801   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00802   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00803   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1252, 0}, ... 80, ) == 0x0
 00804   896   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 84, ) }, ... 84, ) == 0x0
 00805   896   NtMapViewOfSection  (84, 80, (0x0), 0, 29464, 0x0, 29464, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00806   896   NtClose  (84, ... ) == 0x0
 00807   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00808   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\177Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00809   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00810   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350QLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00811   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00812   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\1Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00813   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00814   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\371Qi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00815   896   NtClose  (80, ... ) == 0x0
 00816   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00817   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00818   896   NtClose  (36, ... ) == 0x0
 00819   896   NtClose  (28, ... ) == 0x0
 00820   896   NtCreateEvent  (0x1f0003, {24, 16, 0x80, 1245092, 0,  (0x1f0003, {24, 16, 0x80, 1245092, 0, "Vx_4"}, 1, 0, ... 28, ) }, 1, 0, ... 28, ) == STATUS_OBJECT_NAME_EXISTS
 00821   896   NtClose  (28, ... ) == 0x0
 00822   896   NtQueryVirtualMemory  (-1, 0x408729, Basic, 28, ... {BaseAddress=0x408000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00823   896   NtContinue  (1244400, 0, ...
 00824   896   NtAllocateVirtualMemory  (-1, 0, 0, 2398, 4096, 64, ... 3342336, 4096, ) == 0x0
 00825   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00826   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00827   896   NtClose  (28, ... ) == 0x0
 00828   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00829   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00830   896   NtClose  (28, ... ) == 0x0
 00831   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00832   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00833   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00834   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00835   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00836   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00837   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00838   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00839   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00840   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00841   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00842   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00843   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00844   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00845   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00846   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00847   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00848   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00849   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00850   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00852   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81892, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81892, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81892, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ) == 0x0
 00853   896   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00854   896   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00855   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00856   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00857   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 36, ) == 0x0
 00858   896   NtClose  (28, ... ) == 0x0
 00859   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00860   896   NtClose  (36, ... ) == 0x0
 00861   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00862   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00863   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0
 00864   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 36, ... 28, ) == 0x0
 00865   896   NtClose  (36, ... ) == 0x0
 00866   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00867   896   NtClose  (28, ... ) == 0x0
 00868   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00869   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00870   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00871   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 36, ) == 0x0
 00872   896   NtQuerySection  (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00873   896   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00874   896   NtQueryInformationToken  (80, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00875   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00876   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 84, ) }, ... 84, ) == 0x0
 00877   896   NtQueryValueKey  (84,  (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00878   896   NtClose  (84, ... ) == 0x0
 00879   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00880   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00881   896   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00882   896   NtClose  (84, ... ) == 0x0
 00883   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00884   896   NtClose  (80, ... ) == 0x0
 00885   896   NtClose  (28, ... ) == 0x0
 00886   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00887   896   NtClose  (36, ... ) == 0x0
 00888   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00889   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00890   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00891   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00892   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00893   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00894   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00895   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00896   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00897   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00898   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00899   896   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00900   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00901   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00902   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00903   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 36, ) }, ... 36, ) == 0x0
 00904   896   NtQueryValueKey  (36,  (36, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   896   NtClose  (36, ... ) == 0x0
 00906   896   NtMapViewOfSection  (-2147482748, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0
 00907   896   NtClose  (-2147482748, ... ) == 0x0
 00908   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00909   896   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00910   896   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482748, ) == 0x0
 00911   896   NtQueryInformationToken  (-2147482748, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00912   896   NtQueryInformationToken  (-2147482748, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00913   896   NtClose  (-2147482748, ... ) == 0x0
 00914   896   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00915   896   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00916   896   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 84, ) == 0x0
 00917   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 00918   896   NtQueryValueKey  (-2147482748,  (-2147482748, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00919   896   NtClose  (-2147482748, ... ) == 0x0
 00920   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 00921   896   NtQueryValueKey  (-2147482748,  (-2147482748, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00922   896   NtClose  (-2147482748, ... ) == 0x0
 00923   896   NtQueryDefaultLocale  (0, -142628532, ... ) == 0x0
 00924   896   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00925   896   NtUserCallNoParam  (24, ... ) == 0x0
 00926   896   NtGdiCreateCompatibleDC  (0, ...
 00927   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00926   896   NtGdiCreateCompatibleDC  ... ) == 0x860107ab
 00928   896   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00929   896   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00930   896   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x870506a2
 00931   896   NtGdiCreateSolidBrush  (0, 0, ...
 00932   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00931   896   NtGdiCreateSolidBrush  ... ) == 0x1100680
 00933   896   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00934   896   NtGdiCreateCompatibleDC  (0, ... ) == 0xf6010687
 00935   896   NtGdiSelectBitmap  (-167704953, -2029713758, ... ) == 0x185000f
 00936   896   NtUserGetThreadDesktop  (896, 0, ... ) == 0x50
 00937   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 88, ) }, ... 88, ) == 0x0
 00938   896   NtQueryValueKey  (88,  (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00939   896   NtClose  (88, ... ) == 0x0
 00940   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00941   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8177c017
 00942   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00943   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8177c01c
 00944   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00945   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8177c01e
 00946   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00947   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81778002
 00948   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00949   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8177c018
 00950   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00951   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8177c01a
 00952   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00953   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8177c01d
 00954   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00955   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8177c026
 00956   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00957   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8177c019
 00958   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c020
 00959   896   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c022
 00960   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c023
 00961   896   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c024
 00962   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c025
 00963   896   NtCallbackReturn  (0, 0, 0, ...
 00964   896   NtGdiInit  (... ) == 0x1
 00965   896   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00966   896   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00967   896   NtAllocateVirtualMemory  (-1, 0, 0, 27136, 4096, 64, ... 3538944, 28672, ) == 0x0
 00968   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00970   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00971   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00972   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0
 00973   896   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00974   896   NtClose  (88, ... ) == 0x0
 00975   896   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00976   896   NtClose  (92, ... ) == 0x0
 00977   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00978   896   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00979   896   NtClose  (92, ... ) == 0x0
 00980   896   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00981   896   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00982   896   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00983   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00984   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00985   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00986   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00987   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00988   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00989   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00990   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 00991   896   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00992   896   NtClose  (92, ... ) == 0x0
 00993   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00994   896   NtClose  (88, ... ) == 0x0
 00995   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00996   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00997   896   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00998   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00999   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 01000   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 01001   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01002   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01003   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 01004   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0
 01005   896   NtAllocateVirtualMemory  (-1, 3608576, 0, 8192, 4096, 4, ... 3608576, 8192, ) == 0x0
 01006   896   NtAllocateVirtualMemory  (-1, 3616768, 0, 4096, 4096, 4, ... 3616768, 4096, ) == 0x0
 01007   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 88, ) }, ... 88, ) == 0x0
 01008   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x380000), 0x0, 12288, ) == 0x0
 01009   896   NtClose  (88, ... ) == 0x0
 01010   896   NtAllocateVirtualMemory  (-1, 3620864, 0, 4096, 4096, 4, ... 3620864, 4096, ) == 0x0
 01011   896   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01012   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01013   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01014   896   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 01015   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01016   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01017   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01018   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01019   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 88, ) }, ... 88, ) == 0x0
 01020   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0
 01021   896   NtClose  (88, ... ) == 0x0
 01022   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01023   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01024   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01025   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01026   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01027   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01028   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 88, ) }, ... 88, ) == 0x0
 01029   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 01030   896   NtClose  (88, ... ) == 0x0
 01031   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01032   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01033   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01034   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01035   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01036   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01037   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01038   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01039   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01040   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01041   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01042   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01043   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01044   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01045   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01046   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01047   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01048   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01049   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01050   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01051   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01052   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01053   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01054   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01055   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01056   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01057   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01058   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 88, ) }, ... 88, ) == 0x0
 01059   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x390000), 0x0, 36864, ) == STATUS_IMAGE_NOT_AT_BASE
 01060   896   NtProtectVirtualMemory  (-1, (0x391000), 18944, 4, ... (0x391000), 20480, 32, ) == 0x0
 01061   896   NtProtectVirtualMemory  (-1, (0x397000), 1024, 4, ... (0x397000), 4096, 2, ) == 0x0
 01062   896   NtProtectVirtualMemory  (-1, (0x398000), 1536, 4, ... (0x398000), 4096, 2, ) == 0x0
 01063   896   NtMapViewOfSection  (88, -1, (0x390000), 0, 0, 0x0, 36864, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 01064   896   NtProtectVirtualMemory  (-1, (0x391000), 18944, 16, ... (0x391000), 20480, 4, ) == 0x0
 01065   896   NtProtectVirtualMemory  (-1, (0x397000), 1024, 2, ... (0x397000), 4096, 8, ) == 0x0
 01066   896   NtProtectVirtualMemory  (-1, (0x398000), 1536, 2, ... (0x398000), 4096, 8, ) == 0x0
 01067   896   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 01068   896   NtClose  (88, ... ) == 0x0
 01069   896   NtProtectVirtualMemory  (-1, (0x391000), 160, 4, ... (0x391000), 4096, 16, ) == 0x0
 01070   896   NtProtectVirtualMemory  (-1, (0x391000), 4096, 16, ... (0x391000), 4096, 4, ) == 0x0
 01071   896   NtFlushInstructionCache  (-1, 3739648, 160, ... ) == 0x0
 01072   896   NtProtectVirtualMemory  (-1, (0x391000), 160, 4, ... (0x391000), 4096, 16, ) == 0x0
 01073   896   NtProtectVirtualMemory  (-1, (0x391000), 4096, 16, ... (0x391000), 4096, 4, ) == 0x0
 01074   896   NtFlushInstructionCache  (-1, 3739648, 160, ... ) == 0x0
 01075   896   NtProtectVirtualMemory  (-1, (0x391000), 160, 4, ... (0x391000), 4096, 16, ) == 0x0
 01076   896   NtProtectVirtualMemory  (-1, (0x391000), 4096, 16, ... (0x391000), 4096, 4, ) == 0x0
 01077   896   NtFlushInstructionCache  (-1, 3739648, 160, ... ) == 0x0
 01078   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01079   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01080   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01081   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 88, ) }, ... 88, ) == 0x0
 01082   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0
 01083   896   NtClose  (88, ... ) == 0x0
 01084   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01085   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01086   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01087   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01088   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01089   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01090   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01091   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01092   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01093   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01094   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01095   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01096   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01097   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01098   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01099   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01100   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01101   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01102   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01103   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01104   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01105   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106   896   NtOpenKey  (0x2000000, {24, 40, 0x40, 0, 0,  (0x2000000, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01107   896   NtCreateSemaphore  (0x1f0003, {24, 16, 0x80, 1338216, 0,  (0x1f0003, {24, 16, 0x80, 1338216, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 88, ) }, 0, 2147483647, ... 88, ) == STATUS_OBJECT_NAME_EXISTS
 01108   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01109   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01110   896   NtQueryPerformanceCounter  (... {-1436628242, 16}, {3579545, 0}, ) == 0x0
 01111   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01112   896   NtQueryPerformanceCounter  (... {-1436627421, 16}, {3579545, 0}, ) == 0x0
 01113   896   NtAllocateVirtualMemory  (-1, 1339392, 0, 8192, 4096, 4, ... 1339392, 8192, ) == 0x0
 01114   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01115   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9502720, 1048576, ) == 0x0
 01116   896   NtAllocateVirtualMemory  (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0
 01117   896   NtAllocateVirtualMemory  (-1, 9506816, 0, 8192, 4096, 4, ... 9506816, 8192, ) == 0x0
 01118   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 01119   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1242348,  (0xc0100080, {24, 0, 0x40, 0, 1242348, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 96, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 96, {status=0x0, info=0}, ) == 0x0
 01120   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 100, ) == 0x0
 01121   896   NtDeviceIoControlFile  (96, 100, 0x0, 0x12f54c, 0x22414c,  (96, 100, 0x0, 0x12f54c, 0x22414c, "\224\365\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 01122   896   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 01123   896   NtQueryValueKey  (-2147482748,  (-2147482748, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01124   896   NtQueryValueKey  (-2147482748,  (-2147482748, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01125   896   NtClose  (-2147482748, ... ) == 0x0
 01126   896   NtClose  (900, ... ) == 0x0
 01121   896   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "\320+_\341\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#u\0l\0t\0Nm\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01127   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1242564,  (0xc0100080, {24, 0, 0x40, 0, 1242564, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 108, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 108, {status=0x0, info=0}, ) == 0x0
 01128   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 01129   896   NtDuplicateObject  (-1, -1, -1, 0x0, 0, 2, ... 116, ) == 0x0
 01130   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 01131   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 01132   896   NtAllocateVirtualMemory  (-1, 9515008, 0, 8192, 4096, 4, ... 9515008, 8192, ) == 0x0
 01133   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10551296, 1048576, ) == 0x0
 01134   896   NtAllocateVirtualMemory  (-1, 11591680, 0, 8192, 4096, 4, ... 11591680, 8192, ) == 0x0
 01135   896   NtProtectVirtualMemory  (-1, (0xb0e000), 4096, 260, ... (0xb0e000), 4096, 4, ) == 0x0
 01136   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1241648, 1241592, 1, ... 128, {1252, 1104}, ) == 0x0
 01137   896   NtQueryInformationThread  (128, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1252,Tid=1104,}, 0x0, ) == 0x0
 01138   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 17, 1242416, 1319072, 9503096}  (24, {28, 56, new_msg, 0, 17, 1242416, 1319072, 9503096} "\0\0\0\0\1\0\1\0\200\0\0\0(\2\0\0\200\0\0\0\344\4\0\0P\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\200\0\0\0\344\4\0\0P\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81893, 0}  (24, {28, 56, new_msg, 0, 17, 1242416, 1319072, 9503096} "\0\0\0\0\1\0\1\0\200\0\0\0(\2\0\0\200\0\0\0\344\4\0\0P\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\200\0\0\0\344\4\0\0P\4\0\0" )  ) == 0x0
 01139   896   NtResumeThread  (128, ... 1, ) == 0x0
 01140   896   NtClose  (128, ... ) == 0x0
 01141  1104   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 128, ) == 0x0
 01142  1104   NtWaitForSingleObject  (128, 0, 0x0, ...
 01143   896   NtSetEvent  (112, ... 0x0, ) == 0x0
 01144   896   NtSetEvent  (92, ... 0x0, ) == 0x0
 01145   896   NtClose  (92, ... ) == 0x0
 01146   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 01147   896   NtAllocateVirtualMemory  (-1, 9523200, 0, 4096, 4096, 4, ... 9523200, 4096, ) == 0x0
 01148   896   NtDeviceIoControlFile  (96, 100, 0x0, 0x12f54c, 0x22414c,  (96, 100, 0x0, 0x12f54c, 0x22414c, "\224\365\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 01149   896   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 01150   896   NtQueryValueKey  (-2147482748,  (-2147482748, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01151   896   NtQueryValueKey  (-2147482748,  (-2147482748, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01152   896   NtClose  (-2147482748, ... ) == 0x0
 01153   896   NtClose  (900, ... ) == 0x0
 01148   896   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, " xF\342\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344c\0e\0s\0s\0\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01154   896   NtSetEvent  (112, ... 0x0, ) == 0x0
 01155   896   NtSetEvent  (92, ... 0x0, ) == 0x0
 01156   896   NtClose  (92, ... ) == 0x0
 01157   896   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01158   896   NtOpenProcessToken  (-1, 0xa, ... 92, ) == 0x0
 01159   896   NtDuplicateToken  (92, 0xc, {24, 0, 0x0, 0, 1242832, 0x0}, 0, 2, ... 136, ) == 0x0
 01160   896   NtClose  (92, ... ) == 0x0
 01161   896   NtAccessCheck  (1344040, 136, 0x1, 1242908, 1242960, 56, 1242940, ... (0x1), ) == 0x0
 01162   896   NtClose  (136, ... ) == 0x0
 01163   896   NtQueryDefaultUILanguage  (1241712, ...
 01164   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01165   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482748, ) == 0x0
 01166   896   NtQueryInformationToken  (-2147482748, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01167   896   NtClose  (-2147482748, ... ) == 0x0
 01168   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 01169   896   NtOpenKey  (0x80000000, {24, -2147482748, 0x240, 0, 0,  (0x80000000, {24, -2147482748, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01170   896   NtOpenKey  (0x80000000, {24, -2147482748, 0x640, 0, 0,  (0x80000000, {24, -2147482748, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01171   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172   896   NtClose  (-2147481452, ... ) == 0x0
 01173   896   NtClose  (-2147482748, ... ) == 0x0
 01163   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01174   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01175   896   NtQueryDefaultUILanguage  (2090319928, ...
 01176   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01177   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482748, ) == 0x0
 01178   896   NtQueryInformationToken  (-2147482748, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01179   896   NtClose  (-2147482748, ... ) == 0x0
 01180   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 01181   896   NtOpenKey  (0x80000000, {24, -2147482748, 0x240, 0, 0,  (0x80000000, {24, -2147482748, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01182   896   NtOpenKey  (0x80000000, {24, -2147482748, 0x640, 0, 0,  (0x80000000, {24, -2147482748, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01183   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01184   896   NtClose  (-2147481452, ... ) == 0x0
 01185   896   NtClose  (-2147482748, ... ) == 0x0
 01175   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01186   896   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 01187   896   NtQueryDefaultLocale  (1, 1239808, ... ) == 0x0
 01188   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01189   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568}  (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81894, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81894, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81894, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" )  ) == 0x0
 01190   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01191   896   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01192   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01193   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01194   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1239036, ... ) }, 1239036, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01195   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01196   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01197   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01198   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1239100, ... ) }, 1239100, ... ) == 0x0
 01199   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 136, {status=0x0, info=1}, ) }, 3, 33, ... 136, {status=0x0, info=1}, ) == 0x0
 01200   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01201   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01202   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 140, ) == 0x0
 01203   896   NtClose  (92, ... ) == 0x0
 01204   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb10000), 0x0, 1056768, ) == 0x0
 01205   896   NtClose  (140, ... ) == 0x0
 01206   896   NtUnmapViewOfSection  (-1, 0xb10000, ... ) == 0x0
 01207   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 140, {status=0x0, info=1}, ) }, 5, 96, ... 140, {status=0x0, info=1}, ) == 0x0
 01208   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 140, ... 92, ) == 0x0
 01209   896   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01210   896   NtClose  (140, ... ) == 0x0
 01211   896   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 01212   896   NtClose  (92, ... ) == 0x0
 01213   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01214   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01215   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01216   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01217   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01218   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01219   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01220   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01221   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01222   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01223   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01224   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01225   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01226   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01227   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01228   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01229   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01230   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01231   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01232   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01233   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01234   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235   896   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240580, ... ) , 42, 1240580, ... ) == 0x0
 01236   896   NtQueryDefaultUILanguage  (1239264, ...
 01237   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01238   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482748, ) == 0x0
 01239   896   NtQueryInformationToken  (-2147482748, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01240   896   NtClose  (-2147482748, ... ) == 0x0
 01241   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 01242   896   NtOpenKey  (0x80000000, {24, -2147482748, 0x240, 0, 0,  (0x80000000, {24, -2147482748, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01243   896   NtOpenKey  (0x80000000, {24, -2147482748, 0x640, 0, 0,  (0x80000000, {24, -2147482748, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01244   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01245   896   NtClose  (-2147481452, ... ) == 0x0
 01246   896   NtClose  (-2147482748, ... ) == 0x0
 01236   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01247   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238104, ... ) }, 1238104, ... ) == 0x0
 01248   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01249   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 140, ) == 0x0
 01250   896   NtClose  (92, ... ) == 0x0
 01251   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3b0000), 0x0, 4096, ) == 0x0
 01252   896   NtClose  (140, ... ) == 0x0
 01253   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 01254   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237700, ... ) }, 1237700, ... ) == 0x0
 01255   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238444,  (0x80100080, {24, 0, 0x40, 0, 1238444, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 140, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 140, {status=0x0, info=1}, ) == 0x0
 01256   896   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 140, ... 92, ) == 0x0
 01257   896   NtClose  (140, ... ) == 0x0
 01258   896   NtMapViewOfSection  (92, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3b0000), {0, 0}, 4096, ) == 0x0
 01259   896   NtClose  (92, ... ) == 0x0
 01260   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 01261   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 92, {status=0x0, info=1}, ) }, 1, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01262   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 92, ... 140, ) == 0x0
 01263   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3b0000), 0x0, 4096, ) == 0x0
 01264   896   NtQueryInformationFile  (92, 1238096, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01265   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01266   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120}  (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1\\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81896, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1\\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81896, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1\\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81896, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1\\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" )  ) == 0x0
 01267   896   NtClose  (92, ... ) == 0x0
 01268   896   NtClose  (140, ... ) == 0x0
 01269   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 01270   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01271   896   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01272   896   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 01273   896   NtUserGetDC  (0, ... ) == 0x1010052
 01274   896   NtQueryVirtualMemory  (-1, 0x7c91ca50, Basic, 28, ... {BaseAddress=0x7c91c000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01275   896   NtQueryVirtualMemory  (-1, 0x7c9163a8, Basic, 28, ... {BaseAddress=0x7c916000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x66000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01276   896   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01277   896   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01278   896   NtContinue  (1238304, 0, ...
 01279   896   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01280   896   NtUnmapViewOfSection  (-1, 0x773d0000, ... ) == 0x0
 01281   896   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01282   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01283   896   NtClose  (136, ... ) == 0x0
 01284   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 136, ) }, ... 136, ) == 0x0
 01285   896   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 01286   896   NtClose  (136, ... ) == 0x0
 01287   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01288   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01289   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01290   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01291   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01292   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01293   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01294   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01295   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01296   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01297   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01298   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01299   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01300   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01301   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01302   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01303   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01304   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3801088, 65536, ) == 0x0
 01305   896   NtAllocateVirtualMemory  (-1, 3801088, 0, 4096, 4096, 4, ... 3801088, 4096, ) == 0x0
 01306   896   NtAllocateVirtualMemory  (-1, 3805184, 0, 8192, 4096, 4, ... 3805184, 8192, ) == 0x0
 01307   896   NtAllocateVirtualMemory  (-1, 3813376, 0, 4096, 4096, 4, ... 3813376, 4096, ) == 0x0
 01308   896   NtAllocateVirtualMemory  (-1, 3817472, 0, 4096, 4096, 4, ... 3817472, 4096, ) == 0x0
 01309   896   NtQueryDefaultUILanguage  (1238736, ...
 01310   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01311   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482748, ) == 0x0
 01312   896   NtQueryInformationToken  (-2147482748, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01313   896   NtClose  (-2147482748, ... ) == 0x0
 01314   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 01315   896   NtOpenKey  (0x80000000, {24, -2147482748, 0x240, 0, 0,  (0x80000000, {24, -2147482748, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01316   896   NtOpenKey  (0x80000000, {24, -2147482748, 0x640, 0, 0,  (0x80000000, {24, -2147482748, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01317   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01318   896   NtClose  (-2147481452, ... ) == 0x0
 01319   896   NtClose  (-2147482748, ... ) == 0x0
 01309   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01320   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 136, {status=0x0, info=1}, ) }, 1, 96, ... 136, {status=0x0, info=1}, ) == 0x0
 01321   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 136, ... 140, ) == 0x0
 01322   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xb10000), 0x0, 618496, ) == 0x0
 01323   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01324   896   NtQueryDefaultLocale  (1, 1236832, ... ) == 0x0
 01325   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01326   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592}  (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1\210\0\0\0\377\377\377\377\0\0\0\0\340q\270\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81897, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1\210\0\0\0\377\377\377\377\0\0\0\0\340q\270\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81897, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1\210\0\0\0\377\377\377\377\0\0\0\0\340q\270\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81897, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1\210\0\0\0\377\377\377\377\0\0\0\0\340q\270\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" )  ) == 0x0
 01327   896   NtClose  (136, ... ) == 0x0
 01328   896   NtClose  (140, ... ) == 0x0
 01329   896   NtUnmapViewOfSection  (-1, 0xb10000, ... ) == 0x0
 01330   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01331   896   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1252, 0}, ... 140, ) == 0x0
 01332   896   NtQueryInformationProcess  (140, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01333   896   NtClose  (140, ... ) == 0x0
 01334   896   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01335   896   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 01336   896   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 01337   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01338   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 140, ) == 0x0
 01339   896   NtQueryInformationToken  (140, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01340   896   NtClose  (140, ... ) == 0x0
 01341   896   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 140, ) }, ... 140, ) == 0x0
 01342   896   NtOpenProcessToken  (-1, 0x8, ... 136, ) == 0x0
 01343   896   NtAccessCheck  (1344040, 136, 0x1, 1239928, 1239980, 56, 1239960, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 01344   896   NtClose  (136, ... ) == 0x0
 01345   896   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "Control Panel\Desktop"}, ... 136, ) }, ... 136, ) == 0x0
 01346   896   NtQueryValueKey  (136,  (136, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01347   896   NtClose  (136, ... ) == 0x0
 01348   896   NtUserSystemParametersInfo  (41, 500, 1240108, 0, ... ) == 0x1
 01349   896   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 01350   896   NtClose  (140, ... ) == 0x0
 01351   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01352   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c03b
 01353   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c03d
 01354   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01355   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c03f
 01356   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01357   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c041
 01358   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01359   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c043
 01360   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c045
 01361   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01362   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c047
 01363   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01364   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c049
 01365   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01366   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c04b
 01367   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01368   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c04d
 01369   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01370   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c04f
 01371   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c051
 01372   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01373   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c053
 01374   896   NtUserFindExistingCursorIcon  (1239856, 1239872, 1239920, ... ) == 0x10011
 01375   896   NtUserRegisterClassExWOW  (1239800, 1239868, 1239884, 1239900, 0, 384, 0, ... ) == 0x8177c055
 01376   896   NtUserFindExistingCursorIcon  (1239856, 1239872, 1239920, ... ) == 0x10011
 01377   896   NtUserRegisterClassExWOW  (1239800, 1239868, 1239884, 1239900, 0, 384, 0, ... ) == 0x8177c057
 01378   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01379   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c059
 01380   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10013
 01381   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c05b
 01382   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01383   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c05d
 01384   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01385   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c05f
 01386   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01387   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 140, ) == 0x0
 01388   896   NtQueryInformationToken  (140, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01389   896   NtClose  (140, ... ) == 0x0
 01390   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 140, ) }, ... 140, ) == 0x0
 01391   896   NtSetInformationObject  (140, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01392   896   NtCreateKey  (0x2001f, {24, 140, 0x40, 0, 0,  (0x2001f, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 136, 2, ) }, 0, 0x0, 0, ... 136, 2, ) == 0x0
 01393   896   NtSetEventBoostPriority  (128, ...
 01142  1104   NtWaitForSingleObject  ... ) == 0x0
 01394  1104   NtTestAlert  (... ) == 0x0
 01395  1104   NtContinue  (11599152, 1, ...
 01396  1104   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01397  1104   NtDeviceIoControlFile  (108, 120, 0x0, 0x77e466a0, 0x228144,  (108, 120, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0t\0\0\0\0\0\0\0\204\0\0\0\0\0\0\0h\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01398  1104   NtWaitForMultipleObjects  (2, (112, 120, ), 1, 1, {1294967296, -1}, ...
 01393   896   NtSetEventBoostPriority  ... ) == 0x0
 01398  1104   NtWaitForMultipleObjects  ... ) == 0x0
 01399  1104   NtDeviceIoControlFile  (108, 124, 0x0, 0x77e46680, 0x228144,  (108, 124, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0t\0\0\0\0\0\0\0\204\0\0\0\0\0\0\0h\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01400  1104   NtWaitForMultipleObjects  (2, (112, 124, ), 1, 1, {1294967296, -1}, ...
 01401   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01402   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01403   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 01404   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01405   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 144, ) == 0x0
 01406   896   NtQuerySection  (144, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01407   896   NtClose  (92, ... ) == 0x0
 01408   896   NtMapViewOfSection  (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0
 01409   896   NtClose  (144, ... ) == 0x0
 01410   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01411   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01412   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01413   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01414   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01415   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01416   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01417   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01418   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01419   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01420   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01421   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01422   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01423   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01424   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01425   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01426   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01427   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01428   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01429   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01430   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3997696, 65536, ) == 0x0
 01431   896   NtAllocateVirtualMemory  (-1, 3997696, 0, 4096, 4096, 4, ... 3997696, 4096, ) == 0x0
 01432   896   NtAllocateVirtualMemory  (-1, 4001792, 0, 8192, 4096, 4, ... 4001792, 8192, ) == 0x0
 01433   896   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 144, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 144, {status=0x0, info=0}, ) == 0x0
 01434   896   NtCreateFile  (0x40000000, {24, 0, 0x40, 0, 0,  (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 92, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 92, {status=0x0, info=0}, ) == 0x0
 01435   896   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 148, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 148, {status=0x0, info=0}, ) == 0x0
 01436   896   NtCreateFile  (0x100003, {24, 0, 0x40, 0, 0,  (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 152, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 152, {status=0x0, info=0}, ) == 0x0
 01437   896   NtCreateFile  (0x20100080, {24, 0, 0x40, 0, 1242836,  (0x20100080, {24, 0, 0x40, 0, 1242836, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 156, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 156, {status=0x0, info=0}, ) == 0x0
 01438   896   NtAllocateVirtualMemory  (-1, 4009984, 0, 36864, 4096, 4, ... 4009984, 36864, ) == 0x0
 01439   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01440   896   NtDeviceIoControlFile  (144, 160, 0x0, 0x0, 0x120003,  (144, 160, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (144, 160, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01441   896   NtClose  (160, ... ) == 0x0
 01442   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01443   896   NtDeviceIoControlFile  (144, 160, 0x0, 0x0, 0x120003,  (144, 160, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118},  (144, 160, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0
 01444   896   NtClose  (160, ... ) == 0x0
 01445   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01446   896   NtDeviceIoControlFile  (144, 160, 0x0, 0x0, 0x120003,  (144, 160, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363n\201\1\0\0\0\5\0\0\0\232A\250\25\227|\242\6\10\206\1\0\331\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\205\314l\0g\222\0\0\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158},  (144, 160, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363n\201\1\0\0\0\5\0\0\0\232A\250\25\227|\242\6\10\206\1\0\331\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\205\314l\0g\222\0\0\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0
 01447   896   NtClose  (160, ... ) == 0x0
 01448   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01449   896   NtDeviceIoControlFile  (144, 160, 0x0, 0x0, 0x120003,  (144, 160, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (144, 160, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01450   896   NtClose  (160, ... ) == 0x0
 01451   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01452   896   NtDeviceIoControlFile  (144, 160, 0x0, 0x0, 0x120003,  (144, 160, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4},  (144, 160, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0
 01453   896   NtClose  (160, ... ) == 0x0
 01454   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01455   896   NtDeviceIoControlFile  (144, 160, 0x0, 0x0, 0x120003,  (144, 160, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8},  (144, 160, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0
 01456   896   NtClose  (160, ... ) == 0x0
 01457   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 160, ) == 0x0
 01458   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 164, ) == 0x0
 01459   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01460   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01461   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01462   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01463   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01464   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01465   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01466   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01467   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01468   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01469   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01470   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01471   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01472   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01473   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01474   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01475   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01476   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01477   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01478   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01479   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01480   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01481   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01482   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01483   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01484   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01485   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01486   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01487   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01488   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01489   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01490   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01491   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01492   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01493   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01494   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01495   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01496   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01497   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01498   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01499   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01500   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01501   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01502   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01503   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01504   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01505   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01506   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01507   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01508   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01509   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01510   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01511   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01512   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01513   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01514   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01515   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01516   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01517   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01518   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01519   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01520   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01521   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01522   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01523   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01524   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01525   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01526   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01527   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01528   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01529   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01530   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01531   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01532   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01533   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01534   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01535   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01536   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01537   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01538   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01539   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01540   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01541   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01542   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01543   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01544   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01545   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01546   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01547   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01548   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01549   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01550   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01551   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01552   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01553   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01554   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01555   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01556   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01557   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01558   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01559   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01560   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01561   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01562   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01563   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01564   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01565   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01566   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01567   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01568   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01569   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01570   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01571   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01572   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01573   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01574   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01575   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01576   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01577   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01578   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01579   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01580   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01581   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01582   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01583   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01584   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 168, ) }, ... 168, ) == 0x0
 01585   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 172, ) }, ... 172, ) == 0x0
 01586   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 176, ) }, ... 176, ) == 0x0
 01587   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 180, ) }, ... 180, ) == 0x0
 01588   896   NtQueryDefaultLocale  (1, 1242816, ... ) == 0x0
 01589   896   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 28672, ) == 0x0
 01590   896   NtFreeVirtualMemory  (-1, (0x330147), 0, 32768, ... (0x330000), 4096, ) == 0x0
 01591   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01592   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3342336, 65536, ) == 0x0
 01593   896   NtAllocateVirtualMemory  (-1, 3342336, 0, 4096, 4096, 4, ... 3342336, 4096, ) == 0x0
 01594   896   NtAllocateVirtualMemory  (-1, 3346432, 0, 20480, 4096, 4, ... 3346432, 20480, ) == 0x0
 01595   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11599872, 1048576, ) == 0x0
 01596   896   NtAllocateVirtualMemory  (-1, 11599872, 0, 32768, 4096, 4, ... 11599872, 32768, ) == 0x0
 01597   896   NtOpenKey  (0x2000000, {24, 40, 0x40, 0, 0,  (0x2000000, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 184, ) }, ... 184, ) == 0x0
 01598   896   NtQueryValueKey  (184,  (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01599   896   NtQueryValueKey  (184,  (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01600   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 188, ) == 0x0
 01601   896   NtOpenKey  (0x2000000, {24, 184, 0x40, 0, 0,  (0x2000000, {24, 184, 0x40, 0, 0, "Protocol_Catalog9"}, ... 192, ) }, ... 192, ) == 0x0
 01602   896   NtQueryValueKey  (192,  (192, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 01603   896   NtNotifyChangeKey  (192, 188, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 01604   896   NtQueryValueKey  (192,  (192, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 01605   896   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01606   896   NtQueryValueKey  (192,  (192, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 01607   896   NtQueryValueKey  (192,  (192, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 01608   896   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "Catalog_Entries"}, ... 196, ) }, ... 196, ) == 0x0
 01609   896   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 01610   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000001"}, ... 200, ) }, ... 200, ) == 0x0
 01611   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01612   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01613   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0N\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0N\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0O\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0O\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0P\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0P\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Q\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0N\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0N\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0O\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0O\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0P\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0P\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Q\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0P\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Q\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0N\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0N\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0O\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0O\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0P\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0P\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Q\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01614   896   NtClose  (200, ... ) == 0x0
 01615   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000002"}, ... 200, ) }, ... 200, ) == 0x0
 01616   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01617   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01618   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0S\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0S\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0T\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0T\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0U\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0U\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0V\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0S\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0S\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0T\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0T\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0U\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0U\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0V\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0U\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0V\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0S\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0S\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0T\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0T\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0U\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0U\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0V\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01619   896   NtClose  (200, ... ) == 0x0
 01620   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000003"}, ... 200, ) }, ... 200, ) == 0x0
 01621   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01622   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01623   896   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 01624   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Y\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0Y\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0Z\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0[\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Y\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0Y\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0Z\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0[\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Y\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0Y\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0Z\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0[\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01625   896   NtClose  (200, ... ) == 0x0
 01626   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000004"}, ... 200, ) }, ... 200, ) == 0x0
 01627   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01628   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01629   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0^\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0^\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0_\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0`\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0^\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0^\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0_\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0`\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0^\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0^\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0_\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0`\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01630   896   NtClose  (200, ... ) == 0x0
 01631   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000005"}, ... 200, ) }, ... 200, ) == 0x0
 01632   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01633   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01634   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0c\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0c\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0d\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0d\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0e\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0e\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0f\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0c\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0c\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0d\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0d\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0e\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0e\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0f\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0e\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0f\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0c\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0c\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0d\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0d\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0e\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0e\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0f\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01635   896   NtClose  (200, ... ) == 0x0
 01636   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000006"}, ... 200, ) }, ... 200, ) == 0x0
 01637   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01638   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01639   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0h\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0h\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0i\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0i\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0j\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0j\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0k\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0h\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0h\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0i\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0i\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0j\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0j\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0k\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0j\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0k\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0h\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0h\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0i\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0i\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0j\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0j\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0k\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01640   896   NtClose  (200, ... ) == 0x0
 01641   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000007"}, ... 200, ) }, ... 200, ) == 0x0
 01642   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01643   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01644   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0m\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0m\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0n\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0n\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0o\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0o\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0m\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0m\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0n\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0n\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0o\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0o\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0o\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0m\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0m\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0n\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0n\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0o\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0o\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01645   896   NtClose  (200, ... ) == 0x0
 01646   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000008"}, ... 200, ) }, ... 200, ) == 0x0
 01647   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01648   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01649   896   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01650   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0s\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0s\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0t\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0u\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0s\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0s\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0t\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0u\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0s\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0s\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0t\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0u\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01651   896   NtClose  (200, ... ) == 0x0
 01652   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000009"}, ... 200, ) }, ... 200, ) == 0x0
 01653   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01654   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01655   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0x\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0x\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0y\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0z\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0x\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0x\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0y\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0z\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0x\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0x\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0y\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0z\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01656   896   NtClose  (200, ... ) == 0x0
 01657   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000010"}, ... 200, ) }, ... 200, ) == 0x0
 01658   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01659   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01660   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0}\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0}\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0~\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0~\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\177\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\177\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\200\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0}\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0}\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0~\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0~\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\177\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\177\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\200\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\177\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\200\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0}\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0}\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0~\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0~\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\177\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\177\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\200\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01661   896   NtClose  (200, ... ) == 0x0
 01662   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000011"}, ... 200, ) }, ... 200, ) == 0x0
 01663   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01664   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01665   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\202\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\202\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\203\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\204\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\204\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\202\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\202\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\203\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\204\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\204\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\204\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\202\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\202\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\203\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\204\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\204\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01666   896   NtClose  (200, ... ) == 0x0
 01667   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000012"}, ... 200, ) }, ... 200, ) == 0x0
 01668   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01669   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01670   896   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 01671   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\210\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\211\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\212\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\210\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\211\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\212\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\210\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\210\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\211\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\212\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01672   896   NtClose  (200, ... ) == 0x0
 01673   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000013"}, ... 200, ) }, ... 200, ) == 0x0
 01674   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01675   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01676   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\215\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\215\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\216\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\217\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\215\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\215\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\216\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\217\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\215\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\215\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\216\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\217\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01677   896   NtClose  (200, ... ) == 0x0
 01678   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000014"}, ... 200, ) }, ... 200, ) == 0x0
 01679   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01680   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01681   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\222\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\222\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\223\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\224\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\222\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\222\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\223\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\224\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\222\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\222\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\223\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\224\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01682   896   NtClose  (200, ... ) == 0x0
 01683   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000015"}, ... 200, ) }, ... 200, ) == 0x0
 01684   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01685   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01686   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\227\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\227\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\230\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\231\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\227\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\227\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\230\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\231\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\227\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\227\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\230\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\231\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01687   896   NtClose  (200, ... ) == 0x0
 01688   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000016"}, ... 200, ) }, ... 200, ) == 0x0
 01689   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01690   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01691   896   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01692   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\235\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\235\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\236\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\237\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\235\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\235\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\236\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\237\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\235\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\235\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\236\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\237\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01693   896   NtClose  (200, ... ) == 0x0
 01694   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000017"}, ... 200, ) }, ... 200, ) == 0x0
 01695   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01696   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01697   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\242\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\242\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\243\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\244\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\242\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\242\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\243\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\244\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\242\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\242\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\243\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\244\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01698   896   NtClose  (200, ... ) == 0x0
 01699   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000018"}, ... 200, ) }, ... 200, ) == 0x0
 01700   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01701   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01702   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\247\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\247\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\250\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\250\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\251\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\251\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\252\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\247\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\247\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\250\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\250\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\251\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\251\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\252\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\251\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\252\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\247\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\247\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\250\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\250\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\251\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\251\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\252\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01703   896   NtClose  (200, ... ) == 0x0
 01704   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000019"}, ... 200, ) }, ... 200, ) == 0x0
 01705   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01706   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01707   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\254\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\254\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\255\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\256\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\254\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\254\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\255\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\256\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\254\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\254\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\255\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\256\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01708   896   NtClose  (200, ... ) == 0x0
 01709   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000020"}, ... 200, ) }, ... 200, ) == 0x0
 01710   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01711   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01712   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\261\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\261\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\262\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\262\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\263\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\263\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\264\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\261\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\261\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\262\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\262\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\263\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\263\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\264\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\263\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\264\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\261\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\261\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\262\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\262\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\263\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\263\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\264\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01713   896   NtClose  (200, ... ) == 0x0
 01714   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000021"}, ... 200, ) }, ... 200, ) == 0x0
 01715   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01716   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01717   896   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 01718   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\267\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\267\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\270\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\271\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\267\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\267\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\270\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\271\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\267\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\267\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\270\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\271\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01719   896   NtClose  (200, ... ) == 0x0
 01720   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000022"}, ... 200, ) }, ... 200, ) == 0x0
 01721   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01722   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01723   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\274\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\274\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\275\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\6\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\6\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\277\6\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\277\6\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\300\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\220\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\274\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\274\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\275\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\6\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\6\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\277\6\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\277\6\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\300\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\220\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\274\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\274\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\275\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\6\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\6\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\277\6\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\277\6\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\300\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\220\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 01724   896   NtClose  (200, ... ) == 0x0
 01725   896   NtClose  (196, ... ) == 0x0
 01726   896   NtWaitForSingleObject  (188, 0, {0, 0}, ... ) == 0x102
 01727   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 196, ) == 0x0
 01728   896   NtOpenKey  (0x2000000, {24, 184, 0x40, 0, 0,  (0x2000000, {24, 184, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 200, ) }, ... 200, ) == 0x0
 01729   896   NtQueryValueKey  (200,  (200, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 01730   896   NtNotifyChangeKey  (200, 196, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 01731   896   NtQueryValueKey  (200,  (200, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 01732   896   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01733   896   NtQueryValueKey  (200,  (200, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01734   896   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "Catalog_Entries"}, ... 204, ) }, ... 204, ) == 0x0
 01735   896   NtOpenKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "000000000001"}, ... 208, ) }, ... 208, ) == 0x0
 01736   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01737   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01738   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01739   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01740   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01741   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01742   896   NtQueryValueKey  (208,  (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 01743   896   NtQueryValueKey  (208,  (208, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01744   896   NtQueryValueKey  (208,  (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 01745   896   NtQueryValueKey  (208,  (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01746   896   NtQueryValueKey  (208,  (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01747   896   NtQueryValueKey  (208,  (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01748   896   NtClose  (208, ... ) == 0x0
 01749   896   NtOpenKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "000000000002"}, ... 208, ) }, ... 208, ) == 0x0
 01750   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01751   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01752   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01753   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01754   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01755   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01756   896   NtQueryValueKey  (208,  (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01757   896   NtQueryValueKey  (208,  (208, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01758   896   NtQueryValueKey  (208,  (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01759   896   NtQueryValueKey  (208,  (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01760   896   NtQueryValueKey  (208,  (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01761   896   NtQueryValueKey  (208,  (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01762   896   NtClose  (208, ... ) == 0x0
 01763   896   NtOpenKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "000000000003"}, ... 208, ) }, ... 208, ) == 0x0
 01764   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01765   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01766   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01767   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01768   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01769   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01770   896   NtQueryValueKey  (208,  (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01771   896   NtQueryValueKey  (208,  (208, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01772   896   NtQueryValueKey  (208,  (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01773   896   NtQueryValueKey  (208,  (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01774   896   NtQueryValueKey  (208,  (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01775   896   NtQueryValueKey  (208,  (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01776   896   NtClose  (208, ... ) == 0x0
 01777   896   NtOpenKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "000000000004"}, ... 208, ) }, ... 208, ) == 0x0
 01778   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01779   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01780   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01781   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01782   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01783   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01784   896   NtQueryValueKey  (208,  (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 01785   896   NtQueryValueKey  (208,  (208, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01786   896   NtQueryValueKey  (208,  (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01787   896   NtQueryValueKey  (208,  (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01788   896   NtQueryValueKey  (208,  (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01789   896   NtQueryValueKey  (208,  (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01790   896   NtClose  (208, ... ) == 0x0
 01791   896   NtClose  (204, ... ) == 0x0
 01792   896   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x102
 01793   896   NtClose  (184, ... ) == 0x0
 01794   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01795   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01796   896   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 184, ) }, ... 184, ) == 0x0
 01797   896   NtQueryValueKey  (184,  (184, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01798   896   NtClose  (184, ... ) == 0x0
 01799   896   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 01800   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 184, ) == 0x0
 01801   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241392, ... ) }, 1241392, ... ) == 0x0
 01802   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 204, {status=0x0, info=1}, ) }, 7, 2113568, ... 204, {status=0x0, info=1}, ) == 0x0
 01803   896   NtSetInformationFile  (204, 1241368, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01804   896   NtClose  (204, ... ) == 0x0
 01805   896   NtOpenProcessToken  (-1, 0x28, ... 204, ) == 0x0
 01806   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01807   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 208, ) == 0x0
 01808   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01809   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01810   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239620,  (0xc0100080, {24, 0, 0x40, 0, 1239620, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 212, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 212, {status=0x0, info=1}, ) == 0x0
 01811   896   NtSetInformationFile  (212, 1239676, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01812   896   NtSetInformationFile  (212, 1239664, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01813   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01814   896   NtWriteFile  (212, 57, 0, 0,  (212, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01815   896   NtReadFile  (212, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (212, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20n+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01816   896   NtFsControlFile  (212, 57, 0x0, 0x0, 0x11c017,  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20n+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20n+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01817   896   NtFsControlFile  (212, 57, 0x0, 0x0, 0x11c017,  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0p\0\0\0\2\0\0\0X\0\0\0\0\0\37\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\3640\02\0\240\363\24\0\31\0\0\0\0\0\0\0\30\0\0\0S\0e\0T\0a\0k\0e\0O\0w\0n\0e\0r\0s\0h\0i\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 112, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\364\0\0\0\0", ) N}\323XAC\252\21H\231\344K\241\3640\02\0\240\363\24\0\31\0\0\0\0\0\0\0\30\0\0\0S\0e\0T\0a\0k\0e\0O\0w\0n\0e\0r\0s\0h\0i\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0p\0\0\0\2\0\0\0X\0\0\0\0\0\37\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\3640\02\0\240\363\24\0\31\0\0\0\0\0\0\0\30\0\0\0S\0e\0T\0a\0k\0e\0O\0w\0n\0e\0r\0s\0h\0i\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 112, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\364\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\367 (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0p\0\0\0\2\0\0\0X\0\0\0\0\0\37\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\3640\02\0\240\363\24\0\31\0\0\0\0\0\0\0\30\0\0\0S\0e\0T\0a\0k\0e\0O\0w\0n\0e\0r\0s\0h\0i\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 112, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\364\0\0\0\0", ) , ) == 0x103
 01818   896   NtFsControlFile  (212, 57, 0x0, 0x0, 0x11c017,  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\364", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\0\0\0\0", ) N}\323XAC\252\21H\231\344K\241\364 (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\364", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\0\0\0\0", ) \5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\0\0\0\0", ) == 0x103
 01819   896   NtClose  (208, ... ) == 0x0
 01820   896   NtClose  (212, ... ) == 0x0
 01821   896   NtAdjustPrivilegesToken  (204, 0, 1241464, 0, 0, 0, ... ) == 0x0
 01822   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01823   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01824   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01825   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01826   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239620,  (0xc0100080, {24, 0, 0x40, 0, 1239620, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 208, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 208, {status=0x0, info=1}, ) == 0x0
 01827   896   NtSetInformationFile  (208, 1239676, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01828   896   NtSetInformationFile  (208, 1239664, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01829   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01830   896   NtWriteFile  (208, 57, 0, 0,  (208, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01831   896   NtReadFile  (208, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (208, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20o+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01832   896   NtFsControlFile  (208, 57, 0x0, 0x0, 0x11c017,  (208, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20o+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (208, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20o+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01833   896   NtFsControlFile  (208, 57, 0x0, 0x0, 0x11c017,  (208, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0d\0\0\0\2\0\0\0L\0\0\0\0\0\37\0\0\0\0\0X\33\236\13\236WsB\202\210\263w\277\373\354\337$\0&\08\211\24\0\23\0\0\0\0\0\0\0\22\0\0\0S\0e\0R\0e\0s\0t\0o\0r\0e\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 100, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0X\33\236\13\236WsB\202\210\263w\277\373\354\337\0\0\0\0", ) , 100, 1024, ... {status=0x103, info=48},  (208, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0d\0\0\0\2\0\0\0L\0\0\0\0\0\37\0\0\0\0\0X\33\236\13\236WsB\202\210\263w\277\373\354\337$\0&\08\211\24\0\23\0\0\0\0\0\0\0\22\0\0\0S\0e\0R\0e\0s\0t\0o\0r\0e\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 100, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0X\33\236\13\236WsB\202\210\263w\277\373\354\337\0\0\0\0", ) , ) == 0x103
 01834   896   NtFsControlFile  (208, 57, 0x0, 0x0, 0x11c017,  (208, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0X\33\236\13\236WsB\202\210\263w\277\373\354\337", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (208, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0X\33\236\13\236WsB\202\210\263w\277\373\354\337", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01835   896   NtClose  (212, ... ) == 0x0
 01836   896   NtClose  (208, ... ) == 0x0
 01837   896   NtAdjustPrivilegesToken  (204, 0, 1241464, 0, 0, 0, ... ) == 0x0
 01838   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01839   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 208, ) == 0x0
 01840   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01841   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01842   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239620,  (0xc0100080, {24, 0, 0x40, 0, 1239620, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 212, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 212, {status=0x0, info=1}, ) == 0x0
 01843   896   NtSetInformationFile  (212, 1239676, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01844   896   NtSetInformationFile  (212, 1239664, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01845   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01846   896   NtWriteFile  (212, 57, 0, 0,  (212, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01847   896   NtReadFile  (212, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (212, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01848   896   NtFsControlFile  (212, 57, 0x0, 0x0, 0x11c017,  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01849   896   NtFsControlFile  (212, 57, 0x0, 0x0, 0x11c017,  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\252\366\254\341x\227XM\215\230\305\25-\27\256H"\0$\08\211\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\252\366\254\341x\227XM\215\230\305\25-\27\256H\0\0\0\0", ) \0$\08\211\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\252\366\254\341x\227XM\215\230\305\25-\27\256H"\0$\08\211\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\252\366\254\341x\227XM\215\230\305\25-\27\256H\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\252\366\254\341x\227XM\215\230\305\25-\27\256H\0\0\0\0", ) == 0x103
 01850   896   NtFsControlFile  (212, 57, 0x0, 0x0, 0x11c017,  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\252\366\254\341x\227XM\215\230\305\25-\27\256H", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\252\366\254\341x\227XM\215\230\305\25-\27\256H", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01851   896   NtClose  (208, ... ) == 0x0
 01852   896   NtClose  (212, ... ) == 0x0
 01853   896   NtAdjustPrivilegesToken  (204, 0, 1241464, 0, 0, 0, ... ) == 0x0
 01854   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01855   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01856   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01857   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01858   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239620,  (0xc0100080, {24, 0, 0x40, 0, 1239620, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 208, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 208, {status=0x0, info=1}, ) == 0x0
 01859   896   NtSetInformationFile  (208, 1239676, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01860   896   NtSetInformationFile  (208, 1239664, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01861   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01862   896   NtWriteFile  (208, 57, 0, 0,  (208, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01863   896   NtReadFile  (208, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (208, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01864   896   NtFsControlFile  (208, 57, 0x0, 0x0, 0x11c017,  (208, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (208, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01865   896   NtFsControlFile  (208, 57, 0x0, 0x0, 0x11c017,  (208, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0n\0\0\0\2\0\0\0V\0\0\0\0\0\37\0\0\0\0\0\261\303v\367g\6\1N\203gPm\311O)[.\00\0x\365\24\0\30\0\0\0\0\0\0\0\27\0\0\0S\0e\0C\0h\0a\0n\0g\0e\0N\0o\0t\0i\0f\0y\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 110, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\261\303v\367g\6\1N\203gPm\311O)[\0\0\0\0", ) , 110, 1024, ... {status=0x103, info=48},  (208, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0n\0\0\0\2\0\0\0V\0\0\0\0\0\37\0\0\0\0\0\261\303v\367g\6\1N\203gPm\311O)[.\00\0x\365\24\0\30\0\0\0\0\0\0\0\27\0\0\0S\0e\0C\0h\0a\0n\0g\0e\0N\0o\0t\0i\0f\0y\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 110, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\261\303v\367g\6\1N\203gPm\311O)[\0\0\0\0", ) , ) == 0x103
 01866   896   NtFsControlFile  (208, 57, 0x0, 0x0, 0x11c017,  (208, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\261\303v\367g\6\1N\203gPm\311O)[", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (208, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\261\303v\367g\6\1N\203gPm\311O)[", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01867   896   NtClose  (212, ... ) == 0x0
 01868   896   NtClose  (208, ... ) == 0x0
 01869   896   NtAdjustPrivilegesToken  (204, 0, 1241464, 0, 0, 0, ... ) == 0x0
 01870   896   NtQueryInformationToken  (204, User, 100, ... {token info, class 1, size 36}, 36, ) == 0x0
 01871   896   NtClose  (204, ... ) == 0x0
 01872   896   NtOpenFile  (0x80000, {24, 0, 0x40, 0, 0,  (0x80000, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2097152, ... 204, {status=0x0, info=1}, ) }, 7, 2097152, ... 204, {status=0x0, info=1}, ) == 0x0
 01873   896   NtSetSecurityObject  (204, 1, {1, 0, 0x4, 2147102148, 0, 0, 0}, ... ) == STATUS_ACCESS_DENIED
 01874   896   NtClose  (204, ... ) == 0x0
 01875   896   NtOpenFile  (0x40000, {24, 0, 0x40, 0, 0,  (0x40000, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2097152, ... 204, {status=0x0, info=1}, ) }, 7, 2097152, ... 204, {status=0x0, info=1}, ) == 0x0
 01876   896   NtSetSecurityObject  (204, 4, {1, 0, 0x4, 2147102148, 0, 0, 0}, ... ) == 0x0
 01877   896   NtClose  (204, ... ) == 0x0
 01878   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241392, ... ) }, 1241392, ... ) == 0x0
 01879   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 204, {status=0x0, info=1}, ) }, 7, 2113568, ... 204, {status=0x0, info=1}, ) == 0x0
 01880   896   NtSetInformationFile  (204, 1241368, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01881   896   NtClose  (204, ... ) == 0x0
 01882   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241640,  (0x80100080, {24, 0, 0x40, 0, 1241640, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 204, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 204, {status=0x0, info=1}, ) == 0x0
 01883   896   NtQueryInformationFile  (204, 1242076, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01884   896   NtQueryInformationFile  (204, 1241992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01885   896   NtQueryInformationFile  (204, 1241808, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01886   896   NtAllocateVirtualMemory  (-1, 1376256, 0, 8192, 4096, 4, ... 1376256, 8192, ) == 0x0
 01887   896   NtQueryInformationFile  (204, 1373656, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01888   896   NtQueryInformationFile  (204, 1240256, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01889   896   NtQueryInformationFile  (204, 1240532, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01890   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\LSASSS.EXE"}, 1239728, ... ) }, 1239728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01891   896   NtOpenProcessToken  (-1, 0x28, ... 208, ) == 0x0
 01892   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01893   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01894   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01895   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01896   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1237956,  (0xc0100080, {24, 0, 0x40, 0, 1237956, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 216, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 216, {status=0x0, info=1}, ) == 0x0
 01897   896   NtSetInformationFile  (216, 1238012, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01898   896   NtSetInformationFile  (216, 1238000, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01899   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01900   896   NtWriteFile  (216, 57, 0, 0,  (216, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01901   896   NtReadFile  (216, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (216, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20r+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01902   896   NtFsControlFile  (216, 57, 0x0, 0x0, 0x11c017,  (216, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20r+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (216, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20r+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01903   896   NtFsControlFile  (216, 57, 0x0, 0x0, 0x11c017,  (216, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0p\0\0\0\2\0\0\0X\0\0\0\0\0\37\0\0\0\0\0\323Qv{{kdE\276\24\250\200.\243j\2760\02\0\240\363\24\0\31\0\0\0\0\0\0\0\30\0\0\0S\0e\0T\0a\0k\0e\0O\0w\0n\0e\0r\0s\0h\0i\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 112, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\323Qv{{kdE\276\24\250\200.\243j\276\0\0\0\0", ) , 112, 1024, ... {status=0x103, info=48},  (216, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0p\0\0\0\2\0\0\0X\0\0\0\0\0\37\0\0\0\0\0\323Qv{{kdE\276\24\250\200.\243j\2760\02\0\240\363\24\0\31\0\0\0\0\0\0\0\30\0\0\0S\0e\0T\0a\0k\0e\0O\0w\0n\0e\0r\0s\0h\0i\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 112, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\323Qv{{kdE\276\24\250\200.\243j\276\0\0\0\0", ) , ) == 0x103
 01904   896   NtFsControlFile  (216, 57, 0x0, 0x0, 0x11c017,  (216, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\323Qv{{kdE\276\24\250\200.\243j\276", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (216, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\323Qv{{kdE\276\24\250\200.\243j\276", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01905   896   NtClose  (212, ... ) == 0x0
 01906   896   NtClose  (216, ... ) == 0x0
 01907   896   NtAdjustPrivilegesToken  (208, 0, 1239800, 0, 0, 0, ... ) == 0x0
 01908   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01909   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 216, ) == 0x0
 01910   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01911   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01912   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1237956,  (0xc0100080, {24, 0, 0x40, 0, 1237956, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 212, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 212, {status=0x0, info=1}, ) == 0x0
 01913   896   NtSetInformationFile  (212, 1238012, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01914   896   NtSetInformationFile  (212, 1238000, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01915   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01916   896   NtWriteFile  (212, 57, 0, 0,  (212, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01917   896   NtReadFile  (212, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (212, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20s+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01918   896   NtFsControlFile  (212, 57, 0x0, 0x0, 0x11c017,  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20s+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20s+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01919   896   NtFsControlFile  (212, 57, 0x0, 0x0, 0x11c017,  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0d\0\0\0\2\0\0\0L\0\0\0\0\0\37\0\0\0\0\0\204v\6\203\262C\32F\210\231\322\305\374\260\16w$\0&\08\211\24\0\23\0\0\0\0\0\0\0\22\0\0\0S\0e\0R\0e\0s\0t\0o\0r\0e\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 100, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\204v\6\203\262C\32F\210\231\322\305\374\260\16w\0\0\0\0", ) , 100, 1024, ... {status=0x103, info=48},  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0d\0\0\0\2\0\0\0L\0\0\0\0\0\37\0\0\0\0\0\204v\6\203\262C\32F\210\231\322\305\374\260\16w$\0&\08\211\24\0\23\0\0\0\0\0\0\0\22\0\0\0S\0e\0R\0e\0s\0t\0o\0r\0e\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 100, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\204v\6\203\262C\32F\210\231\322\305\374\260\16w\0\0\0\0", ) , ) == 0x103
 01920   896   NtFsControlFile  (212, 57, 0x0, 0x0, 0x11c017,  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\204v\6\203\262C\32F\210\231\322\305\374\260\16w", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\204v\6\203\262C\32F\210\231\322\305\374\260\16w", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01921   896   NtClose  (216, ... ) == 0x0
 01922   896   NtClose  (212, ... ) == 0x0
 01923   896   NtAdjustPrivilegesToken  (208, 0, 1239800, 0, 0, 0, ... ) == 0x0
 01924   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01925   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0
 01926   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01927   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01928   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1237956,  (0xc0100080, {24, 0, 0x40, 0, 1237956, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 216, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 216, {status=0x0, info=1}, ) == 0x0
 01929   896   NtSetInformationFile  (216, 1238012, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01930   896   NtSetInformationFile  (216, 1238000, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01931   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01932   896   NtWriteFile  (216, 57, 0, 0,  (216, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01933   896   NtReadFile  (216, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (216, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20t+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01934   896   NtFsControlFile  (216, 57, 0x0, 0x0, 0x11c017,  (216, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20t+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (216, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20t+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01935   896   NtFsControlFile  (216, 57, 0x0, 0x0, 0x11c017,  (216, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0:\341\25\375%\246\352B\204\366\320\272\346s\342G"\0$\08\211\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0:\341\25\375%\246\352B\204\366\320\272\346s\342G\0\0\0\0", ) \0$\08\211\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (216, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0:\341\25\375%\246\352B\204\366\320\272\346s\342G"\0$\08\211\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0:\341\25\375%\246\352B\204\366\320\272\346s\342G\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0:\341\25\375%\246\352B\204\366\320\272\346s\342G\0\0\0\0", ) == 0x103
 01936   896   NtFsControlFile  (216, 57, 0x0, 0x0, 0x11c017,  (216, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0:\341\25\375%\246\352B\204\366\320\272\346s\342G", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (216, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0:\341\25\375%\246\352B\204\366\320\272\346s\342G", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01937   896   NtClose  (212, ... ) == 0x0
 01938   896   NtClose  (216, ... ) == 0x0
 01939   896   NtAdjustPrivilegesToken  (208, 0, 1239800, 0, 0, 0, ... ) == 0x0
 01940   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01941   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 216, ) == 0x0
 01942   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01943   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01944   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1237956,  (0xc0100080, {24, 0, 0x40, 0, 1237956, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 212, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 212, {status=0x0, info=1}, ) == 0x0
 01945   896   NtSetInformationFile  (212, 1238012, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01946   896   NtSetInformationFile  (212, 1238000, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01947   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01948   896   NtWriteFile  (212, 57, 0, 0,  (212, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01949   896   NtReadFile  (212, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (212, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20u+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01950   896   NtFsControlFile  (212, 57, 0x0, 0x0, 0x11c017,  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20u+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20u+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01951   896   NtFsControlFile  (212, 57, 0x0, 0x0, 0x11c017,  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0n\0\0\0\2\0\0\0V\0\0\0\0\0\37\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231.\00\0x\365\24\0\30\0\0\0\0\0\0\0\27\0\0\0S\0e\0C\0h\0a\0n\0g\0e\0N\0o\0t\0i\0f\0y\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 110, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231\0\0\0\0", ) , 110, 1024, ... {status=0x103, info=48},  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0n\0\0\0\2\0\0\0V\0\0\0\0\0\37\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231.\00\0x\365\24\0\30\0\0\0\0\0\0\0\27\0\0\0S\0e\0C\0h\0a\0n\0g\0e\0N\0o\0t\0i\0f\0y\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 110, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231\0\0\0\0", ) , ) == 0x103
 01952   896   NtFsControlFile  (212, 57, 0x0, 0x0, 0x11c017,  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (212, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01953   896   NtClose  (216, ... ) == 0x0
 01954   896   NtClose  (212, ... ) == 0x0
 01955   896   NtAdjustPrivilegesToken  (208, 0, 1239800, 0, 0, 0, ... ) == 0x0
 01956   896   NtQueryInformationToken  (208, User, 100, ... {token info, class 1, size 36}, 36, ) == 0x0
 01957   896   NtClose  (208, ... ) == 0x0
 01958   896   NtOpenFile  (0x80000, {24, 0, 0x40, 0, 0,  (0x80000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\LSASSS.EXE"}, 7, 2097152, ... ) }, 7, 2097152, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01959   896   NtOpenFile  (0x40000, {24, 0, 0x40, 0, 0,  (0x40000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\LSASSS.EXE"}, 7, 2097152, ... ) }, 7, 2097152, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01960   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\LSASSS.EXE"}, 1239728, ... ) }, 1239728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01961   896   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240408,  (0x40110080, {24, 0, 0x40, 0, 1240408, "\??\C:\WINDOWS\lsasss.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01962   896   NtClose  (-2147482748, ... ) == 0x0
 01961   896   NtCreateFile  ... 208, {status=0x0, info=2}, ) == 0x0
 01963   896   NtQueryVolumeInformationFile  (208, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01964   896   NtQueryInformationFile  (208, 1240144, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01965   896   NtQueryVolumeInformationFile  (204, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01966   896   NtQueryVolumeInformationFile  (204, 1239904, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01967   896   NtSetInformationFile  (208, 1240460, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01968   896   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 204, ... 212, ) == 0x0
 01969   896   NtMapViewOfSection  (212, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 126976, ) == 0x0
 01970   896   NtClose  (212, ... ) == 0x0
 01971   896   NtWriteFile  (208, 0, 0, 0,  (208, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0i8\366\222-Y\230\301-Y\230\301-Y\230\301\256Q\305\301/Y\230\301-Y\230\301.Y\230\301\305F\222\3017Y\230\301\256E\226\301&Y\230\301-Y\231\301}Y\230\301OF\213\301$Y\230\301\305F\223\301)Y\230\301Rich-Y\230\301\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\2\0\240\240\240\240\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0\0\200\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24\200\0\0\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0p\0\0\0\20\0\0\02\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \0\0\0\0\0\0\0\200\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24\200\0\0\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0p\0\0\0\20\0\0\02\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01972   896   NtWriteFile  (208, 0, 0, 0,  (208, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01973   896   NtWriteFile  (208, 0, 0, 0,  (208, 0, 0, 0, "r\306\236l\370n5\243{|\15v\11\202y~\351\255]\17Gs\211\206v\214\25\220\30b\323\370\24W\14\226\32\206\232\223\224\224 \234\237\27~\3743\2350\3\237\17\153\311\254\2555\212y\255;\7\330\311?\211\264\244\272\34\264D\231H\233\272\301\245K\240\277\303S\35\356\333\375\215]Q\210\321\322\323\227\\261\2508\260(\240\24\33\14\244\203\370\223\211\330PQ\330\253b\250 \31\361\210\0\270\360\363<|\324\274\354\2219\330\227J\220\10\12\200\37\21`\330\331\200;\3520\250\240\221\370\374\10\3\210\31\11X\3203\312\3038\330\311\30\220\223\334\21rs{-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 512, 0x0, 0, ... {status=0x0, info=512}, ) , 512, 0x0, 0, ... {status=0x0, info=512}, ) == 0x0
 01974   896   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01975   896   NtSetInformationFile  (208, 1241808, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01976   896   NtClose  (204, ... ) == 0x0
 01977   896   NtClose  (208, ... ) == 0x0
 01978   896   NtOpenKey  (0x2000000, {24, 40, 0x40, 0, 0,  (0x2000000, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 208, ) }, ... 208, ) == 0x0
 01979   896   NtSetValueKey  (208,  (208, "lsasss.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0l\0s\0a\0s\0s\0s\0.\0e\0x\0e\0\0\0", 44, ... , 0, 1,  (208, "lsasss.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0l\0s\0a\0s\0s\0s\0.\0e\0x\0e\0\0\0", 44, ... , 44, ...
 01980   896   NtSetInformationFile  (-2147482448, -142629072, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01981   896   NtSetInformationFile  (-2147482448, -142629164, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01982   896   NtSetInformationFile  (-2147482448, -142629472, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01983   896   NtSetInformationFile  (-2147482448, -142629568, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01979   896   NtSetValueKey  ... ) == 0x0
 01984   896   NtClose  (208, ... ) == 0x0
 01985   896   NtOpenKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 208, ) }, ... 208, ) == 0x0
 01986   896   NtDeleteValueKey  (208,  (208, "ssgrate.exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01987   896   NtClose  (208, ... ) == 0x0
 01988   896   NtOpenKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 208, ) }, ... 208, ) == 0x0
 01989   896   NtDeleteValueKey  (208,  (208, "drvsys.exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01990   896   NtClose  (208, ... ) == 0x0
 01991   896   NtOpenKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 208, ) }, ... 208, ) == 0x0
 01992   896   NtDeleteValueKey  (208,  (208, "Drvddll_exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01993   896   NtClose  (208, ... ) == 0x0
 01994   896   NtCreateMutant  (0x1f0001, {24, 16, 0x80, 0, 0,  (0x1f0001, {24, 16, 0x80, 0, 0, "SkynetNotice"}, 0, ... 208, ) }, 0, ... 208, ) == 0x0
 01995   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12648448, 1048576, ) == 0x0
 01996   896   NtAllocateVirtualMemory  (-1, 13688832, 0, 8192, 4096, 4, ... 13688832, 8192, ) == 0x0
 01997   896   NtProtectVirtualMemory  (-1, (0xd0e000), 4096, 260, ... (0xd0e000), 4096, 4, ) == 0x0
 01998   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 204, {1252, 1696}, ) == 0x0
 01999   896   NtQueryInformationThread  (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1252,Tid=1696,}, 0x0, ) == 0x0
 02000   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\240\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\240\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81901, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\240\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\240\6\0\0" )  ) == 0x0
 02001   896   NtResumeThread  (204, ... 1, ) == 0x0
 02002  1696   NtTestAlert  (... ) == 0x0
 02003  1696   NtContinue  (13696304, 1, ...
 02004  1696   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02005  1696   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 212, ) == 0x0
 02006  1696   NtWaitForSingleObject  (188, 0, {0, 0}, ... ) == 0x102
 02007  1696   NtAllocateVirtualMemory  (-1, 13684736, 0, 4096, 4096, 260, ...
 02008   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13697024, 1048576, ) == 0x0
 02009   896   NtAllocateVirtualMemory  (-1, 14737408, 0, 8192, 4096, 4, ... 14737408, 8192, ) == 0x0
 02010   896   NtProtectVirtualMemory  (-1, (0xe0e000), 4096, 260, ... (0xe0e000), 4096, 4, ) == 0x0
 02011   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1252, 1200}, ) == 0x0
 02012   896   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1252,Tid=1200,}, 0x0, ) == 0x0
 02013   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81901, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\260\4\0\0" ...  ...
 02007  1696   NtAllocateVirtualMemory  ... 13684736, 4096, ) == 0x0
 02014  1696   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13693428, ... ) }, 13693428, ... ) == 0x0
 02015  1696   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 220, {status=0x0, info=1}, ) }, 5, 96, ... 220, {status=0x0, info=1}, ) == 0x0
 02016  1696   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 220, ...
 02013   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81902, 0}  ... {28, 56, reply, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\260\4\0\0" )  ) == 0x0
 02017   896   NtResumeThread  (216, ... 1, ) == 0x0
 02018   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14745600, 1048576, ) == 0x0
 02019   896   NtAllocateVirtualMemory  (-1, 15785984, 0, 8192, 4096, 4, ... 15785984, 8192, ) == 0x0
 02020   896   NtProtectVirtualMemory  (-1, (0xf0e000), 4096, 260, ... (0xf0e000), 4096, 4, ) == 0x0
 02021   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {1252, 1396}, ) == 0x0
 02022   896   NtQueryInformationThread  (224, Basic, 28, ...
 02016  1696   NtCreateSection  ... 228, ) == 0x0
 02023  1200   NtWaitForSingleObject  (128, 0, 0x0, ...
 02024  1696   NtClose  (220, ... ) == 0x0
 02025  1696   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xf10000), 0x0, 245760, ) == 0x0
 02026  1696   NtClose  (228, ... ) == 0x0
 02027  1696   NtUnmapViewOfSection  (-1, 0xf10000, ... ) == 0x0
 02028  1696   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13693736, ... ) }, 13693736, ... ) == 0x0
 02029  1696   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... }, 5, 96, ...
 02022   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1252,Tid=1396,}, 0x0, ) == 0x0
 02030   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81902, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0t\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81903, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0t\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81903, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0t\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81903, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0t\5\0\0" )  ) == 0x0
 02031   896   NtResumeThread  (224, ... 1, ) == 0x0
 02032   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15794176, 1048576, ) == 0x0
 02033   896   NtAllocateVirtualMemory  (-1, 16834560, 0, 8192, 4096, 4, ... 16834560, 8192, ) == 0x0
 02034   896   NtProtectVirtualMemory  (-1, (0x100e000), 4096, 260, ... (0x100e000), 4096, 4, ) == 0x0
 02029  1696   NtOpenFile  ... 228, {status=0x0, info=1}, ) == 0x0
 02035  1396   NtWaitForSingleObject  (128, 0, 0x0, ...
 02036  1696   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 228, ... 220, ) == 0x0
 02037  1696   NtQuerySection  (220, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02038  1696   NtClose  (228, ... ) == 0x0
 02039  1696   NtMapViewOfSection  (220, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 02040  1696   NtClose  (220, ... ) == 0x0
 02041  1696   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 02042   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {1252, 1852}, ) == 0x0
 02043   896   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1252,Tid=1852,}, 0x0, ) == 0x0
 02044   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81903, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81903, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0<\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0<\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81904, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81903, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0<\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0<\7\0\0" )  ) == 0x0
 02045   896   NtResumeThread  (220, ... 1, ) == 0x0
 02046   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 16842752, 1048576, ) == 0x0
 02047   896   NtAllocateVirtualMemory  (-1, 17883136, 0, 8192, 4096, 4, ...
 02041  1696   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 02048  1852   NtWaitForSingleObject  (128, 0, 0x0, ...
 02049  1696   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 02050  1696   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 02051  1696   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 02052  1696   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 02053  1696   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 02054  1696   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 02047   896   NtAllocateVirtualMemory  ... 17883136, 8192, ) == 0x0
 02055   896   NtProtectVirtualMemory  (-1, (0x110e000), 4096, 260, ... (0x110e000), 4096, 4, ) == 0x0
 02056   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1252, 504}, ) == 0x0
 02057   896   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1252,Tid=504,}, 0x0, ) == 0x0
 02058   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81904, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\370\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81905, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\370\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81905, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\370\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81905, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\370\1\0\0" )  ) == 0x0
 02059   896   NtResumeThread  (228, ... 1, ) == 0x0
 02054  1696   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 02060   504   NtWaitForSingleObject  (128, 0, 0x0, ...
 02061  1696   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 02062  1696   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 02063  1696   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02064  1696   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02065  1696   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02066  1696   NtSetEventBoostPriority  (128, ...
 02067   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17891328, 1048576, ) == 0x0
 02068   896   NtAllocateVirtualMemory  (-1, 18931712, 0, 8192, 4096, 4, ... 18931712, 8192, ) == 0x0
 02069   896   NtProtectVirtualMemory  (-1, (0x120e000), 4096, 260, ... (0x120e000), 4096, 4, ) == 0x0
 02070   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1252, 1740}, ) == 0x0
 02071   896   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1252,Tid=1740,}, 0x0, ) == 0x0
 02072   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81905, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81905, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\314\6\0\0" ...  ...
 02023  1200   NtWaitForSingleObject  ... ) == 0x0
 02073  1200   NtSetEventBoostPriority  (128, ...
 02035  1396   NtWaitForSingleObject  ... ) == 0x0
 02074  1396   NtSetEventBoostPriority  (128, ...
 02048  1852   NtWaitForSingleObject  ... ) == 0x0
 02075  1852   NtSetEventBoostPriority  (128, ...
 02060   504   NtWaitForSingleObject  ... ) == 0x0
 02076   504   NtTestAlert  (... ) == 0x0
 02075  1852   NtSetEventBoostPriority  ... ) == 0x0
 02074  1396   NtSetEventBoostPriority  ... ) == 0x0
 02073  1200   NtSetEventBoostPriority  ... ) == 0x0
 02066  1696   NtSetEventBoostPriority  ... ) == 0x0
 02072   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81906, 0}  ... {28, 56, reply, 0, 1252, 896, 81906, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\314\6\0\0" )  ) == 0x0
 02077   504   NtContinue  (17890608, 1, ...
 02078  1852   NtTestAlert  (...
 02079  1396   NtTestAlert  (...
 02080  1696   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02081   896   NtResumeThread  (232, ...
 02082   504   NtRegisterThreadTerminatePort  (24, ...
 02078  1852   NtTestAlert  ... ) == 0x0
 02079  1396   NtTestAlert  ... ) == 0x0
 02080  1696   NtCreateEvent  ... 236, ) == 0x0
 02081   896   NtResumeThread  ... 1, ) == 0x0
 02082   504   NtRegisterThreadTerminatePort  ... ) == 0x0
 02083  1852   NtContinue  (16842032, 1, ...
 02084  1396   NtContinue  (15793456, 1, ...
 02085  1696   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 02086   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02087   504   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02088  1852   NtRegisterThreadTerminatePort  (24, ...
 02089  1396   NtRegisterThreadTerminatePort  (24, ...
 02085  1696   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02086   896   NtAllocateVirtualMemory  ... 18939904, 1048576, ) == 0x0
 02088  1852   NtRegisterThreadTerminatePort  ... ) == 0x0
 02089  1396   NtRegisterThreadTerminatePort  ... ) == 0x0
 02090  1696   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 13693348, ... }, 13693348, ...
 02091   896   NtAllocateVirtualMemory  (-1, 19980288, 0, 8192, 4096, 4, ...
 02092  1852   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02093  1396   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02094  1200   NtTestAlert  (...
 02095  1740   NtWaitForSingleObject  (128, 0, 0x0, ...
 02087   504   NtSetInformationThread  ... ) == 0x0
 02091   896   NtAllocateVirtualMemory  ... 19980288, 8192, ) == 0x0
 02094  1200   NtTestAlert  ... ) == 0x0
 02096   896   NtProtectVirtualMemory  (-1, (0x130e000), 4096, 260, ...
 02097  1200   NtContinue  (14744880, 1, ...
 02096   896   NtProtectVirtualMemory  ... (0x130e000), 4096, 4, ) == 0x0
 02098  1200   NtRegisterThreadTerminatePort  (24, ...
 02099   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02098  1200   NtRegisterThreadTerminatePort  ... ) == 0x0
 02099   896   NtCreateThread  ... 240, {1252, 1700}, ) == 0x0
 02100  1200   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02101   896   NtQueryInformationThread  (240, Basic, 28, ...
 02102   504   NtQueryValueKey  (136,  (136, "FromCacheTimeout", Partial, 144, ... , Partial, 144, ...
 02090  1696   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02101   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1252,Tid=1700,}, 0x0, ) == 0x0
 02102   504   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02103   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81906, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81906, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0\244\6\0\0" ...  ...
 02104  1696   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 13693348, ... }, 13693348, ...
 02103   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81907, 0}  ... {28, 56, reply, 0, 1252, 896, 81907, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0\244\6\0\0" )  ) == 0x0
 02104  1696   NtQueryAttributesFile  ... ) == 0x0
 02105   896   NtResumeThread  (240, ...
 02106  1696   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ...
 02105   896   NtResumeThread  ... 1, ) == 0x0
 02106  1696   NtOpenFile  ... 244, {status=0x0, info=1}, ) == 0x0
 02107   504   NtQueryValueKey  (136,  (136, "SecureProtocols", Partial, 144, ... , Partial, 144, ...
 02108  1700   NtWaitForSingleObject  (128, 0, 0x0, ...
 02109  1696   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 244, ...
 02110   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02109  1696   NtCreateSection  ... 248, ) == 0x0
 02110   896   NtAllocateVirtualMemory  ... 19988480, 1048576, ) == 0x0
 02107   504   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) }, 16, ) == 0x0
 02111   896   NtAllocateVirtualMemory  (-1, 21028864, 0, 8192, 4096, 4, ...
 02112  1696   NtQuerySection  (248, Image, 48, ...
 02111   896   NtAllocateVirtualMemory  ... 21028864, 8192, ) == 0x0
 02112  1696   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02113   896   NtProtectVirtualMemory  (-1, (0x140e000), 4096, 260, ...
 02114  1696   NtClose  (244, ...
 02113   896   NtProtectVirtualMemory  ... (0x140e000), 4096, 4, ) == 0x0
 02114  1696   NtClose  ... ) == 0x0
 02115   504   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies"}, ... }, ...
 02116  1696   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02117   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02092  1852   NtSetInformationThread  ... ) == 0x0
 02093  1396   NtSetInformationThread  ... ) == 0x0
 02100  1200   NtSetInformationThread  ... ) == 0x0
 02116  1696   NtMapViewOfSection  ... (0x662b0000), 0x0, 360448, ) == 0x0
 02117   896   NtCreateThread  ... 244, {1252, 1028}, ) == 0x0
 02118  1852   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 02119  1396   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 02120  1200   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 02121   896   NtQueryInformationThread  (244, Basic, 28, ...
 02122  1696   NtClose  (248, ...
 02118  1852   NtCreateEvent  ... 252, ) == 0x0
 02119  1396   NtCreateEvent  ... 256, ) == 0x0
 02121   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1252,Tid=1028,}, 0x0, ) == 0x0
 02122  1696   NtClose  ... ) == 0x0
 02120  1200   NtCreateEvent  ... 248, ) == 0x0
 02123  1852   NtWaitForSingleObject  (252, 0, 0x0, ...
 02124   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81907, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81907, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0\4\4\0\0" ...  ...
 02125  1696   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 02126  1396   NtClose  (256, ...
 02127  1200   NtClose  (248, ...
 02125  1696   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 02124   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81908, 0}  ... {28, 56, reply, 0, 1252, 896, 81908, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0\4\4\0\0" )  ) == 0x0
 02126  1396   NtClose  ... ) == 0x0
 02128  1696   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 02129   896   NtResumeThread  (244, ...
 02127  1200   NtClose  ... ) == 0x0
 02128  1696   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 02129   896   NtResumeThread  ... 1, ) == 0x0
 02130  1396   NtWaitForSingleObject  (252, 0, 0x0, ...
 02131  1200   NtWaitForSingleObject  (252, 0, 0x0, ...
 02132  1028   NtWaitForSingleObject  (128, 0, 0x0, ...
 02133   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02134  1696   NtFlushInstructionCache  (-1, 1714098176, 932, ...
 02115   504   NtOpenKey  ... 248, ) == 0x0
 02133   896   NtAllocateVirtualMemory  ... 21037056, 1048576, ) == 0x0
 02134  1696   NtFlushInstructionCache  ... ) == 0x0
 02135   896   NtAllocateVirtualMemory  (-1, 22077440, 0, 8192, 4096, 4, ...
 02136  1696   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 02137   504   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "Software\Policies"}, ... }, ...
 02136  1696   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 02135   896   NtAllocateVirtualMemory  ... 22077440, 8192, ) == 0x0
 02138  1696   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 02139   896   NtProtectVirtualMemory  (-1, (0x150e000), 4096, 260, ...
 02138  1696   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 02139   896   NtProtectVirtualMemory  ... (0x150e000), 4096, 4, ) == 0x0
 02137   504   NtOpenKey  ... 256, ) == 0x0
 02140   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02141  1696   NtFlushInstructionCache  (-1, 1714098176, 932, ...
 02140   896   NtCreateThread  ... 260, {1252, 428}, ) == 0x0
 02141  1696   NtFlushInstructionCache  ... ) == 0x0
 02142   896   NtQueryInformationThread  (260, Basic, 28, ...
 02143  1696   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 02144   504   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "Software"}, ... }, ...
 02143  1696   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 02142   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1252,Tid=428,}, 0x0, ) == 0x0
 02145  1696   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 02146   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81908, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81908, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\344\4\0\0\254\1\0\0" ...  ...
 02145  1696   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 02146   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81909, 0}  ... {28, 56, reply, 0, 1252, 896, 81909, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\344\4\0\0\254\1\0\0" )  ) == 0x0
 02144   504   NtOpenKey  ... 264, ) == 0x0
 02147   896   NtResumeThread  (260, ...
 02148  1696   NtFlushInstructionCache  (-1, 1714098176, 932, ...
 02147   896   NtResumeThread  ... 1, ) == 0x0
 02148  1696   NtFlushInstructionCache  ... ) == 0x0
 02149   504   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software"}, ... }, ...
 02150   428   NtWaitForSingleObject  (128, 0, 0x0, ...
 02151  1696   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 02152   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02151  1696   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 02152   896   NtAllocateVirtualMemory  ... 22085632, 1048576, ) == 0x0
 02153  1696   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 02154   896   NtAllocateVirtualMemory  (-1, 23126016, 0, 8192, 4096, 4, ...
 02153  1696   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 02154   896   NtAllocateVirtualMemory  ... 23126016, 8192, ) == 0x0
 02155   896   NtProtectVirtualMemory  (-1, (0x160e000), 4096, 260, ... (0x160e000), 4096, 4, ) == 0x0
 02156   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 268, {1252, 1732}, ) == 0x0
 02157   896   NtQueryInformationThread  (268, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1252,Tid=1732,}, 0x0, ) == 0x0
 02158   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81909, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81909, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\344\4\0\0\304\6\0\0" ...  ...
 02159  1696   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 02160  1696   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 02161  1696   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 02158   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81910, 0}  ... {28, 56, reply, 0, 1252, 896, 81910, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\344\4\0\0\304\6\0\0" )  ) == 0x0
 02162   896   NtResumeThread  (268, ... 1, ) == 0x0
 02163   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23134208, 1048576, ) == 0x0
 02164   896   NtAllocateVirtualMemory  (-1, 24174592, 0, 8192, 4096, 4, ... 24174592, 8192, ) == 0x0
 02165   896   NtProtectVirtualMemory  (-1, (0x170e000), 4096, 260, ... (0x170e000), 4096, 4, ) == 0x0
 02166   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 272, {1252, 748}, ) == 0x0
 02167   896   NtQueryInformationThread  (272, Basic, 28, ...
 02168  1696   NtFlushInstructionCache  (-1, 1714098176, 932, ...
 02169  1732   NtWaitForSingleObject  (128, 0, 0x0, ...
 02168  1696   NtFlushInstructionCache  ... ) == 0x0
 02170  1696   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02171  1696   NtSetEventBoostPriority  (128, ...
 02095  1740   NtWaitForSingleObject  ... ) == 0x0
 02172  1740   NtSetEventBoostPriority  (128, ...
 02108  1700   NtWaitForSingleObject  ... ) == 0x0
 02173  1700   NtSetEventBoostPriority  (128, ...
 02132  1028   NtWaitForSingleObject  ... ) == 0x0
 02174  1028   NtSetEventBoostPriority  (128, ...
 02150   428   NtWaitForSingleObject  ... ) == 0x0
 02175   428   NtSetEventBoostPriority  (128, ...
 02169  1732   NtWaitForSingleObject  ... ) == 0x0
 02176  1732   NtTestAlert  (... ) == 0x0
 02175   428   NtSetEventBoostPriority  ... ) == 0x0
 02174  1028   NtSetEventBoostPriority  ... ) == 0x0
 02173  1700   NtSetEventBoostPriority  ... ) == 0x0
 02172  1740   NtSetEventBoostPriority  ... ) == 0x0
 02171  1696   NtSetEventBoostPriority  ... ) == 0x0
 02167   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1252,Tid=748,}, 0x0, ) == 0x0
 02177  1732   NtContinue  (23133488, 1, ...
 02178   428   NtTestAlert  (...
 02179  1028   NtTestAlert  (...
 02180  1700   NtTestAlert  (...
 02181  1740   NtTestAlert  (...
 02182   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81910, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81910, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\344\4\0\0\354\2\0\0" ...  ...
 02183  1732   NtRegisterThreadTerminatePort  (24, ...
 02178   428   NtTestAlert  ... ) == 0x0
 02179  1028   NtTestAlert  ... ) == 0x0
 02180  1700   NtTestAlert  ... ) == 0x0
 02181  1740   NtTestAlert  ... ) == 0x0
 02182   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81911, 0}  ... {28, 56, reply, 0, 1252, 896, 81911, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\344\4\0\0\354\2\0\0" )  ) == 0x0
 02183  1732   NtRegisterThreadTerminatePort  ... ) == 0x0
 02184   428   NtContinue  (22084912, 1, ...
 02185  1028   NtContinue  (21036336, 1, ...
 02186  1700   NtContinue  (19987760, 1, ...
 02187  1740   NtContinue  (18939184, 1, ...
 02188   896   NtResumeThread  (272, ...
 02189  1732   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02190   428   NtRegisterThreadTerminatePort  (24, ...
 02191  1028   NtRegisterThreadTerminatePort  (24, ...
 02192  1700   NtRegisterThreadTerminatePort  (24, ...
 02193  1740   NtRegisterThreadTerminatePort  (24, ...
 02188   896   NtResumeThread  ... 1, ) == 0x0
 02190   428   NtRegisterThreadTerminatePort  ... ) == 0x0
 02191  1028   NtRegisterThreadTerminatePort  ... ) == 0x0
 02192  1700   NtRegisterThreadTerminatePort  ... ) == 0x0
 02193  1740   NtRegisterThreadTerminatePort  ... ) == 0x0
 02194  1696   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02195   748   NtTestAlert  (...
 02189  1732   NtSetInformationThread  ... ) == 0x0
 02196   428   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02197  1028   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02198  1700   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02199  1740   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02194  1696   NtCreateEvent  ... 276, ) == 0x0
 02195   748   NtTestAlert  ... ) == 0x0
 02200   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02201  1732   NtWaitForSingleObject  (252, 0, 0x0, ...
 02202  1696   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02203   748   NtContinue  (24182064, 1, ...
 02200   896   NtAllocateVirtualMemory  ... 24182784, 1048576, ) == 0x0
 02202  1696   NtDuplicateObject  ... 280, ) == 0x0
 02204   748   NtRegisterThreadTerminatePort  (24, ...
 02205   896   NtAllocateVirtualMemory  (-1, 25223168, 0, 8192, 4096, 4, ...
 02206  1696   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 02204   748   NtRegisterThreadTerminatePort  ... ) == 0x0
 02205   896   NtAllocateVirtualMemory  ... 25223168, 8192, ) == 0x0
 02206  1696   NtOpenKey  ... 284, ) == 0x0
 02207   896   NtProtectVirtualMemory  (-1, (0x180e000), 4096, 260, ...
 02208   748   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02207   896   NtProtectVirtualMemory  ... (0x180e000), 4096, 4, ) == 0x0
 02208   748   NtSetInformationThread  ... ) == 0x0
 02209  1696   NtQueryValueKey  (284,  (284, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 02210   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02209  1696   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02210   896   NtCreateThread  ... 288, {1252, 1372}, ) == 0x0
 02211  1696   NtClose  (284, ...
 02212   896   NtQueryInformationThread  (288, Basic, 28, ...
 02211  1696   NtClose  ... ) == 0x0
 02212   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1252,Tid=1372,}, 0x0, ) == 0x0
 02213  1696   NtOpenThreadToken  (-2, 0xc, 1, ...
 02214   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81911, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81911, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\344\4\0\0\\5\0\0" ...  ...
 02213  1696   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02214   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81912, 0}  ... {28, 56, reply, 0, 1252, 896, 81912, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\344\4\0\0\\5\0\0" )  ) == 0x0
 02215   748   NtWaitForSingleObject  (252, 0, 0x0, ...
 02216   896   NtResumeThread  (288, ...
 02217  1696   NtOpenThreadToken  (-2, 0x20008, 1, ...
 02216   896   NtResumeThread  ... 1, ) == 0x0
 02217  1696   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02218   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02219  1696   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13693040, ... }, 13693040, ...
 02218   896   NtAllocateVirtualMemory  ... 25231360, 1048576, ) == 0x0
 02219  1696   NtQueryAttributesFile  ... ) == 0x0
 02220   896   NtAllocateVirtualMemory  (-1, 26271744, 0, 8192, 4096, 4, ...
 02221  1696   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 02222  1372   NtTestAlert  (...
 02221  1696   NtOpenKey  ... 284, ) == 0x0
 02222  1372   NtTestAlert  ... ) == 0x0
 02220   896   NtAllocateVirtualMemory  ... 26271744, 8192, ) == 0x0
 02223  1372   NtContinue  (25230640, 1, ...
 02224   896   NtProtectVirtualMemory  (-1, (0x190e000), 4096, 260, ...
 02225  1372   NtRegisterThreadTerminatePort  (24, ...
 02224   896   NtProtectVirtualMemory  ... (0x190e000), 4096, 4, ) == 0x0
 02225  1372   NtRegisterThreadTerminatePort  ... ) == 0x0
 02226   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02227  1696   NtQueryValueKey  (284,  (284, "Transports", Partial, 144, ... , Partial, 144, ...
 02226   896   NtCreateThread  ... 292, {1252, 1600}, ) == 0x0
 02227  1696   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 02228   896   NtQueryInformationThread  (292, Basic, 28, ...
 02229  1696   NtQueryValueKey  (284,  (284, "Transports", Partial, 144, ... , Partial, 144, ...
 02230  1372   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02229  1696   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 02231  1696   NtClose  (284, ... ) == 0x0
 02232  1696   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 284, ) }, ... 284, ) == 0x0
 02233  1696   NtQueryValueKey  (284,  (284, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02234  1696   NtQueryValueKey  (284,  (284, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02228   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1252,Tid=1600,}, 0x0, ) == 0x0
 02230  1372   NtSetInformationThread  ... ) == 0x0
 02235   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81912, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81912, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\344\4\0\0@\6\0\0" ...  ...
 02236  1696   NtQueryValueKey  (284,  (284, "Mapping", Partial, 152, ... , Partial, 152, ...
 02235   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81913, 0}  ... {28, 56, reply, 0, 1252, 896, 81913, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\344\4\0\0@\6\0\0" )  ) == 0x0
 02236  1696   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 02237   896   NtResumeThread  (292, ...
 02238  1696   NtClose  (284, ...
 02237   896   NtResumeThread  ... 1, ) == 0x0
 02238  1696   NtClose  ... ) == 0x0
 02239  1372   NtWaitForSingleObject  (252, 0, 0x0, ...
 02240  1600   NtTestAlert  (...
 02241  1696   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 02242   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02240  1600   NtTestAlert  ... ) == 0x0
 02241  1696   NtOpenKey  ... 284, ) == 0x0
 02242   896   NtAllocateVirtualMemory  ... 26279936, 1048576, ) == 0x0
 02243  1600   NtContinue  (26279216, 1, ...
 02244   896   NtAllocateVirtualMemory  (-1, 27320320, 0, 8192, 4096, 4, ...
 02245  1600   NtRegisterThreadTerminatePort  (24, ...
 02244   896   NtAllocateVirtualMemory  ... 27320320, 8192, ) == 0x0
 02245  1600   NtRegisterThreadTerminatePort  ... ) == 0x0
 02246   896   NtProtectVirtualMemory  (-1, (0x1a0e000), 4096, 260, ...
 02247  1696   NtQueryValueKey  (284,  (284, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 02246   896   NtProtectVirtualMemory  ... (0x1a0e000), 4096, 4, ) == 0x0
 02247  1696   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 02248  1600   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02249  1696   NtQueryValueKey  (284,  (284, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (284, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 02250  1696   NtQueryValueKey  (284,  (284, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (284, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02251  1696   NtQueryValueKey  (284,  (284, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (284, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02252  1696   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13693996, ... ) }, 13693996, ... ) == 0x0
 02253  1696   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 296, {status=0x0, info=1}, ) }, 5, 96, ... 296, {status=0x0, info=1}, ) == 0x0
 02254   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02248  1600   NtSetInformationThread  ... ) == 0x0
 02254   896   NtCreateThread  ... 300, {1252, 1300}, ) == 0x0
 02255  1696   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 296, ...
 02256   896   NtQueryInformationThread  (300, Basic, 28, ...
 02255  1696   NtCreateSection  ... 304, ) == 0x0
 02256   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1252,Tid=1300,}, 0x0, ) == 0x0
 02257  1696   NtClose  (296, ...
 02258   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81913, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81913, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0\344\4\0\0\24\5\0\0" ...  ...
 02257  1696   NtClose  ... ) == 0x0
 02259  1696   NtMapViewOfSection  (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x360000), 0x0, 20480, ) == 0x0
 02260  1696   NtClose  (304, ... ) == 0x0
 02261  1600   NtWaitForSingleObject  (252, 0, 0x0, ...
 02258   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81914, 0}  ... {28, 56, reply, 0, 1252, 896, 81914, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0\344\4\0\0\24\5\0\0" )  ) == 0x0
 02262   896   NtResumeThread  (300, ... 1, ) == 0x0
 02263   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27328512, 1048576, ) == 0x0
 02264   896   NtAllocateVirtualMemory  (-1, 28368896, 0, 8192, 4096, 4, ...
 02265  1300   NtWaitForSingleObject  (128, 0, 0x0, ...
 02264   896   NtAllocateVirtualMemory  ... 28368896, 8192, ) == 0x0
 02266   896   NtProtectVirtualMemory  (-1, (0x1b0e000), 4096, 260, ... (0x1b0e000), 4096, 4, ) == 0x0
 02267   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 304, {1252, 1096}, ) == 0x0
 02268   896   NtQueryInformationThread  (304, Basic, 28, ...
 02269  1696   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 02270  1696   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13694304, ... ) }, 13694304, ... ) == 0x0
 02271  1696   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 296, {status=0x0, info=1}, ) }, 5, 96, ... 296, {status=0x0, info=1}, ) == 0x0
 02272  1696   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 296, ... 308, ) == 0x0
 02268   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1252,Tid=1096,}, 0x0, ) == 0x0
 02273   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81914, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81914, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\1\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81915, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\1\0\0\344\4\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81915, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81914, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\1\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81915, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\1\0\0\344\4\0\0H\4\0\0" )  ) == 0x0
 02274   896   NtResumeThread  (304, ... 1, ) == 0x0
 02275   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28377088, 1048576, ) == 0x0
 02276   896   NtAllocateVirtualMemory  (-1, 29417472, 0, 8192, 4096, 4, ... 29417472, 8192, ) == 0x0
 02277   896   NtProtectVirtualMemory  (-1, (0x1c0e000), 4096, 260, ... (0x1c0e000), 4096, 4, ) == 0x0
 02278  1696   NtQuerySection  (308, Image, 48, ...
 02279  1096   NtWaitForSingleObject  (128, 0, 0x0, ...
 02278  1696   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02280  1696   NtClose  (296, ... ) == 0x0
 02281  1696   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0
 02282  1696   NtClose  (308, ... ) == 0x0
 02283  1696   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0
 02284   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 308, {1252, 1024}, ) == 0x0
 02285   896   NtQueryInformationThread  (308, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1252,Tid=1024,}, 0x0, ) == 0x0
 02286   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81915, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81915, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\344\4\0\0\0\4\0\0" ...  ...
 02287  1696   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0
 02288  1696   NtFlushInstructionCache  (-1, 1906905088, 128, ... ) == 0x0
 02286   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81916, 0}  ... {28, 56, reply, 0, 1252, 896, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\344\4\0\0\0\4\0\0" )  ) == 0x0
 02289   896   NtResumeThread  (308, ... 1, ) == 0x0
 02290   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29425664, 1048576, ) == 0x0
 02291   896   NtAllocateVirtualMemory  (-1, 30466048, 0, 8192, 4096, 4, ...
 02292  1696   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ...
 02293  1024   NtWaitForSingleObject  (128, 0, 0x0, ...
 02292  1696   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02294  1696   NtSetEventBoostPriority  (128, ...
 02265  1300   NtWaitForSingleObject  ... ) == 0x0
 02295  1300   NtSetEventBoostPriority  (128, ...
 02279  1096   NtWaitForSingleObject  ... ) == 0x0
 02296  1096   NtSetEventBoostPriority  (128, ...
 02293  1024   NtWaitForSingleObject  ... ) == 0x0
 02297  1024   NtTestAlert  (... ) == 0x0
 02296  1096   NtSetEventBoostPriority  ... ) == 0x0
 02295  1300   NtSetEventBoostPriority  ... ) == 0x0
 02294  1696   NtSetEventBoostPriority  ... ) == 0x0
 02291   896   NtAllocateVirtualMemory  ... 30466048, 8192, ) == 0x0
 02298  1024   NtContinue  (29424944, 1, ...
 02299  1096   NtTestAlert  (...
 02300  1696   NtClose  (284, ...
 02301   896   NtProtectVirtualMemory  (-1, (0x1d0e000), 4096, 260, ...
 02302  1024   NtRegisterThreadTerminatePort  (24, ...
 02299  1096   NtTestAlert  ... ) == 0x0
 02300  1696   NtClose  ... ) == 0x0
 02301   896   NtProtectVirtualMemory  ... (0x1d0e000), 4096, 4, ) == 0x0
 02302  1024   NtRegisterThreadTerminatePort  ... ) == 0x0
 02303  1096   NtContinue  (28376368, 1, ...
 02304  1300   NtTestAlert  (...
 02305   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02306  1024   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02307  1096   NtRegisterThreadTerminatePort  (24, ...
 02304  1300   NtTestAlert  ... ) == 0x0
 02305   896   NtCreateThread  ... 284, {1252, 500}, ) == 0x0
 02307  1096   NtRegisterThreadTerminatePort  ... ) == 0x0
 02308  1300   NtContinue  (27327792, 1, ...
 02309   896   NtQueryInformationThread  (284, Basic, 28, ...
 02310  1096   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02311  1300   NtRegisterThreadTerminatePort  (24, ...
 02312  1696   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 13696640, 67, ... }, 0x0, 0, 3, 3, 0, 13696640, 67, ...
 02306  1024   NtSetInformationThread  ... ) == 0x0
 02309   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1252,Tid=500,}, 0x0, ) == 0x0
 02311  1300   NtRegisterThreadTerminatePort  ... ) == 0x0
 02312  1696   NtCreateFile  ... 296, {status=0x0, info=0}, ) == 0x0
 02313   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81916, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\344\4\0\0\364\1\0\0" ...  ...
 02314  1300   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02315  1696   NtDeviceIoControlFile  (296, 236, 0x0, 0x0, 0x1207b,  (296, 236, 0x0, 0x0, 0x1207b, "\7\0\0\0\250q\250q%\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 02313   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81917, 0}  ... {28, 56, reply, 0, 1252, 896, 81917, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\344\4\0\0\364\1\0\0" )  ) == 0x0
 02316  1024   NtWaitForSingleObject  (252, 0, 0x0, ...
 02315  1696   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\30*m\201", ) , ) == 0x0
 02317   896   NtResumeThread  (284, ...
 02318  1696   NtDeviceIoControlFile  (296, 236, 0x0, 0x0, 0x1207b,  (296, 236, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\30*m\201", 16, 16, ... , 16, 16, ...
 02317   896   NtResumeThread  ... 1, ) == 0x0
 02318  1696   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\30*m\201", ) , ) == 0x0
 02319   500   NtTestAlert  (...
 02320   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02319   500   NtTestAlert  ... ) == 0x0
 02320   896   NtAllocateVirtualMemory  ... 30474240, 1048576, ) == 0x0
 02321   500   NtContinue  (30473520, 1, ...
 02322   896   NtAllocateVirtualMemory  (-1, 31514624, 0, 8192, 4096, 4, ...
 02323   500   NtRegisterThreadTerminatePort  (24, ...
 02322   896   NtAllocateVirtualMemory  ... 31514624, 8192, ) == 0x0
 02323   500   NtRegisterThreadTerminatePort  ... ) == 0x0
 02324   896   NtProtectVirtualMemory  (-1, (0x1e0e000), 4096, 260, ...
 02325  1696   NtDeviceIoControlFile  (296, 236, 0x0, 0x0, 0x12047,  (296, 236, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\224\375\320\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 02324   896   NtProtectVirtualMemory  ... (0x1e0e000), 4096, 4, ) == 0x0
 02325  1696   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 02326   500   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02327  1696   NtWaitForSingleObject  (188, 0, {0, 0}, ... ) == 0x102
 02328  1696   NtDeviceIoControlFile  (296, 236, 0x0, 0x0, 0x12003,  (296, 236, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=312}, "\1\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=312},  (296, 236, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=312}, "\1\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02329  1696   NtDeviceIoControlFile  (296, 236, 0x0, 0x0, 0x12047,  (296, 236, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 02330  1696   NtDeviceIoControlFile  (296, 236, 0x0, 0x0, 0x12037,  (296, 236, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8},  (296, 236, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02331   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02326   500   NtSetInformationThread  ... ) == 0x0
 02331   896   NtCreateThread  ... 316, {1252, 1884}, ) == 0x0
 02332  1696   NtDeviceIoControlFile  (296, 236, 0x0, 0x0, 0x1200b,  (296, 236, 0x0, 0x0, 0x1200b, "\0\376\320\0\5\0\0\0\0\357\24\0", 12, 0, ... , 12, 0, ...
 02333   896   NtQueryInformationThread  (316, Basic, 28, ...
 02332  1696   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02333   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1252,Tid=1884,}, 0x0, ) == 0x0
 02334  1696   NtDeviceIoControlFile  (296, 236, 0x0, 0x0, 0x12047,  (296, 236, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\320\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 02335   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81917, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81917, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\344\4\0\0\\7\0\0" ...  ...
 02334  1696   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02336  1696   NtDeviceIoControlFile  (296, 236, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26},  (296, 236, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02337  1696   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0
 02338  1696   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 320, {status=0x0, info=0}, ) }, 7, 16, ... 320, {status=0x0, info=0}, ) == 0x0
 02339  1696   NtDeviceIoControlFile  (320, 0, 0x0, 0x0, 0x390008,  (320, 0, 0x0, 0x0, 0x390008, "k\347k\355\7Xa;\264\234\201Y)\366\2036\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02340  1696   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02341   500   NtWaitForSingleObject  (252, 0, 0x0, ...
 02335   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81918, 0}  ... {28, 56, reply, 0, 1252, 896, 81918, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\344\4\0\0\\7\0\0" )  ) == 0x0
 02340  1696   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02342   896   NtResumeThread  (316, ...
 02343  1696   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02342   896   NtResumeThread  ... 1, ) == 0x0
 02343  1696   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02344   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02345  1696   NtQuerySystemInformation  (Performance, 312, ...
 02344   896   NtAllocateVirtualMemory  ... 31522816, 1048576, ) == 0x0
 02345  1696   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02346   896   NtAllocateVirtualMemory  (-1, 32563200, 0, 8192, 4096, 4, ...
 02347  1696   NtQuerySystemInformation  (Exception, 16, ...
 02348  1884   NtTestAlert  (...
 02346   896   NtAllocateVirtualMemory  ... 32563200, 8192, ) == 0x0
 02348  1884   NtTestAlert  ... ) == 0x0
 02349   896   NtProtectVirtualMemory  (-1, (0x1f0e000), 4096, 260, ...
 02350  1884   NtContinue  (31522096, 1, ...
 02349   896   NtProtectVirtualMemory  ... (0x1f0e000), 4096, 4, ) == 0x0
 02351  1884   NtRegisterThreadTerminatePort  (24, ...
 02352   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02351  1884   NtRegisterThreadTerminatePort  ... ) == 0x0
 02352   896   NtCreateThread  ... 324, {1252, 1620}, ) == 0x0
 02347  1696   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02353   896   NtQueryInformationThread  (324, Basic, 28, ...
 02354  1696   NtQuerySystemInformation  (Lookaside, 32, ...
 02355  1884   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02354  1696   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02356  1696   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02357  1696   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02358  1696   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482764, 2, ) }, 0, 0x0, 0, ... -2147482764, 2, ) == 0x0
 02353   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1252,Tid=1620,}, 0x0, ) == 0x0
 02355  1884   NtSetInformationThread  ... ) == 0x0
 02359   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81918, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81918, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\344\4\0\0T\6\0\0" ...  ...
 02360  1696   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "\267\323\27\21{X\3032"4\220M)48\270\251Q)\376\214\207\370+\373\13\310m9&\245\13\235+\353\264\270\4MU\3\271V(\13RB#S\266\233\264\342\2068\242\312\222T\320\371\361\335\342z\271\26\266\203\16Y\321\354\20F\350\367\34\303\326", 80, ... , 0, 3,  (-2147482764, "Seed", 0, 3, "\267\323\27\21{X\3032"4\220M)48\270\251Q)\376\214\207\370+\373\13\310m9&\245\13\235+\353\264\270\4MU\3\271V(\13RB#S\266\233\264\342\2068\242\312\222T\320\371\361\335\342z\271\26\266\203\16Y\321\354\20F\350\367\34\303\326", 80, ... 4\220M)48\270\251Q)\376\214\207\370+\373\13\310m9&\245\13\235+\353\264\270\4MU\3\271V(\13RB#S\266\233\264\342\2068\242\312\222T\320\371\361\335\342z\271\26\266\203\16Y\321\354\20F\350\367\34\303\326", 80, ...
 02359   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81919, 0}  ... {28, 56, reply, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\344\4\0\0T\6\0\0" )  ) == 0x0
 02360  1696   NtSetValueKey  ... ) == 0x0
 02361   896   NtResumeThread  (324, ...
 02362  1696   NtClose  (-2147482764, ...
 02361   896   NtResumeThread  ... 1, ) == 0x0
 02362  1696   NtClose  ... ) == 0x0
 02363  1884   NtWaitForSingleObject  (252, 0, 0x0, ...
 02364  1620   NtTestAlert  (...
 02339  1696   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\347\332\7f\214\4\12\330A\0@P\257\256\216e\306\276\4@K\275\237\365\200\265\202Q}\2229\373n\251F\267\334\36\16Yr%\351\351\360\371\321\350\332>\311\217N\353\345"\323\245\16'\264D\271\317\376\177'\205\314V\207 \271dF\16\206E\16\261\215\315-\335\373\33\214d\10:\333OX\363<6\255\227\263\354,\310\31=\205\3367\220J\260\263\315~\354\312\203ME\336\257\354\365%y\33\201\14\364\17\37\17i\331\373\205E\21\302\344\20\355\11\244\211\367N\341E-\360\17!K\361y\240\373\313*7\31\34\305\340\327\6B\266\226\230[\266\247\325,\302.\263\21O\234\221\346q\301\373\7KI\363\1\35\253C\3541\21P\273\273\10<\334(\217\210\340\254?p\351\3513FRD\216R9\362\250g{`\323\6\263\1s%\303\3625\270\305~J\233\220A\G\364\233\303#5\2\211d\246\325D\361/", ) \323\245\16'\264D\271\317\376\177'\205\314V\207 \271dF\16\206E\16\261\215\315-\335\373\33\214d\10:\333OX\363<6\255\227\263\354,\310\31=\205\3367\220J\260\263\315~\354\312\203ME\336\257\354\365%y\33\201\14\364\17\37\17i\331\373\205E\21\302\344\20\355\11\244\211\367N\341E-\360\17!K\361y\240\373\313*7\31\34\305\340\327\6B\266\226\230[\266\247\325,\302.\263\21O\234\221\346q\301\373\7KI\363\1\35\253C\3541\21P\273\273\10<\334(\217\210\340\254?p\351\3513FRD\216R9\362\250g{`\323\6\263\1s%\303\3625\270\305~J\233\220A\G\364\233\303#5\2\211d\246\325D\361/", ) == 0x0
 02365   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02364  1620   NtTestAlert  ... ) == 0x0
 02366  1696   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02365   896   NtAllocateVirtualMemory  ... 32571392, 1048576, ) == 0x0
 02367  1620   NtContinue  (32570672, 1, ...
 02368   896   NtAllocateVirtualMemory  (-1, 33611776, 0, 8192, 4096, 4, ...
 02369  1620   NtRegisterThreadTerminatePort  (24, ...
 02368   896   NtAllocateVirtualMemory  ... 33611776, 8192, ) == 0x0
 02369  1620   NtRegisterThreadTerminatePort  ... ) == 0x0
 02370   896   NtProtectVirtualMemory  (-1, (0x200e000), 4096, 260, ...
 02366  1696   NtCreateEvent  ... 328, ) == 0x0
 02370   896   NtProtectVirtualMemory  ... (0x200e000), 4096, 4, ) == 0x0
 02371  1696   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 13693560, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 13693560, 188, ...
 02372  1620   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02371  1696   NtConnectPort  ... 332, 0x0, 0x0, 0x0, 188, ) == 0x0
 02373  1696   NtRequestWaitReplyPort  (332, {200, 224, new_msg, 0, 2883626, 1372480, 12, 2}  (332, {200, 224, new_msg, 0, 2883626, 1372480, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\107\24\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0>\277f\320J\234\242t\210#\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0`#\25\0\2(\3548x\1\24\0\200#\25\0h\1\24\0\0\0\0\0\0\0\0\0\200#\25\0P\0\0\0\210#\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\320\0\372\31\221|\214\370\320\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...  ...
 02374   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 336, {1252, 1296}, ) == 0x0
 02375   896   NtQueryInformationThread  (336, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1252,Tid=1296,}, 0x0, ) == 0x0
 02376   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81919, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\344\4\0\0\20\5\0\0" ...  ...
 02372  1620   NtSetInformationThread  ... ) == 0x0
 02377  1620   NtWaitForSingleObject  (252, 0, 0x0, ...
 02373  1696   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 1696, 81921, 0}  ... {200, 224, reply, 0, 1252, 1696, 81921, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\107\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0>\277f\320J\234\242t\210#\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0`#\25\0\2(\3548x\1\24\0\200#\25\0h\1\24\0\0\0\0\0\0\0\0\0\200#\25\0P\0\0\0\210#\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\320\0\372\31\221|\214\370\320\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 02378  1696   NtRequestWaitReplyPort  (332, {44, 68, new_msg, 56, 0, 0, 0, 0}  (332, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\350$\25\0\322\0\0\0" ... {40, 64, reply, 0, 1252, 1696, 81923, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\323\1\0\0\350\370\14\0" )  ... {40, 64, reply, 0, 1252, 1696, 81923, 0}  (332, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\350$\25\0\322\0\0\0" ... {40, 64, reply, 0, 1252, 1696, 81923, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\323\1\0\0\350\370\14\0" )  ) == 0x0
 02379  1696   NtRequestWaitReplyPort  (332, {64, 88, new_msg, 56, 1310720, 13693428, 1385696, 0}  (332, {64, 88, new_msg, 56, 1310720, 13693428, 1385696, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\320\0\351\201\347w\214\370\320\0\30\356\220|p\5\221|\1\0\0\0\340%\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02376   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81922, 0}  ... {28, 56, reply, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\344\4\0\0\20\5\0\0" )  ) == 0x0
 02380   896   NtResumeThread  (336, ... 1, ) == 0x0
 02381   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33619968, 1048576, ) == 0x0
 02382   896   NtAllocateVirtualMemory  (-1, 34660352, 0, 8192, 4096, 4, ...
 02379  1696   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 1696, 81924, 0}  ... {64, 88, reply, 56, 1252, 1696, 81924, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\320\0\351\201\347w\214\370\320\0\30\356\220|p\5\221|\1\0\0\0\340%\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02383  1296   NtAllocateVirtualMemory  (-1, 3624960, 0, 4096, 4096, 4, ...
 02384  1696   NtRequestWaitReplyPort  (332, {44, 68, new_msg, 56, 1252, 1696, 81923, 0}  (332, {44, 68, new_msg, 56, 1252, 1696, 81923, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\350$\25\0\322\0\0\0" ...  ...
 02383  1296   NtAllocateVirtualMemory  ... 3624960, 4096, ) == 0x0
 02385  1296   NtTestAlert  (... ) == 0x0
 02386  1296   NtContinue  (33619248, 1, ...
 02384  1696   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 1696, 81925, 0}  ... {40, 64, reply, 0, 1252, 1696, 81925, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" )  ) == 0x0
 02382   896   NtAllocateVirtualMemory  ... 34660352, 8192, ) == 0x0
 02387  1696   NtRequestWaitReplyPort  (332, {64, 88, new_msg, 56, 1310720, 13693428, 13694172, 0}  (332, {64, 88, new_msg, 56, 1310720, 13693428, 13694172, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\320\0\351\201\347w\214\370\320\0\30\356\220|p\5\221|\1\0\0\0\250*\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02388   896   NtProtectVirtualMemory  (-1, (0x210e000), 4096, 260, ... (0x210e000), 4096, 4, ) == 0x0
 02389   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 340, {1252, 440}, ) == 0x0
 02390   896   NtQueryInformationThread  (340, Basic, 28, ...
 02391  1296   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02392  1296   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 02393  1296   NtWaitForSingleObject  (252, 0, 0x0, ...
 02390   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1252,Tid=440,}, 0x0, ) == 0x0
 02394   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\4\0\0\270\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\4\0\0\270\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81927, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\4\0\0\270\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\4\0\0\270\1\0\0" )  ) == 0x0
 02395   896   NtResumeThread  (340, ... 1, ) == 0x0
 02387  1696   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 1696, 81926, 0}  ... {64, 88, reply, 56, 1252, 1696, 81926, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\320\0\351\201\347w\214\370\320\0\30\356\220|p\5\221|\1\0\0\0\250*\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02396   440   NtTestAlert  (...
 02397  1696   NtRequestWaitReplyPort  (332, {44, 68, new_msg, 56, 1252, 1696, 81925, 0}  (332, {44, 68, new_msg, 56, 1252, 1696, 81925, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\350$\25\0\322\0\0\0" ...  ...
 02396   440   NtTestAlert  ... ) == 0x0
 02398   440   NtContinue  (34667824, 1, ...
 02399   440   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02397  1696   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 1696, 81928, 0}  ... {40, 64, reply, 0, 1252, 1696, 81928, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" )  ) == 0x0
 02400   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02401  1696   NtRequestWaitReplyPort  (332, {64, 88, new_msg, 56, 1310720, 13693428, 13694172, 0}  (332, {64, 88, new_msg, 56, 1310720, 13693428, 13694172, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\320\0\351\201\347w\214\370\320\0\30\356\220|p\5\221|\1\0\0\0\370,\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02400   896   NtAllocateVirtualMemory  ... 34668544, 1048576, ) == 0x0
 02402   896   NtAllocateVirtualMemory  (-1, 35708928, 0, 8192, 4096, 4, ... 35708928, 8192, ) == 0x0
 02403   896   NtProtectVirtualMemory  (-1, (0x220e000), 4096, 260, ... (0x220e000), 4096, 4, ) == 0x0
 02404   440   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 02405   440   NtWaitForSingleObject  (252, 0, 0x0, ...
 02406   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 344, {1252, 2044}, ) == 0x0
 02407   896   NtQueryInformationThread  (344, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1252,Tid=2044,}, 0x0, ) == 0x0
 02408   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\344\4\0\0\374\7\0\0" ...  ...
 02401  1696   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 1696, 81929, 0}  ... {64, 88, reply, 56, 1252, 1696, 81929, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\320\0\351\201\347w\214\370\320\0\30\356\220|p\5\221|\1\0\0\0\370,\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02409  1696   NtClose  (328, ... ) == 0x0
 02410  1696   NtClose  (332, ... ) == 0x0
 02411  1696   NtDeviceIoControlFile  (320, 0, 0x0, 0x0, 0x390008,  (320, 0, 0x0, 0x0, 0x390008, "k\347k\355\7Xa)\337^\377\361uZ8pI\310\246\201\305T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02408   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81930, 0}  ... {28, 56, reply, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\344\4\0\0\374\7\0\0" )  ) == 0x0
 02412   896   NtResumeThread  (344, ... 1, ) == 0x0
 02413   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35717120, 1048576, ) == 0x0
 02414   896   NtAllocateVirtualMemory  (-1, 36757504, 0, 8192, 4096, 4, ... 36757504, 8192, ) == 0x0
 02415   896   NtProtectVirtualMemory  (-1, (0x230e000), 4096, 260, ... (0x230e000), 4096, 4, ) == 0x0
 02416   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 332, {1252, 588}, ) == 0x0
 02417   896   NtQueryInformationThread  (332, Basic, 28, ...
 02418  1696   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02419  2044   NtTestAlert  (...
 02418  1696   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02419  2044   NtTestAlert  ... ) == 0x0
 02420  1696   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02421  2044   NtContinue  (35716400, 1, ...
 02420  1696   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02422  2044   NtRegisterThreadTerminatePort  (24, ...
 02423  1696   NtQuerySystemInformation  (Performance, 312, ...
 02422  2044   NtRegisterThreadTerminatePort  ... ) == 0x0
 02423  1696   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02417   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1252,Tid=588,}, 0x0, ) == 0x0
 02424  2044   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02425   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\344\4\0\0L\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\344\4\0\0L\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81932, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\344\4\0\0L\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\344\4\0\0L\2\0\0" )  ) == 0x0
 02426   896   NtResumeThread  (332, ... 1, ) == 0x0
 02427   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 36765696, 1048576, ) == 0x0
 02428   896   NtAllocateVirtualMemory  (-1, 37806080, 0, 8192, 4096, 4, ... 37806080, 8192, ) == 0x0
 02429   896   NtProtectVirtualMemory  (-1, (0x240e000), 4096, 260, ... (0x240e000), 4096, 4, ) == 0x0
 02430  1696   NtQuerySystemInformation  (Exception, 16, ...
 02424  2044   NtSetInformationThread  ... ) == 0x0
 02431   588   NtTestAlert  (...
 02430  1696   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02432   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02431   588   NtTestAlert  ... ) == 0x0
 02433  1696   NtQuerySystemInformation  (Lookaside, 32, ...
 02432   896   NtCreateThread  ... 328, {1252, 1652}, ) == 0x0
 02434   588   NtContinue  (36764976, 1, ...
 02433  1696   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02435   896   NtQueryInformationThread  (328, Basic, 28, ...
 02436   588   NtRegisterThreadTerminatePort  (24, ...
 02437  1696   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02435   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1252,Tid=1652,}, 0x0, ) == 0x0
 02436   588   NtRegisterThreadTerminatePort  ... ) == 0x0
 02437  1696   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02438   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81932, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\344\4\0\0t\6\0\0" ...  ...
 02439  2044   NtWaitForSingleObject  (252, 0, 0x0, ...
 02440   588   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02438   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81933, 0}  ... {28, 56, reply, 0, 1252, 896, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\344\4\0\0t\6\0\0" )  ) == 0x0
 02441  1696   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02442   896   NtResumeThread  (328, ...
 02441  1696   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02442   896   NtResumeThread  ... 1, ) == 0x0
 02443  1696   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02444   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02443  1696   NtCreateKey  ... -2147482764, 2, ) == 0x0
 02444   896   NtAllocateVirtualMemory  ... 37814272, 1048576, ) == 0x0
 02445  1696   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "\255+Y3I\12\257\205\352"\11px\207\213\337\276\3\320J\37k\231\300\2031\317v\317I\343\306\347;7\21W/\346;f\266l\217D\255K7{\245\206\244\242{\334\6X%\207\35\252e\200\332\366Ge\343\11\27\276\244\351\30Z\354\322\275\374\33", 80, ... , 0, 3,  (-2147482764, "Seed", 0, 3, "\255+Y3I\12\257\205\352"\11px\207\213\337\276\3\320J\37k\231\300\2031\317v\317I\343\306\347;7\21W/\346;f\266l\217D\255K7{\245\206\244\242{\334\6X%\207\35\252e\200\332\366Ge\343\11\27\276\244\351\30Z\354\322\275\374\33", 80, ... \11px\207\213\337\276\3\320J\37k\231\300\2031\317v\317I\343\306\347;7\21W/\346;f\266l\217D\255K7{\245\206\244\242{\334\6X%\207\35\252e\200\332\366Ge\343\11\27\276\244\351\30Z\354\322\275\374\33", 80, ...
 02446   896   NtAllocateVirtualMemory  (-1, 38854656, 0, 8192, 4096, 4, ...
 02445  1696   NtSetValueKey  ... ) == 0x0
 02440   588   NtSetInformationThread  ... ) == 0x0
 02447  1652   NtTestAlert  (...
 02446   896   NtAllocateVirtualMemory  ... 38854656, 8192, ) == 0x0
 02448  1696   NtClose  (-2147482764, ...
 02447  1652   NtTestAlert  ... ) == 0x0
 02449   896   NtProtectVirtualMemory  (-1, (0x250e000), 4096, 260, ...
 02448  1696   NtClose  ... ) == 0x0
 02450  1652   NtContinue  (37813552, 1, ...
 02449   896   NtProtectVirtualMemory  ... (0x250e000), 4096, 4, ) == 0x0
 02411  1696   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\217\365]\346\230\227oy\354H\31\333\360VPj\207\223\30\343\245\334\333\325Q\35\215q0\16\264\306\214]\11P5\242#\35\2\366\2258\334\345\320"W5\365?r|B8a0Q\36\344\37\360\322\256WS\354|\334"kF\330_o\25\372h\6\374\2\2457\374\327\335>\372\306\5\255C\214\300\204\246\230\21z\302\373:^h\374^\224\360\272\300H\357\0/\33\33\330|\207\347cS\201\267\177U\13\303\31\365\230\235\10R\302\240M\330\26\303\247\304a\344h\354\220I\231\252)5\255\230\273\15'\25N\360\17O6\2629\220\300\253]m\365\232\22\27K\2D\62\263r\364\264W\224\213K`\205\306\371i\374\205\215O\346\311\336d(\206\357\261\300\372\237~\241\276\374F\230\200'3\2351\30\316N\205\261*\263~4\256\367\270\233\252\0f;\237'\325\21\11+\72;?\337`\33\351\372\300l\12", ) W5\365?r|B8a0Q\36\344\37\360\322\256WS\354|\334 ... {status=0x0, info=256}, "\217\365]\346\230\227oy\354H\31\333\360VPj\207\223\30\343\245\334\333\325Q\35\215q0\16\264\306\214]\11P5\242#\35\2\366\2258\334\345\320"W5\365?r|B8a0Q\36\344\37\360\322\256WS\354|\334"kF\330_o\25\372h\6\374\2\2457\374\327\335>\372\306\5\255C\214\300\204\246\230\21z\302\373:^h\374^\224\360\272\300H\357\0/\33\33\330|\207\347cS\201\267\177U\13\303\31\365\230\235\10R\302\240M\330\26\303\247\304a\344h\354\220I\231\252)5\255\230\273\15'\25N\360\17O6\2629\220\300\253]m\365\232\22\27K\2D\62\263r\364\264W\224\213K`\205\306\371i\374\205\215O\346\311\336d(\206\357\261\300\372\237~\241\276\374F\230\200'3\2351\30\316N\205\261*\263~4\256\367\270\233\252\0f;\237'\325\21\11+\72;?\337`\33\351\372\300l\12", ) , ) == 0x0
 02451  1652   NtRegisterThreadTerminatePort  (24, ...
 02452   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02453  1696   NtDeviceIoControlFile  (320, 0, 0x0, 0x0, 0x390008,  (320, 0, 0x0, 0x0, 0x390008, "k\347k\355\7Xa)\337^\377\361uZ*\33\213\266\274j-~\22I\310\246\201\305T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02451  1652   NtRegisterThreadTerminatePort  ... ) == 0x0
 02452   896   NtCreateThread  ... 348, {1252, 1368}, ) == 0x0
 02454  1696   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02455   588   NtWaitForSingleObject  (252, 0, 0x0, ...
 02456   896   NtQueryInformationThread  (348, Basic, 28, ...
 02454  1696   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02457  1652   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02456   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1252,Tid=1368,}, 0x0, ) == 0x0
 02458   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81933, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0X\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0X\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81942, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0X\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0X\5\0\0" )  ) == 0x0
 02459   896   NtResumeThread  (348, ... 1, ) == 0x0
 02460   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 38862848, 1048576, ) == 0x0
 02461   896   NtAllocateVirtualMemory  (-1, 39903232, 0, 8192, 4096, 4, ... 39903232, 8192, ) == 0x0
 02462   896   NtProtectVirtualMemory  (-1, (0x260e000), 4096, 260, ... (0x260e000), 4096, 4, ) == 0x0
 02463  1696   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02457  1652   NtSetInformationThread  ... ) == 0x0
 02464  1368   NtTestAlert  (...
 02463  1696   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02465   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02464  1368   NtTestAlert  ... ) == 0x0
 02466  1696   NtQuerySystemInformation  (Performance, 312, ...
 02465   896   NtCreateThread  ... 352, {1252, 220}, ) == 0x0
 02467  1368   NtContinue  (38862128, 1, ...
 02466  1696   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02468   896   NtQueryInformationThread  (352, Basic, 28, ...
 02469  1368   NtRegisterThreadTerminatePort  (24, ...
 02470  1696   NtQuerySystemInformation  (Exception, 16, ...
 02468   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1252,Tid=220,}, 0x0, ) == 0x0
 02469  1368   NtRegisterThreadTerminatePort  ... ) == 0x0
 02470  1696   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02471   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81942, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\344\4\0\0\334\0\0\0" ...  ...
 02472  1652   NtWaitForSingleObject  (252, 0, 0x0, ...
 02473  1368   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02471   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81943, 0}  ... {28, 56, reply, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\344\4\0\0\334\0\0\0" )  ) == 0x0
 02474  1696   NtQuerySystemInformation  (Lookaside, 32, ...
 02475   896   NtResumeThread  (352, ...
 02474  1696   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02475   896   NtResumeThread  ... 1, ) == 0x0
 02476  1696   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02477   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02476  1696   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02477   896   NtAllocateVirtualMemory  ... 39911424, 1048576, ) == 0x0
 02478  1696   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02479   896   NtAllocateVirtualMemory  (-1, 40951808, 0, 8192, 4096, 4, ...
 02478  1696   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02473  1368   NtSetInformationThread  ... ) == 0x0
 02480   220   NtTestAlert  (...
 02479   896   NtAllocateVirtualMemory  ... 40951808, 8192, ) == 0x0
 02481  1696   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02480   220   NtTestAlert  ... ) == 0x0
 02482   896   NtProtectVirtualMemory  (-1, (0x270e000), 4096, 260, ...
 02481  1696   NtCreateKey  ... -2147482764, 2, ) == 0x0
 02483   220   NtContinue  (39910704, 1, ...
 02482   896   NtProtectVirtualMemory  ... (0x270e000), 4096, 4, ) == 0x0
 02484  1696   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, ")\210\253\300[\226\34qYm\334b<\327h\326>n\24\251\227\310!\30351\251\12\31\326:\352\206\22\215D@{\322\3757\3730\221\331\22\272d>~\37d\264\354\2645\342x\346\305I\2\13\363drv\264\14\252[\332`ZW\335\225}w\276", 80, ... , 0, 3,  (-2147482764, "Seed", 0, 3, ")\210\253\300[\226\34qYm\334b<\327h\326>n\24\251\227\310!\30351\251\12\31\326:\352\206\22\215D@{\322\3757\3730\221\331\22\272d>~\37d\264\354\2645\342x\346\305I\2\13\363drv\264\14\252[\332`ZW\335\225}w\276", 80, ... , 80, ...
 02485   220   NtRegisterThreadTerminatePort  (24, ...
 02486   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02484  1696   NtSetValueKey  ... ) == 0x0
 02485   220   NtRegisterThreadTerminatePort  ... ) == 0x0
 02486   896   NtCreateThread  ... 356, {1252, 704}, ) == 0x0
 02487  1696   NtClose  (-2147482764, ...
 02488  1368   NtWaitForSingleObject  (252, 0, 0x0, ...
 02489   896   NtQueryInformationThread  (356, Basic, 28, ...
 02487  1696   NtClose  ... ) == 0x0
 02490   220   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02489   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1252,Tid=704,}, 0x0, ) == 0x0
 02491   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81943, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\0\300\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\0\300\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81944, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\0\300\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\0\300\2\0\0" )  ) == 0x0
 02492   896   NtResumeThread  (356, ... 1, ) == 0x0
 02493   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 40960000, 1048576, ) == 0x0
 02494   896   NtAllocateVirtualMemory  (-1, 42000384, 0, 8192, 4096, 4, ... 42000384, 8192, ) == 0x0
 02495   896   NtProtectVirtualMemory  (-1, (0x280e000), 4096, 260, ... (0x280e000), 4096, 4, ) == 0x0
 02453  1696   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\260\242\234\351\207s\341\310CA\5,\200D%\26#(\1'\343&\204U\224\34\340\27\20\267\11\306-\355\251\277\321\276}z\1\204\276\346\342\2\0(_\224c\231\106"\341\264/\317w\315\351_IY\35\371\257\342\366\214\354\331\2364\336\375\275\17\260&\23\7l\3369T\344\240B1\322*\5\35&\302}\12\340S\310\343\362\324\341\332\212\241\203w\367\250\37\337\323;\266\301U\340\265-\240\27\316\335'\251\7\245V0}\200\201\342cLP\20\20[(Fd\33\3\352\31\217\307\326v\376\30\365Z\332`\227\342\345g\221\273\203@\306\266H\361\365H\2777\302\246w@\23\370\201Y\307\240f^q\367\235\240\313U\261 \356\307\207u\276\350 \225\36\333\250\11\276F\267\315\250\321\273\2\215 \317\22\367:\353\32\322\273$itE\365\213\357\201\223\277\342\34\257\226-\347V\3609\11\372\236\337*Hl\330T\352", ) \341\264/\317w\315\351_IY\35\371\257\342\366\214\354\331\2364\336\375\275\17\260&\23\7l\3369T\344\240B1\322*\5\35&\302}\12\340S\310\343\362\324\341\332\212\241\203w\367\250\37\337\323;\266\301U\340\265-\240\27\316\335'\251\7\245V0}\200\201\342cLP\20\20[(Fd\33\3\352\31\217\307\326v\376\30\365Z\332`\227\342\345g\221\273\203@\306\266H\361\365H\2777\302\246w@\23\370\201Y\307\240f^q\367\235\240\313U\261 \356\307\207u\276\350 \225\36\333\250\11\276F\267\315\250\321\273\2\215 \317\22\367:\353\32\322\273$itE\365\213\357\201\223\277\342\34\257\226-\347V\3609\11\372\236\337*Hl\330T\352", ) == 0x0
 02490   220   NtSetInformationThread  ... ) == 0x0
 02496   704   NtTestAlert  (...
 02497  1696   NtDeviceIoControlFile  (320, 0, 0x0, 0x0, 0x390008,  (320, 0, 0x0, 0x0, 0x390008, "k\347k\355\7Xa)\337^\377\361uZ*\33\213\266\274j-ly\213\266\274j-~\22I\310\246\201\305T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02498   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02496   704   NtTestAlert  ... ) == 0x0
 02499  1696   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02498   896   NtCreateThread  ... 360, {1252, 792}, ) == 0x0
 02500   704   NtContinue  (40959280, 1, ...
 02499  1696   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02501   896   NtQueryInformationThread  (360, Basic, 28, ...
 02502   704   NtRegisterThreadTerminatePort  (24, ...
 02503  1696   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02501   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1252,Tid=792,}, 0x0, ) == 0x0
 02502   704   NtRegisterThreadTerminatePort  ... ) == 0x0
 02503  1696   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02504   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81944, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\344\4\0\0\30\3\0\0" ...  ...
 02505   220   NtWaitForSingleObject  (252, 0, 0x0, ...
 02506   704   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02504   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81945, 0}  ... {28, 56, reply, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\344\4\0\0\30\3\0\0" )  ) == 0x0
 02507  1696   NtQuerySystemInformation  (Performance, 312, ...
 02508   896   NtResumeThread  (360, ...
 02507  1696   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02508   896   NtResumeThread  ... 1, ) == 0x0
 02509  1696   NtQuerySystemInformation  (Exception, 16, ...
 02510   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02509  1696   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02510   896   NtAllocateVirtualMemory  ... 42008576, 1048576, ) == 0x0
 02511  1696   NtQuerySystemInformation  (Lookaside, 32, ...
 02512   896   NtAllocateVirtualMemory  (-1, 43048960, 0, 8192, 4096, 4, ...
 02511  1696   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02506   704   NtSetInformationThread  ... ) == 0x0
 02513   792   NtTestAlert  (...
 02512   896   NtAllocateVirtualMemory  ... 43048960, 8192, ) == 0x0
 02514  1696   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02513   792   NtTestAlert  ... ) == 0x0
 02515   896   NtProtectVirtualMemory  (-1, (0x290e000), 4096, 260, ...
 02514  1696   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02516   792   NtContinue  (42007856, 1, ...
 02515   896   NtProtectVirtualMemory  ... (0x290e000), 4096, 4, ) == 0x0
 02517  1696   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02518   792   NtRegisterThreadTerminatePort  (24, ...
 02519   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02517  1696   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02518   792   NtRegisterThreadTerminatePort  ... ) == 0x0
 02519   896   NtCreateThread  ... 364, {1252, 1120}, ) == 0x0
 02520  1696   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02521   704   NtWaitForSingleObject  (252, 0, 0x0, ...
 02522   896   NtQueryInformationThread  (364, Basic, 28, ...
 02520  1696   NtCreateKey  ... -2147482764, 2, ) == 0x0
 02523   792   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02522   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1252,Tid=1120,}, 0x0, ) == 0x0
 02524   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0`\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0`\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81946, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0`\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0`\4\0\0" )  ) == 0x0
 02525   896   NtResumeThread  (364, ... 1, ) == 0x0
 02526   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 43057152, 1048576, ) == 0x0
 02527   896   NtAllocateVirtualMemory  (-1, 44097536, 0, 8192, 4096, 4, ... 44097536, 8192, ) == 0x0
 02528   896   NtProtectVirtualMemory  (-1, (0x2a0e000), 4096, 260, ... (0x2a0e000), 4096, 4, ) == 0x0
 02529  1696   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "\227\241\303\344\247\247\206[\306\363\256\241\334z\32\327\0C[S\257\314\360y\3255j\6\313\225kH\250\332h\23&\21\376\204\272\245\353\342$m\316\216\7\2203}O\177\340\37\4$o\354(\23'_\242 \270\15Rt\302\233\271aQt\223\374a\311", 80, ... , 0, 3,  (-2147482764, "Seed", 0, 3, "\227\241\303\344\247\247\206[\306\363\256\241\334z\32\327\0C[S\257\314\360y\3255j\6\313\225kH\250\332h\23&\21\376\204\272\245\353\342$m\316\216\7\2203}O\177\340\37\4$o\354(\23'_\242 \270\15Rt\302\233\271aQt\223\374a\311", 80, ... , 80, ...
 02523   792   NtSetInformationThread  ... ) == 0x0
 02530  1120   NtTestAlert  (...
 02529  1696   NtSetValueKey  ... ) == 0x0
 02531   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02530  1120   NtTestAlert  ... ) == 0x0
 02532  1696   NtClose  (-2147482764, ...
 02531   896   NtCreateThread  ... 368, {1252, 1516}, ) == 0x0
 02533  1120   NtContinue  (43056432, 1, ...
 02532  1696   NtClose  ... ) == 0x0
 02534   896   NtQueryInformationThread  (368, Basic, 28, ...
 02535  1120   NtRegisterThreadTerminatePort  (24, ...
 02497  1696   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "2\254\317\377l\214f\224\205T~\235\326\324\250.\212\10\34\22\201\275::K\237\346['o\5#\20\375\357LtIz\306~\2418\31f\336x\36\207\311\330\367M\252\236G\276\251\205:\361F\325\23M\377\204\14\37\327p\360\373._O\272\357\213b\307\340W\36;\251\316\314w\317\3178\317\340\251\331~\366\237\232\267\302}\320\214Jur\2012\365I2\267\334M\223#\213\33P\216\333\2\371\252)\361\335\312\364:<>\320E\3139\235\316\240\341\206\257\360f\332\365`\273nt\336l\372\202s\261\302\352 \207\24\232\1\203rZ\272\7\314\102\276y\26\362x\254)?\316\13\4\372N\220\231\255\363\310\351\303\220xi\13\331\205\27\207}\0][\24Jp\3669\1\322\317AbbP\4-\6p\210V#\224\201\256\22\210\220\202\252A\340D\14\327\266\35d\277L\214\344]\363\266\365J^U\204\32vj", ) , ) == 0x0
 02534   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1252,Tid=1516,}, 0x0, ) == 0x0
 02535  1120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02536  1696   NtDeviceIoControlFile  (320, 0, 0x0, 0x0, 0x390008,  (320, 0, 0x0, 0x0, 0x390008, "k\347k\355\7Xa)\337^\377\361uZ*\33\213\266\274j-ly\213\266\274j-ly\213\266\274j-~\22I\310\246\201\305T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02537   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\4\0\0\354\5\0\0" ...  ...
 02538   792   NtWaitForSingleObject  (252, 0, 0x0, ...
 02539  1120   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02537   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81947, 0}  ... {28, 56, reply, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\4\0\0\354\5\0\0" )  ) == 0x0
 02540  1696   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02541   896   NtResumeThread  (368, ...
 02540  1696   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02541   896   NtResumeThread  ... 1, ) == 0x0
 02542  1696   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02543   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02542  1696   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02543   896   NtAllocateVirtualMemory  ... 44105728, 1048576, ) == 0x0
 02544  1696   NtQuerySystemInformation  (Performance, 312, ...
 02545   896   NtAllocateVirtualMemory  (-1, 45146112, 0, 8192, 4096, 4, ...
 02544  1696   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02539  1120   NtSetInformationThread  ... ) == 0x0
 02546  1516   NtTestAlert  (...
 02545   896   NtAllocateVirtualMemory  ... 45146112, 8192, ) == 0x0
 02547  1696   NtQuerySystemInformation  (Exception, 16, ...
 02546  1516   NtTestAlert  ... ) == 0x0
 02548   896   NtProtectVirtualMemory  (-1, (0x2b0e000), 4096, 260, ...
 02547  1696   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02549  1516   NtContinue  (44105008, 1, ...
 02548   896   NtProtectVirtualMemory  ... (0x2b0e000), 4096, 4, ) == 0x0
 02550  1696   NtQuerySystemInformation  (Lookaside, 32, ...
 02551  1516   NtRegisterThreadTerminatePort  (24, ...
 02552   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02550  1696   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02551  1516   NtRegisterThreadTerminatePort  ... ) == 0x0
 02552   896   NtCreateThread  ... 372, {1252, 940}, ) == 0x0
 02553  1696   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02554  1120   NtWaitForSingleObject  (252, 0, 0x0, ...
 02555   896   NtQueryInformationThread  (372, Basic, 28, ...
 02553  1696   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02556  1516   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02555   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1252,Tid=940,}, 0x0, ) == 0x0
 02557   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\344\4\0\0\254\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\344\4\0\0\254\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81948, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\344\4\0\0\254\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\344\4\0\0\254\3\0\0" )  ) == 0x0
 02558   896   NtResumeThread  (372, ... 1, ) == 0x0
 02559   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 45154304, 1048576, ) == 0x0
 02560   896   NtAllocateVirtualMemory  (-1, 46194688, 0, 8192, 4096, 4, ... 46194688, 8192, ) == 0x0
 02561   896   NtProtectVirtualMemory  (-1, (0x2c0e000), 4096, 260, ... (0x2c0e000), 4096, 4, ) == 0x0
 02562  1696   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02556  1516   NtSetInformationThread  ... ) == 0x0
 02563   940   NtTestAlert  (...
 02562  1696   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02564   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02563   940   NtTestAlert  ... ) == 0x0
 02565  1696   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02564   896   NtCreateThread  ... 376, {1252, 1268}, ) == 0x0
 02566   940   NtContinue  (45153584, 1, ...
 02565  1696   NtCreateKey  ... -2147482764, 2, ) == 0x0
 02567   896   NtQueryInformationThread  (376, Basic, 28, ...
 02568   940   NtRegisterThreadTerminatePort  (24, ...
 02569  1696   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "k\305c\304{}h~\5-$\25\335F\355\34\232H\3\223O\376M\12\7L\314\321?\373t\200\214'\304\370&\242;a\202\364>\216Yv\2304)z\252z\30\243tU\256\211\14l\222\6\24F\241w\353\221?\223\253\20\366z\325\14\230^2&", 80, ... , 0, 3,  (-2147482764, "Seed", 0, 3, "k\305c\304{}h~\5-$\25\335F\355\34\232H\3\223O\376M\12\7L\314\321?\373t\200\214'\304\370&\242;a\202\364>\216Yv\2304)z\252z\30\243tU\256\211\14l\222\6\24F\241w\353\221?\223\253\20\366z\325\14\230^2&", 80, ... , 80, ...
 02567   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1252,Tid=1268,}, 0x0, ) == 0x0
 02568   940   NtRegisterThreadTerminatePort  ... ) == 0x0
 02569  1696   NtSetValueKey  ... ) == 0x0
 02570   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\4\0\0\364\4\0\0" ...  ...
 02571  1516   NtWaitForSingleObject  (252, 0, 0x0, ...
 02572   940   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02570   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81949, 0}  ... {28, 56, reply, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\4\0\0\364\4\0\0" )  ) == 0x0
 02573  1696   NtClose  (-2147482764, ...
 02574   896   NtResumeThread  (376, ...
 02573  1696   NtClose  ... ) == 0x0
 02574   896   NtResumeThread  ... 1, ) == 0x0
 02536  1696   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "vg=\2152\310c\15O.\20\354\330\30K\3616;\227`\213\26\227_8\357z\220\315a\376\346\3I\266,\243\275\277\316,\243\356{~\211\361\341-\376\322\313d\5\4\204df\24y\274\324\230\224a\27N\265QvH\203|\10(L\326Q\355\260eC.\247\224a\302\363\367\311\370\226\206\230\204q\377\331\260P\301\227\335L\305$5\220\341\323\16\325Z\341P?;K\374\370\26\207\2/?\241\314\301+r\270\333T\236\13\32\240r\152h\356}\342\302\253\222\375%\362's\370\236\350\367z\341\361\224\243h\5\270lm\214\202t\37s\11?\350\317V+\317.\256\270\203\362L\372\337\200\334\23R:\21\5\12\255J(\4\374\4|1\257\200\6e:\205\320\313\357 2\230\305~\213\261\177o-\0\3469\1\36\331hG?\324\23\177\317\203\327\373\274rE\262\13\3q\314z\322l\371-\217\20w\13\17", ) , ) == 0x0
 02575   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02576  1696   NtDeviceIoControlFile  (320, 0, 0x0, 0x0, 0x390008,  (320, 0, 0x0, 0x0, 0x390008, "k\347k\355\7Xa)\337^\377\361uZ*\33\213\266\274j-ly\213\266\274j-ly\213\266\274j-ly\213\266\274j-~\22I\310\246\201\305T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02575   896   NtAllocateVirtualMemory  ... 46202880, 1048576, ) == 0x0
 02577  1696   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02578   896   NtAllocateVirtualMemory  (-1, 47243264, 0, 8192, 4096, 4, ...
 02577  1696   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02572   940   NtSetInformationThread  ... ) == 0x0
 02579  1268   NtTestAlert  (...
 02578   896   NtAllocateVirtualMemory  ... 47243264, 8192, ) == 0x0
 02580  1696   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02579  1268   NtTestAlert  ... ) == 0x0
 02581   896   NtProtectVirtualMemory  (-1, (0x2d0e000), 4096, 260, ...
 02580  1696   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02582  1268   NtContinue  (46202160, 1, ...
 02581   896   NtProtectVirtualMemory  ... (0x2d0e000), 4096, 4, ) == 0x0
 02583  1696   NtQuerySystemInformation  (Performance, 312, ...
 02584  1268   NtRegisterThreadTerminatePort  (24, ...
 02585   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02586   940   NtWaitForSingleObject  (252, 0, 0x0, ...
 02584  1268   NtRegisterThreadTerminatePort  ... ) == 0x0
 02585   896   NtCreateThread  ... 380, {1252, 644}, ) == 0x0
 02583  1696   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02587   896   NtQueryInformationThread  (380, Basic, 28, ...
 02588  1696   NtQuerySystemInformation  (Exception, 16, ...
 02589  1268   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02588  1696   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02590  1696   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02591  1696   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02592  1696   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02593  1696   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482764, 2, ) }, 0, 0x0, 0, ... -2147482764, 2, ) == 0x0
 02594  1696   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "\226\200V+\206\223\35k@\333\352\13M\342\300\377y0\234\366j\302\206\371jb\250\371\350\250&"Y\265\311\16\235?\232#\375\13S\335\344\216i\366\216JZ\264\350\231o\306\226\241\326\224\314\260s8dX\224\265\312\234\231\275~\10\17\1\202a.\275", 80, ... , 0, 3,  (-2147482764, "Seed", 0, 3, "\226\200V+\206\223\35k@\333\352\13M\342\300\377y0\234\366j\302\206\371jb\250\371\350\250&"Y\265\311\16\235?\232#\375\13S\335\344\216i\366\216JZ\264\350\231o\306\226\241\326\224\314\260s8dX\224\265\312\234\231\275~\10\17\1\202a.\275", 80, ... Y\265\311\16\235?\232#\375\13S\335\344\216i\366\216JZ\264\350\231o\306\226\241\326\224\314\260s8dX\224\265\312\234\231\275~\10\17\1\202a.\275", 80, ...
 02587   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1252,Tid=644,}, 0x0, ) == 0x0
 02589  1268   NtSetInformationThread  ... ) == 0x0
 02595   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\4\0\0\204\2\0\0" ...  ...
 02594  1696   NtSetValueKey  ... ) == 0x0
 02595   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81950, 0}  ... {28, 56, reply, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\4\0\0\204\2\0\0" )  ) == 0x0
 02596  1696   NtClose  (-2147482764, ...
 02597   896   NtResumeThread  (380, ...
 02596  1696   NtClose  ... ) == 0x0
 02597   896   NtResumeThread  ... 1, ) == 0x0
 02576  1696   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\272\263\266\34%\235=1\0Y\376\226\344\317i\317)\24\216(W\217\305O\316O\355\323j#\317\3360hU_\25.\344\253qO'\316\331\330\351\2470\26\315xk\274g'd\325\262\262W"\331\200~\271-\351\3436\232\352P\2429$s\320o\210\246<\14\267\255\21Ei;\204\330pr?\323\274\275\177\25\21\25\267s\265\272\262\343\240^\353\363\314\275\257A1K\4\32\222\371+~6\251\306r\256\313\3{\341\306W8\367-\305\27\31A\257\307\224\255Lc\230\25:\303\366\13WP*W\237\370\336\203\2\252\335\264y&*\177\211d\204l\357\372+4X\206\220\3127V\24q2\7\347\315\261\165\346\276\322:lu\300[\204!\265\360\206h\207\310\344\263F \364\271\22\26\356*6c\7\223\232)N\375\17%\242\324\373wn\7#\350\244\265'&.\265\2\310\213\236\203\357\346\270s\353\360r\350\274", ) \331\200~\271-\351\3436\232\352P\2429$s\320o\210\246<\14\267\255\21Ei;\204\330pr?\323\274\275\177\25\21\25\267s\265\272\262\343\240^\353\363\314\275\257A1K\4\32\222\371+~6\251\306r\256\313\3{\341\306W8\367-\305\27\31A\257\307\224\255Lc\230\25:\303\366\13WP*W\237\370\336\203\2\252\335\264y&*\177\211d\204l\357\372+4X\206\220\3127V\24q2\7\347\315\261\165\346\276\322:lu\300[\204!\265\360\206h\207\310\344\263F \364\271\22\26\356*6c\7\223\232)N\375\17%\242\324\373wn\7#\350\244\265'&.\265\2\310\213\236\203\357\346\270s\353\360r\350\274", ) == 0x0
 02598  1268   NtWaitForSingleObject  (252, 0, 0x0, ...
 02599   644   NtTestAlert  (...
 02600  1696   NtDeviceIoControlFile  (320, 0, 0x0, 0x0, 0x390008,  (320, 0, 0x0, 0x0, 0x390008, "k\347k\355\7Xa)\337^\377\361uZ*\33\213\266\274j-ly\213\266\274j-ly\213\266\274j-ly\213\266\274j-ly\213\266\274j-~\22I\310\246\201\305T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02601   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02599   644   NtTestAlert  ... ) == 0x0
 02602  1696   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02601   896   NtAllocateVirtualMemory  ... 47251456, 1048576, ) == 0x0
 02603   644   NtContinue  (47250736, 1, ...
 02604   896   NtAllocateVirtualMemory  (-1, 48291840, 0, 8192, 4096, 4, ...
 02605   644   NtRegisterThreadTerminatePort  (24, ...
 02604   896   NtAllocateVirtualMemory  ... 48291840, 8192, ) == 0x0
 02605   644   NtRegisterThreadTerminatePort  ... ) == 0x0
 02606   896   NtProtectVirtualMemory  (-1, (0x2e0e000), 4096, 260, ...
 02602  1696   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02606   896   NtProtectVirtualMemory  ... (0x2e0e000), 4096, 4, ) == 0x0
 02607  1696   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02608   644   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02607  1696   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02609  1696   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02610  1696   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02611  1696   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02612  1696   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02613  1696   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02614   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02608   644   NtSetInformationThread  ... ) == 0x0
 02614   896   NtCreateThread  ... 384, {1252, 380}, ) == 0x0
 02613  1696   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02615   896   NtQueryInformationThread  (384, Basic, 28, ...
 02616  1696   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02615   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1252,Tid=380,}, 0x0, ) == 0x0
 02616  1696   NtCreateKey  ... -2147482764, 2, ) == 0x0
 02617   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\4\0\0|\1\0\0" ...  ...
 02618  1696   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "\13Z!#\267\270M\277?\376\301%\275E\334\276x\353n=S4\247\347\275\324`F\7+\265\274\227\351U+\306\277\341%(F\344'0\32x\217V\22*@ \370\242\212rM\310\360k\327, 80, ... ) , 0, 3,  (-2147482764, "Seed", 0, 3, "\13Z!#\267\270M\277?\376\301%\275E\334\276x\353n=S4\247\347\275\324`F\7+\265\274\227\351U+\306\277\341%(F\344'0\32x\217V\22*@ \370\242\212rM\310\360k\327, 80, ... ) , 80, ... ) == 0x0
 02619  1696   NtClose  (-2147482764, ... ) == 0x0
 02600  1696   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\235\35\253L~\357\307\15\313\230\1\227\325>B\215\227s?\335\255,q\350\266-H\212\304\236\364D\316a\304\13\200\241\332\351\213\364f\367\265\236\36\34\247\270\300\302)O\177B \231\177C\300\300=\373pHT\224t\223\14\226\270\305m?5\35w\236\2631\207?\336\361t|\304k\226\355F\304"\314\250U\350\3\3678e\330\305%i\241\36\272\14\220\322D\265C\343\340\267\256O\3276\6\7\376\351\20\365F\270\315\2750{\256q\373\227z(\3543\221i\36\277W\20\266\265BN\0_\254X\267\323\225{\341\260=\25\270\324~\343\326\35J\327K\234*py\340\265p\4\254fX\270.{2\306q\370l{\250\217\310\332~\356\36l!\32\\275\302\372R\333\213\25\327c\232o{W\30v\201\341\305\216\336\24\206\3326\357p\3405\231\247p\10\21,)\7\253M\37J;"\201\215\14Vw\245\233%", ) \314\250U\350\3\3678e\330\305%i\241\36\272\14\220\322D\265C\343\340\267\256O\3276\6\7\376\351\20\365F\270\315\2750{\256q\373\227z(\3543\221i\36\277W\20\266\265BN\0_\254X\267\323\225{\341\260=\25\270\324~\343\326\35J\327K\234*py\340\265p\4\254fX\270.{2\306q\370l{\250\217\310\332~\356\36l!\32\\275\302\372R\333\213\25\327c\232o{W\30v\201\341\305\216\336\24\206\3326\357p\3405\231\247p\10\21,)\7\253M\37J; ... {status=0x0, info=256}, "\235\35\253L~\357\307\15\313\230\1\227\325>B\215\227s?\335\255,q\350\266-H\212\304\236\364D\316a\304\13\200\241\332\351\213\364f\367\265\236\36\34\247\270\300\302)O\177B \231\177C\300\300=\373pHT\224t\223\14\226\270\305m?5\35w\236\2631\207?\336\361t|\304k\226\355F\304"\314\250U\350\3\3678e\330\305%i\241\36\272\14\220\322D\265C\343\340\267\256O\3276\6\7\376\351\20\365F\270\315\2750{\256q\373\227z(\3543\221i\36\277W\20\266\265BN\0_\254X\267\323\225{\341\260=\25\270\324~\343\326\35J\327K\234*py\340\265p\4\254fX\270.{2\306q\370l{\250\217\310\332~\356\36l!\32\\275\302\372R\333\213\25\327c\232o{W\30v\201\341\305\216\336\24\206\3326\357p\3405\231\247p\10\21,)\7\253M\37J;"\201\215\14Vw\245\233%", ) , ) == 0x0
 02620  1696   NtDeviceIoControlFile  (320, 0, 0x0, 0x0, 0x390008,  (320, 0, 0x0, 0x0, 0x390008, "k\347k\355\7Xa)\337^\377\361uZ*\33\213\266\274j-ly\213\266\274j-ly\213\266\274j-ly\213\266\274j-ly\213\266\274j-ly\213\266\274j-~\22I\310\246\201\305T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02621  1696   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02622  1696   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02623   644   NtWaitForSingleObject  (252, 0, 0x0, ...
 02617   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81951, 0}  ... {28, 56, reply, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\4\0\0|\1\0\0" )  ) == 0x0
 02622  1696   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02624   896   NtResumeThread  (384, ...
 02625  1696   NtQuerySystemInformation  (Performance, 312, ...
 02624   896   NtResumeThread  ... 1, ) == 0x0
 02625  1696   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02626   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02627  1696   NtQuerySystemInformation  (Exception, 16, ...
 02626   896   NtAllocateVirtualMemory  ... 48300032, 1048576, ) == 0x0
 02627  1696   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02628   896   NtAllocateVirtualMemory  (-1, 49340416, 0, 8192, 4096, 4, ...
 02629  1696   NtQuerySystemInformation  (Lookaside, 32, ...
 02630   380   NtTestAlert  (...
 02628   896   NtAllocateVirtualMemory  ... 49340416, 8192, ) == 0x0
 02630   380   NtTestAlert  ... ) == 0x0
 02631   896   NtProtectVirtualMemory  (-1, (0x2f0e000), 4096, 260, ...
 02632   380   NtContinue  (48299312, 1, ...
 02631   896   NtProtectVirtualMemory  ... (0x2f0e000), 4096, 4, ) == 0x0
 02633   380   NtRegisterThreadTerminatePort  (24, ...
 02634   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02633   380   NtRegisterThreadTerminatePort  ... ) == 0x0
 02634   896   NtCreateThread  ... 388, {1252, 1336}, ) == 0x0
 02629  1696   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02635   896   NtQueryInformationThread  (388, Basic, 28, ...
 02636  1696   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02637   380   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02636  1696   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02638  1696   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02639  1696   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482764, 2, ) }, 0, 0x0, 0, ... -2147482764, 2, ) == 0x0
 02640  1696   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "cs8\3\274bcf\2\355\320L\270{\365jc\224\3ch\1\350:IH\215\204;r\273\203\17\6f/A\242\26\317>V\2344[\205\36\371\365\220\37\22\11ZM\326BPK\371P\3142\35\1w{\244\26\10\240\315HN\332\32198\355", 80, ... ) , 0, 3,  (-2147482764, "Seed", 0, 3, "cs8\3\274bcf\2\355\320L\270{\365jc\224\3ch\1\350:IH\215\204;r\273\203\17\6f/A\242\26\317>V\2344[\205\36\371\365\220\37\22\11ZM\326BPK\371P\3142\35\1w{\244\26\10\240\315HN\332\32198\355", 80, ... ) , 80, ... ) == 0x0
 02641  1696   NtClose  (-2147482764, ... ) == 0x0
 02620  1696   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "v\261\223kmA\307\323D\262E\12\225#a\30\331\350I:U+\13\224\241\207\314o#\267\334B^g?\364\230\251\365\260\31\205\0^\23141\362\34\2300c\215\226\31\26e(\217D7\371\325\3119\313K\203_\24\0\374\326Y\6\303\312\226\240\251\337q\10\266\242\24\237w\254OB9\264;\301Iz\212\210\13\221\224\257\377\204\333_FR\226\231\324\253j\353\350\12]\314\257b\4\331\374\357\365\362a\233\16\25\316B7\33\265\225\200|l<\274\202/\247\200\245\368\364ER\210\305\2012\224\345\202X\21\24\16\260\321\22U\270]\356\202g\341J\305\221v$\306\270Ury\221d\3425\365p\246oo{u\340\364wz\21\23 \321\316\15", ) Iz\212\210\13\221\224\257\377\204\333_FR\226\231\324\253j\353\350\12]\314\257b\4\331\374\357\365\362a\233\16\25\316B7\33\265\225\200|l<\274\202/\247\200\245\368\364ER\210\305\2012\224\345\202X\21\24\16\260\321\22U\270]\356\202g\341J\305\221v$\306\270Ury\221d\3425\365p\246oo{u\340\364wz\21\23 \321\316\15", ) == 0x0
 02635   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1252,Tid=1336,}, 0x0, ) == 0x0
 02637   380   NtSetInformationThread  ... ) == 0x0
 02642   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81951, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\08\5\0\0" ...  ...
 02643  1696   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02642   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81952, 0}  ... {28, 56, reply, 0, 1252, 896, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\08\5\0\0" )  ) == 0x0
 02643  1696   NtCreateEvent  ... 392, ) == 0x0
 02644   896   NtResumeThread  (388, ...
 02645  1696   NtOpenThreadToken  (-2, 0xc, 1, ...
 02644   896   NtResumeThread  ... 1, ) == 0x0
 02645  1696   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02646   380   NtWaitForSingleObject  (252, 0, 0x0, ...
 02647  1336   NtTestAlert  (...
 02648  1696   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02649   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02647  1336   NtTestAlert  ... ) == 0x0
 02648  1696   NtCreateEvent  ... 396, ) == 0x0
 02649   896   NtAllocateVirtualMemory  ... 49348608, 1048576, ) == 0x0
 02650  1336   NtContinue  (49347888, 1, ...
 02651   896   NtAllocateVirtualMemory  (-1, 50388992, 0, 8192, 4096, 4, ...
 02652  1336   NtRegisterThreadTerminatePort  (24, ...
 02651   896   NtAllocateVirtualMemory  ... 50388992, 8192, ) == 0x0
 02652  1336   NtRegisterThreadTerminatePort  ... ) == 0x0
 02653   896   NtProtectVirtualMemory  (-1, (0x300e000), 4096, 260, ...
 02654  1696   NtOpenThreadToken  (-2, 0xc, 1, ...
 02653   896   NtProtectVirtualMemory  ... (0x300e000), 4096, 4, ) == 0x0
 02654  1696   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02655  1336   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02656  1696   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02657  1696   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 13693120,  (0xc0100080, {24, 0, 0x40, 0, 13693120, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 400, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 400, {status=0x0, info=1}, ) == 0x0
 02658  1696   NtSetInformationFile  (400, 13693176, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02659  1696   NtSetInformationFile  (400, 13693164, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02660  1696   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02661   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02655  1336   NtSetInformationThread  ... ) == 0x0
 02661   896   NtCreateThread  ... 404, {1252, 752}, ) == 0x0
 02662  1696   NtWriteFile  (400, 277, 0, 0,  (400, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 02663   896   NtQueryInformationThread  (404, Basic, 28, ...
 02662  1696   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 02663   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1252,Tid=752,}, 0x0, ) == 0x0
 02664  1696   NtReadFile  (400, 277, 0, 0, 1024, {0, 0}, 0, ...
 02665   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81952, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\344\4\0\0\360\2\0\0" ...  ...
 02664  1696   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20v+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02666  1696   NtFsControlFile  (400, 277, 0x0, 0x0, 0x11c017,  (400, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\320\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20v+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (400, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\320\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20v+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02667  1696   NtFsControlFile  (400, 277, 0x0, 0x0, 0x11c017,  (400, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\347\326\315lv\242\333N\201\354M\352\300h&\31\1\0\0\0\1\0\0\0&\0(\0\230\4\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\347\326\315lv\242\333N\201\354M\352\300h&\31\0\0\0\0", ) , 136, 1024, ... {status=0x103, info=48},  (400, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\347\326\315lv\242\333N\201\354M\352\300h&\31\1\0\0\0\1\0\0\0&\0(\0\230\4\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\347\326\315lv\242\333N\201\354M\352\300h&\31\0\0\0\0", ) , ) == 0x103
 02668  1696   NtFsControlFile  (400, 277, 0x0, 0x0, 0x11c017,  (400, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\347\326\315lv\242\333N\201\354M\352\300h&\31", 44, 1024, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\320)\25\0\1\0\0\0\334)\25\0 \0\0\0\1\0\0\0\30\0\32\0\350)\25\0\4*\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\250/\25\0\1\0\0\0\5\0i\0\270/\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=156},  (400, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\347\326\315lv\242\333N\201\354M\352\300h&\31", 44, 1024, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\320)\25\0\1\0\0\0\334)\25\0 \0\0\0\1\0\0\0\30\0\32\0\350)\25\0\4*\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\250/\25\0\1\0\0\0\5\0i\0\270/\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02669  1696   NtClose  (396, ... ) == 0x0
 02670  1336   NtWaitForSingleObject  (252, 0, 0x0, ...
 02665   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81953, 0}  ... {28, 56, reply, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\344\4\0\0\360\2\0\0" )  ) == 0x0
 02671  1696   NtClose  (400, ...
 02672   896   NtResumeThread  (404, ...
 02671  1696   NtClose  ... ) == 0x0
 02672   896   NtResumeThread  ... 1, ) == 0x0
 02673  1696   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1373088, 0x0, 13695044, 188, ... , {12, 2, 1, 1}, 0x0, 1373088, 0x0, 13695044, 188, ...
 02674   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02673  1696   NtSecureConnectPort  ... 400, 0x0, 0x0, 0x0, 188, ) == 0x0
 02674   896   NtAllocateVirtualMemory  ... 50397184, 1048576, ) == 0x0
 02675  1696   NtOpenThreadToken  (-2, 0xc, 1, ...
 02676   896   NtAllocateVirtualMemory  (-1, 51437568, 0, 8192, 4096, 4, ...
 02677   752   NtTestAlert  (...
 02675  1696   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02677   752   NtTestAlert  ... ) == 0x0
 02678  1696   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02679   752   NtContinue  (50396464, 1, ...
 02678  1696   NtSetInformationThread  ... ) == 0x0
 02680   752   NtRegisterThreadTerminatePort  (24, ...
 02681  1696   NtRequestWaitReplyPort  (400, {200, 224, new_msg, 0, 1372480, 12, 2, 1310977}  (400, {200, 224, new_msg, 0, 1372480, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\320\202y(\214mzh\244\252W#\216<9b\12\0\0\0d\215\326^\325\1\73\0\0\0\0\360\5\25\0`\4s\226\370n\31\372(\0\0\0\303l\0\15\0\0\24\0\240\366\320\0\272/d\17\0\0\0\0\210#\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\320\0\372\31\221|X\376\320\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02680   752   NtRegisterThreadTerminatePort  ... ) == 0x0
 02681  1696   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 1696, 81955, 0}  ... {200, 224, reply, 0, 1252, 1696, 81955, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\2\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\320\202y(\214mzh\244\252W#\216<9b\12\0\0\0d\215\326^\325\1\73\0\0\0\0\360\5\25\0`\4s\226\370n\31\372(\0\0\0\303l\0\15\0\0\24\0\240\366\320\0\272/d\17\0\0\0\0\210#\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\320\0\372\31\221|X\376\320\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02676   896   NtAllocateVirtualMemory  ... 51437568, 8192, ) == 0x0
 02682   752   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02683   896   NtProtectVirtualMemory  (-1, (0x310e000), 4096, 260, ... (0x310e000), 4096, 4, ) == 0x0
 02684   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 396, {1252, 1564}, ) == 0x0
 02685   896   NtQueryInformationThread  (396, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1252,Tid=1564,}, 0x0, ) == 0x0
 02686   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0\34\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0\34\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81956, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0\34\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0\34\6\0\0" )  ) == 0x0
 02687   896   NtResumeThread  (396, ... 1, ) == 0x0
 02688  1696   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02682   752   NtSetInformationThread  ... ) == 0x0
 02689  1564   NtTestAlert  (...
 02688  1696   NtSetInformationThread  ... ) == 0x0
 02690   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02689  1564   NtTestAlert  ... ) == 0x0
 02691  1696   NtRequestWaitReplyPort  (400, {56, 80, new_msg, 0, 44, 3, 20, 0}  (400, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0v\242\333N\201\354M\352\300h&\31\1\0\0\0\0\0\0\0&\0(\0(\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 02690   896   NtAllocateVirtualMemory  ... 51445760, 1048576, ) == 0x0
 02692  1564   NtContinue  (51445040, 1, ...
 02693   896   NtAllocateVirtualMemory  (-1, 52486144, 0, 8192, 4096, 4, ...
 02694  1564   NtRegisterThreadTerminatePort  (24, ...
 02693   896   NtAllocateVirtualMemory  ... 52486144, 8192, ) == 0x0
 02694  1564   NtRegisterThreadTerminatePort  ... ) == 0x0
 02695   896   NtProtectVirtualMemory  (-1, (0x320e000), 4096, 260, ...
 02696   752   NtWaitForSingleObject  (252, 0, 0x0, ...
 02695   896   NtProtectVirtualMemory  ... (0x320e000), 4096, 4, ) == 0x0
 02697  1564   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 02698  1564   NtWaitForSingleObject  (252, 0, 0x0, ...
 02699   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 408, {1252, 1964}, ) == 0x0
 02700   896   NtQueryInformationThread  (408, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1252,Tid=1964,}, 0x0, ) == 0x0
 02701   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81956, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\4\0\0\254\7\0\0" ...  ...
 02691  1696   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 1252, 1696, 81957, 0}  ... {44, 68, reply, 0, 1252, 1696, 81957, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02702  1696   NtRaiseException  (13695504, 13694764, 1, ...
 02703  1696   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02704  1696   NtContinue  (13693732, 0, ...
 02705  1696   NtDeviceIoControlFile  (296, 236, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... {status=0x0, info=0}, "", ) == 0x103
 02706  1696   NtWaitForSingleObject  (236, 1, {-5000000, -1}, ...
 02701   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81958, 0}  ... {28, 56, reply, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\4\0\0\254\7\0\0" )  ) == 0x0
 02707   896   NtResumeThread  (408, ... 1, ) == 0x0
 02708   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 52494336, 1048576, ) == 0x0
 02709   896   NtAllocateVirtualMemory  (-1, 53534720, 0, 8192, 4096, 4, ... 53534720, 8192, ) == 0x0
 02710   896   NtProtectVirtualMemory  (-1, (0x330e000), 4096, 260, ... (0x330e000), 4096, 4, ) == 0x0
 02711   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 412, {1252, 1624}, ) == 0x0
 02712   896   NtQueryInformationThread  (412, Basic, 28, ...
 02713  1964   NtTestAlert  (... ) == 0x0
 02714  1964   NtContinue  (52493616, 1, ...
 02715  1964   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02716  1964   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02712   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1252,Tid=1624,}, 0x0, ) == 0x0
 02717   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\344\4\0\0X\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\344\4\0\0X\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81959, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\344\4\0\0X\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\344\4\0\0X\6\0\0" )  ) == 0x0
 02718   896   NtResumeThread  (412, ... 1, ) == 0x0
 02719  1624   NtTestAlert  (... ) == 0x0
 02720  1624   NtContinue  (53542192, 1, ...
 02721  1624   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02722  1624   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02723   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 53542912, 1048576, ) == 0x0
 02724   896   NtAllocateVirtualMemory  (-1, 54583296, 0, 8192, 4096, 4, ... 54583296, 8192, ) == 0x0
 02725   896   NtProtectVirtualMemory  (-1, (0x340e000), 4096, 260, ... (0x340e000), 4096, 4, ) == 0x0
 02726   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 416, {1252, 1440}, ) == 0x0
 02727   896   NtQueryInformationThread  (416, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1252,Tid=1440,}, 0x0, ) == 0x0
 02728   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\240\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\240\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81960, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\240\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\240\5\0\0" )  ) == 0x0
 02729   896   NtResumeThread  (416, ... 1, ) == 0x0
 02730   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 54591488, 1048576, ) == 0x0
 02731   896   NtAllocateVirtualMemory  (-1, 55631872, 0, 8192, 4096, 4, ...
 02732  1440   NtTestAlert  (... ) == 0x0
 02733  1440   NtContinue  (54590768, 1, ...
 02734  1440   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02735  1440   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02731   896   NtAllocateVirtualMemory  ... 55631872, 8192, ) == 0x0
 02736   896   NtProtectVirtualMemory  (-1, (0x350e000), 4096, 260, ... (0x350e000), 4096, 4, ) == 0x0
 02737   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 420, {1252, 1972}, ) == 0x0
 02738   896   NtQueryInformationThread  (420, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1252,Tid=1972,}, 0x0, ) == 0x0
 02739   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\344\4\0\0\264\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\344\4\0\0\264\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81961, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\344\4\0\0\264\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\344\4\0\0\264\7\0\0" )  ) == 0x0
 02740   896   NtResumeThread  (420, ... 1, ) == 0x0
 02741  1972   NtTestAlert  (... ) == 0x0
 02742  1972   NtContinue  (55639344, 1, ...
 02743  1972   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02744  1972   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02745   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 55640064, 1048576, ) == 0x0
 02746   896   NtAllocateVirtualMemory  (-1, 56680448, 0, 8192, 4096, 4, ... 56680448, 8192, ) == 0x0
 02747   896   NtProtectVirtualMemory  (-1, (0x360e000), 4096, 260, ... (0x360e000), 4096, 4, ) == 0x0
 02748   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 424, {1252, 1036}, ) == 0x0
 02749   896   NtQueryInformationThread  (424, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1252,Tid=1036,}, 0x0, ) == 0x0
 02750   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0\14\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0\14\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81962, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0\14\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0\14\4\0\0" )  ) == 0x0
 02751   896   NtResumeThread  (424, ... 1, ) == 0x0
 02752   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 56688640, 1048576, ) == 0x0
 02753   896   NtAllocateVirtualMemory  (-1, 57729024, 0, 8192, 4096, 4, ...
 02754  1036   NtTestAlert  (... ) == 0x0
 02755  1036   NtContinue  (56687920, 1, ...
 02756  1036   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02757  1036   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02753   896   NtAllocateVirtualMemory  ... 57729024, 8192, ) == 0x0
 02758   896   NtProtectVirtualMemory  (-1, (0x370e000), 4096, 260, ... (0x370e000), 4096, 4, ) == 0x0
 02759   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 428, {1252, 1664}, ) == 0x0
 02760   896   NtQueryInformationThread  (428, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1252,Tid=1664,}, 0x0, ) == 0x0
 02761   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0\200\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0\200\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81963, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0\200\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0\200\6\0\0" )  ) == 0x0
 02762   896   NtResumeThread  (428, ... 1, ) == 0x0
 02763  1664   NtTestAlert  (... ) == 0x0
 02764  1664   NtContinue  (57736496, 1, ...
 02765  1664   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02766  1664   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02767   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 57737216, 1048576, ) == 0x0
 02768   896   NtAllocateVirtualMemory  (-1, 58777600, 0, 8192, 4096, 4, ... 58777600, 8192, ) == 0x0
 02769   896   NtProtectVirtualMemory  (-1, (0x380e000), 4096, 260, ... (0x380e000), 4096, 4, ) == 0x0
 02770   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 432, {1252, 1248}, ) == 0x0
 02771   896   NtQueryInformationThread  (432, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1252,Tid=1248,}, 0x0, ) == 0x0
 02772   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\340\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\340\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81964, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\340\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\340\4\0\0" )  ) == 0x0
 02773   896   NtResumeThread  (432, ... 1, ) == 0x0
 02774   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 58785792, 1048576, ) == 0x0
 02775   896   NtAllocateVirtualMemory  (-1, 59826176, 0, 8192, 4096, 4, ...
 02776  1248   NtTestAlert  (... ) == 0x0
 02777  1248   NtContinue  (58785072, 1, ...
 02778  1248   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02779  1248   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02775   896   NtAllocateVirtualMemory  ... 59826176, 8192, ) == 0x0
 02780   896   NtProtectVirtualMemory  (-1, (0x390e000), 4096, 260, ... (0x390e000), 4096, 4, ) == 0x0
 02781   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 436, {1252, 1656}, ) == 0x0
 02782   896   NtQueryInformationThread  (436, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1252,Tid=1656,}, 0x0, ) == 0x0
 02783   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81964, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0x\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0x\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81965, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0x\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0x\6\0\0" )  ) == 0x0
 02784   896   NtResumeThread  (436, ... 1, ) == 0x0
 02785  1656   NtTestAlert  (... ) == 0x0
 02786  1656   NtContinue  (59833648, 1, ...
 02787  1656   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02788  1656   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02789   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 59834368, 1048576, ) == 0x0
 02790   896   NtAllocateVirtualMemory  (-1, 60874752, 0, 8192, 4096, 4, ... 60874752, 8192, ) == 0x0
 02791   896   NtProtectVirtualMemory  (-1, (0x3a0e000), 4096, 260, ... (0x3a0e000), 4096, 4, ) == 0x0
 02792   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 440, {1252, 760}, ) == 0x0
 02793   896   NtQueryInformationThread  (440, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1252,Tid=760,}, 0x0, ) == 0x0
 02794   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81965, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0\370\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0\370\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81966, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0\370\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0\370\2\0\0" )  ) == 0x0
 02795   896   NtResumeThread  (440, ... 1, ) == 0x0
 02796   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 60882944, 1048576, ) == 0x0
 02797   896   NtAllocateVirtualMemory  (-1, 61923328, 0, 8192, 4096, 4, ...
 02798   760   NtTestAlert  (... ) == 0x0
 02799   760   NtContinue  (60882224, 1, ...
 02800   760   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02801   760   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02797   896   NtAllocateVirtualMemory  ... 61923328, 8192, ) == 0x0
 02802   896   NtProtectVirtualMemory  (-1, (0x3b0e000), 4096, 260, ... (0x3b0e000), 4096, 4, ) == 0x0
 02803   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 444, {1252, 484}, ) == 0x0
 02804   896   NtQueryInformationThread  (444, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1252,Tid=484,}, 0x0, ) == 0x0
 02805   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81966, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0\344\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0\344\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81967, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0\344\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0\344\1\0\0" )  ) == 0x0
 02806   896   NtResumeThread  (444, ... 1, ) == 0x0
 02807   484   NtTestAlert  (... ) == 0x0
 02808   484   NtContinue  (61930800, 1, ...
 02809   484   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02810   484   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02811   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 61931520, 1048576, ) == 0x0
 02812   896   NtAllocateVirtualMemory  (-1, 62971904, 0, 8192, 4096, 4, ... 62971904, 8192, ) == 0x0
 02813   896   NtProtectVirtualMemory  (-1, (0x3c0e000), 4096, 260, ... (0x3c0e000), 4096, 4, ) == 0x0
 02814   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 448, {1252, 1580}, ) == 0x0
 02815   896   NtQueryInformationThread  (448, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1252,Tid=1580,}, 0x0, ) == 0x0
 02816   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81967, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0,\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0,\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81968, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0,\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0,\6\0\0" )  ) == 0x0
 02817   896   NtResumeThread  (448, ... 1, ) == 0x0
 02818   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 62980096, 1048576, ) == 0x0
 02819   896   NtAllocateVirtualMemory  (-1, 64020480, 0, 8192, 4096, 4, ...
 02820  1580   NtAllocateVirtualMemory  (-1, 3629056, 0, 4096, 4096, 4, ... 3629056, 4096, ) == 0x0
 02821  1580   NtTestAlert  (... ) == 0x0
 02822  1580   NtContinue  (62979376, 1, ...
 02823  1580   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02824  1580   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02819   896   NtAllocateVirtualMemory  ... 64020480, 8192, ) == 0x0
 02825   896   NtProtectVirtualMemory  (-1, (0x3d0e000), 4096, 260, ... (0x3d0e000), 4096, 4, ) == 0x0
 02826   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 452, {1252, 1756}, ) == 0x0
 02827   896   NtQueryInformationThread  (452, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1252,Tid=1756,}, 0x0, ) == 0x0
 02828   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81968, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\344\4\0\0\334\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\344\4\0\0\334\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81969, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\344\4\0\0\334\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\344\4\0\0\334\6\0\0" )  ) == 0x0
 02829   896   NtResumeThread  (452, ... 1, ) == 0x0
 02830  1756   NtTestAlert  (... ) == 0x0
 02831  1756   NtContinue  (64027952, 1, ...
 02832  1756   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02833  1756   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02834   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 64028672, 1048576, ) == 0x0
 02835   896   NtAllocateVirtualMemory  (-1, 65069056, 0, 8192, 4096, 4, ... 65069056, 8192, ) == 0x0
 02836   896   NtProtectVirtualMemory  (-1, (0x3e0e000), 4096, 260, ... (0x3e0e000), 4096, 4, ) == 0x0
 02837   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 456, {1252, 1304}, ) == 0x0
 02838   896   NtQueryInformationThread  (456, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1252,Tid=1304,}, 0x0, ) == 0x0
 02839   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81969, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0\30\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0\30\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81970, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0\30\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0\30\5\0\0" )  ) == 0x0
 02840   896   NtResumeThread  (456, ... 1, ) == 0x0
 02841   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 65077248, 1048576, ) == 0x0
 02842   896   NtAllocateVirtualMemory  (-1, 66117632, 0, 8192, 4096, 4, ...
 02843  1304   NtTestAlert  (... ) == 0x0
 02844  1304   NtContinue  (65076528, 1, ...
 02845  1304   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02846  1304   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02842   896   NtAllocateVirtualMemory  ... 66117632, 8192, ) == 0x0
 02847   896   NtProtectVirtualMemory  (-1, (0x3f0e000), 4096, 260, ... (0x3f0e000), 4096, 4, ) == 0x0
 02848   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 460, {1252, 1292}, ) == 0x0
 02849   896   NtQueryInformationThread  (460, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1252,Tid=1292,}, 0x0, ) == 0x0
 02850   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81970, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\344\4\0\0\14\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\344\4\0\0\14\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81971, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\344\4\0\0\14\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\344\4\0\0\14\5\0\0" )  ) == 0x0
 02851   896   NtResumeThread  (460, ... 1, ) == 0x0
 02852  1292   NtTestAlert  (... ) == 0x0
 02853  1292   NtContinue  (66125104, 1, ...
 02854  1292   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02855  1292   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02856   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 66125824, 1048576, ) == 0x0
 02857   896   NtAllocateVirtualMemory  (-1, 67166208, 0, 8192, 4096, 4, ... 67166208, 8192, ) == 0x0
 02858   896   NtProtectVirtualMemory  (-1, (0x400e000), 4096, 260, ... (0x400e000), 4096, 4, ) == 0x0
 02859   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 464, {1252, 1956}, ) == 0x0
 02860   896   NtQueryInformationThread  (464, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1252,Tid=1956,}, 0x0, ) == 0x0
 02861   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81971, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\4\0\0\244\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\4\0\0\244\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81972, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\4\0\0\244\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\4\0\0\244\7\0\0" )  ) == 0x0
 02862   896   NtResumeThread  (464, ... 1, ) == 0x0
 02863   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 67174400, 1048576, ) == 0x0
 02864   896   NtAllocateVirtualMemory  (-1, 68214784, 0, 8192, 4096, 4, ...
 02865  1956   NtTestAlert  (... ) == 0x0
 02866  1956   NtContinue  (67173680, 1, ...
 02867  1956   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02868  1956   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02864   896   NtAllocateVirtualMemory  ... 68214784, 8192, ) == 0x0
 02869   896   NtProtectVirtualMemory  (-1, (0x410e000), 4096, 260, ... (0x410e000), 4096, 4, ) == 0x0
 02870   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 468, {1252, 1556}, ) == 0x0
 02871   896   NtQueryInformationThread  (468, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1252,Tid=1556,}, 0x0, ) == 0x0
 02872   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81972, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0\24\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0\24\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81973, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0\24\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0\24\6\0\0" )  ) == 0x0
 02873   896   NtResumeThread  (468, ... 1, ) == 0x0
 02874  1556   NtTestAlert  (... ) == 0x0
 02875  1556   NtContinue  (68222256, 1, ...
 02876  1556   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02877  1556   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02878   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 68222976, 1048576, ) == 0x0
 02879   896   NtAllocateVirtualMemory  (-1, 69263360, 0, 8192, 4096, 4, ... 69263360, 8192, ) == 0x0
 02880   896   NtProtectVirtualMemory  (-1, (0x420e000), 4096, 260, ... (0x420e000), 4096, 4, ) == 0x0
 02881   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 472, {1252, 1480}, ) == 0x0
 02882   896   NtQueryInformationThread  (472, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1252,Tid=1480,}, 0x0, ) == 0x0
 02883   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81973, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0\310\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0\310\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81974, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0\310\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0\310\5\0\0" )  ) == 0x0
 02884   896   NtResumeThread  (472, ... 1, ) == 0x0
 02885   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 69271552, 1048576, ) == 0x0
 02886   896   NtAllocateVirtualMemory  (-1, 70311936, 0, 8192, 4096, 4, ...
 02887  1480   NtTestAlert  (... ) == 0x0
 02888  1480   NtContinue  (69270832, 1, ...
 02889  1480   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02890  1480   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02886   896   NtAllocateVirtualMemory  ... 70311936, 8192, ) == 0x0
 02891   896   NtProtectVirtualMemory  (-1, (0x430e000), 4096, 260, ... (0x430e000), 4096, 4, ) == 0x0
 02892   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 476, {1252, 1784}, ) == 0x0
 02893   896   NtQueryInformationThread  (476, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1252,Tid=1784,}, 0x0, ) == 0x0
 02894   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81974, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0\370\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0\370\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81975, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0\370\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0\370\6\0\0" )  ) == 0x0
 02895   896   NtResumeThread  (476, ... 1, ) == 0x0
 02896  1784   NtTestAlert  (... ) == 0x0
 02897  1784   NtContinue  (70319408, 1, ...
 02898  1784   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02899  1784   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02900   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 70320128, 1048576, ) == 0x0
 02901   896   NtAllocateVirtualMemory  (-1, 71360512, 0, 8192, 4096, 4, ... 71360512, 8192, ) == 0x0
 02902   896   NtProtectVirtualMemory  (-1, (0x440e000), 4096, 260, ... (0x440e000), 4096, 4, ) == 0x0
 02903   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 480, {1252, 1856}, ) == 0x0
 02904   896   NtQueryInformationThread  (480, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1252,Tid=1856,}, 0x0, ) == 0x0
 02905   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81975, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0@\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0@\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81976, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0@\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0@\7\0\0" )  ) == 0x0
 02906   896   NtResumeThread  (480, ... 1, ) == 0x0
 02907   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 71368704, 1048576, ) == 0x0
 02908   896   NtAllocateVirtualMemory  (-1, 72409088, 0, 8192, 4096, 4, ...
 02909  1856   NtTestAlert  (... ) == 0x0
 02910  1856   NtContinue  (71367984, 1, ...
 02911  1856   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02912  1856   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02908   896   NtAllocateVirtualMemory  ... 72409088, 8192, ) == 0x0
 02913   896   NtProtectVirtualMemory  (-1, (0x450e000), 4096, 260, ... (0x450e000), 4096, 4, ) == 0x0
 02914   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 484, {1252, 1604}, ) == 0x0
 02915   896   NtQueryInformationThread  (484, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1252,Tid=1604,}, 0x0, ) == 0x0
 02916   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81976, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\344\4\0\0D\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\344\4\0\0D\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81977, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\344\4\0\0D\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\344\4\0\0D\6\0\0" )  ) == 0x0
 02917   896   NtResumeThread  (484, ... 1, ) == 0x0
 02918  1604   NtTestAlert  (... ) == 0x0
 02919  1604   NtContinue  (72416560, 1, ...
 02920  1604   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02921  1604   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02922   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 72417280, 1048576, ) == 0x0
 02923   896   NtAllocateVirtualMemory  (-1, 73457664, 0, 8192, 4096, 4, ... 73457664, 8192, ) == 0x0
 02924   896   NtProtectVirtualMemory  (-1, (0x460e000), 4096, 260, ... (0x460e000), 4096, 4, ) == 0x0
 02925   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 488, {1252, 1272}, ) == 0x0
 02926   896   NtQueryInformationThread  (488, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1252,Tid=1272,}, 0x0, ) == 0x0
 02927   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81977, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\370\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\370\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81978, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\370\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\370\4\0\0" )  ) == 0x0
 02928   896   NtResumeThread  (488, ... 1, ) == 0x0
 02929   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 73465856, 1048576, ) == 0x0
 02930   896   NtAllocateVirtualMemory  (-1, 74506240, 0, 8192, 4096, 4, ...
 02931  1272   NtTestAlert  (... ) == 0x0
 02932  1272   NtContinue  (73465136, 1, ...
 02933  1272   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02934  1272   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02930   896   NtAllocateVirtualMemory  ... 74506240, 8192, ) == 0x0
 02935   896   NtProtectVirtualMemory  (-1, (0x470e000), 4096, 260, ... (0x470e000), 4096, 4, ) == 0x0
 02936   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 492, {1252, 1132}, ) == 0x0
 02937   896   NtQueryInformationThread  (492, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1252,Tid=1132,}, 0x0, ) == 0x0
 02938   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81978, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\344\4\0\0l\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\344\4\0\0l\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81979, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\344\4\0\0l\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\344\4\0\0l\4\0\0" )  ) == 0x0
 02939   896   NtResumeThread  (492, ... 1, ) == 0x0
 02940  1132   NtTestAlert  (... ) == 0x0
 02941  1132   NtContinue  (74513712, 1, ...
 02942  1132   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02943  1132   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02944   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 74514432, 1048576, ) == 0x0
 02945   896   NtAllocateVirtualMemory  (-1, 75554816, 0, 8192, 4096, 4, ... 75554816, 8192, ) == 0x0
 02946   896   NtProtectVirtualMemory  (-1, (0x480e000), 4096, 260, ... (0x480e000), 4096, 4, ) == 0x0
 02947   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 496, {1252, 184}, ) == 0x0
 02948   896   NtQueryInformationThread  (496, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1252,Tid=184,}, 0x0, ) == 0x0
 02949   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81979, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\0\270\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\0\270\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81980, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\0\270\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\0\270\0\0\0" )  ) == 0x0
 02950   896   NtResumeThread  (496, ... 1, ) == 0x0
 02951   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 75563008, 1048576, ) == 0x0
 02952   896   NtAllocateVirtualMemory  (-1, 76603392, 0, 8192, 4096, 4, ...
 02953   184   NtTestAlert  (... ) == 0x0
 02954   184   NtContinue  (75562288, 1, ...
 02955   184   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02956   184   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02952   896   NtAllocateVirtualMemory  ... 76603392, 8192, ) == 0x0
 02957   896   NtProtectVirtualMemory  (-1, (0x490e000), 4096, 260, ... (0x490e000), 4096, 4, ) == 0x0
 02958   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 500, {1252, 1064}, ) == 0x0
 02959   896   NtQueryInformationThread  (500, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1252,Tid=1064,}, 0x0, ) == 0x0
 02960   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81980, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\344\4\0\0(\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\344\4\0\0(\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81981, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\344\4\0\0(\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\344\4\0\0(\4\0\0" )  ) == 0x0
 02961   896   NtResumeThread  (500, ... 1, ) == 0x0
 02962  1064   NtTestAlert  (... ) == 0x0
 02963  1064   NtContinue  (76610864, 1, ...
 02964  1064   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02965  1064   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02966   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 76611584, 1048576, ) == 0x0
 02967   896   NtAllocateVirtualMemory  (-1, 77651968, 0, 8192, 4096, 4, ... 77651968, 8192, ) == 0x0
 02968   896   NtProtectVirtualMemory  (-1, (0x4a0e000), 4096, 260, ... (0x4a0e000), 4096, 4, ) == 0x0
 02969   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 504, {1252, 1384}, ) == 0x0
 02970   896   NtQueryInformationThread  (504, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1252,Tid=1384,}, 0x0, ) == 0x0
 02971   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81981, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0h\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0h\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81982, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0h\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0h\5\0\0" )  ) == 0x0
 02972   896   NtResumeThread  (504, ... 1, ) == 0x0
 02973   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 77660160, 1048576, ) == 0x0
 02974   896   NtAllocateVirtualMemory  (-1, 78700544, 0, 8192, 4096, 4, ...
 02975  1384   NtTestAlert  (... ) == 0x0
 02976  1384   NtContinue  (77659440, 1, ...
 02977  1384   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02978  1384   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02974   896   NtAllocateVirtualMemory  ... 78700544, 8192, ) == 0x0
 02979   896   NtProtectVirtualMemory  (-1, (0x4b0e000), 4096, 260, ... (0x4b0e000), 4096, 4, ) == 0x0
 02980   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 508, {1252, 1240}, ) == 0x0
 02981   896   NtQueryInformationThread  (508, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1252,Tid=1240,}, 0x0, ) == 0x0
 02982   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81982, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\344\4\0\0\330\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\344\4\0\0\330\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81983, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\344\4\0\0\330\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\344\4\0\0\330\4\0\0" )  ) == 0x0
 02983   896   NtResumeThread  (508, ... 1, ) == 0x0
 02984  1240   NtTestAlert  (... ) == 0x0
 02985  1240   NtContinue  (78708016, 1, ...
 02986  1240   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02987  1240   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02988   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 78708736, 1048576, ) == 0x0
 02989   896   NtAllocateVirtualMemory  (-1, 79749120, 0, 8192, 4096, 4, ... 79749120, 8192, ) == 0x0
 02990   896   NtProtectVirtualMemory  (-1, (0x4c0e000), 4096, 260, ... (0x4c0e000), 4096, 4, ) == 0x0
 02991   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 512, {1252, 296}, ) == 0x0
 02992   896   NtQueryInformationThread  (512, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1252,Tid=296,}, 0x0, ) == 0x0
 02993   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81983, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0(\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0(\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81984, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0(\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0(\1\0\0" )  ) == 0x0
 02994   896   NtResumeThread  (512, ... 1, ) == 0x0
 02995   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 79757312, 1048576, ) == 0x0
 02996   896   NtAllocateVirtualMemory  (-1, 80797696, 0, 8192, 4096, 4, ...
 02997   296   NtTestAlert  (... ) == 0x0
 02998   296   NtContinue  (79756592, 1, ...
 02999   296   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03000   296   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02996   896   NtAllocateVirtualMemory  ... 80797696, 8192, ) == 0x0
 03001   896   NtProtectVirtualMemory  (-1, (0x4d0e000), 4096, 260, ... (0x4d0e000), 4096, 4, ) == 0x0
 03002   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 516, {1252, 740}, ) == 0x0
 03003   896   NtQueryInformationThread  (516, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1252,Tid=740,}, 0x0, ) == 0x0
 03004   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81984, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\344\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\344\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81985, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\344\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\344\2\0\0" )  ) == 0x0
 03005   896   NtResumeThread  (516, ... 1, ) == 0x0
 03006   740   NtTestAlert  (... ) == 0x0
 03007   740   NtContinue  (80805168, 1, ...
 03008   740   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03009   740   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03010   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 80805888, 1048576, ) == 0x0
 03011   896   NtAllocateVirtualMemory  (-1, 81846272, 0, 8192, 4096, 4, ... 81846272, 8192, ) == 0x0
 03012   896   NtProtectVirtualMemory  (-1, (0x4e0e000), 4096, 260, ... (0x4e0e000), 4096, 4, ) == 0x0
 03013   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 520, {1252, 120}, ) == 0x0
 03014   896   NtQueryInformationThread  (520, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1252,Tid=120,}, 0x0, ) == 0x0
 03015   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81985, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0x\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0x\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81986, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0x\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0x\0\0\0" )  ) == 0x0
 03016   896   NtResumeThread  (520, ... 1, ) == 0x0
 03017   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 81854464, 1048576, ) == 0x0
 03018   896   NtAllocateVirtualMemory  (-1, 82894848, 0, 8192, 4096, 4, ...
 03019   120   NtTestAlert  (... ) == 0x0
 03020   120   NtContinue  (81853744, 1, ...
 03021   120   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03022   120   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03018   896   NtAllocateVirtualMemory  ... 82894848, 8192, ) == 0x0
 03023   896   NtProtectVirtualMemory  (-1, (0x4f0e000), 4096, 260, ... (0x4f0e000), 4096, 4, ) == 0x0
 03024   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 524, {1252, 1796}, ) == 0x0
 03025   896   NtQueryInformationThread  (524, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1252,Tid=1796,}, 0x0, ) == 0x0
 03026   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81986, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\344\4\0\0\4\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\344\4\0\0\4\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81987, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\344\4\0\0\4\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\344\4\0\0\4\7\0\0" )  ) == 0x0
 03027   896   NtResumeThread  (524, ... 1, ) == 0x0
 03028  1796   NtTestAlert  (... ) == 0x0
 03029  1796   NtContinue  (82902320, 1, ...
 03030  1796   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03031  1796   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03032   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 82903040, 1048576, ) == 0x0
 03033   896   NtAllocateVirtualMemory  (-1, 83943424, 0, 8192, 4096, 4, ... 83943424, 8192, ) == 0x0
 03034   896   NtProtectVirtualMemory  (-1, (0x500e000), 4096, 260, ... (0x500e000), 4096, 4, ) == 0x0
 03035   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 528, {1252, 1728}, ) == 0x0
 03036   896   NtQueryInformationThread  (528, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1252,Tid=1728,}, 0x0, ) == 0x0
 03037   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81987, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\300\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\300\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81988, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\300\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\300\6\0\0" )  ) == 0x0
 03038   896   NtResumeThread  (528, ... 1, ) == 0x0
 03039   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 83951616, 1048576, ) == 0x0
 03040   896   NtAllocateVirtualMemory  (-1, 84992000, 0, 8192, 4096, 4, ...
 03041  1728   NtTestAlert  (... ) == 0x0
 03042  1728   NtContinue  (83950896, 1, ...
 03043  1728   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03044  1728   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03040   896   NtAllocateVirtualMemory  ... 84992000, 8192, ) == 0x0
 03045   896   NtProtectVirtualMemory  (-1, (0x510e000), 4096, 260, ... (0x510e000), 4096, 4, ) == 0x0
 03046   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 532, {1252, 152}, ) == 0x0
 03047   896   NtQueryInformationThread  (532, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1252,Tid=152,}, 0x0, ) == 0x0
 03048   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81988, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\4\0\0\230\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\4\0\0\230\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81989, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\4\0\0\230\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\4\0\0\230\0\0\0" )  ) == 0x0
 03049   896   NtResumeThread  (532, ... 1, ) == 0x0
 03050   152   NtTestAlert  (... ) == 0x0
 03051   152   NtContinue  (84999472, 1, ...
 03052   152   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03053   152   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03054   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 85000192, 1048576, ) == 0x0
 03055   896   NtAllocateVirtualMemory  (-1, 86040576, 0, 8192, 4096, 4, ... 86040576, 8192, ) == 0x0
 03056   896   NtProtectVirtualMemory  (-1, (0x520e000), 4096, 260, ... (0x520e000), 4096, 4, ) == 0x0
 03057   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 536, {1252, 180}, ) == 0x0
 03058   896   NtQueryInformationThread  (536, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1252,Tid=180,}, 0x0, ) == 0x0
 03059   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81989, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\264\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\264\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81990, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\264\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\264\0\0\0" )  ) == 0x0
 03060   896   NtResumeThread  (536, ... 1, ) == 0x0
 03061   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 86048768, 1048576, ) == 0x0
 03062   896   NtAllocateVirtualMemory  (-1, 87089152, 0, 8192, 4096, 4, ...
 03063   180   NtTestAlert  (... ) == 0x0
 03064   180   NtContinue  (86048048, 1, ...
 03065   180   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03066   180   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03062   896   NtAllocateVirtualMemory  ... 87089152, 8192, ) == 0x0
 03067   896   NtProtectVirtualMemory  (-1, (0x530e000), 4096, 260, ... (0x530e000), 4096, 4, ) == 0x0
 03068   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 540, {1252, 1904}, ) == 0x0
 03069   896   NtQueryInformationThread  (540, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1252,Tid=1904,}, 0x0, ) == 0x0
 03070   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81990, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0p\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0p\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81991, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0p\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0p\7\0\0" )  ) == 0x0
 03071   896   NtResumeThread  (540, ... 1, ) == 0x0
 03072  1904   NtTestAlert  (... ) == 0x0
 03073  1904   NtContinue  (87096624, 1, ...
 03074  1904   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03075  1904   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03076   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 87097344, 1048576, ) == 0x0
 03077   896   NtAllocateVirtualMemory  (-1, 88137728, 0, 8192, 4096, 4, ... 88137728, 8192, ) == 0x0
 03078   896   NtProtectVirtualMemory  (-1, (0x540e000), 4096, 260, ... (0x540e000), 4096, 4, ) == 0x0
 03079   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 544, {1252, 464}, ) == 0x0
 03080   896   NtQueryInformationThread  (544, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1252,Tid=464,}, 0x0, ) == 0x0
 03081   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81991, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0\320\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0\320\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81992, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0\320\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0\320\1\0\0" )  ) == 0x0
 03082   896   NtResumeThread  (544, ... 1, ) == 0x0
 03083   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 88145920, 1048576, ) == 0x0
 03084   896   NtAllocateVirtualMemory  (-1, 89186304, 0, 8192, 4096, 4, ...
 03085   464   NtTestAlert  (... ) == 0x0
 03086   464   NtContinue  (88145200, 1, ...
 03087   464   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03088   464   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03084   896   NtAllocateVirtualMemory  ... 89186304, 8192, ) == 0x0
 03089   896   NtProtectVirtualMemory  (-1, (0x550e000), 4096, 260, ... (0x550e000), 4096, 4, ) == 0x0
 03090   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 548, {1252, 1536}, ) == 0x0
 03091   896   NtQueryInformationThread  (548, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1252,Tid=1536,}, 0x0, ) == 0x0
 03092   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81992, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\344\4\0\0\0\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\344\4\0\0\0\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81993, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\344\4\0\0\0\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\344\4\0\0\0\6\0\0" )  ) == 0x0
 03093   896   NtResumeThread  (548, ... 1, ) == 0x0
 03094  1536   NtTestAlert  (... ) == 0x0
 03095  1536   NtContinue  (89193776, 1, ...
 03096  1536   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03097  1536   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03098   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 89194496, 1048576, ) == 0x0
 03099   896   NtAllocateVirtualMemory  (-1, 90234880, 0, 8192, 4096, 4, ... 90234880, 8192, ) == 0x0
 03100   896   NtProtectVirtualMemory  (-1, (0x560e000), 4096, 260, ... (0x560e000), 4096, 4, ) == 0x0
 03101   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 552, {1252, 444}, ) == 0x0
 03102   896   NtQueryInformationThread  (552, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1252,Tid=444,}, 0x0, ) == 0x0
 03103   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81993, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0\274\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0\274\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81994, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0\274\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0\274\1\0\0" )  ) == 0x0
 03104   896   NtResumeThread  (552, ... 1, ) == 0x0
 03105   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 90243072, 1048576, ) == 0x0
 03106   896   NtAllocateVirtualMemory  (-1, 91283456, 0, 8192, 4096, 4, ...
 03107   444   NtTestAlert  (... ) == 0x0
 03108   444   NtContinue  (90242352, 1, ...
 03109   444   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03110   444   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03106   896   NtAllocateVirtualMemory  ... 91283456, 8192, ) == 0x0
 03111   896   NtProtectVirtualMemory  (-1, (0x570e000), 4096, 260, ... (0x570e000), 4096, 4, ) == 0x0
 03112   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 556, {1252, 1648}, ) == 0x0
 03113   896   NtQueryInformationThread  (556, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1252,Tid=1648,}, 0x0, ) == 0x0
 03114   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81994, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\344\4\0\0p\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\344\4\0\0p\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81995, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\344\4\0\0p\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\344\4\0\0p\6\0\0" )  ) == 0x0
 03115   896   NtResumeThread  (556, ... 1, ) == 0x0
 03116  1648   NtTestAlert  (... ) == 0x0
 03117  1648   NtContinue  (91290928, 1, ...
 03118  1648   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03119  1648   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03120   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 91291648, 1048576, ) == 0x0
 03121   896   NtAllocateVirtualMemory  (-1, 92332032, 0, 8192, 4096, 4, ... 92332032, 8192, ) == 0x0
 03122   896   NtProtectVirtualMemory  (-1, (0x580e000), 4096, 260, ... (0x580e000), 4096, 4, ) == 0x0
 03123   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 560, {1252, 968}, ) == 0x0
 03124   896   NtQueryInformationThread  (560, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1252,Tid=968,}, 0x0, ) == 0x0
 03125   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81995, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0\310\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0\310\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81996, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0\310\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0\310\3\0\0" )  ) == 0x0
 03126   896   NtResumeThread  (560, ... 1, ) == 0x0
 03127   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 92340224, 1048576, ) == 0x0
 03128   896   NtAllocateVirtualMemory  (-1, 93380608, 0, 8192, 4096, 4, ...
 03129   968   NtTestAlert  (... ) == 0x0
 03130   968   NtContinue  (92339504, 1, ...
 03131   968   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03132   968   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03128   896   NtAllocateVirtualMemory  ... 93380608, 8192, ) == 0x0
 03133   896   NtProtectVirtualMemory  (-1, (0x590e000), 4096, 260, ... (0x590e000), 4096, 4, ) == 0x0
 03134   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 564, {1252, 1688}, ) == 0x0
 03135   896   NtQueryInformationThread  (564, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1252,Tid=1688,}, 0x0, ) == 0x0
 03136   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81996, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\4\0\0\230\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\4\0\0\230\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81997, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\4\0\0\230\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\4\0\0\230\6\0\0" )  ) == 0x0
 03137   896   NtResumeThread  (564, ... 1, ) == 0x0
 03138  1688   NtAllocateVirtualMemory  (-1, 3633152, 0, 4096, 4096, 4, ... 3633152, 4096, ) == 0x0
 03139  1688   NtTestAlert  (... ) == 0x0
 03140  1688   NtContinue  (93388080, 1, ...
 03141  1688   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03142  1688   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03143   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 93388800, 1048576, ) == 0x0
 03144   896   NtAllocateVirtualMemory  (-1, 94429184, 0, 8192, 4096, 4, ... 94429184, 8192, ) == 0x0
 03145   896   NtProtectVirtualMemory  (-1, (0x5a0e000), 4096, 260, ... (0x5a0e000), 4096, 4, ) == 0x0
 03146   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 568, {1252, 1584}, ) == 0x0
 03147   896   NtQueryInformationThread  (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1252,Tid=1584,}, 0x0, ) == 0x0
 03148   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81997, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\00\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\00\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81998, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\00\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\00\6\0\0" )  ) == 0x0
 03149   896   NtResumeThread  (568, ... 1, ) == 0x0
 03150   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 94437376, 1048576, ) == 0x0
 03151   896   NtAllocateVirtualMemory  (-1, 95477760, 0, 8192, 4096, 4, ...
 03152  1584   NtTestAlert  (... ) == 0x0
 03153  1584   NtContinue  (94436656, 1, ...
 03154  1584   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03155  1584   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03151   896   NtAllocateVirtualMemory  ... 95477760, 8192, ) == 0x0
 03156   896   NtProtectVirtualMemory  (-1, (0x5b0e000), 4096, 260, ... (0x5b0e000), 4096, 4, ) == 0x0
 03157   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 572, {1252, 1944}, ) == 0x0
 03158   896   NtQueryInformationThread  (572, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1252,Tid=1944,}, 0x0, ) == 0x0
 03159   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81998, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\344\4\0\0\230\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\344\4\0\0\230\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81999, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\344\4\0\0\230\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\344\4\0\0\230\7\0\0" )  ) == 0x0
 03160   896   NtResumeThread  (572, ... 1, ) == 0x0
 03161  1944   NtTestAlert  (... ) == 0x0
 03162  1944   NtContinue  (95485232, 1, ...
 03163  1944   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03164  1944   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03165   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 95485952, 1048576, ) == 0x0
 03166   896   NtAllocateVirtualMemory  (-1, 96526336, 0, 8192, 4096, 4, ... 96526336, 8192, ) == 0x0
 03167   896   NtProtectVirtualMemory  (-1, (0x5c0e000), 4096, 260, ... (0x5c0e000), 4096, 4, ) == 0x0
 03168   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 576, {1252, 148}, ) == 0x0
 03169   896   NtQueryInformationThread  (576, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1252,Tid=148,}, 0x0, ) == 0x0
 03170   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81999, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\224\0\0\0" ... {28, 56, reply, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\224\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82000, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\224\0\0\0" ... {28, 56, reply, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\224\0\0\0" )  ) == 0x0
 03171   896   NtResumeThread  (576, ... 1, ) == 0x0
 03172   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 96534528, 1048576, ) == 0x0
 03173   896   NtAllocateVirtualMemory  (-1, 97574912, 0, 8192, 4096, 4, ...
 03174   148   NtTestAlert  (... ) == 0x0
 03175   148   NtContinue  (96533808, 1, ...
 03176   148   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03177   148   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03173   896   NtAllocateVirtualMemory  ... 97574912, 8192, ) == 0x0
 03178   896   NtProtectVirtualMemory  (-1, (0x5d0e000), 4096, 260, ... (0x5d0e000), 4096, 4, ) == 0x0
 03179   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 580, {1252, 1500}, ) == 0x0
 03180   896   NtQueryInformationThread  (580, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1252,Tid=1500,}, 0x0, ) == 0x0
 03181   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82000, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\4\0\0\334\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\4\0\0\334\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82001, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\4\0\0\334\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\4\0\0\334\5\0\0" )  ) == 0x0
 03182   896   NtResumeThread  (580, ... 1, ) == 0x0
 03183  1500   NtTestAlert  (... ) == 0x0
 03184  1500   NtContinue  (97582384, 1, ...
 03185  1500   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03186  1500   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03187   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 97583104, 1048576, ) == 0x0
 03188   896   NtAllocateVirtualMemory  (-1, 98623488, 0, 8192, 4096, 4, ... 98623488, 8192, ) == 0x0
 03189   896   NtProtectVirtualMemory  (-1, (0x5e0e000), 4096, 260, ... (0x5e0e000), 4096, 4, ) == 0x0
 03190   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 584, {1252, 240}, ) == 0x0
 03191   896   NtQueryInformationThread  (584, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1252,Tid=240,}, 0x0, ) == 0x0
 03192   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82001, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0\360\0\0\0" ... {28, 56, reply, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0\360\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82002, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0\360\0\0\0" ... {28, 56, reply, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0\360\0\0\0" )  ) == 0x0
 03193   896   NtResumeThread  (584, ... 1, ) == 0x0
 03194   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 98631680, 1048576, ) == 0x0
 03195   896   NtAllocateVirtualMemory  (-1, 99672064, 0, 8192, 4096, 4, ...
 03196   240   NtTestAlert  (... ) == 0x0
 03197   240   NtContinue  (98630960, 1, ...
 03198   240   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03199   240   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03195   896   NtAllocateVirtualMemory  ... 99672064, 8192, ) == 0x0
 03200   896   NtProtectVirtualMemory  (-1, (0x5f0e000), 4096, 260, ... (0x5f0e000), 4096, 4, ) == 0x0
 03201   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 588, {1252, 2032}, ) == 0x0
 03202   896   NtQueryInformationThread  (588, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1252,Tid=2032,}, 0x0, ) == 0x0
 03203   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82002, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\4\0\0\360\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\4\0\0\360\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82003, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\4\0\0\360\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\4\0\0\360\7\0\0" )  ) == 0x0
 03204   896   NtResumeThread  (588, ... 1, ) == 0x0
 03205  2032   NtTestAlert  (... ) == 0x0
 03206  2032   NtContinue  (99679536, 1, ...
 03207  2032   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03208  2032   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03209   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 99680256, 1048576, ) == 0x0
 03210   896   NtAllocateVirtualMemory  (-1, 100720640, 0, 8192, 4096, 4, ... 100720640, 8192, ) == 0x0
 03211   896   NtProtectVirtualMemory  (-1, (0x600e000), 4096, 260, ... (0x600e000), 4096, 4, ) == 0x0
 03212   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 592, {1252, 1592}, ) == 0x0
 03213   896   NtQueryInformationThread  (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1252,Tid=1592,}, 0x0, ) == 0x0
 03214   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82003, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\08\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\08\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82004, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\08\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\08\6\0\0" )  ) == 0x0
 03215   896   NtResumeThread  (592, ... 1, ) == 0x0
 03216   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 100728832, 1048576, ) == 0x0
 03217   896   NtAllocateVirtualMemory  (-1, 101769216, 0, 8192, 4096, 4, ...
 03218  1592   NtTestAlert  (... ) == 0x0
 03219  1592   NtContinue  (100728112, 1, ...
 03220  1592   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03221  1592   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03217   896   NtAllocateVirtualMemory  ... 101769216, 8192, ) == 0x0
 03222   896   NtProtectVirtualMemory  (-1, (0x610e000), 4096, 260, ... (0x610e000), 4096, 4, ) == 0x0
 03223   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 596, {1252, 496}, ) == 0x0
 03224   896   NtQueryInformationThread  (596, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1252,Tid=496,}, 0x0, ) == 0x0
 03225   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82004, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0\360\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0\360\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82005, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0\360\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0\360\1\0\0" )  ) == 0x0
 03226   896   NtResumeThread  (596, ... 1, ) == 0x0
 03227   496   NtTestAlert  (... ) == 0x0
 03228   496   NtContinue  (101776688, 1, ...
 03229   496   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03230   496   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03231   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 101777408, 1048576, ) == 0x0
 03232   896   NtAllocateVirtualMemory  (-1, 102817792, 0, 8192, 4096, 4, ... 102817792, 8192, ) == 0x0
 03233   896   NtProtectVirtualMemory  (-1, (0x620e000), 4096, 260, ... (0x620e000), 4096, 4, ) == 0x0
 03234   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 600, {1252, 476}, ) == 0x0
 03235   896   NtQueryInformationThread  (600, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1252,Tid=476,}, 0x0, ) == 0x0
 03236   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82005, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\334\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\334\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82006, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\334\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\334\1\0\0" )  ) == 0x0
 03237   896   NtResumeThread  (600, ... 1, ) == 0x0
 03238   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 102825984, 1048576, ) == 0x0
 03239   896   NtAllocateVirtualMemory  (-1, 103866368, 0, 8192, 4096, 4, ...
 03240   476   NtTestAlert  (... ) == 0x0
 03241   476   NtContinue  (102825264, 1, ...
 03242   476   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03243   476   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03239   896   NtAllocateVirtualMemory  ... 103866368, 8192, ) == 0x0
 03244   896   NtProtectVirtualMemory  (-1, (0x630e000), 4096, 260, ... (0x630e000), 4096, 4, ) == 0x0
 03245   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {1252, 1404}, ) == 0x0
 03246   896   NtQueryInformationThread  (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1252,Tid=1404,}, 0x0, ) == 0x0
 03247   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82006, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\0|\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\0|\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82007, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\0|\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\0|\5\0\0" )  ) == 0x0
 03248   896   NtResumeThread  (604, ... 1, ) == 0x0
 03249  1404   NtTestAlert  (... ) == 0x0
 03250  1404   NtContinue  (103873840, 1, ...
 03251  1404   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03252  1404   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03253   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 103874560, 1048576, ) == 0x0
 03254   896   NtAllocateVirtualMemory  (-1, 104914944, 0, 8192, 4096, 4, ... 104914944, 8192, ) == 0x0
 03255   896   NtProtectVirtualMemory  (-1, (0x640e000), 4096, 260, ... (0x640e000), 4096, 4, ) == 0x0
 03256   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 608, {1252, 1744}, ) == 0x0
 03257   896   NtQueryInformationThread  (608, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1252,Tid=1744,}, 0x0, ) == 0x0
 03258   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82007, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\0\320\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\0\320\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82008, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\0\320\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\0\320\6\0\0" )  ) == 0x0
 03259   896   NtResumeThread  (608, ... 1, ) == 0x0
 03260   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 104923136, 1048576, ) == 0x0
 03261   896   NtAllocateVirtualMemory  (-1, 105963520, 0, 8192, 4096, 4, ...
 03262  1744   NtTestAlert  (... ) == 0x0
 03263  1744   NtContinue  (104922416, 1, ...
 03264  1744   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03265  1744   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03261   896   NtAllocateVirtualMemory  ... 105963520, 8192, ) == 0x0
 03266   896   NtProtectVirtualMemory  (-1, (0x650e000), 4096, 260, ... (0x650e000), 4096, 4, ) == 0x0
 03267   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 612, {1252, 336}, ) == 0x0
 03268   896   NtQueryInformationThread  (612, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=1252,Tid=336,}, 0x0, ) == 0x0
 03269   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82008, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0P\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0P\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82009, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0P\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0P\1\0\0" )  ) == 0x0
 03270   896   NtResumeThread  (612, ... 1, ) == 0x0
 03271   336   NtTestAlert  (... ) == 0x0
 03272   336   NtContinue  (105970992, 1, ...
 03273   336   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03274   336   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03275   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 105971712, 1048576, ) == 0x0
 03276   896   NtAllocateVirtualMemory  (-1, 107012096, 0, 8192, 4096, 4, ... 107012096, 8192, ) == 0x0
 03277   896   NtProtectVirtualMemory  (-1, (0x660e000), 4096, 260, ... (0x660e000), 4096, 4, ) == 0x0
 03278   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {1252, 1128}, ) == 0x0
 03279   896   NtQueryInformationThread  (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=1252,Tid=1128,}, 0x0, ) == 0x0
 03280   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82009, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0h\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0h\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82010, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0h\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0h\4\0\0" )  ) == 0x0
 03281   896   NtResumeThread  (616, ... 1, ) == 0x0
 03282   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 107020288, 1048576, ) == 0x0
 03283   896   NtAllocateVirtualMemory  (-1, 108060672, 0, 8192, 4096, 4, ...
 03284  1128   NtTestAlert  (... ) == 0x0
 03285  1128   NtContinue  (107019568, 1, ...
 03286  1128   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03287  1128   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03283   896   NtAllocateVirtualMemory  ... 108060672, 8192, ) == 0x0
 03288   896   NtProtectVirtualMemory  (-1, (0x670e000), 4096, 260, ... (0x670e000), 4096, 4, ) == 0x0
 03289   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 620, {1252, 1924}, ) == 0x0
 03290   896   NtQueryInformationThread  (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=1252,Tid=1924,}, 0x0, ) == 0x0
 03291   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82010, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0\204\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0\204\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82011, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0\204\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0\204\7\0\0" )  ) == 0x0
 03292   896   NtResumeThread  (620, ... 1, ) == 0x0
 03293  1924   NtTestAlert  (... ) == 0x0
 03294  1924   NtContinue  (108068144, 1, ...
 03295  1924   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03296  1924   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03297   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 108068864, 1048576, ) == 0x0
 03298   896   NtAllocateVirtualMemory  (-1, 109109248, 0, 8192, 4096, 4, ... 109109248, 8192, ) == 0x0
 03299   896   NtProtectVirtualMemory  (-1, (0x680e000), 4096, 260, ... (0x680e000), 4096, 4, ) == 0x0
 03300   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 624, {1252, 2040}, ) == 0x0
 03301   896   NtQueryInformationThread  (624, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=1252,Tid=2040,}, 0x0, ) == 0x0
 03302   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82011, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\370\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\370\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82012, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\370\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\370\7\0\0" )  ) == 0x0
 03303   896   NtResumeThread  (624, ... 1, ) == 0x0
 03304   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 109117440, 1048576, ) == 0x0
 03305   896   NtAllocateVirtualMemory  (-1, 110157824, 0, 8192, 4096, 4, ...
 03306  2040   NtTestAlert  (... ) == 0x0
 03307  2040   NtContinue  (109116720, 1, ...
 03308  2040   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03309  2040   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03305   896   NtAllocateVirtualMemory  ... 110157824, 8192, ) == 0x0
 03310   896   NtProtectVirtualMemory  (-1, (0x690e000), 4096, 260, ... (0x690e000), 4096, 4, ) == 0x0
 03311   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {1252, 1524}, ) == 0x0
 03312   896   NtQueryInformationThread  (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=1252,Tid=1524,}, 0x0, ) == 0x0
 03313   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82012, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\4\0\0\364\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\4\0\0\364\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82013, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\4\0\0\364\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\4\0\0\364\5\0\0" )  ) == 0x0
 03314   896   NtResumeThread  (628, ... 1, ) == 0x0
 03315  1524   NtTestAlert  (... ) == 0x0
 03316  1524   NtContinue  (110165296, 1, ...
 03317  1524   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03318  1524   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03319   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 110166016, 1048576, ) == 0x0
 03320   896   NtAllocateVirtualMemory  (-1, 111206400, 0, 8192, 4096, 4, ... 111206400, 8192, ) == 0x0
 03321   896   NtProtectVirtualMemory  (-1, (0x6a0e000), 4096, 260, ... (0x6a0e000), 4096, 4, ) == 0x0
 03322   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 632, {1252, 388}, ) == 0x0
 03323   896   NtQueryInformationThread  (632, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=1252,Tid=388,}, 0x0, ) == 0x0
 03324   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82013, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\204\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\204\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82014, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\204\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\204\1\0\0" )  ) == 0x0
 03325   896   NtResumeThread  (632, ... 1, ) == 0x0
 03326   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 111214592, 1048576, ) == 0x0
 03327   896   NtAllocateVirtualMemory  (-1, 112254976, 0, 8192, 4096, 4, ...
 03328   388   NtTestAlert  (... ) == 0x0
 03329   388   NtContinue  (111213872, 1, ...
 03330   388   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03331   388   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03327   896   NtAllocateVirtualMemory  ... 112254976, 8192, ) == 0x0
 03332   896   NtProtectVirtualMemory  (-1, (0x6b0e000), 4096, 260, ... (0x6b0e000), 4096, 4, ) == 0x0
 03333   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 636, {1252, 1020}, ) == 0x0
 03334   896   NtQueryInformationThread  (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=1252,Tid=1020,}, 0x0, ) == 0x0
 03335   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82014, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\4\0\0\374\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\4\0\0\374\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82015, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\4\0\0\374\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\4\0\0\374\3\0\0" )  ) == 0x0
 03336   896   NtResumeThread  (636, ... 1, ) == 0x0
 03337  1020   NtTestAlert  (... ) == 0x0
 03338  1020   NtContinue  (112262448, 1, ...
 03339  1020   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03340  1020   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03341   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 112263168, 1048576, ) == 0x0
 03342   896   NtAllocateVirtualMemory  (-1, 113303552, 0, 8192, 4096, 4, ... 113303552, 8192, ) == 0x0
 03343   896   NtProtectVirtualMemory  (-1, (0x6c0e000), 4096, 260, ... (0x6c0e000), 4096, 4, ) == 0x0
 03344   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 640, {1252, 1804}, ) == 0x0
 03345   896   NtQueryInformationThread  (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=1252,Tid=1804,}, 0x0, ) == 0x0
 03346   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82015, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\14\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\14\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82016, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\14\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\14\7\0\0" )  ) == 0x0
 03347   896   NtResumeThread  (640, ... 1, ) == 0x0
 03348   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 113311744, 1048576, ) == 0x0
 03349   896   NtAllocateVirtualMemory  (-1, 114352128, 0, 8192, 4096, 4, ...
 03350  1804   NtTestAlert  (... ) == 0x0
 03351  1804   NtContinue  (113311024, 1, ...
 03352  1804   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03353  1804   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03349   896   NtAllocateVirtualMemory  ... 114352128, 8192, ) == 0x0
 03354   896   NtProtectVirtualMemory  (-1, (0x6d0e000), 4096, 260, ... (0x6d0e000), 4096, 4, ) == 0x0
 03355   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 644, {1252, 1644}, ) == 0x0
 03356   896   NtQueryInformationThread  (644, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=1252,Tid=1644,}, 0x0, ) == 0x0
 03357   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82016, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0l\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0l\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82017, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0l\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0l\6\0\0" )  ) == 0x0
 03358   896   NtResumeThread  (644, ... 1, ) == 0x0
 03359  1644   NtTestAlert  (... ) == 0x0
 03360  1644   NtContinue  (114359600, 1, ...
 03361  1644   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03362  1644   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03363   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 114360320, 1048576, ) == 0x0
 03364   896   NtAllocateVirtualMemory  (-1, 115400704, 0, 8192, 4096, 4, ... 115400704, 8192, ) == 0x0
 03365   896   NtProtectVirtualMemory  (-1, (0x6e0e000), 4096, 260, ... (0x6e0e000), 4096, 4, ) == 0x0
 03366   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {1252, 1124}, ) == 0x0
 03367   896   NtQueryInformationThread  (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=1252,Tid=1124,}, 0x0, ) == 0x0
 03368   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82017, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\0d\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\0d\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82018, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\0d\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\0d\4\0\0" )  ) == 0x0
 03369   896   NtResumeThread  (648, ... 1, ) == 0x0
 03370   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 115408896, 1048576, ) == 0x0
 03371   896   NtAllocateVirtualMemory  (-1, 116449280, 0, 8192, 4096, 4, ...
 03372  1124   NtTestAlert  (... ) == 0x0
 03373  1124   NtContinue  (115408176, 1, ...
 03374  1124   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03375  1124   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03371   896   NtAllocateVirtualMemory  ... 116449280, 8192, ) == 0x0
 03376   896   NtProtectVirtualMemory  (-1, (0x6f0e000), 4096, 260, ... (0x6f0e000), 4096, 4, ) == 0x0
 03377   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 652, {1252, 776}, ) == 0x0
 03378   896   NtQueryInformationThread  (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=1252,Tid=776,}, 0x0, ) == 0x0
 03379   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82018, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0\10\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0\10\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82019, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0\10\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0\10\3\0\0" )  ) == 0x0
 03380   896   NtResumeThread  (652, ... 1, ) == 0x0
 03381   776   NtTestAlert  (... ) == 0x0
 03382   776   NtContinue  (116456752, 1, ...
 03383   776   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03384   776   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03385   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 116457472, 1048576, ) == 0x0
 03386   896   NtAllocateVirtualMemory  (-1, 117497856, 0, 8192, 4096, 4, ... 117497856, 8192, ) == 0x0
 03387   896   NtProtectVirtualMemory  (-1, (0x700e000), 4096, 260, ... (0x700e000), 4096, 4, ) == 0x0
 03388   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {1252, 1692}, ) == 0x0
 03389   896   NtQueryInformationThread  (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=1252,Tid=1692,}, 0x0, ) == 0x0
 03390   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82019, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\234\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\234\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82020, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\234\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\234\6\0\0" )  ) == 0x0
 03391   896   NtResumeThread  (656, ... 1, ) == 0x0
 03392   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 117506048, 1048576, ) == 0x0
 03393   896   NtAllocateVirtualMemory  (-1, 118546432, 0, 8192, 4096, 4, ...
 03394  1692   NtTestAlert  (... ) == 0x0
 03395  1692   NtContinue  (117505328, 1, ...
 03396  1692   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03397  1692   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03393   896   NtAllocateVirtualMemory  ... 118546432, 8192, ) == 0x0
 03398   896   NtProtectVirtualMemory  (-1, (0x710e000), 4096, 260, ... (0x710e000), 4096, 4, ) == 0x0
 03399   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {1252, 1392}, ) == 0x0
 03400   896   NtQueryInformationThread  (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=1252,Tid=1392,}, 0x0, ) == 0x0
 03401   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82020, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0p\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0p\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82021, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0p\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0p\5\0\0" )  ) == 0x0
 03402   896   NtResumeThread  (660, ... 1, ) == 0x0
 03403  1392   NtTestAlert  (... ) == 0x0
 03404  1392   NtContinue  (118553904, 1, ...
 03405  1392   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03406  1392   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03407   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 118554624, 1048576, ) == 0x0
 03408   896   NtAllocateVirtualMemory  (-1, 119595008, 0, 8192, 4096, 4, ... 119595008, 8192, ) == 0x0
 03409   896   NtProtectVirtualMemory  (-1, (0x720e000), 4096, 260, ... (0x720e000), 4096, 4, ) == 0x0
 03410   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {1252, 1176}, ) == 0x0
 03411   896   NtQueryInformationThread  (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=1252,Tid=1176,}, 0x0, ) == 0x0
 03412   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82021, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0\230\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0\230\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82022, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0\230\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0\230\4\0\0" )  ) == 0x0
 03413   896   NtResumeThread  (664, ... 1, ) == 0x0
 03414   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 119603200, 1048576, ) == 0x0
 03415   896   NtAllocateVirtualMemory  (-1, 120643584, 0, 8192, 4096, 4, ...
 03416  1176   NtTestAlert  (... ) == 0x0
 03417  1176   NtContinue  (119602480, 1, ...
 03418  1176   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03419  1176   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03415   896   NtAllocateVirtualMemory  ... 120643584, 8192, ) == 0x0
 03420   896   NtProtectVirtualMemory  (-1, (0x730e000), 4096, 260, ... (0x730e000), 4096, 4, ) == 0x0
 03421   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1252, 1828}, ) == 0x0
 03422   896   NtQueryInformationThread  (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=1252,Tid=1828,}, 0x0, ) == 0x0
 03423   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82022, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\0$\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\0$\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82023, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\0$\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\0$\7\0\0" )  ) == 0x0
 03424   896   NtResumeThread  (668, ... 1, ) == 0x0
 03425  1828   NtTestAlert  (... ) == 0x0
 03426  1828   NtContinue  (120651056, 1, ...
 03427  1828   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03428  1828   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03429   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 120651776, 1048576, ) == 0x0
 03430   896   NtAllocateVirtualMemory  (-1, 121692160, 0, 8192, 4096, 4, ... 121692160, 8192, ) == 0x0
 03431   896   NtProtectVirtualMemory  (-1, (0x740e000), 4096, 260, ... (0x740e000), 4096, 4, ) == 0x0
 03432   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1252, 1544}, ) == 0x0
 03433   896   NtQueryInformationThread  (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=1252,Tid=1544,}, 0x0, ) == 0x0
 03434   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82023, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0\10\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0\10\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82024, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0\10\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0\10\6\0\0" )  ) == 0x0
 03435   896   NtResumeThread  (672, ... 1, ) == 0x0
 03436   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 121700352, 1048576, ) == 0x0
 03437   896   NtAllocateVirtualMemory  (-1, 122740736, 0, 8192, 4096, 4, ...
 03438  1544   NtTestAlert  (... ) == 0x0
 03439  1544   NtContinue  (121699632, 1, ...
 03440  1544   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03441  1544   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03437   896   NtAllocateVirtualMemory  ... 122740736, 8192, ) == 0x0
 03442   896   NtProtectVirtualMemory  (-1, (0x750e000), 4096, 260, ... (0x750e000), 4096, 4, ) == 0x0
 03443   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1252, 1548}, ) == 0x0
 03444   896   NtQueryInformationThread  (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=1252,Tid=1548,}, 0x0, ) == 0x0
 03445   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82024, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0\14\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0\14\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82025, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0\14\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0\14\6\0\0" )  ) == 0x0
 03446   896   NtResumeThread  (676, ... 1, ) == 0x0
 03447  1548   NtAllocateVirtualMemory  (-1, 3637248, 0, 4096, 4096, 4, ... 3637248, 4096, ) == 0x0
 03448  1548   NtTestAlert  (... ) == 0x0
 03449  1548   NtContinue  (122748208, 1, ...
 03450  1548   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03451  1548   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03452   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 122748928, 1048576, ) == 0x0
 03453   896   NtAllocateVirtualMemory  (-1, 123789312, 0, 8192, 4096, 4, ... 123789312, 8192, ) == 0x0
 03454   896   NtProtectVirtualMemory  (-1, (0x760e000), 4096, 260, ... (0x760e000), 4096, 4, ) == 0x0
 03455   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1252, 1540}, ) == 0x0
 03456   896   NtQueryInformationThread  (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=1252,Tid=1540,}, 0x0, ) == 0x0
 03457   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82025, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\4\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\4\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82026, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\4\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\4\6\0\0" )  ) == 0x0
 03458   896   NtResumeThread  (680, ... 1, ) == 0x0
 03459   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 123797504, 1048576, ) == 0x0
 03460   896   NtAllocateVirtualMemory  (-1, 124837888, 0, 8192, 4096, 4, ...
 03461  1540   NtTestAlert  (... ) == 0x0
 03462  1540   NtContinue  (123796784, 1, ...
 03463  1540   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03464  1540   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03460   896   NtAllocateVirtualMemory  ... 124837888, 8192, ) == 0x0
 03465   896   NtProtectVirtualMemory  (-1, (0x770e000), 4096, 260, ... (0x770e000), 4096, 4, ) == 0x0
 03466   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1252, 420}, ) == 0x0
 03467   896   NtQueryInformationThread  (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=1252,Tid=420,}, 0x0, ) == 0x0
 03468   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82026, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0\244\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0\244\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82027, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0\244\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0\244\1\0\0" )  ) == 0x0
 03469   896   NtResumeThread  (684, ... 1, ) == 0x0
 03470   420   NtTestAlert  (... ) == 0x0
 03471   420   NtContinue  (124845360, 1, ...
 03472   420   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03473   420   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03474   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 124846080, 1048576, ) == 0x0
 03475   896   NtAllocateVirtualMemory  (-1, 125886464, 0, 8192, 4096, 4, ... 125886464, 8192, ) == 0x0
 03476   896   NtProtectVirtualMemory  (-1, (0x780e000), 4096, 260, ... (0x780e000), 4096, 4, ) == 0x0
 03477   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1252, 2012}, ) == 0x0
 03478   896   NtQueryInformationThread  (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=1252,Tid=2012,}, 0x0, ) == 0x0
 03479   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82027, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\334\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\334\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82028, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\334\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\334\7\0\0" )  ) == 0x0
 03480   896   NtResumeThread  (688, ... 1, ) == 0x0
 03481   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 125894656, 1048576, ) == 0x0
 03482   896   NtAllocateVirtualMemory  (-1, 126935040, 0, 8192, 4096, 4, ...
 03483  2012   NtTestAlert  (... ) == 0x0
 03484  2012   NtContinue  (125893936, 1, ...
 03485  2012   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03486  2012   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03482   896   NtAllocateVirtualMemory  ... 126935040, 8192, ) == 0x0
 03487   896   NtProtectVirtualMemory  (-1, (0x790e000), 4096, 260, ... (0x790e000), 4096, 4, ) == 0x0
 03488   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1252, 1168}, ) == 0x0
 03489   896   NtQueryInformationThread  (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=1252,Tid=1168,}, 0x0, ) == 0x0
 03490   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82028, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\220\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82029, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\220\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\220\4\0\0" )  ) == 0x0
 03491   896   NtResumeThread  (692, ... 1, ) == 0x0
 03492  1168   NtTestAlert  (... ) == 0x0
 03493  1168   NtContinue  (126942512, 1, ...
 03494  1168   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03495  1168   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03496   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 126943232, 1048576, ) == 0x0
 03497   896   NtAllocateVirtualMemory  (-1, 127983616, 0, 8192, 4096, 4, ... 127983616, 8192, ) == 0x0
 03498   896   NtProtectVirtualMemory  (-1, (0x7a0e000), 4096, 260, ... (0x7a0e000), 4096, 4, ) == 0x0
 03499   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {1252, 928}, ) == 0x0
 03500   896   NtQueryInformationThread  (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff43000,Pid=1252,Tid=928,}, 0x0, ) == 0x0
 03501   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82029, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\240\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\240\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82030, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\240\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\240\3\0\0" )  ) == 0x0
 03502   896   NtResumeThread  (696, ... 1, ) == 0x0
 03503   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 127991808, 1048576, ) == 0x0
 03504   896   NtAllocateVirtualMemory  (-1, 129032192, 0, 8192, 4096, 4, ...
 03505   928   NtTestAlert  (... ) == 0x0
 03506   928   NtContinue  (127991088, 1, ...
 03507   928   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03508   928   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03504   896   NtAllocateVirtualMemory  ... 129032192, 8192, ) == 0x0
 03509   896   NtProtectVirtualMemory  (-1, (0x7b0e000), 4096, 260, ... (0x7b0e000), 4096, 4, ) == 0x0
 03510   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {1252, 900}, ) == 0x0
 03511   896   NtQueryInformationThread  (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff42000,Pid=1252,Tid=900,}, 0x0, ) == 0x0
 03512   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82030, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\204\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\204\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82031, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\204\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\204\3\0\0" )  ) == 0x0
 03513   896   NtResumeThread  (700, ... 1, ) == 0x0
 03514   900   NtTestAlert  (... ) == 0x0
 03515   900   NtContinue  (129039664, 1, ...
 03516   900   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03517   900   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03518   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 129040384, 1048576, ) == 0x0
 03519   896   NtAllocateVirtualMemory  (-1, 130080768, 0, 8192, 4096, 4, ... 130080768, 8192, ) == 0x0
 03520   896   NtProtectVirtualMemory  (-1, (0x7c0e000), 4096, 260, ... (0x7c0e000), 4096, 4, ) == 0x0
 03521   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1252, 1388}, ) == 0x0
 03522   896   NtQueryInformationThread  (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff41000,Pid=1252,Tid=1388,}, 0x0, ) == 0x0
 03523   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82031, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0l\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82032, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0l\5\0\0" )  ) == 0x0
 03524   896   NtResumeThread  (704, ... 1, ) == 0x0
 03525   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 130088960, 1048576, ) == 0x0
 03526   896   NtAllocateVirtualMemory  (-1, 131129344, 0, 8192, 4096, 4, ...
 03527  1388   NtTestAlert  (... ) == 0x0
 03528  1388   NtContinue  (130088240, 1, ...
 03529  1388   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03530  1388   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03526   896   NtAllocateVirtualMemory  ... 131129344, 8192, ) == 0x0
 03531   896   NtProtectVirtualMemory  (-1, (0x7d0e000), 4096, 260, ... (0x7d0e000), 4096, 4, ) == 0x0
 03532   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1252, 1948}, ) == 0x0
 03533   896   NtQueryInformationThread  (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff40000,Pid=1252,Tid=1948,}, 0x0, ) == 0x0
 03534   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82032, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\234\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\234\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82033, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\234\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\234\7\0\0" )  ) == 0x0
 03535   896   NtResumeThread  (708, ... 1, ) == 0x0
 03536  1948   NtTestAlert  (... ) == 0x0
 03537  1948   NtContinue  (131136816, 1, ...
 03538  1948   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03539  1948   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03540   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 131137536, 1048576, ) == 0x0
 03541   896   NtAllocateVirtualMemory  (-1, 132177920, 0, 8192, 4096, 4, ... 132177920, 8192, ) == 0x0
 03542   896   NtProtectVirtualMemory  (-1, (0x7e0e000), 4096, 260, ... (0x7e0e000), 4096, 4, ) == 0x0
 03543   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1252, 1708}, ) == 0x0
 03544   896   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3f000,Pid=1252,Tid=1708,}, 0x0, ) == 0x0
 03545   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82033, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\254\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\254\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82034, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\254\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\254\6\0\0" )  ) == 0x0
 03546   896   NtResumeThread  (712, ... 1, ) == 0x0
 03547   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 132186112, 1048576, ) == 0x0
 03548   896   NtAllocateVirtualMemory  (-1, 133226496, 0, 8192, 4096, 4, ...
 03549  1708   NtTestAlert  (... ) == 0x0
 03550  1708   NtContinue  (132185392, 1, ...
 03551  1708   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03552  1708   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03548   896   NtAllocateVirtualMemory  ... 133226496, 8192, ) == 0x0
 03553   896   NtProtectVirtualMemory  (-1, (0x7f0e000), 4096, 260, ... (0x7f0e000), 4096, 4, ) == 0x0
 03554   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1252, 1324}, ) == 0x0
 03555   896   NtQueryInformationThread  (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3e000,Pid=1252,Tid=1324,}, 0x0, ) == 0x0
 03556   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82034, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0,\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0,\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82035, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0,\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0,\5\0\0" )  ) == 0x0
 03557   896   NtResumeThread  (716, ... 1, ) == 0x0
 03558  1324   NtTestAlert  (... ) == 0x0
 03559  1324   NtContinue  (133233968, 1, ...
 03560  1324   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03561  1324   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03562   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 133234688, 1048576, ) == 0x0
 03563   896   NtAllocateVirtualMemory  (-1, 134275072, 0, 8192, 4096, 4, ... 134275072, 8192, ) == 0x0
 03564   896   NtProtectVirtualMemory  (-1, (0x800e000), 4096, 260, ... (0x800e000), 4096, 4, ) == 0x0
 03565   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1252, 248}, ) == 0x0
 03566   896   NtQueryInformationThread  (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3d000,Pid=1252,Tid=248,}, 0x0, ) == 0x0
 03567   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82035, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\370\0\0\0" ... {28, 56, reply, 0, 1252, 896, 82036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\370\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82036, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\370\0\0\0" ... {28, 56, reply, 0, 1252, 896, 82036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\370\0\0\0" )  ) == 0x0
 03568   896   NtResumeThread  (720, ... 1, ) == 0x0
 03569   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 134283264, 1048576, ) == 0x0
 03570   896   NtAllocateVirtualMemory  (-1, 135323648, 0, 8192, 4096, 4, ...
 03571   248   NtTestAlert  (... ) == 0x0
 03572   248   NtContinue  (134282544, 1, ...
 03573   248   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03574   248   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03570   896   NtAllocateVirtualMemory  ... 135323648, 8192, ) == 0x0
 03575   896   NtProtectVirtualMemory  (-1, (0x810e000), 4096, 260, ... (0x810e000), 4096, 4, ) == 0x0
 03576   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1252, 1676}, ) == 0x0
 03577   896   NtQueryInformationThread  (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3c000,Pid=1252,Tid=1676,}, 0x0, ) == 0x0
 03578   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82036, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0\214\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0\214\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82037, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0\214\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0\214\6\0\0" )  ) == 0x0
 03579   896   NtResumeThread  (724, ... 1, ) == 0x0
 03580  1676   NtTestAlert  (... ) == 0x0
 03581  1676   NtContinue  (135331120, 1, ...
 03582  1676   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03583  1676   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03584   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 135331840, 1048576, ) == 0x0
 03585   896   NtAllocateVirtualMemory  (-1, 136372224, 0, 8192, 4096, 4, ... 136372224, 8192, ) == 0x0
 03586   896   NtProtectVirtualMemory  (-1, (0x820e000), 4096, 260, ... (0x820e000), 4096, 4, ) == 0x0
 03587   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {1252, 1588}, ) == 0x0
 03588   896   NtQueryInformationThread  (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3b000,Pid=1252,Tid=1588,}, 0x0, ) == 0x0
 03589   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82037, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\04\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\04\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82038, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\04\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\04\6\0\0" )  ) == 0x0
 03590   896   NtResumeThread  (728, ... 1, ) == 0x0
 03591   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 136380416, 1048576, ) == 0x0
 03592   896   NtAllocateVirtualMemory  (-1, 137420800, 0, 8192, 4096, 4, ...
 03593  1588   NtTestAlert  (... ) == 0x0
 03594  1588   NtContinue  (136379696, 1, ...
 03595  1588   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03596  1588   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03592   896   NtAllocateVirtualMemory  ... 137420800, 8192, ) == 0x0
 03597   896   NtProtectVirtualMemory  (-1, (0x830e000), 4096, 260, ... (0x830e000), 4096, 4, ) == 0x0
 03598   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {1252, 1376}, ) == 0x0
 03599   896   NtQueryInformationThread  (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3a000,Pid=1252,Tid=1376,}, 0x0, ) == 0x0
 03600   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82038, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0`\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0`\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82039, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0`\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0`\5\0\0" )  ) == 0x0
 03601   896   NtResumeThread  (732, ... 1, ) == 0x0
 03602  1376   NtTestAlert  (... ) == 0x0
 03603  1376   NtContinue  (137428272, 1, ...
 03604  1376   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03605  1376   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03606   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 137428992, 1048576, ) == 0x0
 03607   896   NtAllocateVirtualMemory  (-1, 138469376, 0, 8192, 4096, 4, ... 138469376, 8192, ) == 0x0
 03608   896   NtProtectVirtualMemory  (-1, (0x840e000), 4096, 260, ... (0x840e000), 4096, 4, ) == 0x0
 03609   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 736, {1252, 1436}, ) == 0x0
 03610   896   NtQueryInformationThread  (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff39000,Pid=1252,Tid=1436,}, 0x0, ) == 0x0
 03611   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82039, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\0\234\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\0\234\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82040, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\0\234\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\0\234\5\0\0" )  ) == 0x0
 03612   896   NtResumeThread  (736, ... 1, ) == 0x0
 03613   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 138477568, 1048576, ) == 0x0
 03614   896   NtAllocateVirtualMemory  (-1, 139517952, 0, 8192, 4096, 4, ...
 03615  1436   NtTestAlert  (... ) == 0x0
 03616  1436   NtContinue  (138476848, 1, ...
 03617  1436   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03618  1436   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03614   896   NtAllocateVirtualMemory  ... 139517952, 8192, ) == 0x0
 03619   896   NtProtectVirtualMemory  (-1, (0x850e000), 4096, 260, ... (0x850e000), 4096, 4, ) == 0x0
 03620   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {1252, 1276}, ) == 0x0
 03621   896   NtQueryInformationThread  (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff38000,Pid=1252,Tid=1276,}, 0x0, ) == 0x0
 03622   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82040, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0\374\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0\374\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82041, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0\374\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0\374\4\0\0" )  ) == 0x0
 03623   896   NtResumeThread  (740, ... 1, ) == 0x0
 03624  1276   NtTestAlert  (... ) == 0x0
 03625  1276   NtContinue  (139525424, 1, ...
 03626  1276   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03627  1276   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03628   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 139526144, 1048576, ) == 0x0
 03629   896   NtAllocateVirtualMemory  (-1, 140566528, 0, 8192, 4096, 4, ... 140566528, 8192, ) == 0x0
 03630   896   NtProtectVirtualMemory  (-1, (0x860e000), 4096, 260, ... (0x860e000), 4096, 4, ) == 0x0
 03631   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {1252, 1636}, ) == 0x0
 03632   896   NtQueryInformationThread  (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff37000,Pid=1252,Tid=1636,}, 0x0, ) == 0x0
 03633   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82041, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0d\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0d\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82042, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0d\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0d\6\0\0" )  ) == 0x0
 03634   896   NtResumeThread  (744, ... 1, ) == 0x0
 03635   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 140574720, 1048576, ) == 0x0
 03636   896   NtAllocateVirtualMemory  (-1, 141615104, 0, 8192, 4096, 4, ...
 03637  1636   NtTestAlert  (... ) == 0x0
 03638  1636   NtContinue  (140574000, 1, ...
 03639  1636   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03640  1636   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03636   896   NtAllocateVirtualMemory  ... 141615104, 8192, ) == 0x0
 03641   896   NtProtectVirtualMemory  (-1, (0x870e000), 4096, 260, ... (0x870e000), 4096, 4, ) == 0x0
 03642   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 748, {1252, 1152}, ) == 0x0
 03643   896   NtQueryInformationThread  (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff36000,Pid=1252,Tid=1152,}, 0x0, ) == 0x0
 03644   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82042, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\200\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\200\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82043, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\200\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\200\4\0\0" )  ) == 0x0
 03645   896   NtResumeThread  (748, ... 1, ) == 0x0
 03646  1152   NtTestAlert  (... ) == 0x0
 03647  1152   NtContinue  (141622576, 1, ...
 03648  1152   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03649  1152   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03650   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 141623296, 1048576, ) == 0x0
 03651   896   NtAllocateVirtualMemory  (-1, 142663680, 0, 8192, 4096, 4, ... 142663680, 8192, ) == 0x0
 03652   896   NtProtectVirtualMemory  (-1, (0x880e000), 4096, 260, ... (0x880e000), 4096, 4, ) == 0x0
 03653   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {1252, 1484}, ) == 0x0
 03654   896   NtQueryInformationThread  (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff35000,Pid=1252,Tid=1484,}, 0x0, ) == 0x0
 03655   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82043, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\314\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\314\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82044, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\314\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\314\5\0\0" )  ) == 0x0
 03656   896   NtResumeThread  (752, ... 1, ) == 0x0
 03657   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 142671872, 1048576, ) == 0x0
 03658   896   NtAllocateVirtualMemory  (-1, 143712256, 0, 8192, 4096, 4, ...
 03659  1484   NtTestAlert  (... ) == 0x0
 03660  1484   NtContinue  (142671152, 1, ...
 03661  1484   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03662  1484   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03658   896   NtAllocateVirtualMemory  ... 143712256, 8192, ) == 0x0
 03663   896   NtProtectVirtualMemory  (-1, (0x890e000), 4096, 260, ... (0x890e000), 4096, 4, ) == 0x0
 03664   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {1252, 888}, ) == 0x0
 03665   896   NtQueryInformationThread  (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff34000,Pid=1252,Tid=888,}, 0x0, ) == 0x0
 03666   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82044, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0x\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0x\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82045, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0x\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0x\3\0\0" )  ) == 0x0
 03667   896   NtResumeThread  (756, ... 1, ) == 0x0
 03668   888   NtTestAlert  (... ) == 0x0
 03669   888   NtContinue  (143719728, 1, ...
 03670   888   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03671   888   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03672   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 143720448, 1048576, ) == 0x0
 03673   896   NtAllocateVirtualMemory  (-1, 144760832, 0, 8192, 4096, 4, ... 144760832, 8192, ) == 0x0
 03674   896   NtProtectVirtualMemory  (-1, (0x8a0e000), 4096, 260, ... (0x8a0e000), 4096, 4, ) == 0x0
 03675   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {1252, 840}, ) == 0x0
 03676   896   NtQueryInformationThread  (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff33000,Pid=1252,Tid=840,}, 0x0, ) == 0x0
 03677   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82045, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0H\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0H\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82046, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0H\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0H\3\0\0" )  ) == 0x0
 03678   896   NtResumeThread  (760, ... 1, ) == 0x0
 03679   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 144769024, 1048576, ) == 0x0
 03680   896   NtAllocateVirtualMemory  (-1, 145809408, 0, 8192, 4096, 4, ...
 03681   840   NtTestAlert  (... ) == 0x0
 03682   840   NtContinue  (144768304, 1, ...
 03683   840   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03684   840   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03680   896   NtAllocateVirtualMemory  ... 145809408, 8192, ) == 0x0
 03685   896   NtProtectVirtualMemory  (-1, (0x8b0e000), 4096, 260, ... (0x8b0e000), 4096, 4, ) == 0x0
 03686   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 764, {1252, 876}, ) == 0x0
 03687   896   NtQueryInformationThread  (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff32000,Pid=1252,Tid=876,}, 0x0, ) == 0x0
 03688   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82046, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\344\4\0\0l\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\344\4\0\0l\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82047, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\344\4\0\0l\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\344\4\0\0l\3\0\0" )  ) == 0x0
 03689   896   NtResumeThread  (764, ... 1, ) == 0x0
 03690   876   NtTestAlert  (... ) == 0x0
 03691   876   NtContinue  (145816880, 1, ...
 03692   876   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03693   876   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03694   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 145817600, 1048576, ) == 0x0
 03695   896   NtAllocateVirtualMemory  (-1, 146857984, 0, 8192, 4096, 4, ... 146857984, 8192, ) == 0x0
 03696   896   NtProtectVirtualMemory  (-1, (0x8c0e000), 4096, 260, ... (0x8c0e000), 4096, 4, ) == 0x0
 03697   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 768, {1252, 860}, ) == 0x0
 03698   896   NtQueryInformationThread  (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff31000,Pid=1252,Tid=860,}, 0x0, ) == 0x0
 03699   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82047, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0\\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0\\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82048, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0\\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0\\3\0\0" )  ) == 0x0
 03700   896   NtResumeThread  (768, ... 1, ) == 0x0
 03701   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 146866176, 1048576, ) == 0x0
 03702   896   NtAllocateVirtualMemory  (-1, 147906560, 0, 8192, 4096, 4, ...
 03703   860   NtTestAlert  (... ) == 0x0
 03704   860   NtContinue  (146865456, 1, ...
 03705   860   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03706   860   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03702   896   NtAllocateVirtualMemory  ... 147906560, 8192, ) == 0x0
 03707   896   NtProtectVirtualMemory  (-1, (0x8d0e000), 4096, 260, ... (0x8d0e000), 4096, 4, ) == 0x0
 03708   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 772, {1252, 780}, ) == 0x0
 03709   896   NtQueryInformationThread  (772, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff30000,Pid=1252,Tid=780,}, 0x0, ) == 0x0
 03710   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82048, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\344\4\0\0\14\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\344\4\0\0\14\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82049, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\344\4\0\0\14\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\344\4\0\0\14\3\0\0" )  ) == 0x0
 03711   896   NtResumeThread  (772, ... 1, ) == 0x0
 03712   780   NtTestAlert  (... ) == 0x0
 03713   780   NtContinue  (147914032, 1, ...
 03714   780   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03715   780   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03716   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03717   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 776, ) == 0x0
 03718   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03719   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03720   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243192,  (0xc0100080, {24, 0, 0x40, 0, 1243192, "\??\PIPE\InitShutdown"}, 0x0, 0, 3, 1, 64, 0, 0, ... 780, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 780, {status=0x0, info=1}, ) == 0x0
 03721   896   NtSetInformationFile  (780, 1243248, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03722   896   NtSetInformationFile  (780, 1243236, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03723   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03724   896   NtWriteFile  (780, 57, 0, 0,  (780, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\300\340M\211U\15\323\21\243"\0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) \0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03725   896   NtReadFile  (780, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76},  (780, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\234(\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03726   896   NtFsControlFile  (780, 57, 0x0, 0x0, 0x11c017,  (780, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\330\376\22\0\210J", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\234(\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 30, 1024, ... {status=0x103, info=76},  (780, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\330\376\22\0\210J", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\234(\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03727   896   NtWaitForSingleObject  (57, 0, 0x0, ... ) == 0x0
 03728   896   NtClose  (776, ... ) == 0x0
 03729   896   NtClose  (780, ... ) == 0x0
 03730   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03731   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 780, ) == 0x0
 03732   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03733   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03734   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243188,  (0xc0100080, {24, 0, 0x40, 0, 1243188, "\??\PIPE\winreg"}, 0x0, 0, 3, 1, 64, 0, 0, ... 776, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 776, {status=0x0, info=1}, ) == 0x0
 03735   896   NtSetInformationFile  (776, 1243244, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03736   896   NtSetInformationFile  (776, 1243232, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03737   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03738   896   NtWriteFile  (776, 57, 0, 0,  (776, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\1\320\2143D"\3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) \3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03739   896   NtReadFile  (776, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (776, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03740   896   NtFsControlFile  (776, 57, 0x0, 0x0, 0x11c017,  (776, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\31\0\314\376\22\0\210J", 30, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 30, 1024, ... {status=0x103, info=68},  (776, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\31\0\314\376\22\0\210J", 30, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03741   896   NtWaitForSingleObject  (57, 0, 0x0, ...
 02149   504   NtOpenKey  ... 784, ) == 0x0
 03742   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03743   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03744   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ...
 02196   428   NtSetInformationThread  ... ) == 0x0
 02197  1028   NtSetInformationThread  ... ) == 0x0
 02198  1700   NtSetInformationThread  ... ) == 0x0
 02199  1740   NtSetInformationThread  ... ) == 0x0
 02310  1096   NtSetInformationThread  ... ) == 0x0
 02314  1300   NtSetInformationThread  ... ) == 0x0
 02716  1964   NtSetInformationThread  ... ) == 0x0
 02722  1624   NtSetInformationThread  ... ) == 0x0
 02735  1440   NtSetInformationThread  ... ) == 0x0
 02744  1972   NtSetInformationThread  ... ) == 0x0
 02757  1036   NtSetInformationThread  ... ) == 0x0
 02766  1664   NtSetInformationThread  ... ) == 0x0
 02779  1248   NtSetInformationThread  ... ) == 0x0
 02788  1656   NtSetInformationThread  ... ) == 0x0
 02801   760   NtSetInformationThread  ... ) == 0x0
 02810   484   NtSetInformationThread  ... ) == 0x0
 03741   896   NtWaitForSingleObject  ... ) == 0x0
 02824  1580   NtSetInformationThread  ... ) == 0x0
 02833  1756   NtSetInformationThread  ... ) == 0x0
 02846  1304   NtSetInformationThread  ... ) == 0x0
 02855  1292   NtSetInformationThread  ... ) == 0x0
 02868  1956   NtSetInformationThread  ... ) == 0x0
 02877  1556   NtSetInformationThread  ... ) == 0x0
 02890  1480   NtSetInformationThread  ... ) == 0x0
 02899  1784   NtSetInformationThread  ... ) == 0x0
 02912  1856   NtSetInformationThread  ... ) == 0x0
 02921  1604   NtSetInformationThread  ... ) == 0x0
 02934  1272   NtSetInformationThread  ... ) == 0x0
 02943  1132   NtSetInformationThread  ... ) == 0x0
 02956   184   NtSetInformationThread  ... ) == 0x0
 02965  1064   NtSetInformationThread  ... ) == 0x0
 02978  1384   NtSetInformationThread  ... ) == 0x0
 02987  1240   NtSetInformationThread  ... ) == 0x0
 03000   296   NtSetInformationThread  ... ) == 0x0
 03009   740   NtSetInformationThread  ... ) == 0x0
 03022   120   NtSetInformationThread  ... ) == 0x0
 03031  1796   NtSetInformationThread  ... ) == 0x0
 03044  1728   NtSetInformationThread  ... ) == 0x0
 03053   152   NtSetInformationThread  ... ) == 0x0
 03066   180   NtSetInformationThread  ... ) == 0x0
 03075  1904   NtSetInformationThread  ... ) == 0x0
 03088   464   NtSetInformationThread  ... ) == 0x0
 03097  1536   NtSetInformationThread  ... ) == 0x0
 03110   444   NtSetInformationThread  ... ) == 0x0
 03119  1648   NtSetInformationThread  ... ) == 0x0
 03132   968   NtSetInformationThread  ... ) == 0x0
 03142  1688   NtSetInformationThread  ... ) == 0x0
 03155  1584   NtSetInformationThread  ... ) == 0x0
 03164  1944   NtSetInformationThread  ... ) == 0x0
 03177   148   NtSetInformationThread  ... ) == 0x0
 03186  1500   NtSetInformationThread  ... ) == 0x0
 03199   240   NtSetInformationThread  ... ) == 0x0
 03208  2032   NtSetInformationThread  ... ) == 0x0
 03221  1592   NtSetInformationThread  ... ) == 0x0
 03230   496   NtSetInformationThread  ... ) == 0x0
 03243   476   NtSetInformationThread  ... ) == 0x0
 03252  1404   NtSetInformationThread  ... ) == 0x0
 03265  1744   NtSetInformationThread  ... ) == 0x0
 03274   336   NtSetInformationThread  ... ) == 0x0
 03287  1128   NtSetInformationThread  ... ) == 0x0
 03296  1924   NtSetInformationThread  ... ) == 0x0
 03309  2040   NtSetInformationThread  ... ) == 0x0
 03318  1524   NtSetInformationThread  ... ) == 0x0
 03331   388   NtSetInformationThread  ... ) == 0x0
 03340  1020   NtSetInformationThread  ... ) == 0x0
 03353  1804   NtSetInformationThread  ... ) == 0x0
 03362  1644   NtSetInformationThread  ... ) == 0x0
 03375  1124   NtSetInformationThread  ... ) == 0x0
 03384   776   NtSetInformationThread  ... ) == 0x0
 03397  1692   NtSetInformationThread  ... ) == 0x0
 03406  1392   NtSetInformationThread  ... ) == 0x0
 03419  1176   NtSetInformationThread  ... ) == 0x0
 03428  1828   NtSetInformationThread  ... ) == 0x0
 03441  1544   NtSetInformationThread  ... ) == 0x0
 03451  1548   NtSetInformationThread  ... ) == 0x0
 03464  1540   NtSetInformationThread  ... ) == 0x0
 03473   420   NtSetInformationThread  ... ) == 0x0
 03486  2012   NtSetInformationThread  ... ) == 0x0
 03495  1168   NtSetInformationThread  ... ) == 0x0
 03508   928   NtSetInformationThread  ... ) == 0x0
 03517   900   NtSetInformationThread  ... ) == 0x0
 03530  1388   NtSetInformationThread  ... ) == 0x0
 03539  1948   NtSetInformationThread  ... ) == 0x0
 03552  1708   NtSetInformationThread  ... ) == 0x0
 03561  1324   NtSetInformationThread  ... ) == 0x0
 03574   248   NtSetInformationThread  ... ) == 0x0
 03583  1676   NtSetInformationThread  ... ) == 0x0
 03596  1588   NtSetInformationThread  ... ) == 0x0
 03605  1376   NtSetInformationThread  ... ) == 0x0
 03618  1436   NtSetInformationThread  ... ) == 0x0
 03627  1276   NtSetInformationThread  ... ) == 0x0
 03640  1636   NtSetInformationThread  ... ) == 0x0
 03649  1152   NtSetInformationThread  ... ) == 0x0
 03662  1484   NtSetInformationThread  ... ) == 0x0
 03671   888   NtSetInformationThread  ... ) == 0x0
 03684   840   NtSetInformationThread  ... ) == 0x0
 03693   876   NtSetInformationThread  ... ) == 0x0
 03706   860   NtSetInformationThread  ... ) == 0x0
 03715   780   NtSetInformationThread  ... ) == 0x0
 03745   428   NtWaitForSingleObject  (252, 0, 0x0, ...
 03746  1028   NtWaitForSingleObject  (252, 0, 0x0, ...
 03747  1700   NtWaitForSingleObject  (252, 0, 0x0, ...
 03748  1740   NtWaitForSingleObject  (252, 0, 0x0, ...
 03749  1096   NtWaitForSingleObject  (252, 0, 0x0, ...
 03750  1300   NtWaitForSingleObject  (252, 0, 0x0, ...
 03751  1964   NtWaitForSingleObject  (252, 0, 0x0, ...
 03752  1624   NtWaitForSingleObject  (252, 0, 0x0, ...
 03753  1440   NtWaitForSingleObject  (252, 0, 0x0, ...
 03754  1972   NtWaitForSingleObject  (252, 0, 0x0, ...
 03755  1036   NtWaitForSingleObject  (252, 0, 0x0, ...
 03756  1664   NtWaitForSingleObject  (252, 0, 0x0, ...
 03757  1248   NtWaitForSingleObject  (252, 0, 0x0, ...
 03758  1656   NtWaitForSingleObject  (252, 0, 0x0, ...
 03759   760   NtWaitForSingleObject  (252, 0, 0x0, ...
 03760   896   NtClose  (780, ...
 03761   484   NtWaitForSingleObject  (252, 0, 0x0, ...
 03762  1580   NtWaitForSingleObject  (252, 0, 0x0, ...
 03763  1756   NtWaitForSingleObject  (252, 0, 0x0, ...
 03764  1304   NtWaitForSingleObject  (252, 0, 0x0, ...
 03765  1292   NtWaitForSingleObject  (252, 0, 0x0, ...
 03766  1956   NtWaitForSingleObject  (252, 0, 0x0, ...
 03767  1556   NtWaitForSingleObject  (252, 0, 0x0, ...
 03768  1480   NtWaitForSingleObject  (252, 0, 0x0, ...
 03769  1784   NtWaitForSingleObject  (252, 0, 0x0, ...
 03770  1856   NtWaitForSingleObject  (252, 0, 0x0, ...
 03771  1604   NtWaitForSingleObject  (252, 0, 0x0, ...
 03772  1272   NtWaitForSingleObject  (252, 0, 0x0, ...
 03773  1132   NtWaitForSingleObject  (252, 0, 0x0, ...
 03774   184   NtWaitForSingleObject  (252, 0, 0x0, ...
 03775  1064   NtWaitForSingleObject  (252, 0, 0x0, ...
 03776  1384   NtWaitForSingleObject  (252, 0, 0x0, ...
 03777  1240   NtWaitForSingleObject  (252, 0, 0x0, ...
 03778   296   NtWaitForSingleObject  (252, 0, 0x0, ...
 03779   740   NtWaitForSingleObject  (252, 0, 0x0, ...
 03780   120   NtWaitForSingleObject  (252, 0, 0x0, ...
 03781  1796   NtWaitForSingleObject  (252, 0, 0x0, ...
 03782  1728   NtWaitForSingleObject  (252, 0, 0x0, ...
 03783   152   NtWaitForSingleObject  (252, 0, 0x0, ...
 03784   180   NtWaitForSingleObject  (252, 0, 0x0, ...
 03785  1904   NtWaitForSingleObject  (252, 0, 0x0, ...
 03786   464   NtWaitForSingleObject  (252, 0, 0x0, ...
 03787  1536   NtWaitForSingleObject  (252, 0, 0x0, ...
 03788   444   NtWaitForSingleObject  (252, 0, 0x0, ...
 03789  1648   NtWaitForSingleObject  (252, 0, 0x0, ...
 03790   968   NtWaitForSingleObject  (252, 0, 0x0, ...
 03791  1688   NtWaitForSingleObject  (252, 0, 0x0, ...
 03792  1584   NtWaitForSingleObject  (252, 0, 0x0, ...
 03793  1944   NtWaitForSingleObject  (252, 0, 0x0, ...
 03794   148   NtWaitForSingleObject  (252, 0, 0x0, ...
 03795  1500   NtWaitForSingleObject  (252, 0, 0x0, ...
 03796   240   NtWaitForSingleObject  (252, 0, 0x0, ...
 03797  2032   NtWaitForSingleObject  (252, 0, 0x0, ...
 03798  1592   NtWaitForSingleObject  (252, 0, 0x0, ...
 03799   496   NtWaitForSingleObject  (252, 0, 0x0, ...
 03800   476   NtWaitForSingleObject  (252, 0, 0x0, ...
 03801  1404   NtWaitForSingleObject  (252, 0, 0x0, ...
 03802  1744   NtWaitForSingleObject  (252, 0, 0x0, ...
 03803   336   NtWaitForSingleObject  (252, 0, 0x0, ...
 03804  1128   NtWaitForSingleObject  (252, 0, 0x0, ...
 03805  1924   NtWaitForSingleObject  (252, 0, 0x0, ...
 03806  2040   NtWaitForSingleObject  (252, 0, 0x0, ...
 03807  1524   NtWaitForSingleObject  (252, 0, 0x0, ...
 03808   388   NtWaitForSingleObject  (252, 0, 0x0, ...
 03809  1020   NtWaitForSingleObject  (252, 0, 0x0, ...
 03810  1804   NtWaitForSingleObject  (252, 0, 0x0, ...
 03811  1644   NtWaitForSingleObject  (252, 0, 0x0, ...
 03812  1124   NtWaitForSingleObject  (252, 0, 0x0, ...
 03813   776   NtWaitForSingleObject  (252, 0, 0x0, ...
 03814  1692   NtWaitForSingleObject  (252, 0, 0x0, ...
 03815  1392   NtWaitForSingleObject  (252, 0, 0x0, ...
 03816  1176   NtWaitForSingleObject  (252, 0, 0x0, ...
 03817  1828   NtWaitForSingleObject  (252, 0, 0x0, ...
 03818  1544   NtWaitForSingleObject  (252, 0, 0x0, ...
 03819  1548   NtWaitForSingleObject  (252, 0, 0x0, ...
 03820  1540   NtWaitForSingleObject  (252, 0, 0x0, ...
 03821   420   NtWaitForSingleObject  (252, 0, 0x0, ...
 03822  2012   NtWaitForSingleObject  (252, 0, 0x0, ...
 03823  1168   NtWaitForSingleObject  (252, 0, 0x0, ...
 03824   928   NtWaitForSingleObject  (252, 0, 0x0, ...
 03825   900   NtWaitForSingleObject  (252, 0, 0x0, ...
 03826  1388   NtWaitForSingleObject  (252, 0, 0x0, ...
 03827  1948   NtWaitForSingleObject  (252, 0, 0x0, ...
 03828  1708   NtWaitForSingleObject  (252, 0, 0x0, ...
 03829  1324   NtWaitForSingleObject  (252, 0, 0x0, ...
 03830   248   NtWaitForSingleObject  (252, 0, 0x0, ...
 03831  1676   NtWaitForSingleObject  (252, 0, 0x0, ...
 03832  1588   NtWaitForSingleObject  (252, 0, 0x0, ...
 03833  1376   NtWaitForSingleObject  (252, 0, 0x0, ...
 03834  1436   NtWaitForSingleObject  (252, 0, 0x0, ...
 03835  1276   NtWaitForSingleObject  (252, 0, 0x0, ...
 03836  1636   NtWaitForSingleObject  (252, 0, 0x0, ...
 03837  1152   NtWaitForSingleObject  (252, 0, 0x0, ...
 03838  1484   NtWaitForSingleObject  (252, 0, 0x0, ...
 03839   888   NtWaitForSingleObject  (252, 0, 0x0, ...
 03840   840   NtWaitForSingleObject  (252, 0, 0x0, ...
 03841   876   NtWaitForSingleObject  (252, 0, 0x0, ...
 03842   860   NtWaitForSingleObject  (252, 0, 0x0, ...
 03843   780   NtWaitForSingleObject  (252, 0, 0x0, ...
 03760   896   NtClose  ... ) == 0x0
 03844   896   NtClose  (776, ... ) == 0x0
 03845   896   NtDelayExecution  (0, {-10000000, -1}, ...
 03744   504   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03846   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 776, ) }, ... 776, ) == 0x0
 03847   504   NtQueryValueKey  (776,  (776, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (776, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03848   504   NtClose  (776, ... ) == 0x0
 03849   504   NtQueryValueKey  (136,  (136, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03850   504   NtQueryValueKey  (136,  (136, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03851   504   NtQueryValueKey  (136,  (136, "IdnEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03852   504   NtQueryValueKey  (136,  (136, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03853   504   NtQueryValueKey  (136,  (136, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03854   504   NtQueryValueKey  (136,  (136, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03855   504   NtQueryValueKey  (136,  (136, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03856   504   NtQueryValueKey  (136,  (136, "DisableBasicOverClearChannel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03857   504   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03858   504   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03859   504   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03860   504   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 776, ) }, ... 776, ) == 0x0
 03861   504   NtQueryValueKey  (776,  (776, "Feature_ClientAuthCertFilter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03862   504   NtClose  (776, ... ) == 0x0
 03863   504   NtAllocateVirtualMemory  (-1, 17879040, 0, 4096, 4096, 260, ... 17879040, 4096, ) == 0x0
 03864   504   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03865   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 17886864, ... ) }, 17886864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03866   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 17886864, ... ) }, 17886864, ... ) == 0x0
 03867   504   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 5, 96, ... 776, {status=0x0, info=1}, ) }, 5, 96, ... 776, {status=0x0, info=1}, ) == 0x0
 03868   504   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 776, ... 780, ) == 0x0
 03869   504   NtQuerySection  (780, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03870   504   NtClose  (776, ... ) == 0x0
 03871   504   NtMapViewOfSection  (780, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77fe0000), 0x0, 69632, ) == 0x0
 03872   504   NtClose  (780, ... ) == 0x0
 03873   504   NtProtectVirtualMemory  (-1, (0x77fe1000), 388, 4, ... (0x77fe1000), 4096, 32, ) == 0x0
 03874   504   NtProtectVirtualMemory  (-1, (0x77fe1000), 4096, 32, ... (0x77fe1000), 4096, 4, ) == 0x0
 03875   504   NtFlushInstructionCache  (-1, 2013138944, 388, ... ) == 0x0
 03876   504   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03877   504   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 780, ) == 0x0
 03878   504   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 776, ) == 0x0
 03879   504   NtOpenEvent  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 788, ) }, ... 788, ) == 0x0
 03880   504   NtQueryEvent  (788, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0
 03881   504   NtClose  (788, ... ) == 0x0
 03882   504   NtConnectPort  ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 17888436, 140, ... 788, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 17888436, 140, ... 788, 0x0, 0x0, 256, 140, ) == 0x0
 03883   504   NtRequestWaitReplyPort  (788, {28, 52, new_msg, 0, 0, 0, 0, 0}  (788, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\300\374\24\0" ... {188, 212, reply, 0, 1252, 504, 82051, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" )  ... {188, 212, reply, 0, 1252, 504, 82051, 0}  (788, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\300\374\24\0" ... {188, 212, reply, 0, 1252, 504, 82051, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" )  ) == 0x0
 03884   504   NtQueryValueKey  (136,  (136, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03885   504   NtOpenKey  (0x9, {24, 40, 0x40, 0, 0,  (0x9, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 792, ) }, ... 792, ) == 0x0
 03886   504   NtQueryValueKey  (792,  (792, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03887   504   NtClose  (792, ... ) == 0x0
 03888   504   NtOpenKey  (0xf, {24, 40, 0x40, 0, 0,  (0xf, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 792, ) }, ... 792, ) == 0x0
 03889   504   NtOpenKey  (0xf, {24, 140, 0x40, 0, 0,  (0xf, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 796, ) }, ... 796, ) == 0x0
 03890   504   NtOpenKey  (0x9, {24, 140, 0x40, 0, 0,  (0x9, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 800, ) }, ... 800, ) == 0x0
 03891   504   NtQueryValueKey  (800,  (800, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 03892   504   NtQueryValueKey  (800,  (800, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 03893   504   NtClose  (800, ... ) == 0x0
 03894   504   NtOpenKey  (0xf, {24, 796, 0x40, 0, 0,  (0xf, {24, 796, 0x40, 0, 0, "Content"}, ... 800, ) }, ... 800, ) == 0x0
 03895   504   NtQueryValueKey  (800,  (800, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03896   504   NtOpenKey  (0xf, {24, 792, 0x40, 0, 0,  (0xf, {24, 792, 0x40, 0, 0, "Content"}, ... 804, ) }, ... 804, ) == 0x0
 03897   504   NtQueryValueKey  (804,  (804, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (804, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03898   504   NtClose  (804, ... ) == 0x0
 03899   504   NtClose  (800, ... ) == 0x0
 03900   504   NtOpenKey  (0xf, {24, 796, 0x40, 0, 0,  (0xf, {24, 796, 0x40, 0, 0, "Content"}, ... 800, ) }, ... 800, ) == 0x0
 03901   504   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 804, ) }, ... 804, ) == 0x0
 03902   504   NtMapViewOfSection  (804, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0
 03903   504   NtClose  (804, ... ) == 0x0
 03904   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03905   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03906   504   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03907   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03908   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03909   504   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03910   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03911   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03912   504   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03913   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03914   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03915   504   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03916   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03917   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03918   504   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03919   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03920   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03921   504   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03922   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03923   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03924   504   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03925   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03926   504   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03927   504   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03928   504   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03929   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "SYSTEM\Setup"}, ... 804, ) }, ... 804, ) == 0x0
 03930   504   NtQueryValueKey  (804,  (804, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (804, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03931   504   NtAllocateVirtualMemory  (-1, 17874944, 0, 4096, 4096, 260, ... 17874944, 4096, ) == 0x0
 03932   504   NtClose  (804, ... ) == 0x0
 03933   504   NtQueryDefaultUILanguage  (17883460, ...
 03934   504   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03935   504   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482764, ) == 0x0
 03936   504   NtQueryInformationToken  (-2147482764, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03937   504   NtClose  (-2147482764, ... ) == 0x0
 03938   504   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482764, ) }, ... -2147482764, ) == 0x0
 03939   504   NtOpenKey  (0x80000000, {24, -2147482764, 0x240, 0, 0,  (0x80000000, {24, -2147482764, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03940   504   NtOpenKey  (0x80000000, {24, -2147482764, 0x640, 0, 0,  (0x80000000, {24, -2147482764, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482688, ) }, ... -2147482688, ) == 0x0
 03941   504   NtQueryValueKey  (-2147482688,  (-2147482688, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03942   504   NtClose  (-2147482688, ... ) == 0x0
 03943   504   NtClose  (-2147482764, ... ) == 0x0
 03933   504   NtQueryDefaultUILanguage  ... ) == 0x0
 03944   504   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 804, {status=0x0, info=1}, ) }, 1, 96, ... 804, {status=0x0, info=1}, ) == 0x0
 03945   504   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 804, ... 808, ) == 0x0
 03946   504   NtMapViewOfSection  (808, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8d10000), 0x0, 8462336, ) == 0x0
 03947   504   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03948   504   NtAllocateVirtualMemory  (-1, 17870848, 0, 4096, 4096, 260, ... 17870848, 4096, ) == 0x0
 03949   504   NtQueryDefaultLocale  (1, 17881556, ... ) == 0x0
 03950   504   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03951   504   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 17882592, 1179817, 17882316}  (24, {128, 156, new_msg, 0, 2088850039, 17882592, 1179817, 17882316} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1$\3\0\0\377\377\377\377\0\0\0\0@ \364\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\324\341\20\1\0\0\0\0" ... {128, 156, reply, 0, 1252, 504, 82052, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1$\3\0\0\377\377\377\377\0\0\0\0@ \364\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\324\341\20\1\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 504, 82052, 0}  (24, {128, 156, new_msg, 0, 2088850039, 17882592, 1179817, 17882316} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1$\3\0\0\377\377\377\377\0\0\0\0@ \364\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\324\341\20\1\0\0\0\0" ... {128, 156, reply, 0, 1252, 504, 82052, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1$\3\0\0\377\377\377\377\0\0\0\0@ \364\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\324\341\20\1\0\0\0\0" )  ) == 0x0
 03952   504   NtClose  (804, ... ) == 0x0
 03953   504   NtClose  (808, ... ) == 0x0
 03954   504   NtUnmapViewOfSection  (-1, 0x8d10000, ... ) == 0x0
 03955   504   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03956   504   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03957   504   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03958   504   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03959   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 17880748, ... ) }, 17880748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03960   504   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03961   504   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03962   504   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03963   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 17880812, ... ) }, 17880812, ... ) == 0x0
 03964   504   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 808, {status=0x0, info=1}, ) }, 3, 33, ... 808, {status=0x0, info=1}, ) == 0x0
 03965   504   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03966   504   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 804, {status=0x0, info=1}, ) }, 5, 96, ... 804, {status=0x0, info=1}, ) == 0x0
 03967   504   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 804, ... 812, ) == 0x0
 03968   504   NtClose  (804, ... ) == 0x0
 03969   504   NtMapViewOfSection  (812, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8d10000), 0x0, 1056768, ) == 0x0
 03970   504   NtClose  (812, ... ) == 0x0
 03971   504   NtUnmapViewOfSection  (-1, 0x8d10000, ... ) == 0x0
 03972   504   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 812, {status=0x0, info=1}, ) }, 5, 96, ... 812, {status=0x0, info=1}, ) == 0x0
 03973   504   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 812, ... 804, ) == 0x0
 03974   504   NtQuerySection  (804, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03975   504   NtClose  (812, ... ) == 0x0
 03976   504   NtMapViewOfSection  (804, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 03977   504   NtClose  (804, ... ) == 0x0
 03978   504   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03979   504   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03980   504   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03981   504   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03982   504   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03983   504   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03984   504   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03985   504   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03986   504   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03987   504   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03988   504   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03989   504   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03990   504   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03991   504   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03992   504   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03993   504   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03994   504   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03995   504   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03996   504   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03997   504   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03998   504   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03999   504   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04000   504   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 17882292, ... ) , 42, 17882292, ... ) == 0x0
 04001   504   NtQueryDefaultUILanguage  (17880976, ...
 04002   504   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04003   504   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482764, ) == 0x0
 04004   504   NtQueryInformationToken  (-2147482764, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04005   504   NtClose  (-2147482764, ... ) == 0x0
 04006   504   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482764, ) }, ... -2147482764, ) == 0x0
 04007   504   NtOpenKey  (0x80000000, {24, -2147482764, 0x240, 0, 0,  (0x80000000, {24, -2147482764, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04008   504   NtOpenKey  (0x80000000, {24, -2147482764, 0x640, 0, 0,  (0x80000000, {24, -2147482764, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482688, ) }, ... -2147482688, ) == 0x0
 04009   504   NtQueryValueKey  (-2147482688,  (-2147482688, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04010   504   NtClose  (-2147482688, ... ) == 0x0
 04011   504   NtClose  (-2147482764, ... ) == 0x0
 04001   504   NtQueryDefaultUILanguage  ... ) == 0x0
 04012   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 17879816, ... ) }, 17879816, ... ) == 0x0
 04013   504   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 804, {status=0x0, info=1}, ) }, 5, 96, ... 804, {status=0x0, info=1}, ) == 0x0
 04014   504   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 804, ... 812, ) == 0x0
 04015   504   NtClose  (804, ... ) == 0x0
 04016   504   NtMapViewOfSection  (812, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 4096, ) == 0x0
 04017   504   NtClose  (812, ... ) == 0x0
 04018   504   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 04019   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 17879412, ... ) }, 17879412, ... ) == 0x0
 04020   504   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 17880156,  (0x80100080, {24, 0, 0x40, 0, 17880156, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 812, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 812, {status=0x0, info=1}, ) == 0x0
 04021   504   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 812, ... 804, ) == 0x0
 04022   504   NtClose  (812, ... ) == 0x0
 04023   504   NtMapViewOfSection  (804, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 4096, ) == 0x0
 04024   504   NtClose  (804, ... ) == 0x0
 04025   504   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 04026   504   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 804, {status=0x0, info=1}, ) }, 1, 96, ... 804, {status=0x0, info=1}, ) == 0x0
 04027   504   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 804, ... 812, ) == 0x0
 04028   504   NtMapViewOfSection  (812, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3e0000), 0x0, 4096, ) == 0x0
 04029   504   NtQueryInformationFile  (804, 17879808, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04030   504   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04031   504   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 17880108, 1179817, 17879832}  (24, {128, 156, new_msg, 0, 2088850039, 17880108, 1179817, 17879832} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1$\3\0\0,\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0 \330\20\1\0\0\0\0" ... {128, 156, reply, 0, 1252, 504, 82053, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1$\3\0\0,\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0 \330\20\1\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 504, 82053, 0}  (24, {128, 156, new_msg, 0, 2088850039, 17880108, 1179817, 17879832} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1$\3\0\0,\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0 \330\20\1\0\0\0\0" ... {128, 156, reply, 0, 1252, 504, 82053, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1$\3\0\0,\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0 \330\20\1\0\0\0\0" )  ) == 0x0
 04032   504   NtClose  (804, ... ) == 0x0
 04033   504   NtClose  (812, ... ) == 0x0
 04034   504   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 04035   504   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 04036   504   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 812, ) == 0x0
 04037   504   NtCallbackReturn  (0, 0, 0, ...
 04038   504   NtUserGetThreadState  (18, ... ) == 0x1
 04039   504   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 04040   504   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 04041   504   NtUserGetDC  (0, ... ) == 0x1010051
 04042   504   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 04043   504   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 04044   504   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 04045   504   NtUserSystemParametersInfo  (66, 12, 17881808, 0, ... ) == 0x1
 04046   504   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 04047   504   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 804, ) == 0x0
 04048   504   NtQueryInformationToken  (804, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 04049   504   NtClose  (804, ... ) == 0x0
 04050   504   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 804, ) }, ... 804, ) == 0x0
 04051   504   NtOpenProcessToken  (-1, 0x8, ... 816, ) == 0x0
 04052   504   NtAccessCheck  (1344040, 816, 0x1, 17881640, 17881692, 56, 17881672, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 04053   504   NtClose  (816, ... ) == 0x0
 04054   504   NtOpenKey  (0x20019, {24, 804, 0x40, 0, 0,  (0x20019, {24, 804, 0x40, 0, 0, "Control Panel\Desktop"}, ... 816, ) }, ... 816, ) == 0x0
 04055   504   NtQueryValueKey  (816,  (816, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04056   504   NtClose  (816, ... ) == 0x0
 04057   504   NtUserSystemParametersInfo  (41, 500, 17881836, 0, ... ) == 0x1
 04058   504   NtOpenProcessToken  (-1, 0x8, ... 816, ) == 0x0
 04059   504   NtAccessCheck  (1344040, 816, 0x1, 17881640, 17881692, 56, 17881672, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 04060   504   NtClose  (816, ... ) == 0x0
 04061   504   NtOpenKey  (0x20019, {24, 804, 0x40, 0, 0,  (0x20019, {24, 804, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 816, ) }, ... 816, ) == 0x0
 04062   504   NtQueryValueKey  (816,  (816, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04063   504   NtClose  (816, ... ) == 0x0
 04064   504   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 04065   504   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 04066   504   NtClose  (804, ... ) == 0x0
 04067   504   NtUserSystemParametersInfo  (4130, 0, 17882340, 0, ... ) == 0x1
 04068   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 804, ) }, ... 804, ) == 0x0
 04069   504   NtEnumerateValueKey  (804, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 04070   504   NtClose  (804, ... ) == 0x0
 04071   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04072   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc03b
 04073   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc03d
 04074   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04075   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc03f
 04076   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04077   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc041
 04078   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04079   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc043
 04080   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc045
 04081   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04082   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc047
 04083   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04084   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc049
 04085   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04086   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc04b
 04087   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04088   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc04d
 04089   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04090   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc04f
 04091   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc051
 04092   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04093   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc053
 04094   504   NtUserFindExistingCursorIcon  (17881584, 17881600, 17881648, ... ) == 0x10011
 04095   504   NtUserRegisterClassExWOW  (17881528, 17881596, 17881612, 17881628, 0, 384, 0, ... ) == 0x819fc055
 04096   504   NtUserFindExistingCursorIcon  (17881584, 17881600, 17881648, ... ) == 0x10011
 04097   504   NtUserRegisterClassExWOW  (17881528, 17881596, 17881612, 17881628, 0, 384, 0, ... ) == 0x819fc057
 04098   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04099   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc059
 04100   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10013
 04101   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc05b
 04102   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04103   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc05d
 04104   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04105   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc05f
 04106   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04107   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc017
 04108   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04109   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc019
 04110   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10013
 04111   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc018
 04112   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04113   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc01a
 04114   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04115   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc01c
 04116   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04117   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc01e
 04118   504   NtUserFindExistingCursorIcon  (17881580, 17881596, 17881644, ... ) == 0x10011
 04119   504   NtUserRegisterClassExWOW  (17881580, 17881648, 17881664, 17881680, 0, 384, 0, ... ) == 0x819fc01b
 04120   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04121   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc068
 04122   504   NtUserFindExistingCursorIcon  (17881588, 17881604, 17881652, ... ) == 0x10011
 04123   504   NtUserRegisterClassExWOW  (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x819fc06a
 04124   504   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04125   504   NtCreateSemaphore  (0x1f0003, {24, 16, 0x80, 1338216, 0,  (0x1f0003, {24, 16, 0x80, 1338216, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 804, ) }, 0, 2147483647, ... 804, ) == STATUS_OBJECT_NAME_EXISTS
 04126   504   NtReleaseSemaphore  (804, 1, ... 0, ) == 0x0
 04127   504   NtWaitForSingleObject  (804, 0, {0, 0}, ... ) == 0x0
 04128   504   NtCreateKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 816, 2, ) }, 0, 0x0, 0, ... 816, 2, ) == 0x0
 04129   504   NtQueryValueKey  (816,  (816, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (816, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 04130   504   NtClose  (816, ... ) == 0x0
 04131   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 17886532, ... ) }, 17886532, ... ) == 0x0
 04132   504   NtCreateKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 816, 2, ) }, 0, 0x0, 0, ... 816, 2, ) == 0x0
 04133   504   NtSetValueKey  (816,  (816, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 0, 1,  (816, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 162, ... ) == 0x0
 04134   504   NtClose  (816, ... ) == 0x0
 04135   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 17887224, ... ) }, 17887224, ... ) == 0x0
 04136   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 17886432, ... ) }, 17886432, ... ) == 0x0
 04137   504   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 816, {status=0x0, info=1}, ) }, 7, 2113568, ... 816, {status=0x0, info=1}, ) == 0x0
 04138   504   NtSetInformationFile  (816, 17886404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04139   504   NtClose  (816, ... ) == 0x0
 04140   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\desktop.ini"}, 17886428, ... ) }, 17886428, ... ) == 0x0
 04141   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 17887224, ... ) }, 17887224, ... ) == 0x0
 04142   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 17886432, ... ) }, 17886432, ... ) == 0x0
 04143   504   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 7, 2113568, ... 816, {status=0x0, info=1}, ) }, 7, 2113568, ... 816, {status=0x0, info=1}, ) == 0x0
 04144   504   NtSetInformationFile  (816, 17886404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04145   504   NtClose  (816, ... ) == 0x0
 04146   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 17886428, ... ) }, 17886428, ... ) == 0x0
 04147   504   NtQueryValueKey  (800,  (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 04148   504   NtQueryValueKey  (800,  (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 04149   504   NtQueryValueKey  (800,  (800, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (800, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) }, 16, ) == 0x0
 04150   504   NtOpenKey  (0xf, {24, 796, 0x40, 0, 0,  (0xf, {24, 796, 0x40, 0, 0, "Cookies"}, ... 816, ) }, ... 816, ) == 0x0
 04151   504   NtQueryValueKey  (816,  (816, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04152   504   NtOpenKey  (0xf, {24, 792, 0x40, 0, 0,  (0xf, {24, 792, 0x40, 0, 0, "Cookies"}, ... 820, ) }, ... 820, ) == 0x0
 04153   504   NtQueryValueKey  (820,  (820, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (820, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04154   504   NtClose  (820, ... ) == 0x0
 04155   504   NtClose  (816, ... ) == 0x0
 04156   504   NtClose  (800, ... ) == 0x0
 04157   504   NtOpenKey  (0xf, {24, 796, 0x40, 0, 0,  (0xf, {24, 796, 0x40, 0, 0, "Cookies"}, ... 800, ) }, ... 800, ) == 0x0
 04158   504   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04159   504   NtReleaseSemaphore  (804, 1, ... 0, ) == 0x0
 04160   504   NtWaitForSingleObject  (804, 0, {0, 0}, ... ) == 0x0
 04161   504   NtCreateKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 816, 2, ) }, 0, 0x0, 0, ... 816, 2, ) == 0x0
 04162   504   NtQueryValueKey  (816,  (816, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (816, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 04163   504   NtClose  (816, ... ) == 0x0
 04164   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 17886532, ... ) }, 17886532, ... ) == 0x0
 04165   504   NtCreateKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 816, 2, ) }, 0, 0x0, 0, ... 816, 2, ) == 0x0
 04166   504   NtSetValueKey  (816,  (816, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 0, 1,  (816, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 98, ... ) == 0x0
 04167   504   NtClose  (816, ... ) == 0x0
 04168   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 17887224, ... ) }, 17887224, ... ) == 0x0
 04169   504   NtQueryValueKey  (800,  (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 04170   504   NtQueryValueKey  (800,  (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 04171   504   NtQueryValueKey  (800,  (800, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (800, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 04172   504   NtOpenKey  (0xf, {24, 796, 0x40, 0, 0,  (0xf, {24, 796, 0x40, 0, 0, "History"}, ... 816, ) }, ... 816, ) == 0x0
 04173   504   NtQueryValueKey  (816,  (816, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04174   504   NtOpenKey  (0xf, {24, 792, 0x40, 0, 0,  (0xf, {24, 792, 0x40, 0, 0, "History"}, ... 820, ) }, ... 820, ) == 0x0
 04175   504   NtQueryValueKey  (820,  (820, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (820, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04176   504   NtClose  (820, ... ) == 0x0
 04177   504   NtClose  (816, ... ) == 0x0
 04178   504   NtClose  (800, ... ) == 0x0
 04179   504   NtOpenKey  (0xf, {24, 796, 0x40, 0, 0,  (0xf, {24, 796, 0x40, 0, 0, "History"}, ... 800, ) }, ... 800, ) == 0x0
 04180   504   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04181   504   NtReleaseSemaphore  (804, 1, ... 0, ) == 0x0
 04182   504   NtWaitForSingleObject  (804, 0, {0, 0}, ... ) == 0x0
 04183   504   NtCreateKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 816, 2, ) }, 0, 0x0, 0, ... 816, 2, ) == 0x0
 04184   504   NtQueryValueKey  (816,  (816, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (816, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 04185   504   NtClose  (816, ... ) == 0x0
 04186   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 17886532, ... ) }, 17886532, ... ) == 0x0
 04187   504   NtCreateKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 816, 2, ) }, 0, 0x0, 0, ... 816, 2, ) == 0x0
 04188   504   NtSetValueKey  (816,  (816, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 0, 1,  (816, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 128, ... ) == 0x0
 04189   504   NtClose  (816, ... ) == 0x0
 04190   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 17887224, ... ) }, 17887224, ... ) == 0x0
 04191   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 17886432, ... ) }, 17886432, ... ) == 0x0
 04192   504   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 7, 2113568, ... 816, {status=0x0, info=1}, ) }, 7, 2113568, ... 816, {status=0x0, info=1}, ) == 0x0
 04193   504   NtSetInformationFile  (816, 17886404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04194   504   NtClose  (816, ... ) == 0x0
 04195   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\desktop.ini"}, 17886428, ... ) }, 17886428, ... ) == 0x0
 04196   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 17887224, ... ) }, 17887224, ... ) == 0x0
 04197   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 17886432, ... ) }, 17886432, ... ) == 0x0
 04198   504   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 7, 2113568, ... 816, {status=0x0, info=1}, ) }, 7, 2113568, ... 816, {status=0x0, info=1}, ) == 0x0
 04199   504   NtSetInformationFile  (816, 17886404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04200   504   NtClose  (816, ... ) == 0x0
 04201   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 17886428, ... ) }, 17886428, ... ) == 0x0
 04202   504   NtQueryValueKey  (800,  (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 04203   504   NtQueryValueKey  (800,  (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 04204   504   NtQueryValueKey  (800,  (800, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (800, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 04205   504   NtClose  (800, ... ) == 0x0
 04206   504   NtClose  (796, ... ) == 0x0
 04207   504   NtClose  (792, ... ) == 0x0
 04208   504   NtOpenMutant  (0x100000, {24, 16, 0x0, 0, 0,  (0x100000, {24, 16, 0x0, 0, 0, "Local\_!MSFTHISTORY!_"}, ... 792, ) }, ... 792, ) == 0x0
 04209   504   NtOpenMutant  (0x100000, {24, 16, 0x0, 0, 0,  (0x100000, {24, 16, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!temporary internet files!content.ie5!"}, ... 796, ) }, ... 796, ) == 0x0
 04210   504   NtWaitForSingleObject  (796, 0, 0x0, ... ) == 0x0
 04211   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 17888532, ... ) }, 17888532, ... ) == 0x0
 04212   504   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 800, {status=0x0, info=1}, ) }, 7, 2113568, ... 800, {status=0x0, info=1}, ) == 0x0
 04213   504   NtSetInformationFile  (800, 17888508, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04214   504   NtClose  (800, ... ) == 0x0
 04215   504   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 17888448,  (0xc0100080, {24, 0, 0x40, 0, 17888448, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 800, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 800, {status=0x0, info=1}, ) == 0x0
 04216   504   NtSetInformationFile  (800, 17888500, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04217   504   NtQueryInformationFile  (800, 17888500, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04218   504   NtOpenSection  (0x2, {24, 16, 0x0, 0, 0,  (0x2, {24, 16, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_Temporary Internet Files_Content.IE5_index.dat_802816"}, ... 816, ) }, ... 816, ) == 0x0
 04219   504   NtMapViewOfSection  (816, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8d10000), {0, 0}, 802816, ) == 0x0
 04220   504   NtReleaseMutant  (796, ... 0x0, ) == 0x0
 04221   504   NtOpenMutant  (0x100000, {24, 16, 0x0, 0, 0,  (0x100000, {24, 16, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!cookies!"}, ... 820, ) }, ... 820, ) == 0x0
 04222   504   NtWaitForSingleObject  (820, 0, 0x0, ... ) == 0x0
 04223   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 17888532, ... ) }, 17888532, ... ) == 0x0
 04224   504   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 7, 2113568, ... 824, {status=0x0, info=1}, ) }, 7, 2113568, ... 824, {status=0x0, info=1}, ) == 0x0
 04225   504   NtSetInformationFile  (824, 17888508, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04226   504   NtClose  (824, ... ) == 0x0
 04227   504   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 17888448,  (0xc0100080, {24, 0, 0x40, 0, 17888448, "\??\C:\Documents and Settings\Martim Carbone\Cookies\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 824, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 824, {status=0x0, info=1}, ) == 0x0
 04228   504   NtSetInformationFile  (824, 17888500, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04229   504   NtQueryInformationFile  (824, 17888500, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04230   504   NtOpenSection  (0x2, {24, 16, 0x0, 0, 0,  (0x2, {24, 16, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Cookies_index.dat_32768"}, ... 828, ) }, ... 828, ) == 0x0
 04231   504   NtMapViewOfSection  (828, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 32768, ) == 0x0
 04232   504   NtReleaseMutant  (820, ... 0x0, ) == 0x0
 04233   504   NtOpenMutant  (0x100000, {24, 16, 0x0, 0, 0,  (0x100000, {24, 16, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!history!history.ie5!"}, ... 832, ) }, ... 832, ) == 0x0
 04234   504   NtWaitForSingleObject  (832, 0, 0x0, ... ) == 0x0
 04235   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 17888532, ... ) }, 17888532, ... ) == 0x0
 04236   504   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 836, {status=0x0, info=1}, ) }, 7, 2113568, ... 836, {status=0x0, info=1}, ) == 0x0
 04237   504   NtSetInformationFile  (836, 17888508, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04238   504   NtClose  (836, ... ) == 0x0
 04239   504   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 17888448,  (0xc0100080, {24, 0, 0x40, 0, 17888448, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 836, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 836, {status=0x0, info=1}, ) == 0x0
 04240   504   NtSetInformationFile  (836, 17888500, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04241   504   NtQueryInformationFile  (836, 17888500, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04242   504   NtOpenSection  (0x2, {24, 16, 0x0, 0, 0,  (0x2, {24, 16, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_History_History.IE5_index.dat_81920"}, ... 840, ) }, ... 840, ) == 0x0
 04243   504   NtMapViewOfSection  (840, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8de0000), {0, 0}, 81920, ) == 0x0
 04244   504   NtReleaseMutant  (832, ... 0x0, ) == 0x0
 04245   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 17888108, ... ) }, 17888108, ... ) == 0x0
 04246   504   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 844, {status=0x0, info=1}, ) }, 7, 2113568, ... 844, {status=0x0, info=1}, ) == 0x0
 04247   504   NtSetInformationFile  (844, 17888080, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04248   504   NtClose  (844, ... ) == 0x0
 04249   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 17888104, ... ) }, 17888104, ... ) == 0x0
 04250   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 17888108, ... ) }, 17888108, ... ) == 0x0
 04251   504   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 844, {status=0x0, info=1}, ) }, 7, 2113568, ... 844, {status=0x0, info=1}, ) == 0x0
 04252   504   NtSetInformationFile  (844, 17888080, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04253   504   NtClose  (844, ... ) == 0x0
 04254   504   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 17888104, ... ) }, 17888104, ... ) == 0x0
 04255   504   NtWaitForSingleObject  (796, 0, 0x0, ... ) == 0x0
 04256   504   NtReleaseMutant  (796, ... 0x0, ) == 0x0
 04257   504   NtOpenKey  (0xf, {24, 140, 0x40, 0, 0,  (0xf, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 844, ) }, ... 844, ) == 0x0
 04258   504   NtOpenKey  (0xf, {24, 844, 0x40, 0, 0,  (0xf, {24, 844, 0x40, 0, 0, "Extensible Cache"}, ... 848, ) }, ... 848, ) == 0x0
 04259   504   NtClose  (844, ... ) == 0x0
 04260   504   NtWaitForSingleObject  (792, 0, {-600000000, -1}, ... ) == 0x0
 04261   504   NtEnumerateKey  (848, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name= (848, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name="feedplat"}, 32, ) }, 32, ) == 0x0
 04262   504   NtOpenKey  (0xf, {24, 848, 0x40, 0, 0,  (0xf, {24, 848, 0x40, 0, 0, "feedplat"}, ... 844, ) }, ... 844, ) == 0x0
 04263   504   NtQueryValueKey  (844,  (844, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04264   504   NtQueryValueKey  (844,  (844, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04265   504   NtQueryValueKey  (844,  (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 04266   504   NtQueryValueKey  (844,  (844, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04267   504   NtQueryValueKey  (844,  (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 04268   504   NtQueryValueKey  (844,  (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0
 04269   504   NtQueryValueKey  (844,  (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0
 04270   504   NtQueryValueKey  (844,  (844, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 04271   504   NtQueryValueKey  (844,  (844, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04272   504   NtClose  (844, ... ) == 0x0
 04273   504   NtEnumerateKey  (848, 1, Basic, 288, ... {LastWrite={0x450668aa,0x1c8b090}, TitleIdx=0, Name= (848, 1, Basic, 288, ... {LastWrite={0x450668aa,0x1c8b090}, TitleIdx=0, Name="MSHist012008050720080508"}, 64, ) }, 64, ) == 0x0
 04274   504   NtOpenKey  (0xf, {24, 848, 0x40, 0, 0,  (0xf, {24, 848, 0x40, 0, 0, "MSHist012008050720080508"}, ... 844, ) }, ... 844, ) == 0x0
 04275   504   NtQueryValueKey  (844,  (844, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04276   504   NtQueryValueKey  (844,  (844, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04277   504   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 04278   504   NtQueryValueKey  (844,  (844, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (844, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) }, 160, ) == 0x0
 04279   504   NtQueryValueKey  (844,  (844, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04280   504   NtQueryValueKey  (844,  (844, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (844, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) }, 160, ) == 0x0
 04281   504   NtQueryValueKey  (844,  (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 04282   504   NtQueryValueKey  (844,  (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 04283   504   NtQueryValueKey  (844,  (844, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 04284   504   NtQueryValueKey  (844,  (844, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 04285   504   NtClose  (844, ... ) == 0x0
 04286   504   NtEnumerateKey  (848, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name= (848, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name="UserData"}, 32, ) }, 32, ) == 0x0
 04287   504   NtOpenKey  (0xf, {24, 848, 0x40, 0, 0,  (0xf, {24, 848, 0x40, 0, 0, "UserData"}, ... 844, ) }, ... 844, ) == 0x0
 04288   504   NtQueryValueKey  (844,  (844, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04289   504   NtQueryValueKey  (844,  (844, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04290   504   NtQueryValueKey  (844,  (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0
 04291   504   NtQueryValueKey  (844,  (844, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04292   504   NtQueryValueKey  (844,  (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0
 04293   504   NtQueryValueKey  (844,  (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0
 04294   504   NtQueryValueKey  (844,  (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0
 04295   504   NtQueryValueKey  (844,  (844, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) }, 16, ) == 0x0
 04296   504   NtQueryValueKey  (844,  (844, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) }, 16, ) == 0x0
 04297   504   NtClose  (844, ... ) == 0x0
 04298   504   NtEnumerateKey  (848, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 04299   504   NtReleaseMutant  (792, ... 0x0, ) == 0x0
 04300   504   NtClose  (848, ... ) == 0x0
 04301   504   NtWaitForSingleObject  (796, 0, 0x0, ... ) == 0x0
 04302   504   NtReleaseMutant  (796, ... 0x0, ) == 0x0
 04303   504   NtWaitForSingleObject  (796, 0, 0x0, ... ) == 0x0
 04304   504   NtReleaseMutant  (796, ... 0x0, ) == 0x0
 04305   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04306   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04307   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04308   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04309   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04310   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04311   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04312   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 848, ) }, ... 848, ) == 0x0
 04313   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04314   504   NtOpenKey  (0x1, {24, 848, 0x40, 0, 0,  (0x1, {24, 848, 0x40, 0, 0, "RETRY_HEADERONLYPOST_ONCONNECTIONRESET"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04315   504   NtClose  (848, ... ) == 0x0
 04316   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04317   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04318   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 848, ) }, ... 848, ) == 0x0
 04319   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04320   504   NtOpenKey  (0x1, {24, 848, 0x40, 0, 0,  (0x1, {24, 848, 0x40, 0, 0, "FEATURE_BUFFERBREAKING_818408"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04321   504   NtClose  (848, ... ) == 0x0
 04322   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04323   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04324   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 848, ) }, ... 848, ) == 0x0
 04325   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04326   504   NtOpenKey  (0x1, {24, 848, 0x40, 0, 0,  (0x1, {24, 848, 0x40, 0, 0, "FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04327   504   NtClose  (848, ... ) == 0x0
 04328   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04329   504   NtQueryValueKey  (136,  (136, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04330   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04331   504   NtQueryValueKey  (848,  (848, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04332   504   NtClose  (848, ... ) == 0x0
 04333   504   NtQueryValueKey  (136,  (136, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04334   504   NtQueryValueKey  (136,  (136, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04335   504   NtQueryValueKey  (136,  (136, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04336   504   NtQueryValueKey  (136,  (136, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04337   504   NtQueryValueKey  (136,  (136, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04338   504   NtQueryValueKey  (136,  (136, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04339   504   NtQueryValueKey  (136,  (136, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04340   504   NtQueryValueKey  (136,  (136, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04341   504   NtQueryValueKey  (136,  (136, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04342   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04343   504   NtQueryValueKey  (848,  (848, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04344   504   NtClose  (848, ... ) == 0x0
 04345   504   NtQueryValueKey  (136,  (136, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04346   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04347   504   NtQueryValueKey  (848,  (848, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04348   504   NtClose  (848, ... ) == 0x0
 04349   504   NtQueryValueKey  (136,  (136, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04350   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04351   504   NtQueryValueKey  (848,  (848, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04352   504   NtClose  (848, ... ) == 0x0
 04353   504   NtQueryValueKey  (136,  (136, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04354   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04355   504   NtQueryValueKey  (848,  (848, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04356   504   NtClose  (848, ... ) == 0x0
 04357   504   NtQueryValueKey  (136,  (136, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04358   504   NtQueryValueKey  (136,  (136, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04359   504   NtQueryValueKey  (136,  (136, "CertCacheNoValidate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04360   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 848, ) }, ... 848, ) == 0x0
 04361   504   NtQueryValueKey  (848,  (848, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04362   504   NtClose  (848, ... ) == 0x0
 04363   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04364   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04365   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04366   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 848, ) }, ... 848, ) == 0x0
 04367   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 844, ) }, ... 844, ) == 0x0
 04368   504   NtQueryValueKey  (844,  (844, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04369   504   NtQueryValueKey  (848,  (848, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04370   504   NtClose  (848, ... ) == 0x0
 04371   504   NtClose  (844, ... ) == 0x0
 04372   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04373   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04374   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 844, ) }, ... 844, ) == 0x0
 04375   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04376   504   NtOpenKey  (0x1, {24, 844, 0x40, 0, 0,  (0x1, {24, 844, 0x40, 0, 0, "FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04377   504   NtClose  (844, ... ) == 0x0
 04378   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04379   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04380   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 844, ) }, ... 844, ) == 0x0
 04381   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04382   504   NtOpenKey  (0x1, {24, 844, 0x40, 0, 0,  (0x1, {24, 844, 0x40, 0, 0, "FEATURE_USE_CNAME_FOR_SPN_KB911149"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04383   504   NtClose  (844, ... ) == 0x0
 04384   504   NtQueryValueKey  (136,  (136, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04385   504   NtQueryValueKey  (136,  (136, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04386   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04387   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04388   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 844, ) }, ... 844, ) == 0x0
 04389   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04390   504   NtOpenKey  (0x1, {24, 844, 0x40, 0, 0,  (0x1, {24, 844, 0x40, 0, 0, "FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04391   504   NtClose  (844, ... ) == 0x0
 04392   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04393   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04394   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 844, ) }, ... 844, ) == 0x0
 04395   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04396   504   NtOpenKey  (0x1, {24, 844, 0x40, 0, 0,  (0x1, {24, 844, 0x40, 0, 0, "FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"}, ... 848, ) }, ... 848, ) == 0x0
 04397   504   NtQueryValueKey  (848,  (848, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04398   504   NtQueryValueKey  (848,  (848, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04399   504   NtClose  (848, ... ) == 0x0
 04400   504   NtClose  (844, ... ) == 0x0
 04401   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04402   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04403   504   NtOpenKey  (0x1, {24, 40, 0x40, 0, 0,  (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 844, ) }, ... 844, ) == 0x0
 04404   504   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04405   504   NtOpenKey  (0x1, {24, 844, 0x40, 0, 0,  (0x1, {24, 844, 0x40, 0, 0, "FEATURE_DIGEST_NO_EXTRAS_IN_URI"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04406   504   NtClose  (844, ... ) == 0x0
NtCreateMutant(>)	1	NtNotifyChangeKey(>)	2	NtOpenProcessToken(>)	9	NtOpenFile(>)	52
NtDuplicateToken(>)	1	NtOpenDirectoryObject(>)	2	NtOpenProcessTokenEx(>)	11	NtUnmapViewOfSection(>)	53
NtEnumerateValueKey(>)	1	NtQueryPerformanceCounter(>)	2	NtOpenThreadTokenEx(>)	11	NtOpenSection(>)	57
NtGdiCreateBitmap(>)	1	NtSetSecurityObject(>)	2	NtQueryDefaultUILanguage(>)	12	NtQueryVirtualMemory(>)	58
NtGdiInit(>)	1	NtUserGetDC(>)	2	NtUserSystemParametersInfo(>)	12	NtQueryAttributesFile(>)	59
NtGdiQueryFontAssocInfo(>)	1	NtConnectPort(>)	3	NtDelayExecution(>)	13	NtUserRegisterClassExWOW(>)	61
NtGdiSelectBitmap(>)	1	NtDeleteValueKey(>)	3	NtQueryInformationFile(>)	13	NtCreateSection(>)	81
NtOpenEvent(>)	1	NtGdiCreateCompatibleDC(>)	3	NtQuerySection(>)	13	NtFlushInstructionCache(>)	90
NtOpenKeyedEvent(>)	1	NtReleaseSemaphore(>)	3	NtQueryDirectoryFile(>)	14	NtMapViewOfSection(>)	114
NtOpenSymbolicLinkObject(>)	1	NtSecureConnectPort(>)	3	NtReadFile(>)	14	NtWriteVirtualMemory(>)	116
NtQueryEvent(>)	1	NtSetInformationObject(>)	3	NtQueryInformationToken(>)	16	NtQuerySystemInformation(>)	122
NtQueryInstallUILanguage(>)	1	NtUserRegisterWindowMessage(>)	3	NtWriteFile(>)	16	NtContinue(>)	135
NtQueryObject(>)	1	NtWaitForMultipleObjects(>)	3	NtSetValueKey(>)	19	NtResumeThread(>)	150
NtQuerySymbolicLinkObject(>)	1	NtAccessCheck(>)	4	NtCreateKey(>)	20	NtCreateThread(>)	153
NtQuerySystemTime(>)	1	NtEnumerateKey(>)	4	NtQueryDebugFilterState(>)	21	NtQueryInformationThread(>)	158
NtRaiseException(>)	1	NtOpenMutant(>)	4	NtSetEventBoostPriority(>)	26	NtTestAlert(>)	163
NtSetInformationProcess(>)	1	NtSetEvent(>)	4	NtFreeVirtualMemory(>)	29	NtRegisterThreadTerminatePort(>)	165
NtUserCallNoParam(>)	1	NtGdiGetStockObject(>)	5	NtOpenProcess(>)	30	NtWaitForSingleObject(>)	171
NtUserCallOneParam(>)	1	NtCreateSemaphore(>)	6	NtFsControlFile(>)	34	NtRequestWaitReplyPort(>)	184
NtUserGetThreadDesktop(>)	1	NtQueryDefaultLocale(>)	6	NtOpenThreadToken(>)	36	NtOpenKey(>)	218
NtUserGetThreadState(>)	1	NtQueryVolumeInformationFile(>)	6	NtCreateFile(>)	37	NtQueryValueKey(>)	257
NtAddAtom(>)	2	NtQueryInformationProcess(>)	7	NtDeviceIoControlFile(>)	43	NtSetInformationThread(>)	282
NtCallbackReturn(>)	2	NtReleaseMutant(>)	7	NtSetInformationFile(>)	44	NtProtectVirtualMemory(>)	452
NtCreateIoCompletion(>)	2	NtDuplicateObject(>)	8	NtCreateEvent(>)	50	NtClose(>)	456
NtGdiCreateSolidBrush(>)	2	NtAdjustPrivilegesToken(>)	9	NtUserFindExistingCursorIcon(>)	50	NtAllocateVirtualMemory(>)	467