Summary (system call name, followed by the number of times it was called):

NtCancelTimer(>) 1 NtDelayExecution(>) 2 NtSetEvent(>) 6 NtUserFindExistingCursorIcon(>) 50
NtCreateMutant(>) 1 NtGdiCreateSolidBrush(>) 2 NtOpenMutant(>) 7 NtOpenFile(>) 51
NtCreateTimer(>) 1 NtNotifyChangeKey(>) 2 NtCreateSemaphore(>) 8 NtMapViewOfSection(>) 55
NtDuplicateToken(>) 1 NtOpenDirectoryObject(>) 2 NtReleaseMutant(>) 8 NtQueryVirtualMemory(>) 58
NtEnumerateValueKey(>) 1 NtQueryPerformanceCounter(>) 2 NtDuplicateObject(>) 9 NtUserRegisterClassExWOW(>) 61
NtGdiCreateBitmap(>) 1 NtQuerySystemTime(>) 2 NtFsControlFile(>) 9 NtQueryAttributesFile(>) 67
NtGdiInit(>) 1 NtRemoveIoCompletion(>) 2 NtQueryInformationProcess(>) 9 NtFlushInstructionCache(>) 116
NtGdiQueryFontAssocInfo(>) 1 NtSecureConnectPort(>) 2 NtOpenProcessTokenEx(>) 11 NtQuerySystemInformation(>) 116
NtGdiSelectBitmap(>) 1 NtSetIoCompletion(>) 2 NtOpenThreadTokenEx(>) 11 NtContinue(>) 136
NtOpenEvent(>) 1 NtUserGetDC(>) 2 NtQueryDefaultUILanguage(>) 12 NtQueryInformationThread(>) 154
NtOpenKeyedEvent(>) 1 NtWaitForMultipleObjects(>) 2 NtQueryInformationFile(>) 12 NtCreateThread(>) 157
NtOpenProcess(>) 1 NtConnectPort(>) 3 NtUserSystemParametersInfo(>) 12 NtResumeThread(>) 159
NtOpenSymbolicLinkObject(>) 1 NtDeleteValueKey(>) 3 NtQueryInformationToken(>) 14 NtRegisterThreadTerminatePort(>) 170
NtQueryEvent(>) 1 NtGdiCreateCompatibleDC(>) 3 NtUnmapViewOfSection(>) 17 NtTestAlert(>) 171
NtQueryInstallUILanguage(>) 1 NtQueryVolumeInformationFile(>) 3 NtOpenThreadToken(>) 18 NtRequestWaitReplyPort(>) 186
NtQueryObject(>) 1 NtReleaseSemaphore(>) 3 NtQuerySection(>) 18 NtOpenKey(>) 244
NtQuerySymbolicLinkObject(>) 1 NtUserRegisterWindowMessage(>) 3 NtSetValueKey(>) 19 NtSetInformationThread(>) 266
NtRaiseException(>) 1 NtAccessCheck(>) 4 NtCreateFile(>) 20 NtSetEventBoostPriority(>) 281
NtSetInformationProcess(>) 1 NtEnumerateKey(>) 4 NtCreateKey(>) 20 NtClose(>) 294
NtSetTimer(>) 1 NtReadFile(>) 4 NtQueryDebugFilterState(>) 21 NtQueryValueKey(>) 318
NtUserCallNoParam(>) 1 NtSetInformationObject(>) 4 NtSetInformationFile(>) 23 NtAllocateVirtualMemory(>) 429
NtUserCallOneParam(>) 1 NtWriteFile(>) 4 NtFreeVirtualMemory(>) 28 NtWaitForSingleObject(>) 433
NtUserGetThreadDesktop(>) 1 NtCreateIoCompletion(>) 5 NtCreateSection(>) 33 NtProtectVirtualMemory(>) 446
NtUserGetThreadState(>) 1 NtGdiGetStockObject(>) 5 NtOpenSection(>) 34
NtAddAtom(>) 2 NtOpenProcessToken(>) 6 NtDeviceIoControlFile(>) 45
NtCallbackReturn(>) 2

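Trace (each entry: sequence number, thread ID, system call with its arguments, then "==" and the returned status; some argument lists appear more than once within an entry in this rendering):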

00001 312 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00003 312 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00004 312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00005 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00006 312 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00007 312 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00008 312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00009 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00010 312 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00011 312 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00012 312 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 
12, ) == 0x0 00013 312 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00014 312 NtClose (12, ... ) == 0x0 00015 312 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00016 312 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00017 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 312 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00020 312 NtClose (16, ... ) == 0x0 00021 312 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00022 312 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00023 312 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00024 312 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00025 312 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00026 312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00027 312 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00028 312 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 
24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00029 312 NtClose (16, ... ) == 0x0 00030 312 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00031 312 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00032 312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00033 312 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00034 312 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00035 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 940, 312, 57932, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 940, 312, 57932, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 940, 312, 57932, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00036 312 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00037 312 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 
1232896, 4096, ) == 0x0 00038 312 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00039 312 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00040 312 NtClose (16, ... ) == 0x0 00041 312 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0 00042 312 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00043 312 NtClose (16, ... ) == 0x0 00044 312 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00045 312 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00046 312 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0 00047 312 NtClose (16, ... ) == 0x0 00048 312 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00049 312 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00050 312 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00051 312 NtClose (16, ... ) == 0x0 00052 312 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00053 312 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00054 312 NtClose (16, ... ) == 0x0 00055 312 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00056 312 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00057 312 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00058 312 NtAllocateVirtualMemory (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0 00059 312 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 940, 312, 57933, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ... {24, 52, reply, 0, 940, 312, 57933, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 940, 312, 57933, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ) == 0x0 00060 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 940, 312, 57934, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 57934, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 940, 312, 57934, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00061 312 NtProtectVirtualMemory (-1, (0x408000), 65536, 4, ... (0x408000), 65536, 128, ) == 0x0 00062 312 NtProtectVirtualMemory (-1, (0x408000), 65536, 128, ... 
(0x408000), 65536, 4, ) == 0x0 00063 312 NtFlushInstructionCache (-1, 4227072, 65536, ... ) == 0x0 00064 312 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00065 312 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00066 312 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00067 312 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00068 312 NtClose (16, ... ) == 0x0 00069 312 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00070 312 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00071 312 NtClose (16, ... ) == 0x0 00072 312 NtTestAlert (... ) == 0x0 00073 312 NtContinue (1244464, 1, ... 00074 312 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40292e,}, 4, ... ) == 0x0 00075 312 NtQueryVirtualMemory (-1, 0x408729, Basic, 28, ... {BaseAddress=0x408000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 00076 312 NtContinue (1244400, 0, ... 00077 312 NtAllocateVirtualMemory (-1, 0, 0, 2398, 4096, 64, ... 3276800, 4096, ) == 0x0 00078 312 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0 00079 312 NtQueryValueKey (16, (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00080 312 NtClose (16, ... ) == 0x0 00081 312 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00082 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00083 312 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00084 312 NtClose (16, ... ) == 0x0 00085 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00086 312 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00087 312 NtClose (16, ... ) == 0x0 00088 312 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00089 312 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00090 312 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00091 312 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00092 312 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00093 312 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00094 312 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00095 312 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00096 312 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00097 312 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00098 312 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00099 312 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00100 312 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00101 312 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00102 312 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00103 312 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... 
(0x7e411000), 4096, 32, ) == 0x0 00104 312 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00105 312 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00106 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00109 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 940, 312, 57935, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 940, 312, 57935, 0} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 940, 312, 57935, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00110 312 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00111 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... 
) == 0x0 00112 312 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00113 312 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0 00114 312 NtClose (16, ... ) == 0x0 00115 312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0 00116 312 NtClose (28, ... ) == 0x0 00117 312 NtUnmapViewOfSection (-1, 0x420000, ... ) == 0x0 00118 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0 00119 312 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00120 312 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0 00121 312 NtClose (28, ... ) == 0x0 00122 312 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0 00123 312 NtClose (16, ... ) == 0x0 00124 312 NtUnmapViewOfSection (-1, 0x420000, ... ) == 0x0 00125 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00126 312 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00127 312 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0 00128 312 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00129 312 NtOpenProcessToken (-1, 0x8, ... 32, ) == 0x0 00130 312 NtQueryInformationToken (32, User, 136, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00131 312 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00132 312 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0 00133 312 NtQueryValueKey (36, (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00134 312 NtClose (36, ... ) == 0x0 00135 312 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00136 312 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 36, ) == 0x0 00137 312 NtQueryInformationToken (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00138 312 NtClose (36, ... ) == 0x0 00139 312 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00140 312 NtClose (32, ... ) == 0x0 00141 312 NtClose (16, ... ) == 0x0 00142 312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00143 312 NtClose (28, ... ) == 0x0 00144 312 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00145 312 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00146 312 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00147 312 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00148 312 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00149 312 NtFlushInstructionCache (-1, 1983451136, 696, ... 
) == 0x0 00150 312 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00151 312 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00152 312 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00153 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00154 312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00155 312 NtClose (28, ... ) == 0x0 00156 312 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00157 312 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00158 312 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00159 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00160 312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00161 312 NtClose (28, ... ) == 0x0 00162 312 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00163 312 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00164 312 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00165 312 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00166 312 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00167 312 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00168 312 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00169 312 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00170 312 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00171 312 NtFlushInstructionCache (-1, 2011631616, 868, ... 
) == 0x0 00172 312 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00173 312 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00174 312 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00175 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 312 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00177 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00178 312 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00179 312 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00180 312 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00181 312 NtClose (28, ... ) == 0x0 00182 312 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00183 312 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 312 NtClose (28, ... 
) == 0x0 00185 312 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00186 312 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00187 312 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00188 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00190 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0 00191 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00192 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0 00194 312 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00195 312 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0 00196 312 NtQueryValueKey (16, (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 312 NtClose (16, ... ) == 0x0 00198 312 NtMapViewOfSection (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0 00199 312 NtClose (-2147482740, ... ) == 0x0 00200 312 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0 00201 312 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00202 312 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482740, ) == 0x0 00203 312 NtQueryInformationToken (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00204 312 NtQueryInformationToken (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00205 312 NtClose (-2147482740, ... ) == 0x0 00206 312 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 5439488, 4096, ) == 0x0 00207 312 NtFreeVirtualMemory (-1, (0x530000), 4096, 32768, ... (0x530000), 4096, ) == 0x0 00208 312 NtDuplicateObject (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0 00209 312 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00210 312 NtQueryValueKey (-2147482740, (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00211 312 NtClose (-2147482740, ... ) == 0x0 00212 312 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00213 312 NtQueryValueKey (-2147482740, (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00214 312 NtClose (-2147482740, ... ) == 0x0 00215 312 NtQueryDefaultLocale (0, -139609780, ... ) == 0x0 00216 312 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00217 312 NtUserCallNoParam (24, ... ) == 0x0 00218 312 NtGdiCreateCompatibleDC (0, ... 00219 312 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5439488, 4096, ) == 0x0 00218 312 NtGdiCreateCompatibleDC ... ) == 0xee0105b0 00220 312 NtGdiGetStockObject (0, ... ) == 0x1900010 00221 312 NtGdiGetStockObject (4, ... ) == 0x1900011 00222 312 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... ) == 0x76050581 00223 312 NtGdiCreateSolidBrush (0, 0, ... 00224 312 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8650752, 4096, ) == 0x0 00223 312 NtGdiCreateSolidBrush ... ) == 0xa51003d2 00225 312 NtGdiGetStockObject (13, ... ) == 0x18a0021 00226 312 NtGdiCreateCompatibleDC (0, ... ) == 0x5201039b 00227 312 NtGdiSelectBitmap (1375798171, 1980040577, ... ) == 0x185000f 00228 312 NtUserGetThreadDesktop (312, 0, ... ) == 0x24 00229 312 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0 00230 312 NtQueryValueKey (44, (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00231 312 NtClose (44, ... ) == 0x0 00232 312 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00233 312 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x81b1c017 00234 312 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00235 312 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x81b1c01c 00236 312 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... 
) == 0x10011 00237 312 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x81b1c01e 00238 312 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00239 312 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81b18002 00240 312 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10013 00241 312 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x81b1c018 00242 312 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00243 312 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x81b1c01a 00244 312 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00245 312 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x81b1c01d 00246 312 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00247 312 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x81b1c026 00248 312 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00249 312 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x81b1c019 00250 312 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81b1c020 00251 312 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x81b1c022 00252 312 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81b1c023 00253 312 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x81b1c024 00254 312 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81b1c025 00255 312 NtCallbackReturn (0, 0, 0, ... 00256 312 NtGdiInit (... ) == 0x1 00257 312 NtGdiGetStockObject (18, ... ) == 0x290001c 00258 312 NtGdiGetStockObject (19, ... 
) == 0x1b00019 00259 312 NtAllocateVirtualMemory (-1, 0, 0, 27136, 4096, 64, ... 8716288, 28672, ) == 0x0 00260 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00261 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00262 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0 00263 312 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0 00264 312 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0 00265 312 NtQuerySection (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00266 312 NtClose (44, ... ) == 0x0 00267 312 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0 00268 312 NtClose (48, ... ) == 0x0 00269 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0 00270 312 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0 00271 312 NtClose (48, ... ) == 0x0 00272 312 NtProtectVirtualMemory (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00273 312 NtProtectVirtualMemory (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00274 312 NtFlushInstructionCache (-1, 2009141248, 632, ... ) == 0x0 00275 312 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00276 312 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00277 312 NtFlushInstructionCache (-1, 1907036160, 468, ... 
) == 0x0 00278 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00279 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00280 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0 00281 312 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0 00282 312 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0 00283 312 NtQuerySection (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00284 312 NtClose (48, ... ) == 0x0 00285 312 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00286 312 NtClose (44, ... ) == 0x0 00287 312 NtProtectVirtualMemory (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00288 312 NtProtectVirtualMemory (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00289 312 NtFlushInstructionCache (-1, 1906970624, 352, ... ) == 0x0 00290 312 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00291 312 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00292 312 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00293 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00294 312 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00295 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0 00296 312 NtAllocateVirtualMemory (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0 00297 312 NtAllocateVirtualMemory (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0 00298 312 NtAllocateVirtualMemory (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0 00299 312 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0 00300 312 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0 00301 312 NtClose (44, ... ) == 0x0 00302 312 NtAllocateVirtualMemory (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0 00303 312 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00304 312 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00305 312 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00306 312 NtQueryVirtualMemory (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0 00307 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00308 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00309 312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00310 312 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00311 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 44, ) }, ... 44, ) == 0x0 00312 312 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0 00313 312 NtClose (44, ... ) == 0x0 00314 312 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00315 312 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00316 312 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00317 312 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00318 312 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00319 312 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00320 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 44, ) }, ... 44, ) == 0x0 00321 312 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0 00322 312 NtClose (44, ... ) == 0x0 00323 312 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00324 312 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... 
(0x77f61000), 4096, 4, ) == 0x0 00325 312 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00326 312 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00327 312 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00328 312 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00329 312 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00330 312 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00331 312 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00332 312 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00333 312 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00334 312 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00335 312 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00336 312 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00337 312 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00338 312 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00339 312 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00340 312 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00341 312 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00342 312 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00343 312 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00344 312 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00345 312 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00346 312 NtFlushInstructionCache (-1, 1119948800, 1452, ... 
) == 0x0 00347 312 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00348 312 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00349 312 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00350 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 44, ) }, ... 44, ) == 0x0 00351 312 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x880000), 0x0, 36864, ) == STATUS_IMAGE_NOT_AT_BASE 00352 312 NtProtectVirtualMemory (-1, (0x881000), 18944, 4, ... (0x881000), 20480, 32, ) == 0x0 00353 312 NtProtectVirtualMemory (-1, (0x887000), 1024, 4, ... (0x887000), 4096, 2, ) == 0x0 00354 312 NtProtectVirtualMemory (-1, (0x888000), 1536, 4, ... (0x888000), 4096, 2, ) == 0x0 00355 312 NtMapViewOfSection (44, -1, (0x880000), 0, 0, 0x0, 36864, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES 00356 312 NtProtectVirtualMemory (-1, (0x881000), 18944, 16, ... (0x881000), 20480, 4, ) == 0x0 00357 312 NtProtectVirtualMemory (-1, (0x887000), 1024, 2, ... (0x887000), 4096, 8, ) == 0x0 00358 312 NtProtectVirtualMemory (-1, (0x888000), 1536, 2, ... (0x888000), 4096, 8, ) == 0x0 00359 312 NtFlushInstructionCache (-1, 0, 0, ... ) == 0x0 00360 312 NtClose (44, ... ) == 0x0 00361 312 NtProtectVirtualMemory (-1, (0x881000), 160, 4, ... (0x881000), 4096, 16, ) == 0x0 00362 312 NtProtectVirtualMemory (-1, (0x881000), 4096, 16, ... (0x881000), 4096, 4, ) == 0x0 00363 312 NtFlushInstructionCache (-1, 8916992, 160, ... ) == 0x0 00364 312 NtProtectVirtualMemory (-1, (0x881000), 160, 4, ... (0x881000), 4096, 16, ) == 0x0 00365 312 NtProtectVirtualMemory (-1, (0x881000), 4096, 16, ... (0x881000), 4096, 4, ) == 0x0 00366 312 NtFlushInstructionCache (-1, 8916992, 160, ... ) == 0x0 00367 312 NtProtectVirtualMemory (-1, (0x881000), 160, 4, ... (0x881000), 4096, 16, ) == 0x0 00368 312 NtProtectVirtualMemory (-1, (0x881000), 4096, 16, ... 
(0x881000), 4096, 4, ) == 0x0 00369 312 NtFlushInstructionCache (-1, 8916992, 160, ... ) == 0x0 00370 312 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00371 312 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00372 312 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00373 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 44, ) }, ... 44, ) == 0x0 00374 312 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0 00375 312 NtClose (44, ... ) == 0x0 00376 312 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00377 312 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00378 312 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00379 312 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00380 312 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00381 312 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00382 312 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00383 312 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00384 312 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00385 312 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00386 312 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00387 312 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00388 312 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00389 312 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00390 312 NtFlushInstructionCache (-1, 1117327360, 616, ... 
) == 0x0 00391 312 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00392 312 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00393 312 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00394 312 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00395 312 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00396 312 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00397 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00398 312 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00399 312 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0 00400 312 NtCreateSemaphore (0x1f0003, {24, 44, 0x80, 1330488, 0, (0x1f0003, {24, 44, 0x80, 1330488, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 48, ) }, 0, 2147483647, ... 48, ) == STATUS_OBJECT_NAME_EXISTS 00401 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00402 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00403 312 NtQueryPerformanceCounter (... 
{924355287, 10}, {3579545, 0}, ) == 0x0 00404 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00405 312 NtQueryPerformanceCounter (... {924355850, 10}, {3579545, 0}, ) == 0x0 00406 312 NtAllocateVirtualMemory (-1, 1331200, 0, 8192, 4096, 4, ... 1331200, 8192, ) == 0x0 00407 312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00408 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 8978432, 1048576, ) == 0x0 00409 312 NtAllocateVirtualMemory (-1, 8978432, 0, 4096, 4096, 4, ... 8978432, 4096, ) == 0x0 00410 312 NtAllocateVirtualMemory (-1, 8982528, 0, 8192, 4096, 4, ... 8982528, 8192, ) == 0x0 00411 312 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0 00412 312 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1242348, (0xc0100080, {24, 0, 0x40, 0, 1242348, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 56, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 56, {status=0x0, info=0}, ) == 0x0 00413 312 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 60, ) == 0x0 00414 312 NtDeviceIoControlFile (56, 60, 0x0, 0x12f54c, 0x22414c, (56, 60, 0x0, 0x12f54c, 0x22414c, "\224\365\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ... 00415 312 NtOpenKey (0x82000000, {24, 0, 0x240, 0, 0, (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482740, ) }, ... 
-2147482740, ) == 0x0 00416 312 NtQueryValueKey (-2147482740, (-2147482740, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00417 312 NtQueryValueKey (-2147482740, (-2147482740, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00418 312 NtClose (-2147482740, ... ) == 0x0 00419 312 NtClose (908, ... ) == 0x0 00414 312 NtDeviceIoControlFile ... {status=0x0, info=80}, ... {status=0x0, info=80}, "\350\16\37\341\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#e\0r\02\0-\0\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00420 312 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1242564, (0xc0100080, {24, 0, 0x40, 0, 1242564, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) == 0x0 00421 312 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 72, ) == 0x0 00422 312 NtDuplicateObject (-1, -1, -1, 0x0, 0, 2, ... 76, ) == 0x0 00423 312 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 80, ) == 0x0 00424 312 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 84, ) == 0x0 00425 312 NtAllocateVirtualMemory (-1, 8990720, 0, 8192, 4096, 4, ... 8990720, 8192, ) == 0x0 00426 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 10027008, 1048576, ) == 0x0 00427 312 NtAllocateVirtualMemory (-1, 11067392, 0, 8192, 4096, 4, ... 11067392, 8192, ) == 0x0 00428 312 NtProtectVirtualMemory (-1, (0xa8e000), 4096, 260, ... (0xa8e000), 4096, 4, ) == 0x0 00429 312 NtCreateThread (0x1f03ff, 0x0, -1, 1241648, 1241592, 1, ... 88, {940, 776}, ) == 0x0 00430 312 NtQueryInformationThread (88, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=940,Tid=776,}, 0x0, ) == 0x0 00431 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 8978808} (24, {28, 56, new_msg, 0, 0, 0, 0, 8978808} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\254\3\0\0\10\3\0\0" ... {28, 56, reply, 0, 940, 312, 57942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\254\3\0\0\10\3\0\0" ) ... {28, 56, reply, 0, 940, 312, 57942, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 8978808} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\254\3\0\0\10\3\0\0" ... {28, 56, reply, 0, 940, 312, 57942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\254\3\0\0\10\3\0\0" ) ) == 0x0 00432 312 NtResumeThread (88, ... 1, ) == 0x0 00433 312 NtClose (88, ... ) == 0x0 00434 312 NtSetEvent (72, ... 00435 776 NtCreateEvent (0x100003, 0x0, 1, 0, ... 88, ) == 0x0 00436 776 NtWaitForSingleObject (88, 0, 0x0, ... 00434 312 NtSetEvent ... 0x0, ) == 0x0 00437 312 NtSetEvent (52, ... 0x0, ) == 0x0 00438 312 NtClose (52, ... ) == 0x0 00439 312 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0 00440 312 NtAllocateVirtualMemory (-1, 8998912, 0, 4096, 4096, 4, ... 8998912, 4096, ) == 0x0 00441 312 NtDeviceIoControlFile (56, 60, 0x0, 0x12f54c, 0x22414c, (56, 60, 0x0, 0x12f54c, 0x22414c, "\224\365\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ... 00442 312 NtOpenKey (0x82000000, {24, 0, 0x240, 0, 0, (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00443 312 NtQueryValueKey (-2147482740, (-2147482740, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00444 312 NtQueryValueKey (-2147482740, (-2147482740, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00445 312 NtClose (-2147482740, ... ) == 0x0 00446 312 NtClose (908, ... ) == 0x0 00441 312 NtDeviceIoControlFile ... {status=0x0, info=80}, ... {status=0x0, info=80}, "\250\33\257\341\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344e\0r\0IoNm\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00447 312 NtSetEvent (72, ... 0x0, ) == 0x0 00448 312 NtSetEvent (52, ... 0x0, ) == 0x0 00449 312 NtClose (52, ... ) == 0x0 00450 312 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 00451 312 NtOpenProcessToken (-1, 0xa, ... 52, ) == 0x0 00452 312 NtDuplicateToken (52, 0xc, {24, 0, 0x0, 0, 1242832, 0x0}, 0, 2, ... 96, ) == 0x0 00453 312 NtClose (52, ... ) == 0x0 00454 312 NtAccessCheck (1336312, 96, 0x1, 1242908, 1242960, 56, 1242940, ... (0x1), ) == 0x0 00455 312 NtClose (96, ... ) == 0x0 00456 312 NtQueryDefaultUILanguage (1241712, ... 00457 312 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00458 312 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482740, ) == 0x0 00459 312 NtQueryInformationToken (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00460 312 NtClose (-2147482740, ... ) == 0x0 00461 312 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00462 312 NtOpenKey (0x80000000, {24, -2147482740, 0x240, 0, 0, (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00463 312 NtOpenKey (0x80000000, {24, -2147482740, 0x640, 0, 0, (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0 00464 312 NtQueryValueKey (-2147481328, (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00465 312 NtClose (-2147481328, ... ) == 0x0 00466 312 NtClose (-2147482740, ... ) == 0x0 00456 312 NtQueryDefaultUILanguage ... ) == 0x0 00467 312 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00468 312 NtQueryDefaultUILanguage (2090319928, ... 00469 312 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00470 312 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482740, ) == 0x0 00471 312 NtQueryInformationToken (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00472 312 NtClose (-2147482740, ... ) == 0x0 00473 312 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00474 312 NtOpenKey (0x80000000, {24, -2147482740, 0x240, 0, 0, (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00475 312 NtOpenKey (0x80000000, {24, -2147482740, 0x640, 0, 0, (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0 00476 312 NtQueryValueKey (-2147481328, (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00477 312 NtClose (-2147481328, ... ) == 0x0 00478 312 NtClose (-2147482740, ... ) == 0x0 00468 312 NtQueryDefaultUILanguage ... ) == 0x0 00479 312 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 00480 312 NtQueryDefaultLocale (1, 1239808, ... ) == 0x0 00481 312 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00482 312 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 940, 312, 57943, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 940, 312, 57943, 0} (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 940, 312, 57943, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ) ) == 0x0 00483 312 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00484 312 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00485 312 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00486 312 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00487 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1239036, ... ) }, 1239036, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00488 312 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00489 312 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00490 312 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00491 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1239100, ... ) }, 1239100, ... ) == 0x0 00492 312 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 96, {status=0x0, info=1}, ) }, 3, 33, ... 96, {status=0x0, info=1}, ) == 0x0 00493 312 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00494 312 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00495 312 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 100, ) == 0x0 00496 312 NtClose (52, ... ) == 0x0 00497 312 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xaa0000), 0x0, 1056768, ) == 0x0 00498 312 NtClose (100, ... ) == 0x0 00499 312 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 00500 312 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00501 312 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 52, ) == 0x0 00502 312 NtQuerySection (52, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 00503 312 NtClose (100, ... ) == 0x0 00504 312 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0 00505 312 NtClose (52, ... ) == 0x0 00506 312 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00507 312 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00508 312 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00509 312 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00510 312 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00511 312 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00512 312 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00513 312 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00514 312 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00515 312 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00516 312 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00517 312 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00518 312 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00519 312 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00520 312 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00521 312 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00522 312 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00523 312 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00524 312 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00525 312 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... 
(0x773d1000), 4096, 4, ) == 0x0 00526 312 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00527 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00528 312 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240580, ... ) , 42, 1240580, ... ) == 0x0 00529 312 NtQueryDefaultUILanguage (1239264, ... 00530 312 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00531 312 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482740, ) == 0x0 00532 312 NtQueryInformationToken (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00533 312 NtClose (-2147482740, ... ) == 0x0 00534 312 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00535 312 NtOpenKey (0x80000000, {24, -2147482740, 0x240, 0, 0, (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00536 312 NtOpenKey (0x80000000, {24, -2147482740, 0x640, 0, 0, (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0 00537 312 NtQueryValueKey (-2147481328, (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00538 312 NtClose (-2147481328, ... ) == 0x0 00539 312 NtClose (-2147482740, ... ) == 0x0 00529 312 NtQueryDefaultUILanguage ... ) == 0x0 00540 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238104, ... ) }, 1238104, ... 
) == 0x0 00541 312 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00542 312 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 100, ) == 0x0 00543 312 NtClose (52, ... ) == 0x0 00544 312 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xaa0000), 0x0, 4096, ) == 0x0 00545 312 NtClose (100, ... ) == 0x0 00546 312 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 00547 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237700, ... ) }, 1237700, ... ) == 0x0 00548 312 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238444, (0x80100080, {24, 0, 0x40, 0, 1238444, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) == 0x0 00549 312 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 100, ... 52, ) == 0x0 00550 312 NtClose (100, ... ) == 0x0 00551 312 NtMapViewOfSection (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xaa0000), {0, 0}, 4096, ) == 0x0 00552 312 NtClose (52, ... ) == 0x0 00553 312 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 00554 312 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00555 312 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 100, ) == 0x0 00556 312 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xaa0000), 0x0, 4096, ) == 0x0 00557 312 NtQueryInformationFile (52, 1238096, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00558 312 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00559 312 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 940, 312, 57946, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 940, 312, 57946, 0} (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 940, 312, 57946, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ) ) == 0x0 00560 312 NtClose (52, ... ) == 0x0 00561 312 NtClose (100, ... ) == 0x0 00562 312 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 00563 312 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00564 312 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00565 312 NtUserSystemParametersInfo (104, 0, 2001084812, 0, ... ) == 0x1 00566 312 NtUserGetDC (0, ... ) == 0x1010051 00567 312 NtQueryVirtualMemory (-1, 0x7c91ca50, Basic, 28, ... 
{BaseAddress=0x7c91c000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00568 312 NtQueryVirtualMemory (-1, 0x7c9163a8, Basic, 28, ... {BaseAddress=0x7c916000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x66000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00569 312 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00570 312 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00571 312 NtContinue (1238304, 0, ... 00572 312 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00573 312 NtUnmapViewOfSection (-1, 0x773d0000, ... ) == 0x0 00574 312 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00575 312 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 00576 312 NtClose (96, ... ) == 0x0 00577 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 96, ) }, ... 96, ) == 0x0 00578 312 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0 00579 312 NtClose (96, ... ) == 0x0 00580 312 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 00581 312 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00582 312 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00583 312 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 00584 312 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00585 312 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00586 312 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 00587 312 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00588 312 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00589 312 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... 
(0x5d091000), 4096, 32, ) == 0x0 00590 312 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00591 312 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00592 312 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 00593 312 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00594 312 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00595 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00596 312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00597 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11075584, 65536, ) == 0x0 00598 312 NtAllocateVirtualMemory (-1, 11075584, 0, 4096, 4096, 4, ... 11075584, 4096, ) == 0x0 00599 312 NtAllocateVirtualMemory (-1, 11079680, 0, 8192, 4096, 4, ... 11079680, 8192, ) == 0x0 00600 312 NtAllocateVirtualMemory (-1, 11087872, 0, 4096, 4096, 4, ... 11087872, 4096, ) == 0x0 00601 312 NtAllocateVirtualMemory (-1, 11091968, 0, 4096, 4096, 4, ... 11091968, 4096, ) == 0x0 00602 312 NtQueryDefaultUILanguage (1238736, ... 00603 312 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00604 312 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482740, ) == 0x0 00605 312 NtQueryInformationToken (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00606 312 NtClose (-2147482740, ... 
) == 0x0 00607 312 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00608 312 NtOpenKey (0x80000000, {24, -2147482740, 0x240, 0, 0, (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00609 312 NtOpenKey (0x80000000, {24, -2147482740, 0x640, 0, 0, (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0 00610 312 NtQueryValueKey (-2147481328, (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00611 312 NtClose (-2147481328, ... ) == 0x0 00612 312 NtClose (-2147482740, ... ) == 0x0 00602 312 NtQueryDefaultUILanguage ... ) == 0x0 00613 312 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00614 312 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0 00615 312 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xac0000), 0x0, 618496, ) == 0x0 00616 312 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00617 312 NtQueryDefaultLocale (1, 1236832, ... ) == 0x0 00618 312 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00619 312 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0\340q\263\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 940, 312, 57947, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0\340q\263\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 940, 312, 57947, 0} (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0\340q\263\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 940, 312, 57947, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0\340q\263\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ) ) == 0x0 00620 312 NtClose (96, ... ) == 0x0 00621 312 NtClose (100, ... ) == 0x0 00622 312 NtUnmapViewOfSection (-1, 0xac0000, ... ) == 0x0 00623 312 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00624 312 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {940, 0}, ... 100, ) == 0x0 00625 312 NtQueryInformationProcess (100, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00626 312 NtClose (100, ... ) == 0x0 00627 312 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... 
) , ... ) == 0xc03a 00628 312 NtUserSystemParametersInfo (104, 0, 1561338260, 0, ... ) == 0x1 00629 312 NtUserSystemParametersInfo (38, 4, 1561337988, 0, ... ) == 0x1 00630 312 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00631 312 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 100, ) == 0x0 00632 312 NtQueryInformationToken (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00633 312 NtClose (100, ... ) == 0x0 00634 312 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 100, ) }, ... 100, ) == 0x0 00635 312 NtOpenProcessToken (-1, 0x8, ... 96, ) == 0x0 00636 312 NtAccessCheck (1336312, 96, 0x1, 1239928, 1239980, 56, 1239960, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00637 312 NtClose (96, ... ) == 0x0 00638 312 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "Control Panel\Desktop"}, ... 96, ) }, ... 96, ) == 0x0 00639 312 NtQueryValueKey (96, (96, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00640 312 NtClose (96, ... ) == 0x0 00641 312 NtUserSystemParametersInfo (41, 500, 1240108, 0, ... ) == 0x1 00642 312 NtUserSystemParametersInfo (102, 0, 1561338280, 0, ... ) == 0x1 00643 312 NtClose (100, ... ) == 0x0 00644 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00645 312 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00646 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c03b 00647 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c03d 00648 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00649 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c03f 00650 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... 
) == 0x10011 00651 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c041 00652 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00653 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c043 00654 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c045 00655 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00656 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c047 00657 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00658 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c049 00659 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00660 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c04b 00661 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00662 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c04d 00663 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00664 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c04f 00665 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c051 00666 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00667 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c053 00668 312 NtUserFindExistingCursorIcon (1239856, 1239872, 1239920, ... ) == 0x10011 00669 312 NtUserRegisterClassExWOW (1239800, 1239868, 1239884, 1239900, 0, 384, 0, ... ) == 0x81b1c055 00670 312 NtUserFindExistingCursorIcon (1239856, 1239872, 1239920, ... ) == 0x10011 00671 312 NtUserRegisterClassExWOW (1239800, 1239868, 1239884, 1239900, 0, 384, 0, ... 
) == 0x81b1c057 00672 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00673 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c059 00674 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10013 00675 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c05b 00676 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00677 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c05d 00678 312 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00679 312 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c05f 00680 312 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00681 312 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 100, ) == 0x0 00682 312 NtQueryInformationToken (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00683 312 NtClose (100, ... ) == 0x0 00684 312 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 100, ) }, ... 100, ) == 0x0 00685 312 NtSetInformationObject (100, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00686 312 NtCreateKey (0x2001f, {24, 100, 0x40, 0, 0, (0x2001f, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0 00687 312 NtSetEventBoostPriority (88, ... 00436 776 NtWaitForSingleObject ... ) == 0x0 00688 776 NtTestAlert (... ) == 0x0 00689 776 NtContinue (11074864, 1, ... 00690 776 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00691 776 NtDeviceIoControlFile (68, 80, 0x0, 0x77e466a0, 0x228144, (68, 80, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0L\0\0\0\0\0\0\0\\0\0\0\0\0\0\0@\0\0\0\0\0\0\0", 40, 4096, ... 
{status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103 00687 312 NtSetEventBoostPriority ... ) == 0x0 00692 312 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00693 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242908, ... }, 1242908, ... 00694 776 NtWaitForMultipleObjects (2, (72, 80, ), 1, 1, {1294967296, -1}, ... ) == 0x0 00695 776 NtDeviceIoControlFile (68, 84, 0x0, 0x77e46680, 0x228144, (68, 84, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0L\0\0\0\0\0\0\0\\0\0\0\0\0\0\0@\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103 00696 776 NtWaitForMultipleObjects (2, (72, 84, ), 1, 1, {1294967296, -1}, ... 00693 312 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00697 312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0 00698 312 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00699 312 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 52, ... 104, ) == 0x0 00700 312 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00701 312 NtClose (52, ... ) == 0x0 00702 312 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0 00703 312 NtClose (104, ... ) == 0x0 00704 312 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 00705 312 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 00706 312 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 00707 312 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... 
(0x76d61000), 4096, 32, ) == 0x0 00708 312 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 00709 312 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 00710 312 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 00711 312 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 00712 312 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 00713 312 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 00714 312 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 00715 312 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 00716 312 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 00717 312 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 00718 312 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 00719 312 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 00720 312 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 00721 312 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 00722 312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00723 312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00724 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11272192, 65536, ) == 0x0 00725 312 NtAllocateVirtualMemory (-1, 11272192, 0, 4096, 4096, 4, ... 
11272192, 4096, ) == 0x0 00726 312 NtAllocateVirtualMemory (-1, 11276288, 0, 8192, 4096, 4, ... 11276288, 8192, ) == 0x0 00727 312 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 104, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 104, {status=0x0, info=0}, ) == 0x0 00728 312 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 52, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 52, {status=0x0, info=0}, ) == 0x0 00729 312 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 108, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 108, {status=0x0, info=0}, ) == 0x0 00730 312 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 112, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 112, {status=0x0, info=0}, ) == 0x0 00731 312 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 1242836, (0x20100080, {24, 0, 0x40, 0, 1242836, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 116, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 116, {status=0x0, info=0}, ) == 0x0 00732 312 NtAllocateVirtualMemory (-1, 11284480, 0, 36864, 4096, 4, ... 11284480, 36864, ) == 0x0 00733 312 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00734 312 NtDeviceIoControlFile (104, 120, 0x0, 0x0, 0x120003, (104, 120, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (104, 120, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... 
{status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 00735 312 NtClose (120, ... ) == 0x0 00736 312 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00737 312 NtDeviceIoControlFile (104, 120, 0x0, 0x0, 0x120003, (104, 120, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118}, (104, 120, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 00738 312 NtClose (120, ... ) == 0x0 00739 312 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00740 312 NtDeviceIoControlFile (104, 120, 0x0, 0x0, 0x120003, (104, 120, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363o\201\1\0\0\0\5\0\0\0\232A\250\25\303\207>\3\250\274\0\0\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0-\371%\0\203B\0\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (104, 120, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... 
{status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363o\201\1\0\0\0\5\0\0\0\232A\250\25\303\207>\3\250\274\0\0\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0-\371%\0\203B\0\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0 00741 312 NtClose (120, ... ) == 0x0 00742 312 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00743 312 NtDeviceIoControlFile (104, 120, 0x0, 0x0, 0x120003, (104, 120, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (104, 120, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 00744 312 NtClose (120, ... ) == 0x0 00745 312 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00746 312 NtDeviceIoControlFile (104, 120, 0x0, 0x0, 0x120003, (104, 120, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4}, (104, 120, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 00747 312 NtClose (120, ... ) == 0x0 00748 312 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00749 312 NtDeviceIoControlFile (104, 120, 0x0, 0x0, 0x120003, (104, 120, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... 
{status=0x0, info=8}, (104, 120, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 00750 312 NtClose (120, ... ) == 0x0 00751 312 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 120, ) == 0x0 00752 312 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 124, ) == 0x0 00753 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00754 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00755 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00756 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00757 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00758 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00759 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00760 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00761 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00762 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00763 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00764 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... 
{BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00765 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00766 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00767 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00768 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00769 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00770 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00771 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00772 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00773 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00774 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00775 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00776 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00777 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00778 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
11337728, 65536, ) == 0x0 00779 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00780 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00781 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00782 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00783 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00784 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00785 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00786 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00787 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00788 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00789 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00790 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00791 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00792 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... 
(0xad0000), 65536, ) == 0x0 00793 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00794 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00795 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00796 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00797 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00798 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00799 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00800 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00801 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00802 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00803 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00804 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00805 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00806 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... 
{BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00807 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00808 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00809 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00810 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00811 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00812 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00813 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00814 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00815 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00816 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00817 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00818 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00819 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00820 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 
11337728, 4096, ) == 0x0 00821 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00822 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00823 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00824 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00825 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00826 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00827 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00828 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00829 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00830 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00831 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00832 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00833 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00834 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... 
{BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00835 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00836 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00837 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00838 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00839 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00840 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00841 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00842 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00843 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00844 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00845 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00846 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00847 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00848 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
11337728, 65536, ) == 0x0 00849 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00850 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00851 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00852 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00853 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00854 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00855 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00856 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00857 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00858 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00859 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00860 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00861 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00862 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... 
(0xad0000), 65536, ) == 0x0 00863 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00864 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00865 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00866 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00867 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00868 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00869 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00870 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00871 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00872 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00873 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00874 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00875 312 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00876 312 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... 
{BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00877 312 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00878 312 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 128, ) }, ... 128, ) == 0x0 00879 312 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 132, ) }, ... 132, ) == 0x0 00880 312 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 136, ) }, ... 136, ) == 0x0 00881 312 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 140, ) }, ... 140, ) == 0x0 00882 312 NtQueryDefaultLocale (1, 1242816, ... ) == 0x0 00883 312 NtFreeVirtualMemory (-1, (0x850000), 0, 32768, ... (0x850000), 28672, ) == 0x0 00884 312 NtFreeVirtualMemory (-1, (0x320147), 0, 32768, ... (0x320000), 4096, ) == 0x0 00885 312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00886 312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00887 312 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00888 312 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 00889 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11337728, 1048576, ) == 0x0 00890 312 NtAllocateVirtualMemory (-1, 11337728, 0, 32768, 4096, 4, ... 
11337728, 32768, ) == 0x0 00891 312 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 144, ) }, ... 144, ) == 0x0 00892 312 NtQueryValueKey (144, (144, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00893 312 NtQueryValueKey (144, (144, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00894 312 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 148, ) == 0x0 00895 312 NtOpenKey (0x2000000, {24, 144, 0x40, 0, 0, (0x2000000, {24, 144, 0x40, 0, 0, "Protocol_Catalog9"}, ... 152, ) }, ... 152, ) == 0x0 00896 312 NtQueryValueKey (152, (152, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00897 312 NtNotifyChangeKey (152, 148, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00898 312 NtQueryValueKey (152, (152, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00899 312 NtOpenKey (0x2000000, {24, 152, 0x40, 0, 0, (0x2000000, {24, 152, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00900 312 NtQueryValueKey (152, (152, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (152, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 00901 312 NtQueryValueKey (152, (152, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 00902 312 NtOpenKey (0x2000000, {24, 152, 0x40, 0, 0, (0x2000000, {24, 152, 0x40, 0, 0, "Catalog_Entries"}, ... 156, ) }, ... 156, ) == 0x0 00903 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000001"}, ... 160, ) }, ... 160, ) == 0x0 00904 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00905 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00906 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\213\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\213\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\214\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\215\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\213\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\213\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\214\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\215\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\213\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\213\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\214\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\215\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00907 312 NtClose (160, ... ) == 0x0 00908 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000002"}, ... 160, ) }, ... 160, ) == 0x0 00909 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00910 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00911 312 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00912 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\221\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\221\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\222\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\223\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\221\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\221\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\222\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\223\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\221\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\221\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\222\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\223\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00913 312 NtClose (160, ... ) == 0x0 00914 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000003"}, ... 160, ) }, ... 160, ) == 0x0 00915 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00916 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00917 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\226\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\226\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\227\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\230\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\226\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\226\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\227\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\230\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\226\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\226\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\227\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\230\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00918 312 NtClose (160, ... ) == 0x0 00919 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000004"}, ... 160, ) }, ... 160, ) == 0x0 00920 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00921 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00922 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\233\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\233\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\234\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\235\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\233\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\233\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\234\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\235\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\233\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\233\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\234\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\235\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00923 312 NtClose (160, ... ) == 0x0 00924 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000005"}, ... 160, ) }, ... 160, ) == 0x0 00925 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00926 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00927 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\240\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\240\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\241\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\242\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\240\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\240\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\241\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\242\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\240\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\240\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\241\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\242\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00928 312 NtClose (160, ... ) == 0x0 00929 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000006"}, ... 160, ) }, ... 160, ) == 0x0 00930 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00931 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00932 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\245\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\245\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\246\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\247\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\245\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\245\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\246\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\247\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\245\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\245\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\246\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\247\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00933 312 NtClose (160, ... ) == 0x0 00934 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000007"}, ... 160, ) }, ... 
160, ) == 0x0 00935 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00936 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00937 312 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00938 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\253\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\253\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\254\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\255\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\253\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\253\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\254\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\255\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\253\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\253\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\254\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\255\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00939 312 NtClose (160, ... ) == 0x0 00940 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000008"}, ... 160, ) }, ... 
160, ) == 0x0 00941 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00942 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00943 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\260\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\260\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\261\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\262\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\260\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\260\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\261\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\262\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\260\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\260\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\261\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\262\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00944 312 NtClose (160, ... ) == 0x0 00945 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000009"}, ... 160, ) }, ... 
160, ) == 0x0 00946 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00947 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00948 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\265\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\265\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\266\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\267\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\265\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\265\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\266\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\267\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\265\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\265\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\266\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\267\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00949 312 NtClose (160, ... ) == 0x0 00950 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000010"}, ... 160, ) }, ... 
160, ) == 0x0 00951 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00952 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00953 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\272\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\272\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\273\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\274\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\272\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\272\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\273\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\274\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\272\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\272\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\273\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\274\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00954 312 NtClose (160, ... ) == 0x0 00955 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000011"}, ... 160, ) }, ... 
160, ) == 0x0 00956 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00957 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00958 312 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00959 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\300\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\300\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\301\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\302\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\300\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\300\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\301\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\302\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\300\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\300\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\301\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\302\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00960 312 NtClose (160, ... ) == 0x0 00961 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000012"}, ... 160, ) }, ... 
160, ) == 0x0 00962 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00963 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00964 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\305\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\305\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\306\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\307\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\305\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\305\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\306\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\307\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\305\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\305\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\306\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\307\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00965 312 NtClose (160, ... ) == 0x0 00966 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000013"}, ... 160, ) }, ... 
160, ) == 0x0 00967 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00968 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00969 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\312\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\312\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\313\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\314\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\312\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\312\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\313\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\314\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\312\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\312\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\313\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\314\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00970 312 NtClose (160, ... ) == 0x0 00971 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000014"}, ... 160, ) }, ... 
160, ) == 0x0 00972 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00973 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00974 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\317\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\317\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\320\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\321\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\317\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\317\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\320\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\321\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\317\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\317\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\320\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\321\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00975 312 NtClose (160, ... ) == 0x0 00976 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000015"}, ... 160, ) }, ... 
160, ) == 0x0 00977 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00978 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00979 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\324\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\324\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\325\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\326\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\324\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\324\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\325\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\326\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\324\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\324\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\325\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\326\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00980 312 NtClose (160, ... ) == 0x0 00981 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000016"}, ... 160, ) }, ... 
160, ) == 0x0 00982 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00983 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00984 312 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00985 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\332\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\332\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\333\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\334\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\334\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\332\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\332\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\333\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\334\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\334\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\334\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\332\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\332\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\333\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\334\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\334\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00986 312 NtClose (160, ... ) == 0x0 00987 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000017"}, ... 160, ) }, ... 
160, ) == 0x0 00988 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00989 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00990 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\337\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\337\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\340\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\341\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\337\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\337\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\340\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\341\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\337\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\337\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\340\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\341\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00991 312 NtClose (160, ... ) == 0x0 00992 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000018"}, ... 160, ) }, ... 
160, ) == 0x0 00993 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00994 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00995 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\344\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\344\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\345\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\345\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\346\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\344\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\344\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\345\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\345\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\346\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\344\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\344\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\345\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\345\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\346\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00996 312 NtClose (160, ... ) == 0x0 00997 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000019"}, ... 160, ) }, ... 
160, ) == 0x0 00998 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00999 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01000 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\351\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\351\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\352\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\353\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\351\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\351\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\352\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\353\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\351\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\351\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\352\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\353\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01001 312 NtClose (160, ... ) == 0x0 01002 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000020"}, ... 160, ) }, ... 
160, ) == 0x0 01003 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01004 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01005 312 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 01006 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\357\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\357\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\360\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\361\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\357\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\357\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\360\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\361\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\357\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\357\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\360\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\361\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01007 312 NtClose (160, ... ) == 0x0 01008 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000021"}, ... 160, ) }, ... 
160, ) == 0x0 01009 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01010 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01011 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\364\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\364\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\365\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\365\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\366\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\366\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\367\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\364\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\364\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\365\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\365\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\366\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\366\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\367\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\366\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\367\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\364\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\364\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\365\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\365\3\0\0\254\3\0\08\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\366\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\366\3\0\0\254\3\0\08\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\367\3\0\0\254\3\0\08\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01012 312 NtClose (160, ... ) == 0x0 01013 312 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "000000000022"}, ... 160, ) }, ... 
160, ) == 0x0 01014 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01015 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01016 312 NtQueryValueKey (160, (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\371\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\371\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\234\0\0\0\372\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0\254\3\0\08\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\224\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\373\3\0\0\254\3\0\08\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\374\3\0\0\254\3\0\08\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\374\3\0\0\254\3\0\08\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\234\0\0\0\375\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\220\0\0\0\220\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0pr\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\371\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\371\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\234\0\0\0\372\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0\254\3\0\08\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\224\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\373\3\0\0\254\3\0\08\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\374\3\0\0\254\3\0\08\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\374\3\0\0\254\3\0\08\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\234\0\0\0\375\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\220\0\0\0\220\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0pr\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\371\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\371\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\3\0\0\254\3\0\08\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\234\0\0\0\372\3\0\0\254\3\0\08\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0\254\3\0\08\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\224\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\373\3\0\0\254\3\0\08\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\374\3\0\0\254\3\0\08\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\374\3\0\0\254\3\0\08\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\234\0\0\0\375\3\0\0\254\3\0\08\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\220\0\0\0\220\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0pr\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 01017 312 NtClose (160, ... ) == 0x0 01018 312 NtClose (156, ... ) == 0x0 01019 312 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x102 01020 312 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 156, ) == 0x0 01021 312 NtOpenKey (0x2000000, {24, 144, 0x40, 0, 0, (0x2000000, {24, 144, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 160, ) }, ... 160, ) == 0x0 01022 312 NtQueryValueKey (160, (160, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 01023 312 NtNotifyChangeKey (160, 156, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 01024 312 NtQueryValueKey (160, (160, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 01025 312 NtOpenKey (0x2000000, {24, 160, 0x40, 0, 0, (0x2000000, {24, 160, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01026 312 NtQueryValueKey (160, (160, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01027 312 NtOpenKey (0x2000000, {24, 160, 0x40, 0, 0, (0x2000000, {24, 160, 0x40, 0, 0, "Catalog_Entries"}, ... 164, ) }, ... 164, ) == 0x0 01028 312 NtOpenKey (0x20019, {24, 164, 0x40, 0, 0, (0x20019, {24, 164, 0x40, 0, 0, "000000000001"}, ... 168, ) }, ... 168, ) == 0x0 01029 312 NtQueryValueKey (168, (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01030 312 NtQueryValueKey (168, (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01031 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01032 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01033 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01034 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01035 312 NtQueryValueKey (168, (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01036 312 NtQueryValueKey (168, (168, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01037 312 NtQueryValueKey (168, (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01038 312 NtQueryValueKey (168, (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Enabled", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01039 312 NtQueryValueKey (168, (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01040 312 NtQueryValueKey (168, (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01041 312 NtClose (168, ... ) == 0x0 01042 312 NtOpenKey (0x20019, {24, 164, 0x40, 0, 0, (0x20019, {24, 164, 0x40, 0, 0, "000000000002"}, ... 168, ) }, ... 168, ) == 0x0 01043 312 NtQueryValueKey (168, (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01044 312 NtQueryValueKey (168, (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01045 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01046 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01047 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01048 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01049 312 NtQueryValueKey (168, (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01050 312 NtQueryValueKey (168, (168, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01051 312 NtQueryValueKey (168, (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01052 312 NtQueryValueKey (168, (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01053 312 NtQueryValueKey (168, (168, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01054 312 NtQueryValueKey (168, (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01055 312 NtClose (168, ... ) == 0x0 01056 312 NtOpenKey (0x20019, {24, 164, 0x40, 0, 0, (0x20019, {24, 164, 0x40, 0, 0, "000000000003"}, ... 168, ) }, ... 168, ) == 0x0 01057 312 NtQueryValueKey (168, (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01058 312 NtQueryValueKey (168, (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01059 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01060 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01061 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01062 312 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01063 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01064 312 NtQueryValueKey (168, (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... 
TitleIdx=0, Type=3, Data= (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01065 312 NtQueryValueKey (168, (168, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01066 312 NtQueryValueKey (168, (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01067 312 NtQueryValueKey (168, (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01068 312 NtQueryValueKey (168, (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01069 312 NtQueryValueKey (168, (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01070 312 NtClose (168, ... ) == 0x0 01071 312 NtOpenKey (0x20019, {24, 164, 0x40, 0, 0, (0x20019, {24, 164, 0x40, 0, 0, "000000000004"}, ... 168, ) }, ... 168, ) == 0x0 01072 312 NtQueryValueKey (168, (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01073 312 NtQueryValueKey (168, (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01074 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01075 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01076 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01077 312 NtQueryValueKey (168, (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01078 312 NtQueryValueKey (168, (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 01079 312 NtQueryValueKey (168, (168, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01080 312 NtQueryValueKey (168, (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01081 312 NtQueryValueKey (168, (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01082 312 NtQueryValueKey (168, (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01083 312 NtQueryValueKey (168, (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01084 312 NtClose (168, ... ) == 0x0 01085 312 NtClose (164, ... ) == 0x0 01086 312 NtWaitForSingleObject (156, 0, {0, 0}, ... ) == 0x102 01087 312 NtClose (144, ... ) == 0x0 01088 312 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01089 312 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01090 312 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 144, ) }, ... 144, ) == 0x0 01091 312 NtQueryValueKey (144, (144, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01092 312 NtClose (144, ... ) == 0x0 01093 312 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 144, ) == 0x0 01094 312 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241640, (0x80100080, {24, 0, 0x40, 0, 1241640, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0 01095 312 NtQueryInformationFile (164, 1242076, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01096 312 NtQueryInformationFile (164, 1241992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01097 312 NtQueryInformationFile (164, 1241808, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01098 312 NtAllocateVirtualMemory (-1, 1368064, 0, 8192, 4096, 4, ... 1368064, 8192, ) == 0x0 01099 312 NtQueryInformationFile (164, 1365424, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01100 312 NtQueryInformationFile (164, 1240256, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01101 312 NtQueryInformationFile (164, 1240532, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01102 312 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240408, (0x40110080, {24, 0, 0x40, 0, 1240408, "\??\C:\WINDOWS\lsasss.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01103 312 NtClose (-2147482740, ... ) == 0x0 01102 312 NtCreateFile ... 
168, {status=0x0, info=2}, ) == 0x0 01104 312 NtQueryVolumeInformationFile (168, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01105 312 NtQueryInformationFile (168, 1240144, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01106 312 NtQueryVolumeInformationFile (164, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01107 312 NtSetInformationFile (168, 1240460, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01108 312 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 164, ... 172, ) == 0x0 01109 312 NtMapViewOfSection (172, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x850000), {0, 0}, 16384, ) == 0x0 01110 312 NtClose (172, ... ) == 0x0 01111 312 NtWriteFile (168, 0, 0, 0, (168, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0i8\366\222-Y\230\301-Y\230\301-Y\230\301\256Q\305\301/Y\230\301-Y\230\301.Y\230\301\305F\222\3017Y\230\301\256E\226\301&Y\230\301-Y\231\301}Y\230\301OF\213\301$Y\230\301\305F\223\301)Y\230\301Rich-Y\230\301\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\6\302\226@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0.)\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\1\200\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24\200\0\0\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0p\0\0\0\20\0\0\02\0\0", 15873, 0x0, 0, ... 
{status=0x0, info=15873}, ) \0\0\0\0\0\0.)\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\1\200\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24\200\0\0\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0p\0\0\0\20\0\0\02\0\0", 15873, 0x0, 0, ... {status=0x0, info=15873}, ) == 0x0 01112 312 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 01113 312 NtSetInformationFile (168, 1241808, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01114 312 NtClose (164, ... ) == 0x0 01115 312 NtClose (168, ... ) == 0x0 01116 312 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 168, ) }, ... 168, ) == 0x0 01117 312 NtSetValueKey (168, (168, "lsasss.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0l\0s\0a\0s\0s\0s\0.\0e\0x\0e\0\0\0", 44, ... , 0, 1, (168, "lsasss.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0l\0s\0a\0s\0s\0s\0.\0e\0x\0e\0\0\0", 44, ... , 44, ... 01118 312 NtSetInformationFile (-2147482448, -139610320, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01119 312 NtSetInformationFile (-2147482448, -139610412, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01120 312 NtSetInformationFile (-2147482448, -139610720, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01117 312 NtSetValueKey ... ) == 0x0 01121 312 NtClose (168, ... ) == 0x0 01122 312 NtOpenKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 168, ) }, ... 168, ) == 0x0 01123 312 NtDeleteValueKey (168, (168, "ssgrate.exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01124 312 NtClose (168, ... 
) == 0x0 01125 312 NtOpenKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 168, ) }, ... 168, ) == 0x0 01126 312 NtDeleteValueKey (168, (168, "drvsys.exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01127 312 NtClose (168, ... ) == 0x0 01128 312 NtOpenKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 168, ) }, ... 168, ) == 0x0 01129 312 NtDeleteValueKey (168, (168, "Drvddll_exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01130 312 NtClose (168, ... ) == 0x0 01131 312 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "SkynetNotice"}, 0, ... 168, ) }, 0, ... 168, ) == 0x0 01132 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 12386304, 1048576, ) == 0x0 01133 312 NtAllocateVirtualMemory (-1, 13426688, 0, 8192, 4096, 4, ... 13426688, 8192, ) == 0x0 01134 312 NtProtectVirtualMemory (-1, (0xcce000), 4096, 260, ... (0xcce000), 4096, 4, ) == 0x0 01135 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 164, {940, 1928}, ) == 0x0 01136 312 NtQueryInformationThread (164, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=940,Tid=1928,}, 0x0, ) == 0x0 01137 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\254\3\0\0\210\7\0\0" ... {28, 56, reply, 0, 940, 312, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\254\3\0\0\210\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 57948, 0} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\254\3\0\0\210\7\0\0" ... {28, 56, reply, 0, 940, 312, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\254\3\0\0\210\7\0\0" ) ) == 0x0 01138 312 NtResumeThread (164, ... 
1, ) == 0x0 01139 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13434880, 1048576, ) == 0x0 01140 1928 NtTestAlert (... ) == 0x0 01141 1928 NtContinue (13434160, 1, ... 01142 1928 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01143 1928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 172, ) == 0x0 01144 1928 NtWaitForSingleObject (148, 0, {0, 0}, ... ) == 0x102 01145 1928 NtAllocateVirtualMemory (-1, 13422592, 0, 4096, 4096, 260, ... 01146 312 NtAllocateVirtualMemory (-1, 14475264, 0, 8192, 4096, 4, ... 14475264, 8192, ) == 0x0 01147 312 NtProtectVirtualMemory (-1, (0xdce000), 4096, 260, ... (0xdce000), 4096, 4, ) == 0x0 01148 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 176, {940, 808}, ) == 0x0 01149 312 NtQueryInformationThread (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=940,Tid=808,}, 0x0, ) == 0x0 01150 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57948, 0} (24, {28, 56, new_msg, 0, 940, 312, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\254\3\0\0(\3\0\0" ... {28, 56, reply, 0, 940, 312, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\254\3\0\0(\3\0\0" ) ... {28, 56, reply, 0, 940, 312, 57949, 0} (24, {28, 56, new_msg, 0, 940, 312, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\254\3\0\0(\3\0\0" ... {28, 56, reply, 0, 940, 312, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\254\3\0\0(\3\0\0" ) ) == 0x0 01151 312 NtResumeThread (176, ... 01145 1928 NtAllocateVirtualMemory ... 13422592, 4096, ) == 0x0 01152 1928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13431284, ... ) }, 13431284, ... ) == 0x0 01153 1928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01154 1928 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 180, ... 184, ) == 0x0 01155 1928 NtClose (180, ... 
) == 0x0 01156 1928 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdd0000), 0x0, 245760, ) == 0x0 01157 1928 NtClose (184, ... 01151 312 NtResumeThread ... 1, ) == 0x0 01158 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14745600, 1048576, ) == 0x0 01159 312 NtAllocateVirtualMemory (-1, 15785984, 0, 8192, 4096, 4, ... 15785984, 8192, ) == 0x0 01160 312 NtProtectVirtualMemory (-1, (0xf0e000), 4096, 260, ... (0xf0e000), 4096, 4, ) == 0x0 01161 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 180, {940, 1516}, ) == 0x0 01162 312 NtQueryInformationThread (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=940,Tid=1516,}, 0x0, ) == 0x0 01163 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57949, 0} (24, {28, 56, new_msg, 0, 940, 312, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\254\3\0\0\354\5\0\0" ... ... 01157 1928 NtClose ... ) == 0x0 01164 808 NtWaitForSingleObject (88, 0, 0x0, ... 01165 1928 NtUnmapViewOfSection (-1, 0xdd0000, ... ) == 0x0 01166 1928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13431592, ... ) }, 13431592, ... ) == 0x0 01167 1928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01168 1928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 188, ) == 0x0 01169 1928 NtQuerySection (188, Image, 48, ... 01163 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57950, 0} ... {28, 56, reply, 0, 940, 312, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\254\3\0\0\354\5\0\0" ) ) == 0x0 01170 312 NtResumeThread (180, ... 1, ) == 0x0 01171 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15794176, 1048576, ) == 0x0 01172 312 NtAllocateVirtualMemory (-1, 16834560, 0, 8192, 4096, 4, ... 
16834560, 8192, ) == 0x0 01173 312 NtProtectVirtualMemory (-1, (0x100e000), 4096, 260, ... (0x100e000), 4096, 4, ) == 0x0 01174 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 192, {940, 1664}, ) == 0x0 01169 1928 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01175 1516 NtWaitForSingleObject (88, 0, 0x0, ... 01176 1928 NtClose (184, ... ) == 0x0 01177 1928 NtMapViewOfSection (188, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0 01178 1928 NtClose (188, ... ) == 0x0 01179 1928 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 01180 1928 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 01181 312 NtQueryInformationThread (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=940,Tid=1664,}, 0x0, ) == 0x0 01182 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57950, 0} (24, {28, 56, new_msg, 0, 940, 312, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\254\3\0\0\200\6\0\0" ... {28, 56, reply, 0, 940, 312, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\254\3\0\0\200\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 57951, 0} (24, {28, 56, new_msg, 0, 940, 312, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\254\3\0\0\200\6\0\0" ... {28, 56, reply, 0, 940, 312, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\254\3\0\0\200\6\0\0" ) ) == 0x0 01183 312 NtResumeThread (192, ... 1, ) == 0x0 01184 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 16842752, 1048576, ) == 0x0 01185 312 NtAllocateVirtualMemory (-1, 17883136, 0, 8192, 4096, 4, ... 17883136, 8192, ) == 0x0 01186 312 NtProtectVirtualMemory (-1, (0x110e000), 4096, 260, ... 01180 1928 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 01187 1664 NtWaitForSingleObject (88, 0, 0x0, ... 01188 1928 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 01189 1928 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... 
(0x71a51000), 4096, 32, ) == 0x0 01190 1928 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 01191 1928 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 01192 1928 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 01193 1928 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 01186 312 NtProtectVirtualMemory ... (0x110e000), 4096, 4, ) == 0x0 01194 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 188, {940, 1972}, ) == 0x0 01195 312 NtQueryInformationThread (188, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=940,Tid=1972,}, 0x0, ) == 0x0 01196 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57951, 0} (24, {28, 56, new_msg, 0, 940, 312, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\254\3\0\0\264\7\0\0" ... {28, 56, reply, 0, 940, 312, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\254\3\0\0\264\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 57952, 0} (24, {28, 56, new_msg, 0, 940, 312, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\254\3\0\0\264\7\0\0" ... {28, 56, reply, 0, 940, 312, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\254\3\0\0\264\7\0\0" ) ) == 0x0 01197 312 NtResumeThread (188, ... 1, ) == 0x0 01198 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17891328, 1048576, ) == 0x0 01193 1928 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 01199 1972 NtWaitForSingleObject (88, 0, 0x0, ... 01200 1928 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 01201 312 NtAllocateVirtualMemory (-1, 18931712, 0, 8192, 4096, 4, ... 01202 1928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01203 1928 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01204 1928 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01205 1928 NtSetEventBoostPriority (88, ... 01164 808 NtWaitForSingleObject ... ) == 0x0 01206 808 NtSetEventBoostPriority (88, ... 01175 1516 NtWaitForSingleObject ... ) == 0x0 01207 1516 NtSetEventBoostPriority (88, ... 01187 1664 NtWaitForSingleObject ... ) == 0x0 01208 1664 NtSetEventBoostPriority (88, ... 01199 1972 NtWaitForSingleObject ... ) == 0x0 01209 1972 NtTestAlert (... ) == 0x0 01208 1664 NtSetEventBoostPriority ... ) == 0x0 01207 1516 NtSetEventBoostPriority ... ) == 0x0 01206 808 NtSetEventBoostPriority ... ) == 0x0 01205 1928 NtSetEventBoostPriority ... ) == 0x0 01201 312 NtAllocateVirtualMemory ... 18931712, 8192, ) == 0x0 01210 1972 NtContinue (17890608, 1, ... 01211 1664 NtTestAlert (... 01212 1516 NtTestAlert (... 01213 1928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01214 312 NtProtectVirtualMemory (-1, (0x120e000), 4096, 260, ... 01215 1972 NtRegisterThreadTerminatePort (24, ... 01211 1664 NtTestAlert ... ) == 0x0 01212 1516 NtTestAlert ... ) == 0x0 01216 808 NtTestAlert (... 01214 312 NtProtectVirtualMemory ... (0x120e000), 4096, 4, ) == 0x0 01215 1972 NtRegisterThreadTerminatePort ... ) == 0x0 01217 1664 NtContinue (16842032, 1, ... 01218 1516 NtContinue (15793456, 1, ... 01216 808 NtTestAlert ... ) == 0x0 01219 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01220 1972 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01221 1664 NtRegisterThreadTerminatePort (24, ... 01222 1516 NtRegisterThreadTerminatePort (24, ... 01223 808 NtContinue (14482736, 1, ... 01219 312 NtCreateThread ... 
184, {940, 928}, ) == 0x0 01221 1664 NtRegisterThreadTerminatePort ... ) == 0x0 01222 1516 NtRegisterThreadTerminatePort ... ) == 0x0 01224 808 NtRegisterThreadTerminatePort (24, ... 01213 1928 NtCreateEvent ... 196, ) == 0x0 01220 1972 NtSetInformationThread ... ) == 0x0 01225 1664 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01226 1516 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01224 808 NtRegisterThreadTerminatePort ... ) == 0x0 01227 1928 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ... 01228 312 NtQueryInformationThread (184, Basic, 28, ... 01229 808 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01227 1928 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01228 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=940,Tid=928,}, 0x0, ) == 0x0 01230 1928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 13431204, ... }, 13431204, ... 01231 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57952, 0} (24, {28, 56, new_msg, 0, 940, 312, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\254\3\0\0\240\3\0\0" ... {28, 56, reply, 0, 940, 312, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\254\3\0\0\240\3\0\0" ) ... {28, 56, reply, 0, 940, 312, 57953, 0} (24, {28, 56, new_msg, 0, 940, 312, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\254\3\0\0\240\3\0\0" ... {28, 56, reply, 0, 940, 312, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\254\3\0\0\240\3\0\0" ) ) == 0x0 01232 312 NtResumeThread (184, ... 1, ) == 0x0 01233 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 18939904, 1048576, ) == 0x0 01234 312 NtAllocateVirtualMemory (-1, 19980288, 0, 8192, 4096, 4, ... 19980288, 8192, ) == 0x0 01235 312 NtProtectVirtualMemory (-1, (0x130e000), 4096, 260, ... 
01236 1972 NtQueryValueKey (96, (96, "FromCacheTimeout", Partial, 144, ... , Partial, 144, ... 01237 928 NtWaitForSingleObject (88, 0, 0x0, ... 01235 312 NtProtectVirtualMemory ... (0x130e000), 4096, 4, ) == 0x0 01238 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 200, {940, 1740}, ) == 0x0 01239 312 NtQueryInformationThread (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=940,Tid=1740,}, 0x0, ) == 0x0 01240 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57953, 0} (24, {28, 56, new_msg, 0, 940, 312, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\254\3\0\0\314\6\0\0" ... {28, 56, reply, 0, 940, 312, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\254\3\0\0\314\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 57954, 0} (24, {28, 56, new_msg, 0, 940, 312, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\254\3\0\0\314\6\0\0" ... {28, 56, reply, 0, 940, 312, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\254\3\0\0\314\6\0\0" ) ) == 0x0 01241 312 NtResumeThread (200, ... 1, ) == 0x0 01242 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 19988480, 1048576, ) == 0x0 01236 1972 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01243 1740 NtWaitForSingleObject (88, 0, 0x0, ... 01244 312 NtAllocateVirtualMemory (-1, 21028864, 0, 8192, 4096, 4, ... 01230 1928 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01244 312 NtAllocateVirtualMemory ... 21028864, 8192, ) == 0x0 01245 1928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 13431204, ... }, 13431204, ... 01246 312 NtProtectVirtualMemory (-1, (0x140e000), 4096, 260, ... 01245 1928 NtQueryAttributesFile ... ) == 0x0 01246 312 NtProtectVirtualMemory ... (0x140e000), 4096, 4, ) == 0x0 01247 1928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ... 
01248 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01247 1928 NtOpenFile ... 204, {status=0x0, info=1}, ) == 0x0 01248 312 NtCreateThread ... 208, {940, 1656}, ) == 0x0 01249 1972 NtQueryValueKey (96, (96, "SecureProtocols", Partial, 144, ... , Partial, 144, ... 01250 1928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 204, ... 01251 312 NtQueryInformationThread (208, Basic, 28, ... 01225 1664 NtSetInformationThread ... ) == 0x0 01226 1516 NtSetInformationThread ... ) == 0x0 01229 808 NtSetInformationThread ... ) == 0x0 01250 1928 NtCreateSection ... 212, ) == 0x0 01251 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=940,Tid=1656,}, 0x0, ) == 0x0 01252 1664 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01253 1516 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01254 1928 NtQuerySection (212, Image, 48, ... 01255 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57954, 0} (24, {28, 56, new_msg, 0, 940, 312, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\254\3\0\0x\6\0\0" ... ... 01256 808 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01252 1664 NtCreateEvent ... 216, ) == 0x0 01254 1928 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01255 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57955, 0} ... {28, 56, reply, 0, 940, 312, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\254\3\0\0x\6\0\0" ) ) == 0x0 01253 1516 NtCreateEvent ... 220, ) == 0x0 01256 808 NtCreateEvent ... 224, ) == 0x0 01257 1928 NtClose (204, ... 01258 312 NtResumeThread (208, ... 01259 1664 NtWaitForSingleObject (216, 0, 0x0, ... 01260 1516 NtClose (220, ... 01257 1928 NtClose ... ) == 0x0 01261 808 NtClose (224, ... 01258 312 NtResumeThread ... 1, ) == 0x0 01262 1656 NtWaitForSingleObject (88, 0, 0x0, ... 01260 1516 NtClose ... ) == 0x0 01263 1928 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01264 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01261 808 NtClose ... 
) == 0x0 01263 1928 NtMapViewOfSection ... (0x662b0000), 0x0, 360448, ) == 0x0 01264 312 NtAllocateVirtualMemory ... 21037056, 1048576, ) == 0x0 01265 1516 NtWaitForSingleObject (216, 0, 0x0, ... 01266 1928 NtClose (212, ... 01267 312 NtAllocateVirtualMemory (-1, 22077440, 0, 8192, 4096, 4, ... 01268 808 NtWaitForSingleObject (216, 0, 0x0, ... 01249 1972 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) }, 16, ) == 0x0 01266 1928 NtClose ... ) == 0x0 01267 312 NtAllocateVirtualMemory ... 22077440, 8192, ) == 0x0 01269 1928 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01270 312 NtProtectVirtualMemory (-1, (0x150e000), 4096, 260, ... 01269 1928 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01271 1972 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies"}, ... }, ... 01270 312 NtProtectVirtualMemory ... (0x150e000), 4096, 4, ) == 0x0 01272 1928 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01273 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01272 1928 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01273 312 NtCreateThread ... 212, {940, 1248}, ) == 0x0 01274 1928 NtFlushInstructionCache (-1, 1714098176, 932, ... 01275 312 NtQueryInformationThread (212, Basic, 28, ... 01274 1928 NtFlushInstructionCache ... ) == 0x0 01275 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=940,Tid=1248,}, 0x0, ) == 0x0 01276 1928 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01277 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57955, 0} (24, {28, 56, new_msg, 0, 940, 312, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\254\3\0\0\340\4\0\0" ... ... 01276 1928 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01271 1972 NtOpenKey ... 224, ) == 0x0 01277 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57956, 0} ... 
{28, 56, reply, 0, 940, 312, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\254\3\0\0\340\4\0\0" ) ) == 0x0 01278 1928 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01279 312 NtResumeThread (212, ... 01278 1928 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01279 312 NtResumeThread ... 1, ) == 0x0 01280 1928 NtFlushInstructionCache (-1, 1714098176, 932, ... 01281 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01280 1928 NtFlushInstructionCache ... ) == 0x0 01281 312 NtAllocateVirtualMemory ... 22085632, 1048576, ) == 0x0 01282 1928 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01283 1972 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "Software\Policies"}, ... }, ... 01284 1248 NtWaitForSingleObject (88, 0, 0x0, ... 01282 1928 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01285 312 NtAllocateVirtualMemory (-1, 23126016, 0, 8192, 4096, 4, ... 01283 1972 NtOpenKey ... 220, ) == 0x0 01285 312 NtAllocateVirtualMemory ... 23126016, 8192, ) == 0x0 01286 1928 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01287 312 NtProtectVirtualMemory (-1, (0x160e000), 4096, 260, ... 01286 1928 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01287 312 NtProtectVirtualMemory ... (0x160e000), 4096, 4, ) == 0x0 01288 1928 NtFlushInstructionCache (-1, 1714098176, 932, ... 01289 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01288 1928 NtFlushInstructionCache ... ) == 0x0 01289 312 NtCreateThread ... 204, {940, 1036}, ) == 0x0 01290 1928 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01291 1972 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "Software"}, ... }, ... 01290 1928 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01292 312 NtQueryInformationThread (204, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=940,Tid=1036,}, 0x0, ) == 0x0 01293 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57956, 0} (24, {28, 56, new_msg, 0, 940, 312, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\254\3\0\0\14\4\0\0" ... {28, 56, reply, 0, 940, 312, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\254\3\0\0\14\4\0\0" ) ... {28, 56, reply, 0, 940, 312, 57957, 0} (24, {28, 56, new_msg, 0, 940, 312, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\254\3\0\0\14\4\0\0" ... {28, 56, reply, 0, 940, 312, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\254\3\0\0\14\4\0\0" ) ) == 0x0 01294 312 NtResumeThread (204, ... 1, ) == 0x0 01295 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 23134208, 1048576, ) == 0x0 01296 312 NtAllocateVirtualMemory (-1, 24174592, 0, 8192, 4096, 4, ... 24174592, 8192, ) == 0x0 01297 312 NtProtectVirtualMemory (-1, (0x170e000), 4096, 260, ... 01298 1928 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01299 1036 NtWaitForSingleObject (88, 0, 0x0, ... 01298 1928 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01300 1928 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01301 1928 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 01302 1928 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 01303 1928 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01304 1928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01297 312 NtProtectVirtualMemory ... (0x170e000), 4096, 4, ) == 0x0 01305 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {940, 464}, ) == 0x0 01306 312 NtQueryInformationThread (228, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=940,Tid=464,}, 0x0, ) == 0x0 01307 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57957, 0} (24, {28, 56, new_msg, 0, 940, 312, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\254\3\0\0\320\1\0\0" ... {28, 56, reply, 0, 940, 312, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\254\3\0\0\320\1\0\0" ) ... {28, 56, reply, 0, 940, 312, 57958, 0} (24, {28, 56, new_msg, 0, 940, 312, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\254\3\0\0\320\1\0\0" ... {28, 56, reply, 0, 940, 312, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\254\3\0\0\320\1\0\0" ) ) == 0x0 01308 312 NtResumeThread (228, ... 1, ) == 0x0 01309 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24182784, 1048576, ) == 0x0 01310 1928 NtSetEventBoostPriority (88, ... 01311 464 NtWaitForSingleObject (88, 0, 0x0, ... 01237 928 NtWaitForSingleObject ... ) == 0x0 01310 1928 NtSetEventBoostPriority ... ) == 0x0 01312 928 NtSetEventBoostPriority (88, ... 01243 1740 NtWaitForSingleObject ... ) == 0x0 01313 1740 NtSetEventBoostPriority (88, ... 01262 1656 NtWaitForSingleObject ... ) == 0x0 01314 1656 NtSetEventBoostPriority (88, ... 01284 1248 NtWaitForSingleObject ... ) == 0x0 01315 1248 NtSetEventBoostPriority (88, ... 01299 1036 NtWaitForSingleObject ... ) == 0x0 01316 1036 NtSetEventBoostPriority (88, ... 01311 464 NtWaitForSingleObject ... ) == 0x0 01317 464 NtTestAlert (... ) == 0x0 01316 1036 NtSetEventBoostPriority ... ) == 0x0 01315 1248 NtSetEventBoostPriority ... ) == 0x0 01314 1656 NtSetEventBoostPriority ... ) == 0x0 01313 1740 NtSetEventBoostPriority ... ) == 0x0 01312 928 NtSetEventBoostPriority ... ) == 0x0 01318 1928 NtQuerySystemInformation (Basic, 44, ... 01319 312 NtAllocateVirtualMemory (-1, 25223168, 0, 8192, 4096, 4, ... 01320 464 NtContinue (24182064, 1, ... 01321 1036 NtTestAlert (... 01322 1248 NtTestAlert (... 01323 1656 NtTestAlert (... 01324 1740 NtTestAlert (... 01318 1928 NtQuerySystemInformation ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01319 312 NtAllocateVirtualMemory ... 25223168, 8192, ) == 0x0 01325 464 NtRegisterThreadTerminatePort (24, ... 01321 1036 NtTestAlert ... ) == 0x0 01322 1248 NtTestAlert ... ) == 0x0 01323 1656 NtTestAlert ... ) == 0x0 01324 1740 NtTestAlert ... ) == 0x0 01326 1928 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 01327 312 NtProtectVirtualMemory (-1, (0x180e000), 4096, 260, ... 01325 464 NtRegisterThreadTerminatePort ... ) == 0x0 01328 1036 NtContinue (23133488, 1, ... 01329 1248 NtContinue (22084912, 1, ... 01330 1656 NtContinue (21036336, 1, ... 01331 1740 NtContinue (19987760, 1, ... 01326 1928 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01327 312 NtProtectVirtualMemory ... (0x180e000), 4096, 4, ) == 0x0 01332 464 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01333 1036 NtRegisterThreadTerminatePort (24, ... 01334 1248 NtRegisterThreadTerminatePort (24, ... 01335 1656 NtRegisterThreadTerminatePort (24, ... 01336 1740 NtRegisterThreadTerminatePort (24, ... 01337 928 NtTestAlert (... 01338 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01333 1036 NtRegisterThreadTerminatePort ... ) == 0x0 01334 1248 NtRegisterThreadTerminatePort ... ) == 0x0 01335 1656 NtRegisterThreadTerminatePort ... ) == 0x0 01336 1740 NtRegisterThreadTerminatePort ... ) == 0x0 01337 928 NtTestAlert ... ) == 0x0 01338 312 NtCreateThread ... 232, {940, 860}, ) == 0x0 01339 1036 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01340 1248 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
01341 1656 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01342 1740 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01343 928 NtContinue (18939184, 1, ... 01344 1928 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 01332 464 NtSetInformationThread ... ) == 0x0 01345 312 NtQueryInformationThread (232, Basic, 28, ... 01346 928 NtRegisterThreadTerminatePort (24, ... 01344 1928 NtOpenKey ... 236, ) == 0x0 01345 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=940,Tid=860,}, 0x0, ) == 0x0 01346 928 NtRegisterThreadTerminatePort ... ) == 0x0 01347 1928 NtQueryValueKey (236, (236, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 01348 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57958, 0} (24, {28, 56, new_msg, 0, 940, 312, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\254\3\0\0\\3\0\0" ... ... 01349 928 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01347 1928 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01348 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57959, 0} ... {28, 56, reply, 0, 940, 312, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\254\3\0\0\\3\0\0" ) ) == 0x0 01350 464 NtWaitForSingleObject (216, 0, 0x0, ... 01351 1928 NtClose (236, ... 01352 312 NtResumeThread (232, ... 01351 1928 NtClose ... ) == 0x0 01352 312 NtResumeThread ... 1, ) == 0x0 01353 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 25231360, 1048576, ) == 0x0 01354 312 NtAllocateVirtualMemory (-1, 26271744, 0, 8192, 4096, 4, ... 26271744, 8192, ) == 0x0 01355 312 NtProtectVirtualMemory (-1, (0x190e000), 4096, 260, ... (0x190e000), 4096, 4, ) == 0x0 01356 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {940, 484}, ) == 0x0 01357 312 NtQueryInformationThread (236, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=940,Tid=484,}, 0x0, ) == 0x0 01358 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57959, 0} (24, {28, 56, new_msg, 0, 940, 312, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\254\3\0\0\344\1\0\0" ... ... 01359 1928 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ... 01360 860 NtTestAlert (... 01359 1928 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01360 860 NtTestAlert ... ) == 0x0 01361 1928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01362 860 NtContinue (25230640, 1, ... 01361 1928 NtCreateEvent ... 240, ) == 0x0 01363 860 NtRegisterThreadTerminatePort (24, ... 01364 1928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01363 860 NtRegisterThreadTerminatePort ... ) == 0x0 01364 1928 NtCreateEvent ... 244, ) == 0x0 01358 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57960, 0} ... {28, 56, reply, 0, 940, 312, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\254\3\0\0\344\1\0\0" ) ) == 0x0 01365 860 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01366 312 NtResumeThread (236, ... 1, ) == 0x0 01367 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 26279936, 1048576, ) == 0x0 01368 312 NtAllocateVirtualMemory (-1, 27320320, 0, 8192, 4096, 4, ... 27320320, 8192, ) == 0x0 01369 312 NtProtectVirtualMemory (-1, (0x1a0e000), 4096, 260, ... (0x1a0e000), 4096, 4, ) == 0x0 01370 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {940, 748}, ) == 0x0 01371 1928 NtQuerySystemTime (... 01365 860 NtSetInformationThread ... ) == 0x0 01372 484 NtTestAlert (... 01371 1928 NtQuerySystemTime ... {-1821332512, 29915146}, ) == 0x0 01373 312 NtQueryInformationThread (248, Basic, 28, ... 01372 484 NtTestAlert ... ) == 0x0 01374 1928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01373 312 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=940,Tid=748,}, 0x0, ) == 0x0 01375 484 NtContinue (26279216, 1, ... 01374 1928 NtCreateEvent ... 252, ) == 0x0 01376 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57960, 0} (24, {28, 56, new_msg, 0, 940, 312, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\254\3\0\0\354\2\0\0" ... ... 01377 484 NtRegisterThreadTerminatePort (24, ... 01378 1928 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ... 01376 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57961, 0} ... {28, 56, reply, 0, 940, 312, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\254\3\0\0\354\2\0\0" ) ) == 0x0 01377 484 NtRegisterThreadTerminatePort ... ) == 0x0 01378 1928 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01379 312 NtResumeThread (248, ... 01380 860 NtWaitForSingleObject (216, 0, 0x0, ... 01381 484 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01382 1928 NtQuerySystemInformation (Performance, 312, ... 01379 312 NtResumeThread ... 1, ) == 0x0 01382 1928 NtQuerySystemInformation ... {system info, class 2, size 312}, 0x0, ) == 0x0 01383 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01384 1928 NtQueryInformationProcess (-1, QuotaLimits, 32, ... 01383 312 NtAllocateVirtualMemory ... 27328512, 1048576, ) == 0x0 01384 1928 NtQueryInformationProcess ... {process info, class 1, size 32}, 0x0, ) == 0x0 01385 312 NtAllocateVirtualMemory (-1, 28368896, 0, 8192, 4096, 4, ... 01386 1928 NtQueryInformationProcess (-1, VmCounters, 44, ... 01385 312 NtAllocateVirtualMemory ... 28368896, 8192, ) == 0x0 01386 1928 NtQueryInformationProcess ... {process info, class 3, size 44}, 0x0, ) == 0x0 01387 312 NtProtectVirtualMemory (-1, (0x1b0e000), 4096, 260, ... 01388 748 NtTestAlert (... 01381 484 NtSetInformationThread ... ) == 0x0 01389 1928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01388 748 NtTestAlert ... 
) == 0x0 01387 312 NtProtectVirtualMemory ... (0x1b0e000), 4096, 4, ) == 0x0 01389 1928 NtCreateEvent ... 256, ) == 0x0 01390 748 NtContinue (27327792, 1, ... 01391 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01392 1928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01393 748 NtRegisterThreadTerminatePort (24, ... 01391 312 NtCreateThread ... 260, {940, 1580}, ) == 0x0 01392 1928 NtDuplicateObject ... 264, ) == 0x0 01393 748 NtRegisterThreadTerminatePort ... ) == 0x0 01394 312 NtQueryInformationThread (260, Basic, 28, ... 01395 1928 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ... 01396 484 NtWaitForSingleObject (216, 0, 0x0, ... 01394 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=940,Tid=1580,}, 0x0, ) == 0x0 01395 1928 NtOpenKey ... 268, ) == 0x0 01397 748 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01398 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57961, 0} (24, {28, 56, new_msg, 0, 940, 312, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\254\3\0\0,\6\0\0" ... ... 01399 1928 NtQueryValueKey (268, (268, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ... 01397 748 NtSetInformationThread ... ) == 0x0 01399 1928 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01398 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57962, 0} ... {28, 56, reply, 0, 940, 312, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\254\3\0\0,\6\0\0" ) ) == 0x0 01400 1928 NtClose (268, ... 01401 312 NtResumeThread (260, ... 01400 1928 NtClose ... ) == 0x0 01401 312 NtResumeThread ... 1, ) == 0x0 01402 748 NtWaitForSingleObject (216, 0, 0x0, ... 01403 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01404 1928 NtOpenThreadToken (-2, 0xc, 1, ... 01405 1580 NtTestAlert (... 01403 312 NtAllocateVirtualMemory ... 28377088, 1048576, ) == 0x0 01404 1928 NtOpenThreadToken ... 
) == STATUS_NO_TOKEN 01405 1580 NtTestAlert ... ) == 0x0 01406 1928 NtOpenThreadToken (-2, 0x20008, 1, ... 01407 1580 NtContinue (28376368, 1, ... 01406 1928 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01408 1580 NtRegisterThreadTerminatePort (24, ... 01409 1928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13430896, ... }, 13430896, ... 01408 1580 NtRegisterThreadTerminatePort ... ) == 0x0 01409 1928 NtQueryAttributesFile ... ) == 0x0 01410 312 NtAllocateVirtualMemory (-1, 29417472, 0, 8192, 4096, 4, ... 01411 1580 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01410 312 NtAllocateVirtualMemory ... 29417472, 8192, ) == 0x0 01412 312 NtProtectVirtualMemory (-1, (0x1c0e000), 4096, 260, ... (0x1c0e000), 4096, 4, ) == 0x0 01413 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 268, {940, 1756}, ) == 0x0 01414 312 NtQueryInformationThread (268, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=940,Tid=1756,}, 0x0, ) == 0x0 01415 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57962, 0} (24, {28, 56, new_msg, 0, 940, 312, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\254\3\0\0\334\6\0\0" ... {28, 56, reply, 0, 940, 312, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\254\3\0\0\334\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 57963, 0} (24, {28, 56, new_msg, 0, 940, 312, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\254\3\0\0\334\6\0\0" ... {28, 56, reply, 0, 940, 312, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\254\3\0\0\334\6\0\0" ) ) == 0x0 01416 312 NtResumeThread (268, ... 01417 1928 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 01411 1580 NtSetInformationThread ... ) == 0x0 01417 1928 NtOpenKey ... 272, ) == 0x0 01416 312 NtResumeThread ... 1, ) == 0x0 01418 1928 NtQueryValueKey (272, (272, "Transports", Partial, 144, ... 
, Partial, 144, ... 01419 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01418 1928 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01419 312 NtAllocateVirtualMemory ... 29425664, 1048576, ) == 0x0 01420 1928 NtQueryValueKey (272, (272, "Transports", Partial, 144, ... , Partial, 144, ... 01421 312 NtAllocateVirtualMemory (-1, 30466048, 0, 8192, 4096, 4, ... 01420 1928 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01421 312 NtAllocateVirtualMemory ... 30466048, 8192, ) == 0x0 01422 1580 NtWaitForSingleObject (216, 0, 0x0, ... 01423 1756 NtTestAlert (... 01424 312 NtProtectVirtualMemory (-1, (0x1d0e000), 4096, 260, ... 01425 1928 NtClose (272, ... 01423 1756 NtTestAlert ... ) == 0x0 01425 1928 NtClose ... ) == 0x0 01426 1756 NtContinue (29424944, 1, ... 01427 1928 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01428 1756 NtRegisterThreadTerminatePort (24, ... 01427 1928 NtOpenKey ... 272, ) == 0x0 01428 1756 NtRegisterThreadTerminatePort ... ) == 0x0 01429 1928 NtQueryValueKey (272, (272, "Mapping", Partial, 144, ... , Partial, 144, ... 01424 312 NtProtectVirtualMemory ... (0x1d0e000), 4096, 4, ) == 0x0 01429 1928 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01430 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01431 1756 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01430 312 NtCreateThread ... 276, {940, 1292}, ) == 0x0 01432 312 NtQueryInformationThread (276, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=940,Tid=1292,}, 0x0, ) == 0x0 01433 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57963, 0} (24, {28, 56, new_msg, 0, 940, 312, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\254\3\0\0\14\5\0\0" ... {28, 56, reply, 0, 940, 312, 57964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\254\3\0\0\14\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 57964, 0} (24, {28, 56, new_msg, 0, 940, 312, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\254\3\0\0\14\5\0\0" ... {28, 56, reply, 0, 940, 312, 57964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\254\3\0\0\14\5\0\0" ) ) == 0x0 01434 312 NtResumeThread (276, ... 1, ) == 0x0 01435 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 30474240, 1048576, ) == 0x0 01436 1928 NtQueryValueKey (272, (272, "Mapping", Partial, 144, ... , Partial, 144, ... 01437 1292 NtTestAlert (... 01431 1756 NtSetInformationThread ... ) == 0x0 01436 1928 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01437 1292 NtTestAlert ... ) == 0x0 01438 312 NtAllocateVirtualMemory (-1, 31514624, 0, 8192, 4096, 4, ... 01439 1928 NtQueryValueKey (272, (272, "Mapping", Partial, 152, ... , Partial, 152, ... 01440 1292 NtContinue (30473520, 1, ... 01438 312 NtAllocateVirtualMemory ... 31514624, 8192, ) == 0x0 01439 1928 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01441 1292 NtRegisterThreadTerminatePort (24, ... 01442 312 NtProtectVirtualMemory (-1, (0x1e0e000), 4096, 260, ... 01443 1928 NtClose (272, ... 01441 1292 NtRegisterThreadTerminatePort ... ) == 0x0 01442 312 NtProtectVirtualMemory ... (0x1e0e000), 4096, 4, ) == 0x0 01443 1928 NtClose ... 
) == 0x0 01444 1756 NtWaitForSingleObject (216, 0, 0x0, ... 01445 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01446 1292 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01447 1928 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01445 312 NtCreateThread ... 272, {940, 1956}, ) == 0x0 01447 1928 NtOpenKey ... 280, ) == 0x0 01446 1292 NtSetInformationThread ... ) == 0x0 01448 1928 NtQueryValueKey (280, (280, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 01449 312 NtQueryInformationThread (272, Basic, 28, ... 01448 1928 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01449 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=940,Tid=1956,}, 0x0, ) == 0x0 01450 1928 NtQueryValueKey (280, (280, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 01451 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57964, 0} (24, {28, 56, new_msg, 0, 940, 312, 57964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\254\3\0\0\244\7\0\0" ... ... 01450 1928 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01451 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57965, 0} ... {28, 56, reply, 0, 940, 312, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\254\3\0\0\244\7\0\0" ) ) == 0x0 01452 1292 NtWaitForSingleObject (216, 0, 0x0, ... 01453 312 NtResumeThread (272, ... 01454 1928 NtQueryValueKey (280, (280, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (280, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01455 1928 NtQueryValueKey (280, (280, "HelperDllName", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (280, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01456 1928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13431852, ... ) }, 13431852, ... ) == 0x0 01457 1928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0 01458 1928 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 284, ... 288, ) == 0x0 01459 1928 NtClose (284, ... ) == 0x0 01453 312 NtResumeThread ... 1, ) == 0x0 01460 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 31522816, 1048576, ) == 0x0 01461 312 NtAllocateVirtualMemory (-1, 32563200, 0, 8192, 4096, 4, ... 32563200, 8192, ) == 0x0 01462 312 NtProtectVirtualMemory (-1, (0x1f0e000), 4096, 260, ... (0x1f0e000), 4096, 4, ) == 0x0 01463 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 284, {940, 1980}, ) == 0x0 01464 312 NtQueryInformationThread (284, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=940,Tid=1980,}, 0x0, ) == 0x0 01465 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57965, 0} (24, {28, 56, new_msg, 0, 940, 312, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\254\3\0\0\274\7\0\0" ... ... 01466 1928 NtMapViewOfSection (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01467 1956 NtWaitForSingleObject (88, 0, 0x0, ... 01466 1928 NtMapViewOfSection ... (0x850000), 0x0, 20480, ) == 0x0 01468 1928 NtClose (288, ... ) == 0x0 01469 1928 NtUnmapViewOfSection (-1, 0x850000, ... 
) == 0x0 01470 1928 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13432160, ... ) }, 13432160, ... ) == 0x0 01471 1928 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 288, {status=0x0, info=1}, ) }, 5, 96, ... 288, {status=0x0, info=1}, ) == 0x0 01465 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57966, 0} ... {28, 56, reply, 0, 940, 312, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\254\3\0\0\274\7\0\0" ) ) == 0x0 01472 312 NtResumeThread (284, ... 1, ) == 0x0 01473 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 32571392, 1048576, ) == 0x0 01474 312 NtAllocateVirtualMemory (-1, 33611776, 0, 8192, 4096, 4, ... 33611776, 8192, ) == 0x0 01475 312 NtProtectVirtualMemory (-1, (0x200e000), 4096, 260, ... (0x200e000), 4096, 4, ) == 0x0 01476 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 292, {940, 1784}, ) == 0x0 01477 1928 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 288, ... 01478 1980 NtWaitForSingleObject (88, 0, 0x0, ... 01477 1928 NtCreateSection ... 296, ) == 0x0 01479 1928 NtQuerySection (296, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01480 1928 NtClose (288, ... ) == 0x0 01481 1928 NtMapViewOfSection (296, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 01482 1928 NtClose (296, ... ) == 0x0 01483 1928 NtProtectVirtualMemory (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0 01484 312 NtQueryInformationThread (292, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=940,Tid=1784,}, 0x0, ) == 0x0 01485 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57966, 0} (24, {28, 56, new_msg, 0, 940, 312, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\254\3\0\0\370\6\0\0" ... {28, 56, reply, 0, 940, 312, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\254\3\0\0\370\6\0\0" ) ... 
{28, 56, reply, 0, 940, 312, 57967, 0} (24, {28, 56, new_msg, 0, 940, 312, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\254\3\0\0\370\6\0\0" ... {28, 56, reply, 0, 940, 312, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\254\3\0\0\370\6\0\0" ) ) == 0x0 01486 312 NtResumeThread (292, ... 1, ) == 0x0 01487 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 33619968, 1048576, ) == 0x0 01488 312 NtAllocateVirtualMemory (-1, 34660352, 0, 8192, 4096, 4, ... 34660352, 8192, ) == 0x0 01489 312 NtProtectVirtualMemory (-1, (0x210e000), 4096, 260, ... 01490 1928 NtProtectVirtualMemory (-1, (0x71a91000), 4096, 32, ... 01491 1784 NtWaitForSingleObject (88, 0, 0x0, ... 01490 1928 NtProtectVirtualMemory ... (0x71a91000), 4096, 4, ) == 0x0 01492 1928 NtFlushInstructionCache (-1, 1906905088, 128, ... ) == 0x0 01493 1928 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01494 1928 NtSetEventBoostPriority (88, ... 01467 1956 NtWaitForSingleObject ... ) == 0x0 01495 1956 NtSetEventBoostPriority (88, ... 01478 1980 NtWaitForSingleObject ... ) == 0x0 01496 1980 NtSetEventBoostPriority (88, ... 01491 1784 NtWaitForSingleObject ... ) == 0x0 01497 1784 NtAllocateVirtualMemory (-1, 8802304, 0, 4096, 4096, 4, ... 8802304, 4096, ) == 0x0 01496 1980 NtSetEventBoostPriority ... ) == 0x0 01495 1956 NtSetEventBoostPriority ... ) == 0x0 01494 1928 NtSetEventBoostPriority ... ) == 0x0 01489 312 NtProtectVirtualMemory ... (0x210e000), 4096, 4, ) == 0x0 01498 1784 NtTestAlert (... 01499 1980 NtTestAlert (... 01500 1956 NtTestAlert (... 01501 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01498 1784 NtTestAlert ... ) == 0x0 01499 1980 NtTestAlert ... ) == 0x0 01500 1956 NtTestAlert ... ) == 0x0 01501 312 NtCreateThread ... 296, {940, 1480}, ) == 0x0 01502 1784 NtContinue (33619248, 1, ... 
01503 1980 NtContinue (32570672, 1, ... 01504 1956 NtContinue (31522096, 1, ... 01505 312 NtQueryInformationThread (296, Basic, 28, ... 01506 1784 NtRegisterThreadTerminatePort (24, ... 01507 1980 NtRegisterThreadTerminatePort (24, ... 01508 1956 NtRegisterThreadTerminatePort (24, ... 01505 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=940,Tid=1480,}, 0x0, ) == 0x0 01506 1784 NtRegisterThreadTerminatePort ... ) == 0x0 01507 1980 NtRegisterThreadTerminatePort ... ) == 0x0 01508 1956 NtRegisterThreadTerminatePort ... ) == 0x0 01509 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57967, 0} (24, {28, 56, new_msg, 0, 940, 312, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\254\3\0\0\310\5\0\0" ... ... 01510 1784 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01511 1980 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01512 1956 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01513 1928 NtClose (280, ... 01509 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57968, 0} ... {28, 56, reply, 0, 940, 312, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\254\3\0\0\310\5\0\0" ) ) == 0x0 01513 1928 NtClose ... ) == 0x0 01514 312 NtResumeThread (296, ... 01515 1928 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 13434496, 67, ... }, 0x0, 0, 3, 3, 0, 13434496, 67, ... 01514 312 NtResumeThread ... 1, ) == 0x0 01515 1928 NtCreateFile ... 280, {status=0x0, info=0}, ) == 0x0 01516 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01517 1928 NtDeviceIoControlFile (280, 196, 0x0, 0x0, 0x1207b, (280, 196, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ... 01516 312 NtAllocateVirtualMemory ... 34668544, 1048576, ) == 0x0 01517 1928 NtDeviceIoControlFile ... {status=0x0, info=16}, ... 
{status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0 01518 1480 NtTestAlert (... 01519 312 NtAllocateVirtualMemory (-1, 35708928, 0, 8192, 4096, 4, ... 01518 1480 NtTestAlert ... ) == 0x0 01519 312 NtAllocateVirtualMemory ... 35708928, 8192, ) == 0x0 01520 1480 NtContinue (34667824, 1, ... 01521 312 NtProtectVirtualMemory (-1, (0x220e000), 4096, 260, ... 01522 1480 NtRegisterThreadTerminatePort (24, ... 01521 312 NtProtectVirtualMemory ... (0x220e000), 4096, 4, ) == 0x0 01522 1480 NtRegisterThreadTerminatePort ... ) == 0x0 01523 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01524 1928 NtDeviceIoControlFile (280, 196, 0x0, 0x0, 0x1207b, (280, 196, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", 16, 16, ... , 16, 16, ... 01523 312 NtCreateThread ... 288, {940, 1556}, ) == 0x0 01524 1928 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0 01525 1480 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01526 1928 NtDeviceIoControlFile (280, 196, 0x0, 0x0, 0x12047, (280, 196, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 01527 1928 NtWaitForSingleObject (148, 0, {0, 0}, ... 
) == 0x102 01528 1928 NtDeviceIoControlFile (280, 196, 0x0, 0x0, 0x12003, (280, 196, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=300}, "\1\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=300}, (280, 196, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=300}, "\1\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01529 1928 NtDeviceIoControlFile (280, 196, 0x0, 0x0, 0x12047, (280, 196, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 01530 312 NtQueryInformationThread (288, Basic, 28, ... 01525 1480 NtSetInformationThread ... ) == 0x0 01530 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=940,Tid=1556,}, 0x0, ) == 0x0 01531 1928 NtDeviceIoControlFile (280, 196, 0x0, 0x0, 0x12037, (280, 196, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 01532 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57968, 0} (24, {28, 56, new_msg, 0, 940, 312, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\254\3\0\0\24\6\0\0" ... ... 01531 1928 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 01532 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57969, 0} ... 
{28, 56, reply, 0, 940, 312, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\254\3\0\0\24\6\0\0" ) ) == 0x0 01533 1928 NtDeviceIoControlFile (280, 196, 0x0, 0x0, 0x1200b, (280, 196, 0x0, 0x0, 0x1200b, "\0\376\314\0\5\0\0\0\0\324\24\0", 12, 0, ... , 12, 0, ... 01534 312 NtResumeThread (288, ... 01533 1928 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01535 1480 NtWaitForSingleObject (216, 0, 0x0, ... 01536 1928 NtDeviceIoControlFile (280, 196, 0x0, 0x0, 0x12047, (280, 196, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\314\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01534 312 NtResumeThread ... 1, ) == 0x0 01536 1928 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01537 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01538 1928 NtDeviceIoControlFile (280, 196, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... 01537 312 NtAllocateVirtualMemory ... 35717120, 1048576, ) == 0x0 01538 1928 NtDeviceIoControlFile ... {status=0x0, info=26}, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01539 312 NtAllocateVirtualMemory (-1, 36757504, 0, 8192, 4096, 4, ... 01540 1928 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 01539 312 NtAllocateVirtualMemory ... 36757504, 8192, ) == 0x0 01541 1556 NtTestAlert (... 01542 312 NtProtectVirtualMemory (-1, (0x230e000), 4096, 260, ... 01541 1556 NtTestAlert ... ) == 0x0 01540 1928 NtAllocateVirtualMemory ... 1376256, 4096, ) == 0x0 01543 1556 NtContinue (35716400, 1, ... 
01544 1928 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ... 01545 1556 NtRegisterThreadTerminatePort (24, ... 01544 1928 NtOpenFile ... 304, {status=0x0, info=0}, ) == 0x0 01545 1556 NtRegisterThreadTerminatePort ... ) == 0x0 01546 1928 NtDeviceIoControlFile (304, 0, 0x0, 0x0, 0x390008, (304, 0, 0x0, 0x0, 0x390008, "\342\300X\314\324}N\364\262Tb\252\225\307}\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01542 312 NtProtectVirtualMemory ... (0x230e000), 4096, 4, ) == 0x0 01547 1928 NtQuerySystemInformation (TimeOfDay, 48, ... 01548 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01547 1928 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01548 312 NtCreateThread ... 308, {940, 460}, ) == 0x0 01549 1556 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01550 312 NtQueryInformationThread (308, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=940,Tid=460,}, 0x0, ) == 0x0 01551 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57969, 0} (24, {28, 56, new_msg, 0, 940, 312, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\254\3\0\0\314\1\0\0" ... {28, 56, reply, 0, 940, 312, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\254\3\0\0\314\1\0\0" ) ... {28, 56, reply, 0, 940, 312, 57970, 0} (24, {28, 56, new_msg, 0, 940, 312, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\254\3\0\0\314\1\0\0" ... 
{28, 56, reply, 0, 940, 312, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\254\3\0\0\314\1\0\0" ) ) == 0x0 01552 312 NtResumeThread (308, ... 1, ) == 0x0 01553 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 36765696, 1048576, ) == 0x0 01554 1928 NtQuerySystemInformation (ProcessorTimes, 48, ... 01555 460 NtTestAlert (... 01549 1556 NtSetInformationThread ... ) == 0x0 01554 1928 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01555 460 NtTestAlert ... ) == 0x0 01556 312 NtAllocateVirtualMemory (-1, 37806080, 0, 8192, 4096, 4, ... 01557 1928 NtQuerySystemInformation (Performance, 312, ... 01558 460 NtContinue (36764976, 1, ... 01556 312 NtAllocateVirtualMemory ... 37806080, 8192, ) == 0x0 01557 1928 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01559 460 NtRegisterThreadTerminatePort (24, ... 01560 312 NtProtectVirtualMemory (-1, (0x240e000), 4096, 260, ... 01561 1928 NtQuerySystemInformation (Exception, 16, ... 01559 460 NtRegisterThreadTerminatePort ... ) == 0x0 01560 312 NtProtectVirtualMemory ... (0x240e000), 4096, 4, ) == 0x0 01561 1928 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01562 1556 NtWaitForSingleObject (216, 0, 0x0, ... 01563 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01564 460 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01565 1928 NtQuerySystemInformation (Lookaside, 32, ... 01563 312 NtCreateThread ... 312, {940, 1068}, ) == 0x0 01565 1928 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01564 460 NtSetInformationThread ... ) == 0x0 01566 1928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01567 312 NtQueryInformationThread (312, Basic, 28, ... 01566 1928 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01567 312 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=940,Tid=1068,}, 0x0, ) == 0x0 01568 1928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01569 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57970, 0} (24, {28, 56, new_msg, 0, 940, 312, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0\254\3\0\0,\4\0\0" ... ... 01568 1928 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01569 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57971, 0} ... {28, 56, reply, 0, 940, 312, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0\254\3\0\0,\4\0\0" ) ) == 0x0 01570 460 NtWaitForSingleObject (216, 0, 0x0, ... 01571 312 NtResumeThread (312, ... 01572 1928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481344, 2, ) }, 0, 0x0, 0, ... -2147481344, 2, ) == 0x0 01573 1928 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "\262"\267\317\244E\317Iv0\233\323r\203@-c"&\24\272U\3]\363X%\0W\21\242\244\350;\235\226\334d\204\334G\10\351R\311\214\241\2453\34@C\5\336I;Gk\4\234\212\203\201\247|+3CO\304F\220\376\350\34q\244V\225", 80, ... ) , 0, 3, (-2147481344, "Seed", 0, 3, "\262"\267\317\244E\317Iv0\233\323r\203@-c"&\24\272U\3]\363X%\0W\21\242\244\350;\235\226\334d\204\334G\10\351R\311\214\241\2453\34@C\5\336I;Gk\4\234\212\203\201\247|+3CO\304F\220\376\350\34q\244V\225", 80, ... ) \267\317\244E\317Iv0\233\323r\203@-c (-2147481344, "Seed", 0, 3, "\262"\267\317\244E\317Iv0\233\323r\203@-c"&\24\272U\3]\363X%\0W\21\242\244\350;\235\226\334d\204\334G\10\351R\311\214\241\2453\34@C\5\336I;Gk\4\234\212\203\201\247|+3CO\304F\220\376\350\34q\244V\225", 80, ... ) , 80, ... ) == 0x0 01574 1928 NtClose (-2147481344, ... ) == 0x0 01546 1928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\6\316\227jW\312\344\345\10\2755\347\4\271"\304\230\217\302\255\317\243\245+\340\312t\246\10\233\0\210\201\274\253\333\217\355\364\242\331\364\271\6\36\10\325\1\346\257\253\246U\232a\311\264\16\223]#\203\334\261\256+\370\13\377\315\311\321\272\212im\233@q\337\23\237\273;\340\266\234\372\325\314\255JG\227HT\356pu&\375\317 s\341\313\347yaS\210\246\32\211P\342[\12\6\256\14D\337U\261\37\347\203\321\376\342[\200\222\5\362P\14", ) \304\230\217\302\255\317\243\245+\340\312t\246\10\233\0277\266ol\236\244b\245k\5i\264\250_\210Fv\343-\37\240\345j\246n\1779\1]\\34\230\230o\4\226\300\273s5r\356\244\2125\27\307*\200\347 W\33\325\354\233\355\360\323\314\30^\275\302\30\3470d\26~\324\332\357\205\1,@\351\230GG\24\225\4\3212\327\25\251^\346\4\304^\231\313\12X\324\362z\1\354\322\215G5\2768PP\373\250\177>\210\201\274\253\333\217\355\364\242\331\364\271\6\36\10\325\1\346\257\253\246U\232a\311\264\16\223]#\203\334\261\256+\370\13\377\315\311\321\272\212im\233@q\337\23\237\273;\340\266\234\372\325\314\255JG\227HT\356pu&\375\317 s\341\313\347yaS\210\246\32\211P\342[\12\6\256\14D\337U\261\37\347\203\321\376\342[\200\222\5\362P\14", ) == 0x0 01575 1928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 316, ) == 0x0 01576 1928 NtConnectPort ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 13431416, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 13431416, 188, ... 01571 312 NtResumeThread ... 1, ) == 0x0 01577 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 37814272, 1048576, ) == 0x0 01578 312 NtAllocateVirtualMemory (-1, 38854656, 0, 8192, 4096, 4, ... 38854656, 8192, ) == 0x0 01579 312 NtProtectVirtualMemory (-1, (0x250e000), 4096, 260, ... 01576 1928 NtConnectPort ... 320, 0x0, 0x0, 0x0, 188, ) == 0x0 01580 1068 NtTestAlert (... 
01581 1928 NtRequestWaitReplyPort (320, {200, 224, new_msg, 0, 2883626, 1365368, 12, 2} (320, {200, 224, new_msg, 0, 2883626, 1365368, 12, 2} "\0\1\0\0\320\2\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\240<\24\0\1\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0KE\5\305Z\274?\325\250\16\25\0`\1\24\0\12\0\0\0\0\0\0\0@\0\0\0(\0\0\0\260\16\25\0_0\62\320\2\24\0\320\16\25\0`\1\24\0\0\0\0\0\0\0\0\0\320\16\25\0P\0\0\0\330\16\25\0\360\6\221|\250\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\314\0\372\31\221|\214\370\314\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... ... 01580 1068 NtTestAlert ... ) == 0x0 01582 1068 NtContinue (37813552, 1, ... 01583 1068 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01581 1928 NtRequestWaitReplyPort ... {200, 224, reply, 0, 940, 1928, 57973, 0} ... {200, 224, reply, 0, 940, 1928, 57973, 0} "\7\1\0\0\320\2\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240<\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0KE\5\305Z\274?\325\250\16\25\0`\1\24\0\12\0\0\0\0\0\0\0@\0\0\0(\0\0\0\260\16\25\0_0\62\320\2\24\0\320\16\25\0`\1\24\0\0\0\0\0\0\0\0\0\320\16\25\0P\0\0\0\330\16\25\0\360\6\221|\250\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\314\0\372\31\221|\214\370\314\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) ) == 0x0 01579 312 NtProtectVirtualMemory ... (0x250e000), 4096, 4, ) == 0x0 01584 1928 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 01585 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01586 1068 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01585 312 NtCreateThread ... 324, {940, 1856}, ) == 0x0 01587 312 NtQueryInformationThread (324, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=940,Tid=1856,}, 0x0, ) == 0x0 01588 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57971, 0} (24, {28, 56, new_msg, 0, 940, 312, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\254\3\0\0@\7\0\0" ... {28, 56, reply, 0, 940, 312, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\254\3\0\0@\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 57974, 0} (24, {28, 56, new_msg, 0, 940, 312, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\254\3\0\0@\7\0\0" ... {28, 56, reply, 0, 940, 312, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\254\3\0\0@\7\0\0" ) ) == 0x0 01589 312 NtResumeThread (324, ... 1, ) == 0x0 01590 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 38862848, 1048576, ) == 0x0 01584 1928 NtAllocateVirtualMemory ... 1380352, 4096, ) == 0x0 01591 1856 NtTestAlert (... 01586 1068 NtSetInformationThread ... ) == 0x0 01592 1928 NtRequestWaitReplyPort (320, {44, 68, new_msg, 56, 0, 0, 0, 0} (320, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\08\20\25\0\322\0\0\0" ... ... 01591 1856 NtTestAlert ... ) == 0x0 01593 312 NtAllocateVirtualMemory (-1, 39903232, 0, 8192, 4096, 4, ... 01594 1856 NtContinue (38862128, 1, ... 01593 312 NtAllocateVirtualMemory ... 39903232, 8192, ) == 0x0 01592 1928 NtRequestWaitReplyPort ... {40, 64, reply, 0, 940, 1928, 57975, 0} ... {40, 64, reply, 0, 940, 1928, 57975, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" ) ) == 0x0 01595 1856 NtRegisterThreadTerminatePort (24, ... 01596 312 NtProtectVirtualMemory (-1, (0x260e000), 4096, 260, ... 01597 1928 NtRequestWaitReplyPort (320, {64, 88, new_msg, 56, 1310720, 13431284, 1380400, 0} (320, {64, 88, new_msg, 56, 1310720, 13431284, 1380400, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\00\21\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 
01595 1856 NtRegisterThreadTerminatePort ... ) == 0x0 01596 312 NtProtectVirtualMemory ... (0x260e000), 4096, 4, ) == 0x0 01598 1068 NtWaitForSingleObject (216, 0, 0x0, ... 01599 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01600 1856 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01597 1928 NtRequestWaitReplyPort ... {64, 88, reply, 56, 940, 1928, 57976, 0} ... {64, 88, reply, 56, 940, 1928, 57976, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\00\21\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01599 312 NtCreateThread ... 328, {940, 1596}, ) == 0x0 01601 1928 NtRequestWaitReplyPort (320, {44, 68, new_msg, 56, 940, 1928, 57975, 0} (320, {44, 68, new_msg, 56, 940, 1928, 57975, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\08\20\25\0\322\0\0\0" ... ... 01600 1856 NtSetInformationThread ... ) == 0x0 01601 1928 NtRequestWaitReplyPort ... {40, 64, reply, 0, 940, 1928, 57977, 0} ... {40, 64, reply, 0, 940, 1928, 57977, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" ) ) == 0x0 01602 312 NtQueryInformationThread (328, Basic, 28, ... 01603 1928 NtRequestWaitReplyPort (320, {64, 88, new_msg, 56, 1310720, 13431284, 13432028, 0} (320, {64, 88, new_msg, 56, 1310720, 13431284, 13432028, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0\0\36\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01602 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=940,Tid=1596,}, 0x0, ) == 0x0 01604 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57974, 0} (24, {28, 56, new_msg, 0, 940, 312, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\254\3\0\0<\6\0\0" ... 
{28, 56, reply, 0, 940, 312, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\254\3\0\0<\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 57979, 0} (24, {28, 56, new_msg, 0, 940, 312, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\254\3\0\0<\6\0\0" ... {28, 56, reply, 0, 940, 312, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\254\3\0\0<\6\0\0" ) ) == 0x0 01605 312 NtResumeThread (328, ... 01606 1856 NtWaitForSingleObject (216, 0, 0x0, ... 01605 312 NtResumeThread ... 1, ) == 0x0 01603 1928 NtRequestWaitReplyPort ... {64, 88, reply, 56, 940, 1928, 57978, 0} ... {64, 88, reply, 56, 940, 1928, 57978, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0\0\36\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01607 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01608 1928 NtRequestWaitReplyPort (320, {44, 68, new_msg, 56, 940, 1928, 57977, 0} (320, {44, 68, new_msg, 56, 940, 1928, 57977, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\08\20\25\0\322\0\0\0" ... ... 01607 312 NtAllocateVirtualMemory ... 39911424, 1048576, ) == 0x0 01609 312 NtAllocateVirtualMemory (-1, 40951808, 0, 8192, 4096, 4, ... 40951808, 8192, ) == 0x0 01610 312 NtProtectVirtualMemory (-1, (0x270e000), 4096, 260, ... 01608 1928 NtRequestWaitReplyPort ... {40, 64, reply, 0, 940, 1928, 57980, 0} ... {40, 64, reply, 0, 940, 1928, 57980, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0|\1\0\0h\236\14\0" ) ) == 0x0 01611 1596 NtTestAlert (... 01612 1928 NtRequestWaitReplyPort (320, {64, 88, new_msg, 56, 1310720, 13431284, 13432028, 0} (320, {64, 88, new_msg, 56, 1310720, 13431284, 13432028, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0h\26\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01611 1596 NtTestAlert ... ) == 0x0 01613 1596 NtContinue (39910704, 1, ... 
01614 1596 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01610 312 NtProtectVirtualMemory ... (0x270e000), 4096, 4, ) == 0x0 01615 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 332, {940, 1128}, ) == 0x0 01616 312 NtQueryInformationThread (332, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=940,Tid=1128,}, 0x0, ) == 0x0 01617 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57979, 0} (24, {28, 56, new_msg, 0, 940, 312, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\254\3\0\0h\4\0\0" ... {28, 56, reply, 0, 940, 312, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\254\3\0\0h\4\0\0" ) ... {28, 56, reply, 0, 940, 312, 57982, 0} (24, {28, 56, new_msg, 0, 940, 312, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\254\3\0\0h\4\0\0" ... {28, 56, reply, 0, 940, 312, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\254\3\0\0h\4\0\0" ) ) == 0x0 01618 312 NtResumeThread (332, ... 1, ) == 0x0 01619 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 40960000, 1048576, ) == 0x0 01620 1596 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01612 1928 NtRequestWaitReplyPort ... {64, 88, reply, 56, 940, 1928, 57981, 0} ... {64, 88, reply, 56, 940, 1928, 57981, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0h\26\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01621 1128 NtTestAlert (... 01622 1928 NtClose (316, ... 01621 1128 NtTestAlert ... ) == 0x0 01622 1928 NtClose ... ) == 0x0 01623 1128 NtContinue (40959280, 1, ... 01624 1928 NtClose (320, ... 01625 1128 NtRegisterThreadTerminatePort (24, ... 01624 1928 NtClose ... ) == 0x0 01625 1128 NtRegisterThreadTerminatePort ... 
) == 0x0 01626 1928 NtDeviceIoControlFile (304, 0, 0x0, 0x0, 0x390008, (304, 0, 0x0, 0x0, 0x390008, "\342\300X\314\324}N1\206$\5\15G\222{\235\204\304p\255\332\365\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01627 312 NtAllocateVirtualMemory (-1, 42000384, 0, 8192, 4096, 4, ... 01620 1596 NtSetInformationThread ... ) == 0x0 01628 1128 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01627 312 NtAllocateVirtualMemory ... 42000384, 8192, ) == 0x0 01629 1928 NtQuerySystemInformation (TimeOfDay, 48, ... 01630 312 NtProtectVirtualMemory (-1, (0x280e000), 4096, 260, ... 01629 1928 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01630 312 NtProtectVirtualMemory ... (0x280e000), 4096, 4, ) == 0x0 01631 1928 NtQuerySystemInformation (ProcessorTimes, 48, ... 01632 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01631 1928 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01632 312 NtCreateThread ... 320, {940, 220}, ) == 0x0 01633 1928 NtQuerySystemInformation (Performance, 312, ... 01634 1596 NtWaitForSingleObject (216, 0, 0x0, ... 01628 1128 NtSetInformationThread ... ) == 0x0 01633 1928 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01635 312 NtQueryInformationThread (320, Basic, 28, ... 01636 1128 NtWaitForSingleObject (216, 0, 0x0, ... 01635 312 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=940,Tid=220,}, 0x0, ) == 0x0 01637 1928 NtQuerySystemInformation (Exception, 16, ... 01638 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57982, 0} (24, {28, 56, new_msg, 0, 940, 312, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0\254\3\0\0\334\0\0\0" ... ... 01637 1928 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01638 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57985, 0} ... {28, 56, reply, 0, 940, 312, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0\254\3\0\0\334\0\0\0" ) ) == 0x0 01639 1928 NtQuerySystemInformation (Lookaside, 32, ... 01640 312 NtResumeThread (320, ... 01639 1928 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01641 1928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01642 1928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01643 1928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481344, 2, ) }, 0, 0x0, 0, ... -2147481344, 2, ) == 0x0 01644 1928 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "S\37\310\332D=\322\2045C\261]"\222:\351H?\2739(\20\223s\206}\256\236\14,\324\255&\227\335Z\232\35\237\22r\27H\1xo<\330ZO\222\316\25\241R \233?\7X\23\\243{\320D\263\304m\362f\230\345XN(f\263\367\374", 80, ... ) , 0, 3, (-2147481344, "Seed", 0, 3, "S\37\310\332D=\322\2045C\261]"\222:\351H?\2739(\20\223s\206}\256\236\14,\324\255&\227\335Z\232\35\237\22r\27H\1xo<\330ZO\222\316\25\241R \233?\7X\23\\243{\320D\263\304m\362f\230\345XN(f\263\367\374", 80, ... ) \222:\351H?\2739(\20\223s\206}\256\236\14,\324\255&\227\335Z\232\35\237\22r\27H\1xo<\330ZO\222\316\25\241R \233?\7X\23\\243{\320D\263\304m\362f\230\345XN(f\263\367\374", 80, ... ) == 0x0 01640 312 NtResumeThread ... 
1, ) == 0x0 01645 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 42008576, 1048576, ) == 0x0 01646 312 NtAllocateVirtualMemory (-1, 43048960, 0, 8192, 4096, 4, ... 43048960, 8192, ) == 0x0 01647 312 NtProtectVirtualMemory (-1, (0x290e000), 4096, 260, ... (0x290e000), 4096, 4, ) == 0x0 01648 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 316, {940, 1800}, ) == 0x0 01649 312 NtQueryInformationThread (316, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=940,Tid=1800,}, 0x0, ) == 0x0 01650 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57985, 0} (24, {28, 56, new_msg, 0, 940, 312, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\254\3\0\0\10\7\0\0" ... ... 01651 1928 NtClose (-2147481344, ... 01652 220 NtTestAlert (... 01651 1928 NtClose ... ) == 0x0 01652 220 NtTestAlert ... ) == 0x0 01626 1928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\30\305\270\36e\13\363o\4\254\252\2629\65\376B\224\251\335\366\260\366\357\304N\272\2160\240\335\230\241e5\275\210\305\310\206\371\316\205B*\365,\215\203\14\350H\247?\325\254ri\324\202\202b\321\373=\33\250\257\17u\260.\2136)\37\235\312\351\7\316G\331%\321\261^S\214P\305YD\315\266yt\366\378\11b\250OO\203|^\350\15\35\26\302\206\204\346\2516h\271\220\14d\257_q2\256?p\303\316*C\264\242\277\12\315>\3525\277d6\223\240\265|=\334O\312S:H\376\213\206;\240\370j\15(\275\210|\12y\234\233rQi\206\245\276\213t\255\325B,\317\236*\247\11L\27Zf?\332\210\217\305u\207>\363OU\261\362\206\371\260\24\275\325\276J|\343\211y\222\316]1p\261\25\213\305xlk1\342\306\364\236, ) , ) == 0x0 01653 220 NtContinue (42007856, 1, ... 
01654 1928 NtDeviceIoControlFile (304, 0, 0x0, 0x0, 0x390008, (304, 0, 0x0, 0x0, 0x390008, "\342\300X\314\324}N1\206$\5\15G\222\276\251\364\243\327\177\217\363(\204\304p\255\332\365\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01655 220 NtRegisterThreadTerminatePort (24, ... 01656 1928 NtQuerySystemInformation (TimeOfDay, 48, ... 01655 220 NtRegisterThreadTerminatePort ... ) == 0x0 01656 1928 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01650 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57986, 0} ... {28, 56, reply, 0, 940, 312, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\254\3\0\0\10\7\0\0" ) ) == 0x0 01657 220 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01658 312 NtResumeThread (316, ... 1, ) == 0x0 01659 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 43057152, 1048576, ) == 0x0 01660 312 NtAllocateVirtualMemory (-1, 44097536, 0, 8192, 4096, 4, ... 44097536, 8192, ) == 0x0 01661 312 NtProtectVirtualMemory (-1, (0x2a0e000), 4096, 260, ... (0x2a0e000), 4096, 4, ) == 0x0 01662 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 336, {940, 1796}, ) == 0x0 01663 1928 NtQuerySystemInformation (ProcessorTimes, 48, ... 01657 220 NtSetInformationThread ... ) == 0x0 01664 1800 NtTestAlert (... 01663 1928 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01665 312 NtQueryInformationThread (336, Basic, 28, ... 01664 1800 NtTestAlert ... ) == 0x0 01666 1928 NtQuerySystemInformation (Performance, 312, ... 
01665 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=940,Tid=1796,}, 0x0, ) == 0x0 01667 1800 NtContinue (43056432, 1, ... 01666 1928 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01668 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57986, 0} (24, {28, 56, new_msg, 0, 940, 312, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\254\3\0\0\4\7\0\0" ... ... 01669 1800 NtRegisterThreadTerminatePort (24, ... 01670 1928 NtQuerySystemInformation (Exception, 16, ... 01668 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57987, 0} ... {28, 56, reply, 0, 940, 312, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\254\3\0\0\4\7\0\0" ) ) == 0x0 01669 1800 NtRegisterThreadTerminatePort ... ) == 0x0 01670 1928 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01671 312 NtResumeThread (336, ... 01672 220 NtWaitForSingleObject (216, 0, 0x0, ... 01673 1800 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01674 1928 NtQuerySystemInformation (Lookaside, 32, ... 01671 312 NtResumeThread ... 1, ) == 0x0 01674 1928 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01675 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01676 1928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01675 312 NtAllocateVirtualMemory ... 44105728, 1048576, ) == 0x0 01676 1928 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01677 312 NtAllocateVirtualMemory (-1, 45146112, 0, 8192, 4096, 4, ... 01678 1928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01677 312 NtAllocateVirtualMemory ... 45146112, 8192, ) == 0x0 01678 1928 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01679 312 NtProtectVirtualMemory (-1, (0x2b0e000), 4096, 260, ... 01680 1796 NtTestAlert (... 01673 1800 NtSetInformationThread ... 
) == 0x0 01681 1928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01680 1796 NtTestAlert ... ) == 0x0 01679 312 NtProtectVirtualMemory ... (0x2b0e000), 4096, 4, ) == 0x0 01681 1928 NtCreateKey ... -2147481344, 2, ) == 0x0 01682 1796 NtContinue (44105008, 1, ... 01683 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01684 1928 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "l\4oAl\254\303n\246:H o\206}\215\322\202\315\304\2027<\330qG\22\5\203\206\244{\365\331\203\332\211\327\237\243\233\209\301^w\24\246'`F\256\240tO\200k9\26\320\267)\260\3071S/\317\243y_\361\351\205 \235\322\266s", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "l\4oAl\254\303n\246:H o\206}\215\322\202\315\304\2027<\330qG\22\5\203\206\244{\365\331\203\332\211\327\237\243\233\209\301^w\24\246'`F\256\240tO\200k9\26\320\267)\260\3071S/\317\243y_\361\351\205 \235\322\266s", 80, ... , 80, ... 01685 1796 NtRegisterThreadTerminatePort (24, ... 01683 312 NtCreateThread ... 340, {940, 1808}, ) == 0x0 01684 1928 NtSetValueKey ... ) == 0x0 01685 1796 NtRegisterThreadTerminatePort ... ) == 0x0 01686 312 NtQueryInformationThread (340, Basic, 28, ... 01687 1928 NtClose (-2147481344, ... 01688 1800 NtWaitForSingleObject (216, 0, 0x0, ... 01686 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=940,Tid=1808,}, 0x0, ) == 0x0 01687 1928 NtClose ... ) == 0x0 01689 1796 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01690 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57987, 0} (24, {28, 56, new_msg, 0, 940, 312, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\254\3\0\0\20\7\0\0" ... ... 01689 1796 NtSetInformationThread ... ) == 0x0 01654 1928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\250\215z\276\32\250\\32\276\205\220\331\30\15\317\314\315\211~:S\255\255\216y\312w/\317f\364\350a\11\202\316up\276\276\347\20t\320M\212ezC\214\352\276\20\214c\354\262\322\252\0\226d\242G\257E\232\300\2752XN\300\375\366\371_\362h"%n\227m}\206\344)J\0\243\316;k\267G\337KF\271\244HP!'\363\307\273\10\265\237j\22\25\343\7\247&\274n\327\12\231\345\336`0\27{\224\331\316\37\300\14\37\360{\333L\342\314\16\177Q\24B\335q\237r\262$\207\225\5\210L\351\216-\273\20G\332\272\315\362\7\277\335s\367\231\350~&+\254\341\377\32\312a(.\341-\277\351\315\27\251\206\212t\34-u\335L\333\252\244\264\204\235l\360\254J\13\231\316"\207a\324?X\22\265\360\217!\235p\241\326\261\3430xb)\260\36\342U\323\244\243{\37\216\33\301\255\273\224\377\16g\22\243", ) %n\227m}\206\344)J\0\243\316;k\267G\337KF\271\244HP!'\363\307\273\10\265\237j\22\25\343\7\247&\274n\327\12\231\345\336`0\27{\224\331\316\37\300\14\37\360{\333L\342\314\16\177Q\24B\335q\237r\262$\207\225\5\210L\351\216-\273\20G\332\272\315\362\7\277\335s\367\231\350~&+\254\341\377\32\312a(.\341-\277\351\315\27\251\206\212t\34-u\335L\333\252\244\264\204\235l\360\254J\13\231\316 ... {status=0x0, info=256}, "\250\215z\276\32\250\\32\276\205\220\331\30\15\317\314\315\211~:S\255\255\216y\312w/\317f\364\350a\11\202\316up\276\276\347\20t\320M\212ezC\214\352\276\20\214c\354\262\322\252\0\226d\242G\257E\232\300\2752XN\300\375\366\371_\362h"%n\227m}\206\344)J\0\243\316;k\267G\337KF\271\244HP!'\363\307\273\10\265\237j\22\25\343\7\247&\274n\327\12\231\345\336`0\27{\224\331\316\37\300\14\37\360{\333L\342\314\16\177Q\24B\335q\237r\262$\207\225\5\210L\351\216-\273\20G\332\272\315\362\7\277\335s\367\231\350~&+\254\341\377\32\312a(.\341-\277\351\315\27\251\206\212t\34-u\335L\333\252\244\264\204\235l\360\254J\13\231\316"\207a\324?X\22\265\360\217!\235p\241\326\261\3430xb)\260\36\342U\323\244\243{\37\216\33\301\255\273\224\377\16g\22\243", ) , ) == 0x0 01690 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57988, 0} ... 
{28, 56, reply, 0, 940, 312, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\254\3\0\0\20\7\0\0" ) ) == 0x0 01691 1928 NtDeviceIoControlFile (304, 0, 0x0, 0x0, 0x390008, (304, 0, 0x0, 0x0, 0x390008, "\342\300X\314\324}N1\206$\5\15G\222\276\251\364\243\327\177\2176\34\364\243\327\177\217\363(\204\304p\255\332\365\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01692 312 NtResumeThread (340, ... 01693 1928 NtQuerySystemInformation (TimeOfDay, 48, ... 01692 312 NtResumeThread ... 1, ) == 0x0 01693 1928 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01694 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01695 1928 NtQuerySystemInformation (ProcessorTimes, 48, ... 01694 312 NtAllocateVirtualMemory ... 45154304, 1048576, ) == 0x0 01695 1928 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01696 1796 NtWaitForSingleObject (216, 0, 0x0, ... 01697 1808 NtTestAlert (... 01698 312 NtAllocateVirtualMemory (-1, 46194688, 0, 8192, 4096, 4, ... 01699 1928 NtQuerySystemInformation (Performance, 312, ... 01697 1808 NtTestAlert ... ) == 0x0 01698 312 NtAllocateVirtualMemory ... 46194688, 8192, ) == 0x0 01699 1928 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01700 1808 NtContinue (45153584, 1, ... 01701 312 NtProtectVirtualMemory (-1, (0x2c0e000), 4096, 260, ... 01702 1928 NtQuerySystemInformation (Exception, 16, ... 01703 1808 NtRegisterThreadTerminatePort (24, ... 01701 312 NtProtectVirtualMemory ... 
(0x2c0e000), 4096, 4, ) == 0x0 01702 1928 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01703 1808 NtRegisterThreadTerminatePort ... ) == 0x0 01704 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01705 1928 NtQuerySystemInformation (Lookaside, 32, ... 01704 312 NtCreateThread ... 344, {940, 1700}, ) == 0x0 01705 1928 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01706 1808 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01707 312 NtQueryInformationThread (344, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=940,Tid=1700,}, 0x0, ) == 0x0 01708 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57988, 0} (24, {28, 56, new_msg, 0, 940, 312, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\254\3\0\0\244\6\0\0" ... {28, 56, reply, 0, 940, 312, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\254\3\0\0\244\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 57989, 0} (24, {28, 56, new_msg, 0, 940, 312, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\254\3\0\0\244\6\0\0" ... {28, 56, reply, 0, 940, 312, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\254\3\0\0\244\6\0\0" ) ) == 0x0 01709 312 NtResumeThread (344, ... 1, ) == 0x0 01710 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 46202880, 1048576, ) == 0x0 01711 312 NtAllocateVirtualMemory (-1, 47243264, 0, 8192, 4096, 4, ... 47243264, 8192, ) == 0x0 01712 312 NtProtectVirtualMemory (-1, (0x2d0e000), 4096, 260, ... 01713 1928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01706 1808 NtSetInformationThread ... ) == 0x0 01714 1700 NtTestAlert (... 01713 1928 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01712 312 NtProtectVirtualMemory ... (0x2d0e000), 4096, 4, ) == 0x0 01714 1700 NtTestAlert ... ) == 0x0 01715 1928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01716 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
01717 1700 NtContinue (46202160, 1, ... 01715 1928 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01716 312 NtCreateThread ... 348, {940, 1156}, ) == 0x0 01718 1700 NtRegisterThreadTerminatePort (24, ... 01719 1928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01720 312 NtQueryInformationThread (348, Basic, 28, ... 01718 1700 NtRegisterThreadTerminatePort ... ) == 0x0 01719 1928 NtCreateKey ... -2147481344, 2, ) == 0x0 01720 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=940,Tid=1156,}, 0x0, ) == 0x0 01721 1808 NtWaitForSingleObject (216, 0, 0x0, ... 01722 1700 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01723 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57989, 0} (24, {28, 56, new_msg, 0, 940, 312, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\254\3\0\0\204\4\0\0" ... ... 01724 1928 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "\216\371\336\241\6kV\32l\332\213U7\202J\3666\216\231E$:2^u\223\247h\205\214\210\204\12{+u\313\310PJ\15\373\366?\263%\215b\336\0\346\332"\201}@\212N*\355Y\267m\2555\210\335\342\362\361}\340>\254\11\271\233\313\26\267", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "\216\371\336\241\6kV\32l\332\213U7\202J\3666\216\231E$:2^u\223\247h\205\214\210\204\12{+u\313\310PJ\15\373\366?\263%\215b\336\0\346\332"\201}@\212N*\355Y\267m\2555\210\335\342\362\361}\340>\254\11\271\233\313\26\267", 80, ... \201}@\212N*\355Y\267m\2555\210\335\342\362\361}\340>\254\11\271\233\313\26\267", 80, ... 01722 1700 NtSetInformationThread ... ) == 0x0 01724 1928 NtSetValueKey ... ) == 0x0 01723 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57990, 0} ... {28, 56, reply, 0, 940, 312, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\254\3\0\0\204\4\0\0" ) ) == 0x0 01725 1928 NtClose (-2147481344, ... 01726 312 NtResumeThread (348, ... 
01725 1928 NtClose ... ) == 0x0 01726 312 NtResumeThread ... 1, ) == 0x0 01691 1928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\30\11\372p\26\255\306\16O\226\30\351Y\326\3146(\42\227=\210X\35"\277\302F\230d\4\241u\30\254\215\336\363q\374\335\267\12\344d\226fA\222fw7\273\314\354{T\357\365\354\3623\222\306\37\232\231'h\344\15\336\212\275 G\265\366,Z\302.\241?E\231\263w\166\362o-X\231\257L&\271\240\327o\7g\322-<\342\242\341\340\333\316\332\27\310x\261d\320x\257@\213\253\324\5\235\226\236\17W\231%\222\376\361j19k\342[\217\20\377\317\266w\331\216\321Y\\233\10Z0\225\254\360\264}w\223\211\202\254:\272\234\214\21\250'Y\211\257X=mf|\301\204\377\304\35\315\250\320u\331\362\11\313\315\37\246%\352\214\247\330l\340@5K:a\26\363\337E\250\316 \211e\22e\33\341\256\230B\3700\327#\346\235\333\2655B\324\263\276\267tE'\25\227\353\372*W=EB\271\333#", ) \277\302F\230d\4\241u\30\254\215\336\363q\374\335\267\12\344d\226fA\222fw7\273\314\354{T\357\365\354\3623\222\306\37\232\231'h\344\15\336\212\275 G\265\366,Z\302.\241?E\231\263w\166\362o-X\231\257L&\271\240\327o\7g\322-<\342\242\341\340\333\316\332\27\310x\261d\320x\257@\213\253\324\5\235\226\236\17W\231%\222\376\361j19k\342[\217\20\377\317\266w\331\216\321Y\\233\10Z0\225\254\360\264}w\223\211\202\254:\272\234\214\21\250'Y\211\257X=mf|\301\204\377\304\35\315\250\320u\331\362\11\313\315\37\246%\352\214\247\330l\340@5K:a\26\363\337E\250\316 \211e\22e\33\341\256\230B\3700\327#\346\235\333\2655B\324\263\276\267tE'\25\227\353\372*W=EB\271\333#", ) == 0x0 01727 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
01728 1928 NtDeviceIoControlFile (304, 0, 0x0, 0x0, 0x390008, (304, 0, 0x0, 0x0, 0x390008, "\342\300X\314\324}N1\206$\5\15G\222\276\251\364\243\327\177\2176\34\364\243\327\177\2176\34\364\243\327\177\217\363(\204\304p\255\332\365\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01727 312 NtAllocateVirtualMemory ... 47251456, 1048576, ) == 0x0 01729 1700 NtWaitForSingleObject (216, 0, 0x0, ... 01730 1156 NtTestAlert (... 01731 1928 NtQuerySystemInformation (TimeOfDay, 48, ... 01732 312 NtAllocateVirtualMemory (-1, 48291840, 0, 8192, 4096, 4, ... 01730 1156 NtTestAlert ... ) == 0x0 01731 1928 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01732 312 NtAllocateVirtualMemory ... 48291840, 8192, ) == 0x0 01733 1156 NtContinue (47250736, 1, ... 01734 1928 NtQuerySystemInformation (ProcessorTimes, 48, ... 01735 312 NtProtectVirtualMemory (-1, (0x2e0e000), 4096, 260, ... 01736 1156 NtRegisterThreadTerminatePort (24, ... 01735 312 NtProtectVirtualMemory ... (0x2e0e000), 4096, 4, ) == 0x0 01736 1156 NtRegisterThreadTerminatePort ... ) == 0x0 01737 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01734 1928 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01737 312 NtCreateThread ... 352, {940, 712}, ) == 0x0 01738 1928 NtQuerySystemInformation (Performance, 312, ... 01739 1156 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01738 1928 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01740 1928 NtQuerySystemInformation (Exception, 16, ... 
{system info, class 33, size 16}, 16, ) == 0x0 01741 1928 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01742 1928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01743 1928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01744 1928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01745 312 NtQueryInformationThread (352, Basic, 28, ... 01739 1156 NtSetInformationThread ... ) == 0x0 01745 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=940,Tid=712,}, 0x0, ) == 0x0 01744 1928 NtCreateKey ... -2147481344, 2, ) == 0x0 01746 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57990, 0} (24, {28, 56, new_msg, 0, 940, 312, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\254\3\0\0\310\2\0\0" ... ... 01747 1928 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "RR\324I\36\310H\251r\5\361?\205\275\212\314|s\261\2153\353\31\345\377\225e\200\363\336"\201\226\246"M\240>\240\316\364\376\246\365JW\226\363\320\252;bW\220B\244\361\355P\35\323\24\207\25a\265\340\332\357\260\327J\227A\370\242\17\265\1+", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "RR\324I\36\310H\251r\5\361?\205\275\212\314|s\261\2153\353\31\345\377\225e\200\363\336"\201\226\246"M\240>\240\316\364\376\246\365JW\226\363\320\252;bW\220B\244\361\355P\35\323\24\207\25a\265\340\332\357\260\327J\227A\370\242\17\265\1+", 80, ... \201\226\246 (-2147481344, "Seed", 0, 3, "RR\324I\36\310H\251r\5\361?\205\275\212\314|s\261\2153\353\31\345\377\225e\200\363\336"\201\226\246"M\240>\240\316\364\376\246\365JW\226\363\320\252;bW\220B\244\361\355P\35\323\24\207\25a\265\340\332\357\260\327J\227A\370\242\17\265\1+", 80, ... , 80, ... 01746 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57991, 0} ... 
{28, 56, reply, 0, 940, 312, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\254\3\0\0\310\2\0\0" ) ) == 0x0 01747 1928 NtSetValueKey ... ) == 0x0 01748 312 NtResumeThread (352, ... 01749 1928 NtClose (-2147481344, ... 01750 1156 NtWaitForSingleObject (216, 0, 0x0, ... 01749 1928 NtClose ... ) == 0x0 01748 312 NtResumeThread ... 1, ) == 0x0 01728 1928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "^\227\346O\273\347\30\247\203Y\357/K\253\205\2061\250"\373\205\324\251&\254\301\265\250OfiRY;a\347\316?i\360FI\365\246\1m\263\345eD\321\4\237\223;jM?\356\20\\304\373\177Bk\30\303\301~l\331\206E\306\33RM\223\263@\356C\347\7d\234\333\213\230\307\20\246N\334L\22\345cpC\340\270\30\332k\261f\273\346\211\304\200\330y\24\303\317\301\246\301\236u:\315\1\344U\275<\231\260\366\316\300T\266\366X\256)\315dD\302<1`\3?\22\233\202\215\5\12<\352\342{m,\11-\204\203]`\1\330\245\372,\254&\335\27", ) \373\205\324\251&\254\301\265\250OfiRY;a\347\316?i\360FI\365\246\1m\263\345eD\321\4\237\223;jM?230\2668\221\22\22T\265\2\0\16\255\243u\253\376.\204\350T\0\224\210\321{@/@\26\10\230\27\233\206\0K\226)\221\235w<\304?\356\17\361\347\342\232\3608\265\363%\4v\201\212\315\262P\206u\267O\326'\6\273-\364\360\234>\356\20\\304\373\177Bk\30\303\301~l\331\206E\306\33RM\223\263@\356C\347\7d\234\333\213\230\307\20\246N\334L\22\345cpC\340\270\30\332k\261f\273\346\211\304\200\330y\24\303\317\301\246\301\236u:\315\1\344U\275<\231\260\366\316\300T\266\366X\256)\315dD\302<1`\3?\22\233\202\215\5\12<\352\342{m,\11-\204\203]`\1\330\245\372,\254&\335\27", ) == 0x0 01751 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01752 712 NtTestAlert (... 01751 312 NtAllocateVirtualMemory ... 48300032, 1048576, ) == 0x0 01752 712 NtTestAlert ... ) == 0x0 01753 312 NtAllocateVirtualMemory (-1, 49340416, 0, 8192, 4096, 4, ... 01754 712 NtContinue (48299312, 1, ... 01753 312 NtAllocateVirtualMemory ... 49340416, 8192, ) == 0x0 01755 712 NtRegisterThreadTerminatePort (24, ... 
01756 312 NtProtectVirtualMemory (-1, (0x2f0e000), 4096, 260, ... 01755 712 NtRegisterThreadTerminatePort ... ) == 0x0 01757 1928 NtDeviceIoControlFile (304, 0, 0x0, 0x0, 0x390008, (304, 0, 0x0, 0x0, 0x390008, "\342\300X\314\324}N1\206$\5\15G\222\276\251\364\243\327\177\2176\34\364\243\327\177\2176\34\364\243\327\177\2176\34\364\243\327\177\217\363(\204\304p\255\332\365\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01756 312 NtProtectVirtualMemory ... (0x2f0e000), 4096, 4, ) == 0x0 01758 1928 NtQuerySystemInformation (TimeOfDay, 48, ... 01759 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01758 1928 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01759 312 NtCreateThread ... 356, {940, 1728}, ) == 0x0 01760 1928 NtQuerySystemInformation (ProcessorTimes, 48, ... 01761 312 NtQueryInformationThread (356, Basic, 28, ... 01760 1928 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01761 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=940,Tid=1728,}, 0x0, ) == 0x0 01762 1928 NtQuerySystemInformation (Performance, 312, ... 01763 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57991, 0} (24, {28, 56, new_msg, 0, 940, 312, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\254\3\0\0\300\6\0\0" ... ... 01764 712 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01762 1928 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01765 1928 NtQuerySystemInformation (Exception, 16, ... 
{system info, class 33, size 16}, 16, ) == 0x0 01766 1928 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01767 1928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01768 1928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01769 1928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481344, 2, ) }, 0, 0x0, 0, ... -2147481344, 2, ) == 0x0 01770 1928 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "\251"\252\315;\376\363#P\0\250\213\355l\225\302\366\270\341\246\275b*\273T-AB\340,[\200\304\364@{ ^\205\302\240\17S\217\361Y,\262\13~\262\3306z\240X\252\342\260w\340\3|][=\323\251.\300}\\241\14\33\357\317\7\37", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "\251"\252\315;\376\363#P\0\250\213\355l\225\302\366\270\341\246\275b*\273T-AB\340,[\200\304\364@{ ^\205\302\240\17S\217\361Y,\262\13~\262\3306z\240X\252\342\260w\340\3|][=\323\251.\300}\\241\14\33\357\317\7\37", 80, ... \252\315;\376\363#P\0\250\213\355l\225\302\366\270\341\246\275b*\273T-AB\340,[\200\304\364@{ ^\205\302\240\17S\217\361Y,\262\13~\262\3306z\240X\252\342\260w\340\3|][=\323\251.\300}\\241\14\33\357\317\7\37", 80, ... 01763 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57992, 0} ... {28, 56, reply, 0, 940, 312, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\254\3\0\0\300\6\0\0" ) ) == 0x0 01764 712 NtSetInformationThread ... ) == 0x0 01771 312 NtResumeThread (356, ... 01770 1928 NtSetValueKey ... ) == 0x0 01771 312 NtResumeThread ... 1, ) == 0x0 01772 1928 NtClose (-2147481344, ... 01773 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01772 1928 NtClose ... ) == 0x0 01773 312 NtAllocateVirtualMemory ... 49348608, 1048576, ) == 0x0 01757 1928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\20\201u\2315Y\377\25N\364\254(_\225\232\266Y\267\332\366\225\376\343\337\277\4Ev\330\3\355Eo\206$\275\374u\370\267\223\352\206z\277B4\205\330v\264h\231\236\242Q\277_\311\233O\246\371\5\242\232\340\224Op\207 \266>\207\300$\317&Q\345\272\201\246\332n\233\312iz\231\34\205\242\247\17#e\177\3411\275\5\226H\212\352\315?\14\230\200\331\220\252\3\305>R\370\241\7 m\265\376#\360\354\213\365Pk,&\210f\273}\366r&\252\372_\227\275\363\250\20\13\245\200\2\276\263j\271\200[\230V\312\3516\325^2\205k_\17\\227\223\325)\235`\302$\277\305\324\275Q4\342]\304\314\3670"tc\7\20\21\246z%\240\311o\336\352\12\20W\211#\312\21\313\211i\26\220\250$2\372>\225\300\233\300\236\316\376\237\270\375\336\7\23\3615\216\214\230\227\350b\274v\211\367\255X\243\374\202", ) tc\7\20\21\246z%\240\311o\336\352\12\20W\211#\312\21\313\211i\26\220\250$2\372>\225\300\233\300\236\316\376\237\270\375\336\7\23\3615\216\214\230\227\350b\274v\211\367\255X\243\374\202", ) == 0x0 01774 712 NtWaitForSingleObject (216, 0, 0x0, ... 01775 1728 NtTestAlert (... 01776 1928 NtDeviceIoControlFile (304, 0, 0x0, 0x0, 0x390008, (304, 0, 0x0, 0x0, 0x390008, "\342\300X\314\324}N1\206$\5\15G\222\276\251\364\243\327\177\2176\34\364\243\327\177\2176\34\364\243\327\177\2176\34\364\243\327\177\2176\34\364\243\327\177\217\363(\204\304p\255\332\365\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01777 312 NtAllocateVirtualMemory (-1, 50388992, 0, 8192, 4096, 4, ... 01775 1728 NtTestAlert ... ) == 0x0 01778 1928 NtQuerySystemInformation (TimeOfDay, 48, ... 01777 312 NtAllocateVirtualMemory ... 
50388992, 8192, ) == 0x0 01779 1728 NtContinue (49347888, 1, ... 01780 312 NtProtectVirtualMemory (-1, (0x300e000), 4096, 260, ... 01781 1728 NtRegisterThreadTerminatePort (24, ... 01780 312 NtProtectVirtualMemory ... (0x300e000), 4096, 4, ) == 0x0 01781 1728 NtRegisterThreadTerminatePort ... ) == 0x0 01782 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01778 1928 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01782 312 NtCreateThread ... 360, {940, 1356}, ) == 0x0 01783 1928 NtQuerySystemInformation (ProcessorTimes, 48, ... 01784 1728 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01783 1928 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01785 1928 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01786 1928 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01787 1928 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01788 1928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01789 1928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01790 312 NtQueryInformationThread (360, Basic, 28, ... 01784 1728 NtSetInformationThread ... ) == 0x0 01790 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=940,Tid=1356,}, 0x0, ) == 0x0 01789 1928 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01791 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57992, 0} (24, {28, 56, new_msg, 0, 940, 312, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\254\3\0\0L\5\0\0" ... ... 01792 1928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01791 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57993, 0} ... 
{28, 56, reply, 0, 940, 312, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\254\3\0\0L\5\0\0" ) ) == 0x0 01792 1928 NtCreateKey ... -2147481344, 2, ) == 0x0 01793 312 NtResumeThread (360, ... 01794 1928 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "J\373\203I^\205\337C\31\224\322\342>\275\307\313\302\257L\242\17\24\321\325PL\177\2~\276|\224$\254\337\353o^\357~k0\221/\314\364\273%!v)\262\323\203\275\212\224\6\242\221\375\36\26\250\34\202\266\212\277\340\320\267Ej\4I\314B\10\214", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "J\373\203I^\205\337C\31\224\322\342>\275\307\313\302\257L\242\17\24\321\325PL\177\2~\276|\224$\254\337\353o^\357~k0\221/\314\364\273%!v)\262\323\203\275\212\224\6\242\221\375\36\26\250\34\202\266\212\277\340\320\267Ej\4I\314B\10\214", 80, ... , 80, ... 01795 1728 NtWaitForSingleObject (216, 0, 0x0, ... 01794 1928 NtSetValueKey ... ) == 0x0 01793 312 NtResumeThread ... 1, ) == 0x0 01796 1928 NtClose (-2147481344, ... 01797 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01798 1356 NtTestAlert (... 01797 312 NtAllocateVirtualMemory ... 50397184, 1048576, ) == 0x0 01798 1356 NtTestAlert ... ) == 0x0 01799 312 NtAllocateVirtualMemory (-1, 51437568, 0, 8192, 4096, 4, ... 01800 1356 NtContinue (50396464, 1, ... 01799 312 NtAllocateVirtualMemory ... 51437568, 8192, ) == 0x0 01801 1356 NtRegisterThreadTerminatePort (24, ... 01802 312 NtProtectVirtualMemory (-1, (0x310e000), 4096, 260, ... 01801 1356 NtRegisterThreadTerminatePort ... ) == 0x0 01796 1928 NtClose ... ) == 0x0 01802 312 NtProtectVirtualMemory ... (0x310e000), 4096, 4, ) == 0x0 01776 1928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "A\306 \244\13\36e\263z9\214\21\216o\202\302Sr\15\251i\275\230>Wh\307O\242\10})\226\36167%\3\302\274}\353"\313w\204\223Eo\14x\274\362u\262>\361\3\242\232\277\11dC_\254\276\267\266\256\225b`\340T\372\213\272\255\1\335\200D\246\214z]\272\345\351\257\2\266\3q!\233\211\274\\225\345\372\276cE\332f\3\334X\3572\1\33\267\307\330j\3248w\26H\227#\306\276y\377\250\370\240\212\231{\276X\253\356(}bk\315\12N\203QA\343\22\373\232\361\211v\207\237X\241\337\33\16)\224\226Yp\11t\263]lY[T\256\342\321\350\250\359\201G\22\240\355\374\23F\261V\233q\353\276nk\22G\279\221j\177\357\2736~h8\251\273W\235D\322|\305\316O\203\32\277\3623\314\2643\315M\210\245e_\300\10n{\320t\276\207^%n\273\300\304\243\370\240t\2", ) \313w\204\223Eo\14x\274\362u\262>\361\3\242\232\277\11dC_\254\276\267\266\256\225b`\340T\372\213\272\255\1\335\200D\246\214z]\272\345\351\257\2\266\3q!\233\211\274\\225\345\372\276cE\332f\3\334X\3572\1\33\267\307\330j\3248w\26H\227#\306\276y\377\250\370\240\212\231{\276X\253\356(}bk\315\12N\203QA\343\22\373\232\361\211v\207\237X\241\337\33\16)\224\226Yp\11t\263]lY[T\256\342\321\350\250\359\201G\22\240\355\374\23F\261V\233q\353\276nk\22G\279\221j\177\357\2736~h8\251\273W\235D\322|\305\316O\203\32\277\3623\314\2643\315M\210\245e_\300\10n{\320t\276\207^%n\273\300\304\243\370\240t\2", ) == 0x0 01803 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
01804 1928 NtDeviceIoControlFile (304, 0, 0x0, 0x0, 0x390008, (304, 0, 0x0, 0x0, 0x390008, "\342\300X\314\324}N1\206$\5\15G\222\276\251\364\243\327\177\2176\34\364\243\327\177\2176\34\364\243\327\177\2176\34\364\243\327\177\2176\34\364\243\327\177\2176\34\364\243\327\177\217\363(\204\304p\255\332\365\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01803 312 NtCreateThread ... 364, {940, 1536}, ) == 0x0 01805 1928 NtQuerySystemInformation (TimeOfDay, 48, ... 01806 312 NtQueryInformationThread (364, Basic, 28, ... 01805 1928 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01806 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=940,Tid=1536,}, 0x0, ) == 0x0 01807 1928 NtQuerySystemInformation (ProcessorTimes, 48, ... 01808 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57993, 0} (24, {28, 56, new_msg, 0, 940, 312, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\254\3\0\0\0\6\0\0" ... ... 01809 1356 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01807 1928 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01810 1928 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01811 1928 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01812 1928 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01813 1928 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 01814 1928 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01815 1928 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01808 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57994, 0} ... {28, 56, reply, 0, 940, 312, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\254\3\0\0\0\6\0\0" ) ) == 0x0 01809 1356 NtSetInformationThread ... ) == 0x0 01816 312 NtResumeThread (364, ... 01815 1928 NtCreateKey ... -2147481344, 2, ) == 0x0 01816 312 NtResumeThread ... 1, ) == 0x0 01817 1928 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "\356;\253e\314\335\340;f\363q\314R\357\307\270\366\370\16\342y\320u\251T\265bftj'\215\335\214=\215\3\5.\234-\266\374\264)F\271\\2C\307\16\344\227\2Y\30\260\177Ze\4\264\22\275<\22s\305\261\314\355\351$W\236k\26.\234", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "\356;\253e\314\335\340;f\363q\314R\357\307\270\366\370\16\342y\320u\251T\265bftj'\215\335\214=\215\3\5.\234-\266\374\264)F\271\\2C\307\16\344\227\2Y\30\260\177Ze\4\264\22\275<\22s\305\261\314\355\351$W\236k\26.\234", 80, ... , 80, ... 01818 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01817 1928 NtSetValueKey ... ) == 0x0 01818 312 NtAllocateVirtualMemory ... 51445760, 1048576, ) == 0x0 01819 1928 NtClose (-2147481344, ... 01820 1356 NtWaitForSingleObject (216, 0, 0x0, ... 01821 1536 NtTestAlert (... 01819 1928 NtClose ... ) == 0x0 01822 312 NtAllocateVirtualMemory (-1, 52486144, 0, 8192, 4096, 4, ... 01821 1536 NtTestAlert ... ) == 0x0 01804 1928 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "=\2x\312\5\252\7\336\200\361\25\336\305\15\364\314:\371R\343\232+\231a\367\247N\1\340\363\332)Nr\261\255\237\2700\34\232B\0\13n0\346\302>\350\201\356V;\354I\276\3\350*=\2018\202\232A\376\201/jy\3134\23]\303\275\24+\353\273>UV\240\22\23?ax\277\3543\264\342d\316\252u\307!\337\311F/Fp\262-\/9_\333\312\334\365\365\321M\342\3641b\342d\33\1'\251@\246\367\335\335L\\33Q\327\351o\36777\211\275\300\242z\31\5\353X\370\1\2108\10\275W\301A\24>\320>\24\10FIpA\3701ya\300\332\3\361\361\15*1$\203\367$.\7X\375\311\221=uC47\252\223\200\31\224\355\22\244 q\23\360\262Qt\265.~\245\312F\12\331\261E6-\351\277\270\207Is!\20\13U\220b\261A\342\24e\17\241\32\350\362\245\261\341\353\31J.", ) , ) == 0x0 01822 312 NtAllocateVirtualMemory ... 52486144, 8192, ) == 0x0 01823 1536 NtContinue (51445040, 1, ... 01824 312 NtProtectVirtualMemory (-1, (0x320e000), 4096, 260, ... 01825 1536 NtRegisterThreadTerminatePort (24, ... 01824 312 NtProtectVirtualMemory ... (0x320e000), 4096, 4, ) == 0x0 01825 1536 NtRegisterThreadTerminatePort ... ) == 0x0 01826 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01827 1928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01826 312 NtCreateThread ... 368, {940, 444}, ) == 0x0 01827 1928 NtCreateEvent ... 372, ) == 0x0 01828 1536 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01829 1928 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 376, ) }, ... 376, ) == 0x0 01830 1928 NtOpenKey (0x20019, {24, 376, 0x40, 0, 0, (0x20019, {24, 376, 0x40, 0, 0, "ActiveComputerName"}, ... 380, ) }, ... 380, ) == 0x0 01831 1928 NtQueryValueKey (380, (380, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (380, "ComputerName", Full, 108, ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (380, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 01832 1928 NtClose (380, ... ) == 0x0 01833 1928 NtClose (376, ... ) == 0x0 01834 312 NtQueryInformationThread (368, Basic, 28, ... 01828 1536 NtSetInformationThread ... ) == 0x0 01834 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=940,Tid=444,}, 0x0, ) == 0x0 01835 1928 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 01836 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57994, 0} (24, {28, 56, new_msg, 0, 940, 312, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\254\3\0\0\274\1\0\0" ... ... 01835 1928 NtCreateIoCompletion ... 376, ) == 0x0 01836 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57995, 0} ... {28, 56, reply, 0, 940, 312, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\254\3\0\0\274\1\0\0" ) ) == 0x0 01837 1928 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 01838 312 NtResumeThread (368, ... 01837 1928 NtCreateIoCompletion ... 380, ) == 0x0 01839 1536 NtWaitForSingleObject (216, 0, 0x0, ... 01840 1928 NtDuplicateObject (-1, 376, -1, 0x0, 0, 2, ... 01838 312 NtResumeThread ... 1, ) == 0x0 01840 1928 NtDuplicateObject ... 384, ) == 0x0 01841 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01842 444 NtTestAlert (... 01841 312 NtAllocateVirtualMemory ... 52494336, 1048576, ) == 0x0 01842 444 NtTestAlert ... ) == 0x0 01843 312 NtAllocateVirtualMemory (-1, 53534720, 0, 8192, 4096, 4, ... 01844 444 NtContinue (52493616, 1, ... 01843 312 NtAllocateVirtualMemory ... 53534720, 8192, ) == 0x0 01845 444 NtRegisterThreadTerminatePort (24, ... 01846 312 NtProtectVirtualMemory (-1, (0x330e000), 4096, 260, ... 01845 444 NtRegisterThreadTerminatePort ... ) == 0x0 01847 1928 NtOpenThreadToken (-2, 0xc, 1, ... 01846 312 NtProtectVirtualMemory ... 
(0x330e000), 4096, 4, ) == 0x0 01847 1928 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01848 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01849 1928 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01848 312 NtCreateThread ... 388, {940, 1904}, ) == 0x0 01849 1928 NtCreateEvent ... 392, ) == 0x0 01850 312 NtQueryInformationThread (388, Basic, 28, ... 01851 1928 NtOpenThreadToken (-2, 0xc, 1, ... 01850 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=940,Tid=1904,}, 0x0, ) == 0x0 01851 1928 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01852 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57995, 0} (24, {28, 56, new_msg, 0, 940, 312, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\254\3\0\0p\7\0\0" ... ... 01853 444 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01854 1928 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01855 1928 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 13430976, (0xc0100080, {24, 0, 0x40, 0, 13430976, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) == 0x0 01856 1928 NtSetInformationFile (396, 13431032, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01857 1928 NtSetInformationFile (396, 13431020, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01858 1928 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01859 1928 NtWriteFile (396, 257, 0, 0, (396, 257, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01852 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57996, 0} ... 
{28, 56, reply, 0, 940, 312, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\254\3\0\0p\7\0\0" ) ) == 0x0 01853 444 NtSetInformationThread ... ) == 0x0 01860 312 NtResumeThread (388, ... 01861 1928 NtReadFile (396, 257, 0, 0, 1024, {0, 0}, 0, ... 01860 312 NtResumeThread ... 1, ) == 0x0 01861 1928 NtReadFile ... {status=0x0, info=68}, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01862 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01863 1928 NtFsControlFile (396, 257, 0x0, 0x0, 0x11c017, (396, 257, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\314\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ... 01862 312 NtAllocateVirtualMemory ... 53542912, 1048576, ) == 0x0 01863 1928 NtFsControlFile ... {status=0x103, info=68}, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01864 444 NtWaitForSingleObject (216, 0, 0x0, ... 01865 1904 NtTestAlert (... 01866 1928 NtFsControlFile (396, 257, 0x0, 0x0, 0x11c017, (396, 257, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\1\0\0\0\1\0\0\0&\0(\0\350\357\24\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ... 01867 312 NtAllocateVirtualMemory (-1, 54583296, 0, 8192, 4096, 4, ... 01865 1904 NtTestAlert ... ) == 0x0 01866 1928 NtFsControlFile ... {status=0x103, info=48}, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) , ) == 0x103 01867 312 NtAllocateVirtualMemory ... 
54583296, 8192, ) == 0x0 01868 1904 NtContinue (53542192, 1, ... 01869 312 NtProtectVirtualMemory (-1, (0x340e000), 4096, 260, ... 01870 1904 NtRegisterThreadTerminatePort (24, ... 01869 312 NtProtectVirtualMemory ... (0x340e000), 4096, 4, ) == 0x0 01870 1904 NtRegisterThreadTerminatePort ... ) == 0x0 01871 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01872 1928 NtFsControlFile (396, 257, 0x0, 0x0, 0x11c017, (396, 257, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... , 44, 1024, ... 01871 312 NtCreateThread ... 400, {940, 1936}, ) == 0x0 01872 1928 NtFsControlFile ... {status=0x103, info=156}, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0 \25\25\0\1\0\0\0,\25\25\0 \0\0\0\1\0\0\0\30\0\32\08\25\25\0T\25\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\210\376\24\0\1\0\0\0\5\0i\0\230\376\24\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01873 1904 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01874 1928 NtClose (392, ... ) == 0x0 01875 1928 NtClose (396, ... ) == 0x0 01876 1928 NtSecureConnectPort ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1382416, 0x0, 13432900, 188, ... 396, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 1}, 0x0, 1382416, 0x0, 13432900, 188, ... 396, 0x0, 0x0, 0x0, 188, ) == 0x0 01877 1928 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01878 1928 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01879 312 NtQueryInformationThread (400, Basic, 28, ... 01873 1904 NtSetInformationThread ... ) == 0x0 01879 312 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=940,Tid=1936,}, 0x0, ) == 0x0 01878 1928 NtSetInformationThread ... 
) == 0x0 01880 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57996, 0} (24, {28, 56, new_msg, 0, 940, 312, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\254\3\0\0\220\7\0\0" ... ... 01881 1928 NtRequestWaitReplyPort (396, {200, 224, new_msg, 0, 1365368, 12, 2, 1310977} (396, {200, 224, new_msg, 0, 1365368, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\206\221\234\256\11q\270\235_L\212\247\26\3\22M\12\0\0\09RUV\255}\17\200\0\0\0\0@\361\24\0\13\275\345{\272\363\264((\0\0\0+a\0\261\0\0\24\0\240\366\314\06\304\7h\0\0\0\0\330\16\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\314\0\372\31\221|X\376\314\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 01880 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 57998, 0} ... {28, 56, reply, 0, 940, 312, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\254\3\0\0\220\7\0\0" ) ) == 0x0 01882 312 NtResumeThread (400, ... 01881 1928 NtRequestWaitReplyPort ... {200, 224, reply, 0, 940, 1928, 57999, 0} ... {200, 224, reply, 0, 940, 1928, 57999, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\2\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\206\221\234\256\11q\270\235_L\212\247\26\3\22M\12\0\0\09RUV\255}\17\200\0\0\0\0@\361\24\0\13\275\345{\272\363\264((\0\0\0+a\0\261\0\0\24\0\240\366\314\06\304\7h\0\0\0\0\330\16\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\314\0\372\31\221|X\376\314\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01883 1904 NtWaitForSingleObject (216, 0, 0x0, ... 01884 1928 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01882 312 NtResumeThread ... 1, ) == 0x0 01884 1928 NtSetInformationThread ... ) == 0x0 01885 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
01886 1936 NtTestAlert (... 01885 312 NtAllocateVirtualMemory ... 54591488, 1048576, ) == 0x0 01886 1936 NtTestAlert ... ) == 0x0 01887 312 NtAllocateVirtualMemory (-1, 55631872, 0, 8192, 4096, 4, ... 01888 1936 NtContinue (54590768, 1, ... 01887 312 NtAllocateVirtualMemory ... 55631872, 8192, ) == 0x0 01889 1936 NtRegisterThreadTerminatePort (24, ... 01890 312 NtProtectVirtualMemory (-1, (0x350e000), 4096, 260, ... 01889 1936 NtRegisterThreadTerminatePort ... ) == 0x0 01891 1928 NtRequestWaitReplyPort (396, {56, 80, new_msg, 0, 44, 3, 20, 0} (396, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0\215\373FC\227[\347p\214Nse\1\0\0\0\0\0\0\0&\0(\0\30\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ... ... 01890 312 NtProtectVirtualMemory ... (0x350e000), 4096, 4, ) == 0x0 01892 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 392, {940, 1648}, ) == 0x0 01893 312 NtQueryInformationThread (392, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=940,Tid=1648,}, 0x0, ) == 0x0 01894 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 57998, 0} (24, {28, 56, new_msg, 0, 940, 312, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\254\3\0\0p\6\0\0" ... ... 01895 1936 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0 01896 1936 NtWaitForSingleObject (216, 0, 0x0, ... 01894 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 58001, 0} ... {28, 56, reply, 0, 940, 312, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\254\3\0\0p\6\0\0" ) ) == 0x0 01897 312 NtResumeThread (392, ... 01891 1928 NtRequestWaitReplyPort ... {44, 68, reply, 0, 940, 1928, 58000, 0} ... {44, 68, reply, 0, 940, 1928, 58000, 0} "\4\31\221|\0\0\221|\200\300\227|p\31\221|\0\276\21\0\330\0\0\0\204-|\2\0\220\366\177\2\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01898 1928 NtRaiseException (13433360, 13432620, 1, ... 01899 1928 NtQueryVirtualMemory (-1, 0x77e7a298, Basic, 28, ... 
{BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 01900 1928 NtContinue (13431588, 0, ... 01897 312 NtResumeThread ... 1, ) == 0x0 01901 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 55640064, 1048576, ) == 0x0 01902 1648 NtTestAlert (... ) == 0x0 01903 1648 NtContinue (55639344, 1, ... 01904 1648 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01905 1648 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01906 312 NtAllocateVirtualMemory (-1, 56680448, 0, 8192, 4096, 4, ... 56680448, 8192, ) == 0x0 01907 312 NtProtectVirtualMemory (-1, (0x360e000), 4096, 260, ... (0x360e000), 4096, 4, ) == 0x0 01908 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 404, {940, 148}, ) == 0x0 01909 312 NtQueryInformationThread (404, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=940,Tid=148,}, 0x0, ) == 0x0 01910 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58001, 0} (24, {28, 56, new_msg, 0, 940, 312, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\254\3\0\0\224\0\0\0" ... {28, 56, reply, 0, 940, 312, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\254\3\0\0\224\0\0\0" ) ... {28, 56, reply, 0, 940, 312, 58002, 0} (24, {28, 56, new_msg, 0, 940, 312, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\254\3\0\0\224\0\0\0" ... {28, 56, reply, 0, 940, 312, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\254\3\0\0\224\0\0\0" ) ) == 0x0 01911 312 NtResumeThread (404, ... 01912 1928 NtDeviceIoControlFile (280, 196, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... 01911 312 NtResumeThread ... 1, ) == 0x0 01913 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 56688640, 1048576, ) == 0x0 01914 312 NtAllocateVirtualMemory (-1, 57729024, 0, 8192, 4096, 4, ... 57729024, 8192, ) == 0x0 01915 312 NtProtectVirtualMemory (-1, (0x370e000), 4096, 260, ... 
(0x370e000), 4096, 4, ) == 0x0 01916 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 408, {940, 1828}, ) == 0x0 01917 312 NtQueryInformationThread (408, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=940,Tid=1828,}, 0x0, ) == 0x0 01918 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58002, 0} (24, {28, 56, new_msg, 0, 940, 312, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\254\3\0\0$\7\0\0" ... ... 01912 1928 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x103 01919 148 NtTestAlert (... 01920 1928 NtWaitForSingleObject (196, 1, {-5000000, -1}, ... 01919 148 NtTestAlert ... ) == 0x0 01921 148 NtContinue (56687920, 1, ... 01922 148 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01923 148 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01918 312 NtRequestWaitReplyPort ... {28, 56, reply, 0, 940, 312, 58003, 0} ... {28, 56, reply, 0, 940, 312, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\254\3\0\0$\7\0\0" ) ) == 0x0 01924 312 NtResumeThread (408, ... 1, ) == 0x0 01925 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 57737216, 1048576, ) == 0x0 01926 1828 NtTestAlert (... ) == 0x0 01927 1828 NtContinue (57736496, 1, ... 01928 1828 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01929 1828 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01930 312 NtAllocateVirtualMemory (-1, 58777600, 0, 8192, 4096, 4, ... 58777600, 8192, ) == 0x0 01931 312 NtProtectVirtualMemory (-1, (0x380e000), 4096, 260, ... (0x380e000), 4096, 4, ) == 0x0 01932 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 412, {940, 1864}, ) == 0x0 01933 312 NtQueryInformationThread (412, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=940,Tid=1864,}, 0x0, ) == 0x0 01934 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58003, 0} (24, {28, 56, new_msg, 0, 940, 312, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\254\3\0\0H\7\0\0" ... {28, 56, reply, 0, 940, 312, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\254\3\0\0H\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58004, 0} (24, {28, 56, new_msg, 0, 940, 312, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\254\3\0\0H\7\0\0" ... {28, 56, reply, 0, 940, 312, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\254\3\0\0H\7\0\0" ) ) == 0x0 01935 312 NtResumeThread (412, ... 1, ) == 0x0 01936 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 58785792, 1048576, ) == 0x0 01937 312 NtAllocateVirtualMemory (-1, 59826176, 0, 8192, 4096, 4, ... 59826176, 8192, ) == 0x0 01938 312 NtProtectVirtualMemory (-1, (0x390e000), 4096, 260, ... 01939 1864 NtTestAlert (... ) == 0x0 01940 1864 NtContinue (58785072, 1, ... 01941 1864 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01942 1864 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01938 312 NtProtectVirtualMemory ... (0x390e000), 4096, 4, ) == 0x0 01943 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 416, {940, 1896}, ) == 0x0 01944 312 NtQueryInformationThread (416, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=940,Tid=1896,}, 0x0, ) == 0x0 01945 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58004, 0} (24, {28, 56, new_msg, 0, 940, 312, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\254\3\0\0h\7\0\0" ... {28, 56, reply, 0, 940, 312, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\254\3\0\0h\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58005, 0} (24, {28, 56, new_msg, 0, 940, 312, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\254\3\0\0h\7\0\0" ... 
{28, 56, reply, 0, 940, 312, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\254\3\0\0h\7\0\0" ) ) == 0x0 01946 312 NtResumeThread (416, ... 1, ) == 0x0 01947 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 59834368, 1048576, ) == 0x0 01948 1896 NtTestAlert (... ) == 0x0 01949 1896 NtContinue (59833648, 1, ... 01950 1896 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01951 1896 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01952 312 NtAllocateVirtualMemory (-1, 60874752, 0, 8192, 4096, 4, ... 60874752, 8192, ) == 0x0 01953 312 NtProtectVirtualMemory (-1, (0x3a0e000), 4096, 260, ... (0x3a0e000), 4096, 4, ) == 0x0 01954 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 420, {940, 1524}, ) == 0x0 01955 312 NtQueryInformationThread (420, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=940,Tid=1524,}, 0x0, ) == 0x0 01956 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58005, 0} (24, {28, 56, new_msg, 0, 940, 312, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\254\3\0\0\364\5\0\0" ... {28, 56, reply, 0, 940, 312, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\254\3\0\0\364\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 58006, 0} (24, {28, 56, new_msg, 0, 940, 312, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\254\3\0\0\364\5\0\0" ... {28, 56, reply, 0, 940, 312, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\254\3\0\0\364\5\0\0" ) ) == 0x0 01957 312 NtResumeThread (420, ... 1, ) == 0x0 01958 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 60882944, 1048576, ) == 0x0 01959 312 NtAllocateVirtualMemory (-1, 61923328, 0, 8192, 4096, 4, ... 61923328, 8192, ) == 0x0 01960 312 NtProtectVirtualMemory (-1, (0x3b0e000), 4096, 260, ... 01961 1524 NtTestAlert (... ) == 0x0 01962 1524 NtContinue (60882224, 1, ... 01963 1524 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01964 1524 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
01960 312 NtProtectVirtualMemory ... (0x3b0e000), 4096, 4, ) == 0x0 01965 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 424, {940, 1944}, ) == 0x0 01966 312 NtQueryInformationThread (424, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=940,Tid=1944,}, 0x0, ) == 0x0 01967 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58006, 0} (24, {28, 56, new_msg, 0, 940, 312, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\254\3\0\0\230\7\0\0" ... {28, 56, reply, 0, 940, 312, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\254\3\0\0\230\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58007, 0} (24, {28, 56, new_msg, 0, 940, 312, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\254\3\0\0\230\7\0\0" ... {28, 56, reply, 0, 940, 312, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\254\3\0\0\230\7\0\0" ) ) == 0x0 01968 312 NtResumeThread (424, ... 1, ) == 0x0 01969 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 61931520, 1048576, ) == 0x0 01970 1944 NtTestAlert (... ) == 0x0 01971 1944 NtContinue (61930800, 1, ... 01972 1944 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01973 1944 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01974 312 NtAllocateVirtualMemory (-1, 62971904, 0, 8192, 4096, 4, ... 62971904, 8192, ) == 0x0 01975 312 NtProtectVirtualMemory (-1, (0x3c0e000), 4096, 260, ... (0x3c0e000), 4096, 4, ) == 0x0 01976 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 428, {940, 2044}, ) == 0x0 01977 312 NtQueryInformationThread (428, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=940,Tid=2044,}, 0x0, ) == 0x0 01978 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58007, 0} (24, {28, 56, new_msg, 0, 940, 312, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\254\3\0\0\374\7\0\0" ... {28, 56, reply, 0, 940, 312, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\254\3\0\0\374\7\0\0" ) ... 
{28, 56, reply, 0, 940, 312, 58008, 0} (24, {28, 56, new_msg, 0, 940, 312, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\254\3\0\0\374\7\0\0" ... {28, 56, reply, 0, 940, 312, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\254\3\0\0\374\7\0\0" ) ) == 0x0 01979 312 NtResumeThread (428, ... 1, ) == 0x0 01980 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 62980096, 1048576, ) == 0x0 01981 312 NtAllocateVirtualMemory (-1, 64020480, 0, 8192, 4096, 4, ... 64020480, 8192, ) == 0x0 01982 312 NtProtectVirtualMemory (-1, (0x3d0e000), 4096, 260, ... 01983 2044 NtAllocateVirtualMemory (-1, 8806400, 0, 4096, 4096, 4, ... 8806400, 4096, ) == 0x0 01984 2044 NtTestAlert (... ) == 0x0 01985 2044 NtContinue (62979376, 1, ... 01986 2044 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01987 2044 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01982 312 NtProtectVirtualMemory ... (0x3d0e000), 4096, 4, ) == 0x0 01988 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 432, {940, 240}, ) == 0x0 01989 312 NtQueryInformationThread (432, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=940,Tid=240,}, 0x0, ) == 0x0 01990 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58008, 0} (24, {28, 56, new_msg, 0, 940, 312, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\254\3\0\0\360\0\0\0" ... {28, 56, reply, 0, 940, 312, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\254\3\0\0\360\0\0\0" ) ... {28, 56, reply, 0, 940, 312, 58009, 0} (24, {28, 56, new_msg, 0, 940, 312, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\254\3\0\0\360\0\0\0" ... {28, 56, reply, 0, 940, 312, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\254\3\0\0\360\0\0\0" ) ) == 0x0 01991 312 NtResumeThread (432, ... 1, ) == 0x0 01992 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 64028672, 1048576, ) == 0x0 01993 240 NtTestAlert (... ) == 0x0 01994 240 NtContinue (64027952, 1, ... 
01995 240 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01996 240 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01997 312 NtAllocateVirtualMemory (-1, 65069056, 0, 8192, 4096, 4, ... 65069056, 8192, ) == 0x0 01998 312 NtProtectVirtualMemory (-1, (0x3e0e000), 4096, 260, ... (0x3e0e000), 4096, 4, ) == 0x0 01999 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 436, {940, 968}, ) == 0x0 02000 312 NtQueryInformationThread (436, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=940,Tid=968,}, 0x0, ) == 0x0 02001 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58009, 0} (24, {28, 56, new_msg, 0, 940, 312, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\254\3\0\0\310\3\0\0" ... {28, 56, reply, 0, 940, 312, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\254\3\0\0\310\3\0\0" ) ... {28, 56, reply, 0, 940, 312, 58010, 0} (24, {28, 56, new_msg, 0, 940, 312, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\254\3\0\0\310\3\0\0" ... {28, 56, reply, 0, 940, 312, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\254\3\0\0\310\3\0\0" ) ) == 0x0 02002 312 NtResumeThread (436, ... 1, ) == 0x0 02003 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 65077248, 1048576, ) == 0x0 02004 312 NtAllocateVirtualMemory (-1, 66117632, 0, 8192, 4096, 4, ... 66117632, 8192, ) == 0x0 02005 312 NtProtectVirtualMemory (-1, (0x3f0e000), 4096, 260, ... 02006 968 NtTestAlert (... ) == 0x0 02007 968 NtContinue (65076528, 1, ... 02008 968 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02009 968 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02005 312 NtProtectVirtualMemory ... (0x3f0e000), 4096, 4, ) == 0x0 02010 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 440, {940, 308}, ) == 0x0 02011 312 NtQueryInformationThread (440, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=940,Tid=308,}, 0x0, ) == 0x0 02012 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58010, 0} (24, {28, 56, new_msg, 0, 940, 312, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\254\3\0\04\1\0\0" ... {28, 56, reply, 0, 940, 312, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\254\3\0\04\1\0\0" ) ... {28, 56, reply, 0, 940, 312, 58011, 0} (24, {28, 56, new_msg, 0, 940, 312, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\254\3\0\04\1\0\0" ... {28, 56, reply, 0, 940, 312, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\254\3\0\04\1\0\0" ) ) == 0x0 02013 312 NtResumeThread (440, ... 1, ) == 0x0 02014 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 66125824, 1048576, ) == 0x0 02015 308 NtTestAlert (... ) == 0x0 02016 308 NtContinue (66125104, 1, ... 02017 308 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02018 308 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02019 312 NtAllocateVirtualMemory (-1, 67166208, 0, 8192, 4096, 4, ... 67166208, 8192, ) == 0x0 02020 312 NtProtectVirtualMemory (-1, (0x400e000), 4096, 260, ... (0x400e000), 4096, 4, ) == 0x0 02021 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 444, {940, 764}, ) == 0x0 02022 312 NtQueryInformationThread (444, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=940,Tid=764,}, 0x0, ) == 0x0 02023 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58011, 0} (24, {28, 56, new_msg, 0, 940, 312, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\254\3\0\0\374\2\0\0" ... {28, 56, reply, 0, 940, 312, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\254\3\0\0\374\2\0\0" ) ... {28, 56, reply, 0, 940, 312, 58012, 0} (24, {28, 56, new_msg, 0, 940, 312, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\254\3\0\0\374\2\0\0" ... 
{28, 56, reply, 0, 940, 312, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\254\3\0\0\374\2\0\0" ) ) == 0x0 02024 312 NtResumeThread (444, ... 1, ) == 0x0 02025 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 67174400, 1048576, ) == 0x0 02026 312 NtAllocateVirtualMemory (-1, 68214784, 0, 8192, 4096, 4, ... 68214784, 8192, ) == 0x0 02027 312 NtProtectVirtualMemory (-1, (0x410e000), 4096, 260, ... 02028 764 NtTestAlert (... ) == 0x0 02029 764 NtContinue (67173680, 1, ... 02030 764 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02031 764 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02027 312 NtProtectVirtualMemory ... (0x410e000), 4096, 4, ) == 0x0 02032 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 448, {940, 2000}, ) == 0x0 02033 312 NtQueryInformationThread (448, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=940,Tid=2000,}, 0x0, ) == 0x0 02034 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58012, 0} (24, {28, 56, new_msg, 0, 940, 312, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\254\3\0\0\320\7\0\0" ... {28, 56, reply, 0, 940, 312, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\254\3\0\0\320\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58013, 0} (24, {28, 56, new_msg, 0, 940, 312, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\254\3\0\0\320\7\0\0" ... {28, 56, reply, 0, 940, 312, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\254\3\0\0\320\7\0\0" ) ) == 0x0 02035 312 NtResumeThread (448, ... 1, ) == 0x0 02036 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 68222976, 1048576, ) == 0x0 02037 2000 NtTestAlert (... ) == 0x0 02038 2000 NtContinue (68222256, 1, ... 02039 2000 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02040 2000 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02041 312 NtAllocateVirtualMemory (-1, 69263360, 0, 8192, 4096, 4, ... 
69263360, 8192, ) == 0x0 02042 312 NtProtectVirtualMemory (-1, (0x420e000), 4096, 260, ... (0x420e000), 4096, 4, ) == 0x0 02043 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 452, {940, 1852}, ) == 0x0 02044 312 NtQueryInformationThread (452, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=940,Tid=1852,}, 0x0, ) == 0x0 02045 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58013, 0} (24, {28, 56, new_msg, 0, 940, 312, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\254\3\0\0<\7\0\0" ... {28, 56, reply, 0, 940, 312, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\254\3\0\0<\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58014, 0} (24, {28, 56, new_msg, 0, 940, 312, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\254\3\0\0<\7\0\0" ... {28, 56, reply, 0, 940, 312, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\254\3\0\0<\7\0\0" ) ) == 0x0 02046 312 NtResumeThread (452, ... 1, ) == 0x0 02047 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 69271552, 1048576, ) == 0x0 02048 312 NtAllocateVirtualMemory (-1, 70311936, 0, 8192, 4096, 4, ... 70311936, 8192, ) == 0x0 02049 312 NtProtectVirtualMemory (-1, (0x430e000), 4096, 260, ... 02050 1852 NtTestAlert (... ) == 0x0 02051 1852 NtContinue (69270832, 1, ... 02052 1852 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02053 1852 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02049 312 NtProtectVirtualMemory ... (0x430e000), 4096, 4, ) == 0x0 02054 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 456, {940, 1420}, ) == 0x0 02055 312 NtQueryInformationThread (456, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=940,Tid=1420,}, 0x0, ) == 0x0 02056 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58014, 0} (24, {28, 56, new_msg, 0, 940, 312, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\254\3\0\0\214\5\0\0" ... 
{28, 56, reply, 0, 940, 312, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\254\3\0\0\214\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 58015, 0} (24, {28, 56, new_msg, 0, 940, 312, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\254\3\0\0\214\5\0\0" ... {28, 56, reply, 0, 940, 312, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\254\3\0\0\214\5\0\0" ) ) == 0x0 02057 312 NtResumeThread (456, ... 1, ) == 0x0 02058 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 70320128, 1048576, ) == 0x0 02059 1420 NtTestAlert (... ) == 0x0 02060 1420 NtContinue (70319408, 1, ... 02061 1420 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02062 1420 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02063 312 NtAllocateVirtualMemory (-1, 71360512, 0, 8192, 4096, 4, ... 71360512, 8192, ) == 0x0 02064 312 NtProtectVirtualMemory (-1, (0x440e000), 4096, 260, ... (0x440e000), 4096, 4, ) == 0x0 02065 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 460, {940, 164}, ) == 0x0 02066 312 NtQueryInformationThread (460, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=940,Tid=164,}, 0x0, ) == 0x0 02067 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58015, 0} (24, {28, 56, new_msg, 0, 940, 312, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\254\3\0\0\244\0\0\0" ... {28, 56, reply, 0, 940, 312, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\254\3\0\0\244\0\0\0" ) ... {28, 56, reply, 0, 940, 312, 58016, 0} (24, {28, 56, new_msg, 0, 940, 312, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\254\3\0\0\244\0\0\0" ... {28, 56, reply, 0, 940, 312, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\254\3\0\0\244\0\0\0" ) ) == 0x0 02068 312 NtResumeThread (460, ... 1, ) == 0x0 02069 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 71368704, 1048576, ) == 0x0 02070 312 NtAllocateVirtualMemory (-1, 72409088, 0, 8192, 4096, 4, ... 
72409088, 8192, ) == 0x0 02071 312 NtProtectVirtualMemory (-1, (0x450e000), 4096, 260, ... 02072 164 NtTestAlert (... ) == 0x0 02073 164 NtContinue (71367984, 1, ... 02074 164 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02075 164 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02071 312 NtProtectVirtualMemory ... (0x450e000), 4096, 4, ) == 0x0 02076 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 464, {940, 1564}, ) == 0x0 02077 312 NtQueryInformationThread (464, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=940,Tid=1564,}, 0x0, ) == 0x0 02078 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58016, 0} (24, {28, 56, new_msg, 0, 940, 312, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\254\3\0\0\34\6\0\0" ... {28, 56, reply, 0, 940, 312, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\254\3\0\0\34\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 58017, 0} (24, {28, 56, new_msg, 0, 940, 312, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\254\3\0\0\34\6\0\0" ... {28, 56, reply, 0, 940, 312, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\254\3\0\0\34\6\0\0" ) ) == 0x0 02079 312 NtResumeThread (464, ... 1, ) == 0x0 02080 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 72417280, 1048576, ) == 0x0 02081 1564 NtTestAlert (... ) == 0x0 02082 1564 NtContinue (72416560, 1, ... 02083 1564 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02084 1564 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02085 312 NtAllocateVirtualMemory (-1, 73457664, 0, 8192, 4096, 4, ... 73457664, 8192, ) == 0x0 02086 312 NtProtectVirtualMemory (-1, (0x460e000), 4096, 260, ... (0x460e000), 4096, 4, ) == 0x0 02087 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 468, {940, 1592}, ) == 0x0 02088 312 NtQueryInformationThread (468, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=940,Tid=1592,}, 0x0, ) == 0x0 02089 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58017, 0} (24, {28, 56, new_msg, 0, 940, 312, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\254\3\0\08\6\0\0" ... {28, 56, reply, 0, 940, 312, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\254\3\0\08\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 58018, 0} (24, {28, 56, new_msg, 0, 940, 312, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\254\3\0\08\6\0\0" ... {28, 56, reply, 0, 940, 312, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\254\3\0\08\6\0\0" ) ) == 0x0 02090 312 NtResumeThread (468, ... 1, ) == 0x0 02091 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 73465856, 1048576, ) == 0x0 02092 312 NtAllocateVirtualMemory (-1, 74506240, 0, 8192, 4096, 4, ... 74506240, 8192, ) == 0x0 02093 312 NtProtectVirtualMemory (-1, (0x470e000), 4096, 260, ... 02094 1592 NtTestAlert (... ) == 0x0 02095 1592 NtContinue (73465136, 1, ... 02096 1592 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02097 1592 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02093 312 NtProtectVirtualMemory ... (0x470e000), 4096, 4, ) == 0x0 02098 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 472, {940, 2032}, ) == 0x0 02099 312 NtQueryInformationThread (472, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=940,Tid=2032,}, 0x0, ) == 0x0 02100 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58018, 0} (24, {28, 56, new_msg, 0, 940, 312, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\254\3\0\0\360\7\0\0" ... {28, 56, reply, 0, 940, 312, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\254\3\0\0\360\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58019, 0} (24, {28, 56, new_msg, 0, 940, 312, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\254\3\0\0\360\7\0\0" ... 
{28, 56, reply, 0, 940, 312, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\254\3\0\0\360\7\0\0" ) ) == 0x0 02101 312 NtResumeThread (472, ... 1, ) == 0x0 02102 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 74514432, 1048576, ) == 0x0 02103 2032 NtTestAlert (... ) == 0x0 02104 2032 NtContinue (74513712, 1, ... 02105 2032 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02106 2032 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02107 312 NtAllocateVirtualMemory (-1, 75554816, 0, 8192, 4096, 4, ... 75554816, 8192, ) == 0x0 02108 312 NtProtectVirtualMemory (-1, (0x480e000), 4096, 260, ... (0x480e000), 4096, 4, ) == 0x0 02109 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 476, {940, 1500}, ) == 0x0 02110 312 NtQueryInformationThread (476, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=940,Tid=1500,}, 0x0, ) == 0x0 02111 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58019, 0} (24, {28, 56, new_msg, 0, 940, 312, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\254\3\0\0\334\5\0\0" ... {28, 56, reply, 0, 940, 312, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\254\3\0\0\334\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 58020, 0} (24, {28, 56, new_msg, 0, 940, 312, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\254\3\0\0\334\5\0\0" ... {28, 56, reply, 0, 940, 312, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\254\3\0\0\334\5\0\0" ) ) == 0x0 02112 312 NtResumeThread (476, ... 1, ) == 0x0 02113 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 75563008, 1048576, ) == 0x0 02114 312 NtAllocateVirtualMemory (-1, 76603392, 0, 8192, 4096, 4, ... 76603392, 8192, ) == 0x0 02115 312 NtProtectVirtualMemory (-1, (0x490e000), 4096, 260, ... 02116 1500 NtTestAlert (... ) == 0x0 02117 1500 NtContinue (75562288, 1, ... 02118 1500 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02119 1500 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
02115 312 NtProtectVirtualMemory ... (0x490e000), 4096, 4, ) == 0x0 02120 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 480, {940, 932}, ) == 0x0 02121 312 NtQueryInformationThread (480, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=940,Tid=932,}, 0x0, ) == 0x0 02122 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58020, 0} (24, {28, 56, new_msg, 0, 940, 312, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\254\3\0\0\244\3\0\0" ... {28, 56, reply, 0, 940, 312, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\254\3\0\0\244\3\0\0" ) ... {28, 56, reply, 0, 940, 312, 58021, 0} (24, {28, 56, new_msg, 0, 940, 312, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\254\3\0\0\244\3\0\0" ... {28, 56, reply, 0, 940, 312, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\254\3\0\0\244\3\0\0" ) ) == 0x0 02123 312 NtResumeThread (480, ... 1, ) == 0x0 02124 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 76611584, 1048576, ) == 0x0 02125 932 NtTestAlert (... ) == 0x0 02126 932 NtContinue (76610864, 1, ... 02127 932 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02128 932 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02129 312 NtAllocateVirtualMemory (-1, 77651968, 0, 8192, 4096, 4, ... 77651968, 8192, ) == 0x0 02130 312 NtProtectVirtualMemory (-1, (0x4a0e000), 4096, 260, ... (0x4a0e000), 4096, 4, ) == 0x0 02131 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 484, {940, 1528}, ) == 0x0 02132 312 NtQueryInformationThread (484, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=940,Tid=1528,}, 0x0, ) == 0x0 02133 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58021, 0} (24, {28, 56, new_msg, 0, 940, 312, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\254\3\0\0\370\5\0\0" ... {28, 56, reply, 0, 940, 312, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\254\3\0\0\370\5\0\0" ) ... 
{28, 56, reply, 0, 940, 312, 58022, 0} (24, {28, 56, new_msg, 0, 940, 312, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\254\3\0\0\370\5\0\0" ... {28, 56, reply, 0, 940, 312, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\254\3\0\0\370\5\0\0" ) ) == 0x0 02134 312 NtResumeThread (484, ... 1, ) == 0x0 02135 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 77660160, 1048576, ) == 0x0 02136 312 NtAllocateVirtualMemory (-1, 78700544, 0, 8192, 4096, 4, ... 78700544, 8192, ) == 0x0 02137 312 NtProtectVirtualMemory (-1, (0x4b0e000), 4096, 260, ... 02138 1528 NtTestAlert (... ) == 0x0 02139 1528 NtContinue (77659440, 1, ... 02140 1528 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02141 1528 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02137 312 NtProtectVirtualMemory ... (0x4b0e000), 4096, 4, ) == 0x0 02142 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 488, {940, 1780}, ) == 0x0 02143 312 NtQueryInformationThread (488, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=940,Tid=1780,}, 0x0, ) == 0x0 02144 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58022, 0} (24, {28, 56, new_msg, 0, 940, 312, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\254\3\0\0\364\6\0\0" ... {28, 56, reply, 0, 940, 312, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\254\3\0\0\364\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 58023, 0} (24, {28, 56, new_msg, 0, 940, 312, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\254\3\0\0\364\6\0\0" ... {28, 56, reply, 0, 940, 312, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\254\3\0\0\364\6\0\0" ) ) == 0x0 02145 312 NtResumeThread (488, ... 1, ) == 0x0 02146 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 78708736, 1048576, ) == 0x0 02147 1780 NtTestAlert (... ) == 0x0 02148 1780 NtContinue (78708016, 1, ... 02149 1780 NtRegisterThreadTerminatePort (24, ... 
) == 0x0 02150 1780 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02151 312 NtAllocateVirtualMemory (-1, 79749120, 0, 8192, 4096, 4, ... 79749120, 8192, ) == 0x0 02152 312 NtProtectVirtualMemory (-1, (0x4c0e000), 4096, 260, ... (0x4c0e000), 4096, 4, ) == 0x0 02153 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 492, {940, 1804}, ) == 0x0 02154 312 NtQueryInformationThread (492, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=940,Tid=1804,}, 0x0, ) == 0x0 02155 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58023, 0} (24, {28, 56, new_msg, 0, 940, 312, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\254\3\0\0\14\7\0\0" ... {28, 56, reply, 0, 940, 312, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\254\3\0\0\14\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58024, 0} (24, {28, 56, new_msg, 0, 940, 312, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\254\3\0\0\14\7\0\0" ... {28, 56, reply, 0, 940, 312, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\254\3\0\0\14\7\0\0" ) ) == 0x0 02156 312 NtResumeThread (492, ... 1, ) == 0x0 02157 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 79757312, 1048576, ) == 0x0 02158 312 NtAllocateVirtualMemory (-1, 80797696, 0, 8192, 4096, 4, ... 80797696, 8192, ) == 0x0 02159 312 NtProtectVirtualMemory (-1, (0x4d0e000), 4096, 260, ... 02160 1804 NtTestAlert (... ) == 0x0 02161 1804 NtContinue (79756592, 1, ... 02162 1804 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02163 1804 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02159 312 NtProtectVirtualMemory ... (0x4d0e000), 4096, 4, ) == 0x0 02164 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 496, {940, 1644}, ) == 0x0 02165 312 NtQueryInformationThread (496, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=940,Tid=1644,}, 0x0, ) == 0x0 02166 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58024, 0} (24, {28, 56, new_msg, 0, 940, 312, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\254\3\0\0l\6\0\0" ... {28, 56, reply, 0, 940, 312, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\254\3\0\0l\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 58025, 0} (24, {28, 56, new_msg, 0, 940, 312, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\254\3\0\0l\6\0\0" ... {28, 56, reply, 0, 940, 312, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\254\3\0\0l\6\0\0" ) ) == 0x0 02167 312 NtResumeThread (496, ... 1, ) == 0x0 02168 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 80805888, 1048576, ) == 0x0 02169 1644 NtTestAlert (... ) == 0x0 02170 1644 NtContinue (80805168, 1, ... 02171 1644 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02172 1644 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02173 312 NtAllocateVirtualMemory (-1, 81846272, 0, 8192, 4096, 4, ... 81846272, 8192, ) == 0x0 02174 312 NtProtectVirtualMemory (-1, (0x4e0e000), 4096, 260, ... (0x4e0e000), 4096, 4, ) == 0x0 02175 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 500, {940, 336}, ) == 0x0 02176 312 NtQueryInformationThread (500, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=940,Tid=336,}, 0x0, ) == 0x0 02177 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58025, 0} (24, {28, 56, new_msg, 0, 940, 312, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\254\3\0\0P\1\0\0" ... {28, 56, reply, 0, 940, 312, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\254\3\0\0P\1\0\0" ) ... {28, 56, reply, 0, 940, 312, 58026, 0} (24, {28, 56, new_msg, 0, 940, 312, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\254\3\0\0P\1\0\0" ... {28, 56, reply, 0, 940, 312, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\254\3\0\0P\1\0\0" ) ) == 0x0 02178 312 NtResumeThread (500, ... 
1, ) == 0x0 02179 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 81854464, 1048576, ) == 0x0 02180 312 NtAllocateVirtualMemory (-1, 82894848, 0, 8192, 4096, 4, ... 82894848, 8192, ) == 0x0 02181 312 NtProtectVirtualMemory (-1, (0x4f0e000), 4096, 260, ... 02182 336 NtTestAlert (... ) == 0x0 02183 336 NtContinue (81853744, 1, ... 02184 336 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02185 336 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02181 312 NtProtectVirtualMemory ... (0x4f0e000), 4096, 4, ) == 0x0 02186 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 504, {940, 800}, ) == 0x0 02187 312 NtQueryInformationThread (504, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=940,Tid=800,}, 0x0, ) == 0x0 02188 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58026, 0} (24, {28, 56, new_msg, 0, 940, 312, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\254\3\0\0 \3\0\0" ... {28, 56, reply, 0, 940, 312, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\254\3\0\0 \3\0\0" ) ... {28, 56, reply, 0, 940, 312, 58027, 0} (24, {28, 56, new_msg, 0, 940, 312, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\254\3\0\0 \3\0\0" ... {28, 56, reply, 0, 940, 312, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\254\3\0\0 \3\0\0" ) ) == 0x0 02189 312 NtResumeThread (504, ... 1, ) == 0x0 02190 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 82903040, 1048576, ) == 0x0 02191 800 NtTestAlert (... ) == 0x0 02192 800 NtContinue (82902320, 1, ... 02193 800 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02194 800 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02195 312 NtAllocateVirtualMemory (-1, 83943424, 0, 8192, 4096, 4, ... 83943424, 8192, ) == 0x0 02196 312 NtProtectVirtualMemory (-1, (0x500e000), 4096, 260, ... (0x500e000), 4096, 4, ) == 0x0 02197 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
508, {940, 504}, ) == 0x0 02198 312 NtQueryInformationThread (508, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=940,Tid=504,}, 0x0, ) == 0x0 02199 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58027, 0} (24, {28, 56, new_msg, 0, 940, 312, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\254\3\0\0\370\1\0\0" ... {28, 56, reply, 0, 940, 312, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\254\3\0\0\370\1\0\0" ) ... {28, 56, reply, 0, 940, 312, 58028, 0} (24, {28, 56, new_msg, 0, 940, 312, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\254\3\0\0\370\1\0\0" ... {28, 56, reply, 0, 940, 312, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\254\3\0\0\370\1\0\0" ) ) == 0x0 02200 312 NtResumeThread (508, ... 1, ) == 0x0 02201 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 83951616, 1048576, ) == 0x0 02202 312 NtAllocateVirtualMemory (-1, 84992000, 0, 8192, 4096, 4, ... 84992000, 8192, ) == 0x0 02203 312 NtProtectVirtualMemory (-1, (0x510e000), 4096, 260, ... 02204 504 NtTestAlert (... ) == 0x0 02205 504 NtContinue (83950896, 1, ... 02206 504 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02207 504 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02203 312 NtProtectVirtualMemory ... (0x510e000), 4096, 4, ) == 0x0 02208 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 512, {940, 888}, ) == 0x0 02209 312 NtQueryInformationThread (512, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=940,Tid=888,}, 0x0, ) == 0x0 02210 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58028, 0} (24, {28, 56, new_msg, 0, 940, 312, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\254\3\0\0x\3\0\0" ... {28, 56, reply, 0, 940, 312, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\254\3\0\0x\3\0\0" ) ... {28, 56, reply, 0, 940, 312, 58029, 0} (24, {28, 56, new_msg, 0, 940, 312, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\254\3\0\0x\3\0\0" ... 
{28, 56, reply, 0, 940, 312, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\254\3\0\0x\3\0\0" ) ) == 0x0 02211 312 NtResumeThread (512, ... 1, ) == 0x0 02212 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 85000192, 1048576, ) == 0x0 02213 888 NtTestAlert (... ) == 0x0 02214 888 NtContinue (84999472, 1, ... 02215 888 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02216 888 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02217 312 NtAllocateVirtualMemory (-1, 86040576, 0, 8192, 4096, 4, ... 86040576, 8192, ) == 0x0 02218 312 NtProtectVirtualMemory (-1, (0x520e000), 4096, 260, ... (0x520e000), 4096, 4, ) == 0x0 02219 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 516, {940, 1392}, ) == 0x0 02220 312 NtQueryInformationThread (516, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=940,Tid=1392,}, 0x0, ) == 0x0 02221 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58029, 0} (24, {28, 56, new_msg, 0, 940, 312, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\254\3\0\0p\5\0\0" ... {28, 56, reply, 0, 940, 312, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\254\3\0\0p\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 58030, 0} (24, {28, 56, new_msg, 0, 940, 312, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\254\3\0\0p\5\0\0" ... {28, 56, reply, 0, 940, 312, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\254\3\0\0p\5\0\0" ) ) == 0x0 02222 312 NtResumeThread (516, ... 1, ) == 0x0 02223 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 86048768, 1048576, ) == 0x0 02224 312 NtAllocateVirtualMemory (-1, 87089152, 0, 8192, 4096, 4, ... 87089152, 8192, ) == 0x0 02225 312 NtProtectVirtualMemory (-1, (0x530e000), 4096, 260, ... 02226 1392 NtTestAlert (... ) == 0x0 02227 1392 NtContinue (86048048, 1, ... 02228 1392 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02229 1392 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
02225 312 NtProtectVirtualMemory ... (0x530e000), 4096, 4, ) == 0x0 02230 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 520, {940, 2020}, ) == 0x0 02231 312 NtQueryInformationThread (520, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=940,Tid=2020,}, 0x0, ) == 0x0 02232 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58030, 0} (24, {28, 56, new_msg, 0, 940, 312, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\254\3\0\0\344\7\0\0" ... {28, 56, reply, 0, 940, 312, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\254\3\0\0\344\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58031, 0} (24, {28, 56, new_msg, 0, 940, 312, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\254\3\0\0\344\7\0\0" ... {28, 56, reply, 0, 940, 312, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\254\3\0\0\344\7\0\0" ) ) == 0x0 02233 312 NtResumeThread (520, ... 1, ) == 0x0 02234 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 87097344, 1048576, ) == 0x0 02235 2020 NtTestAlert (... ) == 0x0 02236 2020 NtContinue (87096624, 1, ... 02237 2020 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02238 2020 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02239 312 NtAllocateVirtualMemory (-1, 88137728, 0, 8192, 4096, 4, ... 88137728, 8192, ) == 0x0 02240 312 NtProtectVirtualMemory (-1, (0x540e000), 4096, 260, ... (0x540e000), 4096, 4, ) == 0x0 02241 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 524, {940, 740}, ) == 0x0 02242 312 NtQueryInformationThread (524, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=940,Tid=740,}, 0x0, ) == 0x0 02243 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58031, 0} (24, {28, 56, new_msg, 0, 940, 312, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\254\3\0\0\344\2\0\0" ... {28, 56, reply, 0, 940, 312, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\254\3\0\0\344\2\0\0" ) ... 
{28, 56, reply, 0, 940, 312, 58032, 0} (24, {28, 56, new_msg, 0, 940, 312, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\254\3\0\0\344\2\0\0" ... {28, 56, reply, 0, 940, 312, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\254\3\0\0\344\2\0\0" ) ) == 0x0 02244 312 NtResumeThread (524, ... 1, ) == 0x0 02245 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 88145920, 1048576, ) == 0x0 02246 312 NtAllocateVirtualMemory (-1, 89186304, 0, 8192, 4096, 4, ... 89186304, 8192, ) == 0x0 02247 312 NtProtectVirtualMemory (-1, (0x550e000), 4096, 260, ... 02248 740 NtTestAlert (... ) == 0x0 02249 740 NtContinue (88145200, 1, ... 02250 740 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02251 740 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02247 312 NtProtectVirtualMemory ... (0x550e000), 4096, 4, ) == 0x0 02252 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 528, {940, 1676}, ) == 0x0 02253 312 NtQueryInformationThread (528, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=940,Tid=1676,}, 0x0, ) == 0x0 02254 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58032, 0} (24, {28, 56, new_msg, 0, 940, 312, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\254\3\0\0\214\6\0\0" ... {28, 56, reply, 0, 940, 312, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\254\3\0\0\214\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 58033, 0} (24, {28, 56, new_msg, 0, 940, 312, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\254\3\0\0\214\6\0\0" ... {28, 56, reply, 0, 940, 312, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\254\3\0\0\214\6\0\0" ) ) == 0x0 02255 312 NtResumeThread (528, ... 1, ) == 0x0 02256 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 89194496, 1048576, ) == 0x0 02257 1676 NtTestAlert (... ) == 0x0 02258 1676 NtContinue (89193776, 1, ... 02259 1676 NtRegisterThreadTerminatePort (24, ... 
) == 0x0 02260 1676 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02261 312 NtAllocateVirtualMemory (-1, 90234880, 0, 8192, 4096, 4, ... 90234880, 8192, ) == 0x0 02262 312 NtProtectVirtualMemory (-1, (0x560e000), 4096, 260, ... (0x560e000), 4096, 4, ) == 0x0 02263 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 532, {940, 496}, ) == 0x0 02264 312 NtQueryInformationThread (532, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=940,Tid=496,}, 0x0, ) == 0x0 02265 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58033, 0} (24, {28, 56, new_msg, 0, 940, 312, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\254\3\0\0\360\1\0\0" ... {28, 56, reply, 0, 940, 312, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\254\3\0\0\360\1\0\0" ) ... {28, 56, reply, 0, 940, 312, 58034, 0} (24, {28, 56, new_msg, 0, 940, 312, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\254\3\0\0\360\1\0\0" ... {28, 56, reply, 0, 940, 312, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\254\3\0\0\360\1\0\0" ) ) == 0x0 02266 312 NtResumeThread (532, ... 1, ) == 0x0 02267 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 90243072, 1048576, ) == 0x0 02268 312 NtAllocateVirtualMemory (-1, 91283456, 0, 8192, 4096, 4, ... 91283456, 8192, ) == 0x0 02269 312 NtProtectVirtualMemory (-1, (0x570e000), 4096, 260, ... 02270 496 NtTestAlert (... ) == 0x0 02271 496 NtContinue (90242352, 1, ... 02272 496 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02273 496 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02269 312 NtProtectVirtualMemory ... (0x570e000), 4096, 4, ) == 0x0 02274 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 536, {940, 1020}, ) == 0x0 02275 312 NtQueryInformationThread (536, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=940,Tid=1020,}, 0x0, ) == 0x0 02276 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58034, 0} (24, {28, 56, new_msg, 0, 940, 312, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\254\3\0\0\374\3\0\0" ... {28, 56, reply, 0, 940, 312, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\254\3\0\0\374\3\0\0" ) ... {28, 56, reply, 0, 940, 312, 58035, 0} (24, {28, 56, new_msg, 0, 940, 312, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\254\3\0\0\374\3\0\0" ... {28, 56, reply, 0, 940, 312, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\254\3\0\0\374\3\0\0" ) ) == 0x0 02277 312 NtResumeThread (536, ... 1, ) == 0x0 02278 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 91291648, 1048576, ) == 0x0 02279 1020 NtTestAlert (... ) == 0x0 02280 1020 NtContinue (91290928, 1, ... 02281 1020 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02282 1020 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02283 312 NtAllocateVirtualMemory (-1, 92332032, 0, 8192, 4096, 4, ... 92332032, 8192, ) == 0x0 02284 312 NtProtectVirtualMemory (-1, (0x580e000), 4096, 260, ... (0x580e000), 4096, 4, ) == 0x0 02285 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 540, {940, 432}, ) == 0x0 02286 312 NtQueryInformationThread (540, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=940,Tid=432,}, 0x0, ) == 0x0 02287 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58035, 0} (24, {28, 56, new_msg, 0, 940, 312, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\254\3\0\0\260\1\0\0" ... {28, 56, reply, 0, 940, 312, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\254\3\0\0\260\1\0\0" ) ... {28, 56, reply, 0, 940, 312, 58036, 0} (24, {28, 56, new_msg, 0, 940, 312, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\254\3\0\0\260\1\0\0" ... 
{28, 56, reply, 0, 940, 312, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\254\3\0\0\260\1\0\0" ) ) == 0x0 02288 312 NtResumeThread (540, ... 1, ) == 0x0 02289 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 92340224, 1048576, ) == 0x0 02290 312 NtAllocateVirtualMemory (-1, 93380608, 0, 8192, 4096, 4, ... 93380608, 8192, ) == 0x0 02291 312 NtProtectVirtualMemory (-1, (0x590e000), 4096, 260, ... 02292 432 NtTestAlert (... ) == 0x0 02293 432 NtContinue (92339504, 1, ... 02294 432 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02295 432 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02291 312 NtProtectVirtualMemory ... (0x590e000), 4096, 4, ) == 0x0 02296 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 544, {940, 1332}, ) == 0x0 02297 312 NtQueryInformationThread (544, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=940,Tid=1332,}, 0x0, ) == 0x0 02298 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58036, 0} (24, {28, 56, new_msg, 0, 940, 312, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\254\3\0\04\5\0\0" ... {28, 56, reply, 0, 940, 312, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\254\3\0\04\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 58037, 0} (24, {28, 56, new_msg, 0, 940, 312, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\254\3\0\04\5\0\0" ... {28, 56, reply, 0, 940, 312, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\254\3\0\04\5\0\0" ) ) == 0x0 02299 312 NtResumeThread (544, ... 1, ) == 0x0 02300 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 93388800, 1048576, ) == 0x0 02301 1332 NtAllocateVirtualMemory (-1, 8810496, 0, 4096, 4096, 4, ... 8810496, 4096, ) == 0x0 02302 1332 NtTestAlert (... ) == 0x0 02303 1332 NtContinue (93388080, 1, ... 02304 1332 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02305 1332 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
02306 312 NtAllocateVirtualMemory (-1, 94429184, 0, 8192, 4096, 4, ... 94429184, 8192, ) == 0x0 02307 312 NtProtectVirtualMemory (-1, (0x5a0e000), 4096, 260, ... (0x5a0e000), 4096, 4, ) == 0x0 02308 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 548, {940, 1328}, ) == 0x0 02309 312 NtQueryInformationThread (548, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=940,Tid=1328,}, 0x0, ) == 0x0 02310 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58037, 0} (24, {28, 56, new_msg, 0, 940, 312, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\254\3\0\00\5\0\0" ... {28, 56, reply, 0, 940, 312, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\254\3\0\00\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 58038, 0} (24, {28, 56, new_msg, 0, 940, 312, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\254\3\0\00\5\0\0" ... {28, 56, reply, 0, 940, 312, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\254\3\0\00\5\0\0" ) ) == 0x0 02311 312 NtResumeThread (548, ... 1, ) == 0x0 02312 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 94437376, 1048576, ) == 0x0 02313 312 NtAllocateVirtualMemory (-1, 95477760, 0, 8192, 4096, 4, ... 95477760, 8192, ) == 0x0 02314 312 NtProtectVirtualMemory (-1, (0x5b0e000), 4096, 260, ... 02315 1328 NtTestAlert (... ) == 0x0 02316 1328 NtContinue (94436656, 1, ... 02317 1328 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02318 1328 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02314 312 NtProtectVirtualMemory ... (0x5b0e000), 4096, 4, ) == 0x0 02319 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 552, {940, 752}, ) == 0x0 02320 312 NtQueryInformationThread (552, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=940,Tid=752,}, 0x0, ) == 0x0 02321 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58038, 0} (24, {28, 56, new_msg, 0, 940, 312, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\254\3\0\0\360\2\0\0" ... 
{28, 56, reply, 0, 940, 312, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\254\3\0\0\360\2\0\0" ) ... {28, 56, reply, 0, 940, 312, 58039, 0} (24, {28, 56, new_msg, 0, 940, 312, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\254\3\0\0\360\2\0\0" ... {28, 56, reply, 0, 940, 312, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\254\3\0\0\360\2\0\0" ) ) == 0x0 02322 312 NtResumeThread (552, ... 1, ) == 0x0 02323 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 95485952, 1048576, ) == 0x0 02324 752 NtTestAlert (... ) == 0x0 02325 752 NtContinue (95485232, 1, ... 02326 752 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02327 752 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02328 312 NtAllocateVirtualMemory (-1, 96526336, 0, 8192, 4096, 4, ... 96526336, 8192, ) == 0x0 02329 312 NtProtectVirtualMemory (-1, (0x5c0e000), 4096, 260, ... (0x5c0e000), 4096, 4, ) == 0x0 02330 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 556, {940, 120}, ) == 0x0 02331 312 NtQueryInformationThread (556, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=940,Tid=120,}, 0x0, ) == 0x0 02332 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58039, 0} (24, {28, 56, new_msg, 0, 940, 312, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\254\3\0\0x\0\0\0" ... {28, 56, reply, 0, 940, 312, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\254\3\0\0x\0\0\0" ) ... {28, 56, reply, 0, 940, 312, 58040, 0} (24, {28, 56, new_msg, 0, 940, 312, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\254\3\0\0x\0\0\0" ... {28, 56, reply, 0, 940, 312, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\254\3\0\0x\0\0\0" ) ) == 0x0 02333 312 NtResumeThread (556, ... 1, ) == 0x0 02334 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 96534528, 1048576, ) == 0x0 02335 312 NtAllocateVirtualMemory (-1, 97574912, 0, 8192, 4096, 4, ... 97574912, 8192, ) == 0x0 02336 312 NtProtectVirtualMemory (-1, (0x5d0e000), 4096, 260, ... 
02337 120 NtTestAlert (... ) == 0x0 02338 120 NtContinue (96533808, 1, ... 02339 120 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02340 120 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02336 312 NtProtectVirtualMemory ... (0x5d0e000), 4096, 4, ) == 0x0 02341 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 560, {940, 1732}, ) == 0x0 02342 312 NtQueryInformationThread (560, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=940,Tid=1732,}, 0x0, ) == 0x0 02343 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58040, 0} (24, {28, 56, new_msg, 0, 940, 312, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\254\3\0\0\304\6\0\0" ... {28, 56, reply, 0, 940, 312, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\254\3\0\0\304\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 58041, 0} (24, {28, 56, new_msg, 0, 940, 312, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\254\3\0\0\304\6\0\0" ... {28, 56, reply, 0, 940, 312, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\254\3\0\0\304\6\0\0" ) ) == 0x0 02344 312 NtResumeThread (560, ... 1, ) == 0x0 02345 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 97583104, 1048576, ) == 0x0 02346 1732 NtTestAlert (... ) == 0x0 02347 1732 NtContinue (97582384, 1, ... 02348 1732 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02349 1732 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02350 312 NtAllocateVirtualMemory (-1, 98623488, 0, 8192, 4096, 4, ... 98623488, 8192, ) == 0x0 02351 312 NtProtectVirtualMemory (-1, (0x5e0e000), 4096, 260, ... (0x5e0e000), 4096, 4, ) == 0x0 02352 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 564, {940, 188}, ) == 0x0 02353 312 NtQueryInformationThread (564, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=940,Tid=188,}, 0x0, ) == 0x0 02354 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58041, 0} (24, {28, 56, new_msg, 0, 940, 312, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\254\3\0\0\274\0\0\0" ... {28, 56, reply, 0, 940, 312, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\254\3\0\0\274\0\0\0" ) ... {28, 56, reply, 0, 940, 312, 58042, 0} (24, {28, 56, new_msg, 0, 940, 312, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\254\3\0\0\274\0\0\0" ... {28, 56, reply, 0, 940, 312, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\254\3\0\0\274\0\0\0" ) ) == 0x0 02355 312 NtResumeThread (564, ... 1, ) == 0x0 02356 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 98631680, 1048576, ) == 0x0 02357 312 NtAllocateVirtualMemory (-1, 99672064, 0, 8192, 4096, 4, ... 99672064, 8192, ) == 0x0 02358 312 NtProtectVirtualMemory (-1, (0x5f0e000), 4096, 260, ... 02359 188 NtTestAlert (... ) == 0x0 02360 188 NtContinue (98630960, 1, ... 02361 188 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02362 188 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02358 312 NtProtectVirtualMemory ... (0x5f0e000), 4096, 4, ) == 0x0 02363 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 568, {940, 1636}, ) == 0x0 02364 312 NtQueryInformationThread (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=940,Tid=1636,}, 0x0, ) == 0x0 02365 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58042, 0} (24, {28, 56, new_msg, 0, 940, 312, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\254\3\0\0d\6\0\0" ... {28, 56, reply, 0, 940, 312, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\254\3\0\0d\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 58043, 0} (24, {28, 56, new_msg, 0, 940, 312, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\254\3\0\0d\6\0\0" ... 
{28, 56, reply, 0, 940, 312, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\254\3\0\0d\6\0\0" ) ) == 0x0 02366 312 NtResumeThread (568, ... 1, ) == 0x0 02367 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 99680256, 1048576, ) == 0x0 02368 1636 NtTestAlert (... ) == 0x0 02369 1636 NtContinue (99679536, 1, ... 02370 1636 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02371 1636 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02372 312 NtAllocateVirtualMemory (-1, 100720640, 0, 8192, 4096, 4, ... 100720640, 8192, ) == 0x0 02373 312 NtProtectVirtualMemory (-1, (0x600e000), 4096, 260, ... (0x600e000), 4096, 4, ) == 0x0 02374 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 572, {940, 624}, ) == 0x0 02375 312 NtQueryInformationThread (572, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=940,Tid=624,}, 0x0, ) == 0x0 02376 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58043, 0} (24, {28, 56, new_msg, 0, 940, 312, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\254\3\0\0p\2\0\0" ... {28, 56, reply, 0, 940, 312, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\254\3\0\0p\2\0\0" ) ... {28, 56, reply, 0, 940, 312, 58044, 0} (24, {28, 56, new_msg, 0, 940, 312, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\254\3\0\0p\2\0\0" ... {28, 56, reply, 0, 940, 312, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\254\3\0\0p\2\0\0" ) ) == 0x0 02377 312 NtResumeThread (572, ... 1, ) == 0x0 02378 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 100728832, 1048576, ) == 0x0 02379 312 NtAllocateVirtualMemory (-1, 101769216, 0, 8192, 4096, 4, ... 101769216, 8192, ) == 0x0 02380 312 NtProtectVirtualMemory (-1, (0x610e000), 4096, 260, ... 02381 624 NtTestAlert (... ) == 0x0 02382 624 NtContinue (100728112, 1, ... 02383 624 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02384 624 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
02380 312 NtProtectVirtualMemory ... (0x610e000), 4096, 4, ) == 0x0 02385 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 576, {940, 1948}, ) == 0x0 02386 312 NtQueryInformationThread (576, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=940,Tid=1948,}, 0x0, ) == 0x0 02387 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58044, 0} (24, {28, 56, new_msg, 0, 940, 312, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\254\3\0\0\234\7\0\0" ... {28, 56, reply, 0, 940, 312, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\254\3\0\0\234\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58045, 0} (24, {28, 56, new_msg, 0, 940, 312, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\254\3\0\0\234\7\0\0" ... {28, 56, reply, 0, 940, 312, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\254\3\0\0\234\7\0\0" ) ) == 0x0 02388 312 NtResumeThread (576, ... 1, ) == 0x0 02389 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 101777408, 1048576, ) == 0x0 02390 1948 NtTestAlert (... ) == 0x0 02391 1948 NtContinue (101776688, 1, ... 02392 1948 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02393 1948 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02394 312 NtAllocateVirtualMemory (-1, 102817792, 0, 8192, 4096, 4, ... 102817792, 8192, ) == 0x0 02395 312 NtProtectVirtualMemory (-1, (0x620e000), 4096, 260, ... (0x620e000), 4096, 4, ) == 0x0 02396 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 580, {940, 988}, ) == 0x0 02397 312 NtQueryInformationThread (580, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=940,Tid=988,}, 0x0, ) == 0x0 02398 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58045, 0} (24, {28, 56, new_msg, 0, 940, 312, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\254\3\0\0\334\3\0\0" ... {28, 56, reply, 0, 940, 312, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\254\3\0\0\334\3\0\0" ) ... 
{28, 56, reply, 0, 940, 312, 58046, 0} (24, {28, 56, new_msg, 0, 940, 312, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\254\3\0\0\334\3\0\0" ... {28, 56, reply, 0, 940, 312, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\254\3\0\0\334\3\0\0" ) ) == 0x0 02399 312 NtResumeThread (580, ... 1, ) == 0x0 02400 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 102825984, 1048576, ) == 0x0 02401 312 NtAllocateVirtualMemory (-1, 103866368, 0, 8192, 4096, 4, ... 103866368, 8192, ) == 0x0 02402 312 NtProtectVirtualMemory (-1, (0x630e000), 4096, 260, ... 02403 988 NtTestAlert (... ) == 0x0 02404 988 NtContinue (102825264, 1, ... 02405 988 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02406 988 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02402 312 NtProtectVirtualMemory ... (0x630e000), 4096, 4, ) == 0x0 02407 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 584, {940, 468}, ) == 0x0 02408 312 NtQueryInformationThread (584, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=940,Tid=468,}, 0x0, ) == 0x0 02409 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58046, 0} (24, {28, 56, new_msg, 0, 940, 312, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\254\3\0\0\324\1\0\0" ... {28, 56, reply, 0, 940, 312, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\254\3\0\0\324\1\0\0" ) ... {28, 56, reply, 0, 940, 312, 58047, 0} (24, {28, 56, new_msg, 0, 940, 312, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\254\3\0\0\324\1\0\0" ... {28, 56, reply, 0, 940, 312, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\254\3\0\0\324\1\0\0" ) ) == 0x0 02410 312 NtResumeThread (584, ... 1, ) == 0x0 02411 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 103874560, 1048576, ) == 0x0 02412 468 NtTestAlert (... ) == 0x0 02413 468 NtContinue (103873840, 1, ... 02414 468 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02415 468 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
02416 312 NtAllocateVirtualMemory (-1, 104914944, 0, 8192, 4096, 4, ... 104914944, 8192, ) == 0x0 02417 312 NtProtectVirtualMemory (-1, (0x640e000), 4096, 260, ... (0x640e000), 4096, 4, ) == 0x0 02418 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 588, {940, 380}, ) == 0x0 02419 312 NtQueryInformationThread (588, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=940,Tid=380,}, 0x0, ) == 0x0 02420 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58047, 0} (24, {28, 56, new_msg, 0, 940, 312, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\254\3\0\0|\1\0\0" ... {28, 56, reply, 0, 940, 312, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\254\3\0\0|\1\0\0" ) ... {28, 56, reply, 0, 940, 312, 58048, 0} (24, {28, 56, new_msg, 0, 940, 312, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\254\3\0\0|\1\0\0" ... {28, 56, reply, 0, 940, 312, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\254\3\0\0|\1\0\0" ) ) == 0x0 02421 312 NtResumeThread (588, ... 1, ) == 0x0 02422 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 104923136, 1048576, ) == 0x0 02423 312 NtAllocateVirtualMemory (-1, 105963520, 0, 8192, 4096, 4, ... 105963520, 8192, ) == 0x0 02424 312 NtProtectVirtualMemory (-1, (0x650e000), 4096, 260, ... 02425 380 NtTestAlert (... ) == 0x0 02426 380 NtContinue (104922416, 1, ... 02427 380 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02428 380 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02424 312 NtProtectVirtualMemory ... (0x650e000), 4096, 4, ) == 0x0 02429 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 592, {940, 1692}, ) == 0x0 02430 312 NtQueryInformationThread (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=940,Tid=1692,}, 0x0, ) == 0x0 02431 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58048, 0} (24, {28, 56, new_msg, 0, 940, 312, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\254\3\0\0\234\6\0\0" ... 
{28, 56, reply, 0, 940, 312, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\254\3\0\0\234\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 58049, 0} (24, {28, 56, new_msg, 0, 940, 312, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\254\3\0\0\234\6\0\0" ... {28, 56, reply, 0, 940, 312, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\254\3\0\0\234\6\0\0" ) ) == 0x0 02432 312 NtResumeThread (592, ... 1, ) == 0x0 02433 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 105971712, 1048576, ) == 0x0 02434 1692 NtTestAlert (... ) == 0x0 02435 1692 NtContinue (105970992, 1, ... 02436 1692 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02437 1692 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02438 312 NtAllocateVirtualMemory (-1, 107012096, 0, 8192, 4096, 4, ... 107012096, 8192, ) == 0x0 02439 312 NtProtectVirtualMemory (-1, (0x660e000), 4096, 260, ... (0x660e000), 4096, 4, ) == 0x0 02440 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 596, {940, 1792}, ) == 0x0 02441 312 NtQueryInformationThread (596, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=940,Tid=1792,}, 0x0, ) == 0x0 02442 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58049, 0} (24, {28, 56, new_msg, 0, 940, 312, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\254\3\0\0\0\7\0\0" ... {28, 56, reply, 0, 940, 312, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\254\3\0\0\0\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58050, 0} (24, {28, 56, new_msg, 0, 940, 312, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\254\3\0\0\0\7\0\0" ... {28, 56, reply, 0, 940, 312, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\254\3\0\0\0\7\0\0" ) ) == 0x0 02443 312 NtResumeThread (596, ... 1, ) == 0x0 02444 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 107020288, 1048576, ) == 0x0 02445 312 NtAllocateVirtualMemory (-1, 108060672, 0, 8192, 4096, 4, ... 108060672, 8192, ) == 0x0 02446 312 NtProtectVirtualMemory (-1, (0x670e000), 4096, 260, ... 
02447 1792 NtTestAlert (... ) == 0x0 02448 1792 NtContinue (107019568, 1, ... 02449 1792 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02450 1792 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02446 312 NtProtectVirtualMemory ... (0x670e000), 4096, 4, ) == 0x0 02451 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 600, {940, 784}, ) == 0x0 02452 312 NtQueryInformationThread (600, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=940,Tid=784,}, 0x0, ) == 0x0 02453 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58050, 0} (24, {28, 56, new_msg, 0, 940, 312, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\254\3\0\0\20\3\0\0" ... {28, 56, reply, 0, 940, 312, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\254\3\0\0\20\3\0\0" ) ... {28, 56, reply, 0, 940, 312, 58051, 0} (24, {28, 56, new_msg, 0, 940, 312, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\254\3\0\0\20\3\0\0" ... {28, 56, reply, 0, 940, 312, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\254\3\0\0\20\3\0\0" ) ) == 0x0 02454 312 NtResumeThread (600, ... 1, ) == 0x0 02455 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 108068864, 1048576, ) == 0x0 02456 784 NtTestAlert (... ) == 0x0 02457 784 NtContinue (108068144, 1, ... 02458 784 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02459 784 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02460 312 NtAllocateVirtualMemory (-1, 109109248, 0, 8192, 4096, 4, ... 109109248, 8192, ) == 0x0 02461 312 NtProtectVirtualMemory (-1, (0x680e000), 4096, 260, ... (0x680e000), 4096, 4, ) == 0x0 02462 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {940, 1520}, ) == 0x0 02463 312 NtQueryInformationThread (604, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=940,Tid=1520,}, 0x0, ) == 0x0 02464 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58051, 0} (24, {28, 56, new_msg, 0, 940, 312, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\254\3\0\0\360\5\0\0" ... {28, 56, reply, 0, 940, 312, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\254\3\0\0\360\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 58052, 0} (24, {28, 56, new_msg, 0, 940, 312, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\254\3\0\0\360\5\0\0" ... {28, 56, reply, 0, 940, 312, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\254\3\0\0\360\5\0\0" ) ) == 0x0 02465 312 NtResumeThread (604, ... 1, ) == 0x0 02466 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 109117440, 1048576, ) == 0x0 02467 312 NtAllocateVirtualMemory (-1, 110157824, 0, 8192, 4096, 4, ... 110157824, 8192, ) == 0x0 02468 312 NtProtectVirtualMemory (-1, (0x690e000), 4096, 260, ... 02469 1520 NtTestAlert (... ) == 0x0 02470 1520 NtContinue (109116720, 1, ... 02471 1520 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02472 1520 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02468 312 NtProtectVirtualMemory ... (0x690e000), 4096, 4, ) == 0x0 02473 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 608, {940, 1696}, ) == 0x0 02474 312 NtQueryInformationThread (608, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=940,Tid=1696,}, 0x0, ) == 0x0 02475 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58052, 0} (24, {28, 56, new_msg, 0, 940, 312, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\254\3\0\0\240\6\0\0" ... {28, 56, reply, 0, 940, 312, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\254\3\0\0\240\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 58053, 0} (24, {28, 56, new_msg, 0, 940, 312, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\254\3\0\0\240\6\0\0" ... 
{28, 56, reply, 0, 940, 312, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\254\3\0\0\240\6\0\0" ) ) == 0x0 02476 312 NtResumeThread (608, ... 1, ) == 0x0 02477 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 110166016, 1048576, ) == 0x0 02478 1696 NtTestAlert (... ) == 0x0 02479 1696 NtContinue (110165296, 1, ... 02480 1696 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02481 1696 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02482 312 NtAllocateVirtualMemory (-1, 111206400, 0, 8192, 4096, 4, ... 111206400, 8192, ) == 0x0 02483 312 NtProtectVirtualMemory (-1, (0x6a0e000), 4096, 260, ... (0x6a0e000), 4096, 4, ) == 0x0 02484 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 612, {940, 1744}, ) == 0x0 02485 312 NtQueryInformationThread (612, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=940,Tid=1744,}, 0x0, ) == 0x0 02486 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58053, 0} (24, {28, 56, new_msg, 0, 940, 312, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\254\3\0\0\320\6\0\0" ... {28, 56, reply, 0, 940, 312, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\254\3\0\0\320\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 58054, 0} (24, {28, 56, new_msg, 0, 940, 312, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\254\3\0\0\320\6\0\0" ... {28, 56, reply, 0, 940, 312, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\254\3\0\0\320\6\0\0" ) ) == 0x0 02487 312 NtResumeThread (612, ... 1, ) == 0x0 02488 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 111214592, 1048576, ) == 0x0 02489 312 NtAllocateVirtualMemory (-1, 112254976, 0, 8192, 4096, 4, ... 112254976, 8192, ) == 0x0 02490 312 NtProtectVirtualMemory (-1, (0x6b0e000), 4096, 260, ... 02491 1744 NtTestAlert (... ) == 0x0 02492 1744 NtContinue (111213872, 1, ... 02493 1744 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02494 1744 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
02490 312 NtProtectVirtualMemory ... (0x6b0e000), 4096, 4, ) == 0x0 02495 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {940, 1124}, ) == 0x0 02496 312 NtQueryInformationThread (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=940,Tid=1124,}, 0x0, ) == 0x0 02497 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58054, 0} (24, {28, 56, new_msg, 0, 940, 312, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\254\3\0\0d\4\0\0" ... {28, 56, reply, 0, 940, 312, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\254\3\0\0d\4\0\0" ) ... {28, 56, reply, 0, 940, 312, 58055, 0} (24, {28, 56, new_msg, 0, 940, 312, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\254\3\0\0d\4\0\0" ... {28, 56, reply, 0, 940, 312, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\254\3\0\0d\4\0\0" ) ) == 0x0 02498 312 NtResumeThread (616, ... 1, ) == 0x0 02499 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 112263168, 1048576, ) == 0x0 02500 1124 NtTestAlert (... ) == 0x0 02501 1124 NtContinue (112262448, 1, ... 02502 1124 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02503 1124 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02504 312 NtAllocateVirtualMemory (-1, 113303552, 0, 8192, 4096, 4, ... 113303552, 8192, ) == 0x0 02505 312 NtProtectVirtualMemory (-1, (0x6c0e000), 4096, 260, ... (0x6c0e000), 4096, 4, ) == 0x0 02506 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 620, {940, 1496}, ) == 0x0 02507 312 NtQueryInformationThread (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=940,Tid=1496,}, 0x0, ) == 0x0 02508 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58055, 0} (24, {28, 56, new_msg, 0, 940, 312, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\254\3\0\0\330\5\0\0" ... {28, 56, reply, 0, 940, 312, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\254\3\0\0\330\5\0\0" ) ... 
{28, 56, reply, 0, 940, 312, 58056, 0} (24, {28, 56, new_msg, 0, 940, 312, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\254\3\0\0\330\5\0\0" ... {28, 56, reply, 0, 940, 312, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\254\3\0\0\330\5\0\0" ) ) == 0x0 02509 312 NtResumeThread (620, ... 1, ) == 0x0 02510 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 113311744, 1048576, ) == 0x0 02511 312 NtAllocateVirtualMemory (-1, 114352128, 0, 8192, 4096, 4, ... 114352128, 8192, ) == 0x0 02512 312 NtProtectVirtualMemory (-1, (0x6d0e000), 4096, 260, ... 02513 1496 NtTestAlert (... ) == 0x0 02514 1496 NtContinue (113311024, 1, ... 02515 1496 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02516 1496 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02512 312 NtProtectVirtualMemory ... (0x6d0e000), 4096, 4, ) == 0x0 02517 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 624, {940, 168}, ) == 0x0 02518 312 NtQueryInformationThread (624, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=940,Tid=168,}, 0x0, ) == 0x0 02519 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58056, 0} (24, {28, 56, new_msg, 0, 940, 312, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\254\3\0\0\250\0\0\0" ... {28, 56, reply, 0, 940, 312, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\254\3\0\0\250\0\0\0" ) ... {28, 56, reply, 0, 940, 312, 58057, 0} (24, {28, 56, new_msg, 0, 940, 312, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\254\3\0\0\250\0\0\0" ... {28, 56, reply, 0, 940, 312, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\254\3\0\0\250\0\0\0" ) ) == 0x0 02520 312 NtResumeThread (624, ... 1, ) == 0x0 02521 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 114360320, 1048576, ) == 0x0 02522 168 NtTestAlert (... ) == 0x0 02523 168 NtContinue (114359600, 1, ... 02524 168 NtRegisterThreadTerminatePort (24, ... 
) == 0x0 02525 168 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02526 312 NtAllocateVirtualMemory (-1, 115400704, 0, 8192, 4096, 4, ... 115400704, 8192, ) == 0x0 02527 312 NtProtectVirtualMemory (-1, (0x6e0e000), 4096, 260, ... (0x6e0e000), 4096, 4, ) == 0x0 02528 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {940, 1284}, ) == 0x0 02529 312 NtQueryInformationThread (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=940,Tid=1284,}, 0x0, ) == 0x0 02530 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58057, 0} (24, {28, 56, new_msg, 0, 940, 312, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\254\3\0\0\4\5\0\0" ... {28, 56, reply, 0, 940, 312, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\254\3\0\0\4\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 58058, 0} (24, {28, 56, new_msg, 0, 940, 312, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\254\3\0\0\4\5\0\0" ... {28, 56, reply, 0, 940, 312, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\254\3\0\0\4\5\0\0" ) ) == 0x0 02531 312 NtResumeThread (628, ... 1, ) == 0x0 02532 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 115408896, 1048576, ) == 0x0 02533 312 NtAllocateVirtualMemory (-1, 116449280, 0, 8192, 4096, 4, ... 116449280, 8192, ) == 0x0 02534 312 NtProtectVirtualMemory (-1, (0x6f0e000), 4096, 260, ... 02535 1284 NtTestAlert (... ) == 0x0 02536 1284 NtContinue (115408176, 1, ... 02537 1284 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02538 1284 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02534 312 NtProtectVirtualMemory ... (0x6f0e000), 4096, 4, ) == 0x0 02539 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 632, {940, 1268}, ) == 0x0 02540 312 NtQueryInformationThread (632, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=940,Tid=1268,}, 0x0, ) == 0x0 02541 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58058, 0} (24, {28, 56, new_msg, 0, 940, 312, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\254\3\0\0\364\4\0\0" ... {28, 56, reply, 0, 940, 312, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\254\3\0\0\364\4\0\0" ) ... {28, 56, reply, 0, 940, 312, 58059, 0} (24, {28, 56, new_msg, 0, 940, 312, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\254\3\0\0\364\4\0\0" ... {28, 56, reply, 0, 940, 312, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\254\3\0\0\364\4\0\0" ) ) == 0x0 02542 312 NtResumeThread (632, ... 1, ) == 0x0 02543 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 116457472, 1048576, ) == 0x0 02544 1268 NtTestAlert (... ) == 0x0 02545 1268 NtContinue (116456752, 1, ... 02546 1268 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02547 1268 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02548 312 NtAllocateVirtualMemory (-1, 117497856, 0, 8192, 4096, 4, ... 117497856, 8192, ) == 0x0 02549 312 NtProtectVirtualMemory (-1, (0x700e000), 4096, 260, ... (0x700e000), 4096, 4, ) == 0x0 02550 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 636, {940, 840}, ) == 0x0 02551 312 NtQueryInformationThread (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=940,Tid=840,}, 0x0, ) == 0x0 02552 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58059, 0} (24, {28, 56, new_msg, 0, 940, 312, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\254\3\0\0H\3\0\0" ... {28, 56, reply, 0, 940, 312, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\254\3\0\0H\3\0\0" ) ... {28, 56, reply, 0, 940, 312, 58060, 0} (24, {28, 56, new_msg, 0, 940, 312, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\254\3\0\0H\3\0\0" ... {28, 56, reply, 0, 940, 312, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\254\3\0\0H\3\0\0" ) ) == 0x0 02553 312 NtResumeThread (636, ... 
1, ) == 0x0 02554 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 117506048, 1048576, ) == 0x0 02555 312 NtAllocateVirtualMemory (-1, 118546432, 0, 8192, 4096, 4, ... 118546432, 8192, ) == 0x0 02556 312 NtProtectVirtualMemory (-1, (0x710e000), 4096, 260, ... 02557 840 NtTestAlert (... ) == 0x0 02558 840 NtContinue (117505328, 1, ... 02559 840 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02560 840 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02556 312 NtProtectVirtualMemory ... (0x710e000), 4096, 4, ) == 0x0 02561 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 640, {940, 1336}, ) == 0x0 02562 312 NtQueryInformationThread (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=940,Tid=1336,}, 0x0, ) == 0x0 02563 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58060, 0} (24, {28, 56, new_msg, 0, 940, 312, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\254\3\0\08\5\0\0" ... {28, 56, reply, 0, 940, 312, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\254\3\0\08\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 58061, 0} (24, {28, 56, new_msg, 0, 940, 312, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\254\3\0\08\5\0\0" ... {28, 56, reply, 0, 940, 312, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\254\3\0\08\5\0\0" ) ) == 0x0 02564 312 NtResumeThread (640, ... 1, ) == 0x0 02565 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 118554624, 1048576, ) == 0x0 02566 1336 NtTestAlert (... ) == 0x0 02567 1336 NtContinue (118553904, 1, ... 02568 1336 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02569 1336 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02570 312 NtAllocateVirtualMemory (-1, 119595008, 0, 8192, 4096, 4, ... 119595008, 8192, ) == 0x0 02571 312 NtProtectVirtualMemory (-1, (0x720e000), 4096, 260, ... (0x720e000), 4096, 4, ) == 0x0 02572 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
644, {940, 1200}, ) == 0x0 02573 312 NtQueryInformationThread (644, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=940,Tid=1200,}, 0x0, ) == 0x0 02574 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58061, 0} (24, {28, 56, new_msg, 0, 940, 312, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\254\3\0\0\260\4\0\0" ... {28, 56, reply, 0, 940, 312, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\254\3\0\0\260\4\0\0" ) ... {28, 56, reply, 0, 940, 312, 58062, 0} (24, {28, 56, new_msg, 0, 940, 312, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\254\3\0\0\260\4\0\0" ... {28, 56, reply, 0, 940, 312, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\254\3\0\0\260\4\0\0" ) ) == 0x0 02575 312 NtResumeThread (644, ... 1, ) == 0x0 02576 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 119603200, 1048576, ) == 0x0 02577 312 NtAllocateVirtualMemory (-1, 120643584, 0, 8192, 4096, 4, ... 120643584, 8192, ) == 0x0 02578 312 NtProtectVirtualMemory (-1, (0x730e000), 4096, 260, ... 02579 1200 NtTestAlert (... ) == 0x0 02580 1200 NtContinue (119602480, 1, ... 02581 1200 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02582 1200 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02578 312 NtProtectVirtualMemory ... (0x730e000), 4096, 4, ) == 0x0 02583 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {940, 1920}, ) == 0x0 02584 312 NtQueryInformationThread (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=940,Tid=1920,}, 0x0, ) == 0x0 02585 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58062, 0} (24, {28, 56, new_msg, 0, 940, 312, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\254\3\0\0\200\7\0\0" ... {28, 56, reply, 0, 940, 312, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\254\3\0\0\200\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58063, 0} (24, {28, 56, new_msg, 0, 940, 312, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\254\3\0\0\200\7\0\0" ... 
{28, 56, reply, 0, 940, 312, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\254\3\0\0\200\7\0\0" ) ) == 0x0 02586 312 NtResumeThread (648, ... 1, ) == 0x0 02587 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 120651776, 1048576, ) == 0x0 02588 1920 NtTestAlert (... ) == 0x0 02589 1920 NtContinue (120651056, 1, ... 02590 1920 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02591 1920 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02592 312 NtAllocateVirtualMemory (-1, 121692160, 0, 8192, 4096, 4, ... 121692160, 8192, ) == 0x0 02593 312 NtProtectVirtualMemory (-1, (0x740e000), 4096, 260, ... (0x740e000), 4096, 4, ) == 0x0 02594 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 652, {940, 896}, ) == 0x0 02595 312 NtQueryInformationThread (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=940,Tid=896,}, 0x0, ) == 0x0 02596 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58063, 0} (24, {28, 56, new_msg, 0, 940, 312, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\254\3\0\0\200\3\0\0" ... {28, 56, reply, 0, 940, 312, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\254\3\0\0\200\3\0\0" ) ... {28, 56, reply, 0, 940, 312, 58064, 0} (24, {28, 56, new_msg, 0, 940, 312, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\254\3\0\0\200\3\0\0" ... {28, 56, reply, 0, 940, 312, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\254\3\0\0\200\3\0\0" ) ) == 0x0 02597 312 NtResumeThread (652, ... 1, ) == 0x0 02598 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 121700352, 1048576, ) == 0x0 02599 312 NtAllocateVirtualMemory (-1, 122740736, 0, 8192, 4096, 4, ... 122740736, 8192, ) == 0x0 02600 312 NtProtectVirtualMemory (-1, (0x750e000), 4096, 260, ... 02601 896 NtTestAlert (... ) == 0x0 02602 896 NtContinue (121699632, 1, ... 02603 896 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02604 896 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
02600 312 NtProtectVirtualMemory ... (0x750e000), 4096, 4, ) == 0x0 02605 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {940, 2016}, ) == 0x0 02606 312 NtQueryInformationThread (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=940,Tid=2016,}, 0x0, ) == 0x0 02607 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58064, 0} (24, {28, 56, new_msg, 0, 940, 312, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\254\3\0\0\340\7\0\0" ... {28, 56, reply, 0, 940, 312, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\254\3\0\0\340\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58065, 0} (24, {28, 56, new_msg, 0, 940, 312, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\254\3\0\0\340\7\0\0" ... {28, 56, reply, 0, 940, 312, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\254\3\0\0\340\7\0\0" ) ) == 0x0 02608 312 NtResumeThread (656, ... 1, ) == 0x0 02609 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 122748928, 1048576, ) == 0x0 02610 2016 NtAllocateVirtualMemory (-1, 8814592, 0, 4096, 4096, 4, ... 8814592, 4096, ) == 0x0 02611 2016 NtTestAlert (... ) == 0x0 02612 2016 NtContinue (122748208, 1, ... 02613 2016 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02614 2016 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02615 312 NtAllocateVirtualMemory (-1, 123789312, 0, 8192, 4096, 4, ... 123789312, 8192, ) == 0x0 02616 312 NtProtectVirtualMemory (-1, (0x760e000), 4096, 260, ... (0x760e000), 4096, 4, ) == 0x0 02617 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {940, 2012}, ) == 0x0 02618 312 NtQueryInformationThread (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=940,Tid=2012,}, 0x0, ) == 0x0 02619 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58065, 0} (24, {28, 56, new_msg, 0, 940, 312, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\254\3\0\0\334\7\0\0" ... 
{28, 56, reply, 0, 940, 312, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\254\3\0\0\334\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58066, 0} (24, {28, 56, new_msg, 0, 940, 312, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\254\3\0\0\334\7\0\0" ... {28, 56, reply, 0, 940, 312, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\254\3\0\0\334\7\0\0" ) ) == 0x0 02620 312 NtResumeThread (660, ... 1, ) == 0x0 02621 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 123797504, 1048576, ) == 0x0 02622 312 NtAllocateVirtualMemory (-1, 124837888, 0, 8192, 4096, 4, ... 124837888, 8192, ) == 0x0 02623 312 NtProtectVirtualMemory (-1, (0x770e000), 4096, 260, ... 02624 2012 NtTestAlert (... ) == 0x0 02625 2012 NtContinue (123796784, 1, ... 02626 2012 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02627 2012 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02623 312 NtProtectVirtualMemory ... (0x770e000), 4096, 4, ) == 0x0 02628 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {940, 1604}, ) == 0x0 02629 312 NtQueryInformationThread (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=940,Tid=1604,}, 0x0, ) == 0x0 02630 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58066, 0} (24, {28, 56, new_msg, 0, 940, 312, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\254\3\0\0D\6\0\0" ... {28, 56, reply, 0, 940, 312, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\254\3\0\0D\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 58067, 0} (24, {28, 56, new_msg, 0, 940, 312, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\254\3\0\0D\6\0\0" ... {28, 56, reply, 0, 940, 312, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\254\3\0\0D\6\0\0" ) ) == 0x0 02631 312 NtResumeThread (664, ... 1, ) == 0x0 02632 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 124846080, 1048576, ) == 0x0 02633 1604 NtTestAlert (... ) == 0x0 02634 1604 NtContinue (124845360, 1, ... 
02635 1604 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02636 1604 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02637 312 NtAllocateVirtualMemory (-1, 125886464, 0, 8192, 4096, 4, ... 125886464, 8192, ) == 0x0 02638 312 NtProtectVirtualMemory (-1, (0x780e000), 4096, 260, ... (0x780e000), 4096, 4, ) == 0x0 02639 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {940, 1572}, ) == 0x0 02640 312 NtQueryInformationThread (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=940,Tid=1572,}, 0x0, ) == 0x0 02641 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58067, 0} (24, {28, 56, new_msg, 0, 940, 312, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\254\3\0\0$\6\0\0" ... {28, 56, reply, 0, 940, 312, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\254\3\0\0$\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 58068, 0} (24, {28, 56, new_msg, 0, 940, 312, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\254\3\0\0$\6\0\0" ... {28, 56, reply, 0, 940, 312, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\254\3\0\0$\6\0\0" ) ) == 0x0 02642 312 NtResumeThread (668, ... 1, ) == 0x0 02643 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 125894656, 1048576, ) == 0x0 02644 312 NtAllocateVirtualMemory (-1, 126935040, 0, 8192, 4096, 4, ... 126935040, 8192, ) == 0x0 02645 312 NtProtectVirtualMemory (-1, (0x790e000), 4096, 260, ... 02646 1572 NtTestAlert (... ) == 0x0 02647 1572 NtContinue (125893936, 1, ... 02648 1572 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02649 1572 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02645 312 NtProtectVirtualMemory ... (0x790e000), 4096, 4, ) == 0x0 02650 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {940, 596}, ) == 0x0 02651 312 NtQueryInformationThread (672, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=940,Tid=596,}, 0x0, ) == 0x0 02652 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58068, 0} (24, {28, 56, new_msg, 0, 940, 312, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\254\3\0\0T\2\0\0" ... {28, 56, reply, 0, 940, 312, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\254\3\0\0T\2\0\0" ) ... {28, 56, reply, 0, 940, 312, 58069, 0} (24, {28, 56, new_msg, 0, 940, 312, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\254\3\0\0T\2\0\0" ... {28, 56, reply, 0, 940, 312, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\254\3\0\0T\2\0\0" ) ) == 0x0 02653 312 NtResumeThread (672, ... 1, ) == 0x0 02654 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 126943232, 1048576, ) == 0x0 02655 596 NtTestAlert (... ) == 0x0 02656 596 NtContinue (126942512, 1, ... 02657 596 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02658 596 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02659 312 NtAllocateVirtualMemory (-1, 127983616, 0, 8192, 4096, 4, ... 127983616, 8192, ) == 0x0 02660 312 NtProtectVirtualMemory (-1, (0x7a0e000), 4096, 260, ... (0x7a0e000), 4096, 4, ) == 0x0 02661 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {940, 376}, ) == 0x0 02662 312 NtQueryInformationThread (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=940,Tid=376,}, 0x0, ) == 0x0 02663 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58069, 0} (24, {28, 56, new_msg, 0, 940, 312, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\254\3\0\0x\1\0\0" ... {28, 56, reply, 0, 940, 312, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\254\3\0\0x\1\0\0" ) ... {28, 56, reply, 0, 940, 312, 58070, 0} (24, {28, 56, new_msg, 0, 940, 312, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\254\3\0\0x\1\0\0" ... {28, 56, reply, 0, 940, 312, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\254\3\0\0x\1\0\0" ) ) == 0x0 02664 312 NtResumeThread (676, ... 
1, ) == 0x0 02665 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 127991808, 1048576, ) == 0x0 02666 312 NtAllocateVirtualMemory (-1, 129032192, 0, 8192, 4096, 4, ... 129032192, 8192, ) == 0x0 02667 312 NtProtectVirtualMemory (-1, (0x7b0e000), 4096, 260, ... 02668 376 NtTestAlert (... ) == 0x0 02669 376 NtContinue (127991088, 1, ... 02670 376 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02671 376 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02667 312 NtProtectVirtualMemory ... (0x7b0e000), 4096, 4, ) == 0x0 02672 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {940, 1168}, ) == 0x0 02673 312 NtQueryInformationThread (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=940,Tid=1168,}, 0x0, ) == 0x0 02674 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58070, 0} (24, {28, 56, new_msg, 0, 940, 312, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\254\3\0\0\220\4\0\0" ... {28, 56, reply, 0, 940, 312, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\254\3\0\0\220\4\0\0" ) ... {28, 56, reply, 0, 940, 312, 58071, 0} (24, {28, 56, new_msg, 0, 940, 312, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\254\3\0\0\220\4\0\0" ... {28, 56, reply, 0, 940, 312, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\254\3\0\0\220\4\0\0" ) ) == 0x0 02675 312 NtResumeThread (680, ... 1, ) == 0x0 02676 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 129040384, 1048576, ) == 0x0 02677 1168 NtTestAlert (... ) == 0x0 02678 1168 NtContinue (129039664, 1, ... 02679 1168 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02680 1168 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02681 312 NtAllocateVirtualMemory (-1, 130080768, 0, 8192, 4096, 4, ... 130080768, 8192, ) == 0x0 02682 312 NtProtectVirtualMemory (-1, (0x7c0e000), 4096, 260, ... (0x7c0e000), 4096, 4, ) == 0x0 02683 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
684, {940, 428}, ) == 0x0 02684 312 NtQueryInformationThread (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=940,Tid=428,}, 0x0, ) == 0x0 02685 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58071, 0} (24, {28, 56, new_msg, 0, 940, 312, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\254\3\0\0\254\1\0\0" ... {28, 56, reply, 0, 940, 312, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\254\3\0\0\254\1\0\0" ) ... {28, 56, reply, 0, 940, 312, 58072, 0} (24, {28, 56, new_msg, 0, 940, 312, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\254\3\0\0\254\1\0\0" ... {28, 56, reply, 0, 940, 312, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\254\3\0\0\254\1\0\0" ) ) == 0x0 02686 312 NtResumeThread (684, ... 1, ) == 0x0 02687 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 130088960, 1048576, ) == 0x0 02688 312 NtAllocateVirtualMemory (-1, 131129344, 0, 8192, 4096, 4, ... 131129344, 8192, ) == 0x0 02689 312 NtProtectVirtualMemory (-1, (0x7d0e000), 4096, 260, ... 02690 428 NtTestAlert (... ) == 0x0 02691 428 NtContinue (130088240, 1, ... 02692 428 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02693 428 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02689 312 NtProtectVirtualMemory ... (0x7d0e000), 4096, 4, ) == 0x0 02694 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {940, 1344}, ) == 0x0 02695 312 NtQueryInformationThread (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=940,Tid=1344,}, 0x0, ) == 0x0 02696 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58072, 0} (24, {28, 56, new_msg, 0, 940, 312, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\254\3\0\0@\5\0\0" ... {28, 56, reply, 0, 940, 312, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\254\3\0\0@\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 58073, 0} (24, {28, 56, new_msg, 0, 940, 312, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\254\3\0\0@\5\0\0" ... 
{28, 56, reply, 0, 940, 312, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\254\3\0\0@\5\0\0" ) ) == 0x0 02697 312 NtResumeThread (688, ... 1, ) == 0x0 02698 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 131137536, 1048576, ) == 0x0 02699 312 NtAllocateVirtualMemory (-1, 132177920, 0, 8192, 4096, 4, ... 132177920, 8192, ) == 0x0 02700 312 NtProtectVirtualMemory (-1, (0x7e0e000), 4096, 260, ... 02701 1344 NtTestAlert (... ) == 0x0 02702 1344 NtContinue (131136816, 1, ... 02703 1344 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02704 1344 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02700 312 NtProtectVirtualMemory ... (0x7e0e000), 4096, 4, ) == 0x0 02705 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {940, 1300}, ) == 0x0 02706 312 NtQueryInformationThread (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=940,Tid=1300,}, 0x0, ) == 0x0 02707 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58073, 0} (24, {28, 56, new_msg, 0, 940, 312, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\254\3\0\0\24\5\0\0" ... {28, 56, reply, 0, 940, 312, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\254\3\0\0\24\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 58074, 0} (24, {28, 56, new_msg, 0, 940, 312, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\254\3\0\0\24\5\0\0" ... {28, 56, reply, 0, 940, 312, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\254\3\0\0\24\5\0\0" ) ) == 0x0 02708 312 NtResumeThread (692, ... 1, ) == 0x0 02709 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 132186112, 1048576, ) == 0x0 02710 1300 NtTestAlert (... ) == 0x0 02711 1300 NtContinue (132185392, 1, ... 02712 1300 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02713 1300 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02714 312 NtAllocateVirtualMemory (-1, 133226496, 0, 8192, 4096, 4, ... 
133226496, 8192, ) == 0x0 02715 312 NtProtectVirtualMemory (-1, (0x7f0e000), 4096, 260, ... (0x7f0e000), 4096, 4, ) == 0x0 02716 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {940, 1096}, ) == 0x0 02717 312 NtQueryInformationThread (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=940,Tid=1096,}, 0x0, ) == 0x0 02718 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58074, 0} (24, {28, 56, new_msg, 0, 940, 312, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\254\3\0\0H\4\0\0" ... {28, 56, reply, 0, 940, 312, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\254\3\0\0H\4\0\0" ) ... {28, 56, reply, 0, 940, 312, 58075, 0} (24, {28, 56, new_msg, 0, 940, 312, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\254\3\0\0H\4\0\0" ... {28, 56, reply, 0, 940, 312, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\254\3\0\0H\4\0\0" ) ) == 0x0 02719 312 NtResumeThread (696, ... 1, ) == 0x0 02720 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 133234688, 1048576, ) == 0x0 02721 312 NtAllocateVirtualMemory (-1, 134275072, 0, 8192, 4096, 4, ... 134275072, 8192, ) == 0x0 02722 312 NtProtectVirtualMemory (-1, (0x800e000), 4096, 260, ... 02723 1096 NtTestAlert (... ) == 0x0 02724 1096 NtContinue (133233968, 1, ... 02725 1096 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02726 1096 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02722 312 NtProtectVirtualMemory ... (0x800e000), 4096, 4, ) == 0x0 02727 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {940, 252}, ) == 0x0 02728 312 NtQueryInformationThread (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=940,Tid=252,}, 0x0, ) == 0x0 02729 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58075, 0} (24, {28, 56, new_msg, 0, 940, 312, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\254\3\0\0\374\0\0\0" ... 
{28, 56, reply, 0, 940, 312, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\254\3\0\0\374\0\0\0" ) ... {28, 56, reply, 0, 940, 312, 58076, 0} (24, {28, 56, new_msg, 0, 940, 312, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\254\3\0\0\374\0\0\0" ... {28, 56, reply, 0, 940, 312, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\254\3\0\0\374\0\0\0" ) ) == 0x0 02730 312 NtResumeThread (700, ... 1, ) == 0x0 02731 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 134283264, 1048576, ) == 0x0 02732 252 NtTestAlert (... ) == 0x0 02733 252 NtContinue (134282544, 1, ... 02734 252 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02735 252 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02736 312 NtAllocateVirtualMemory (-1, 135323648, 0, 8192, 4096, 4, ... 135323648, 8192, ) == 0x0 02737 312 NtProtectVirtualMemory (-1, (0x810e000), 4096, 260, ... (0x810e000), 4096, 4, ) == 0x0 02738 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {940, 500}, ) == 0x0 02739 312 NtQueryInformationThread (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=940,Tid=500,}, 0x0, ) == 0x0 02740 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58076, 0} (24, {28, 56, new_msg, 0, 940, 312, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\254\3\0\0\364\1\0\0" ... {28, 56, reply, 0, 940, 312, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\254\3\0\0\364\1\0\0" ) ... {28, 56, reply, 0, 940, 312, 58077, 0} (24, {28, 56, new_msg, 0, 940, 312, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\254\3\0\0\364\1\0\0" ... {28, 56, reply, 0, 940, 312, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\254\3\0\0\364\1\0\0" ) ) == 0x0 02741 312 NtResumeThread (704, ... 1, ) == 0x0 02742 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 135331840, 1048576, ) == 0x0 02743 312 NtAllocateVirtualMemory (-1, 136372224, 0, 8192, 4096, 4, ... 
136372224, 8192, ) == 0x0 02744 312 NtProtectVirtualMemory (-1, (0x820e000), 4096, 260, ... 02745 500 NtTestAlert (... ) == 0x0 02746 500 NtContinue (135331120, 1, ... 02747 500 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02748 500 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02744 312 NtProtectVirtualMemory ... (0x820e000), 4096, 4, ) == 0x0 02749 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {940, 1132}, ) == 0x0 02750 312 NtQueryInformationThread (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff43000,Pid=940,Tid=1132,}, 0x0, ) == 0x0 02751 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58077, 0} (24, {28, 56, new_msg, 0, 940, 312, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\254\3\0\0l\4\0\0" ... {28, 56, reply, 0, 940, 312, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\254\3\0\0l\4\0\0" ) ... {28, 56, reply, 0, 940, 312, 58078, 0} (24, {28, 56, new_msg, 0, 940, 312, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\254\3\0\0l\4\0\0" ... {28, 56, reply, 0, 940, 312, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\254\3\0\0l\4\0\0" ) ) == 0x0 02752 312 NtResumeThread (708, ... 1, ) == 0x0 02753 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 136380416, 1048576, ) == 0x0 02754 1132 NtTestAlert (... ) == 0x0 02755 1132 NtContinue (136379696, 1, ... 02756 1132 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02757 1132 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02758 312 NtAllocateVirtualMemory (-1, 137420800, 0, 8192, 4096, 4, ... 137420800, 8192, ) == 0x0 02759 312 NtProtectVirtualMemory (-1, (0x830e000), 4096, 260, ... (0x830e000), 4096, 4, ) == 0x0 02760 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {940, 1024}, ) == 0x0 02761 312 NtQueryInformationThread (712, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff42000,Pid=940,Tid=1024,}, 0x0, ) == 0x0 02762 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58078, 0} (24, {28, 56, new_msg, 0, 940, 312, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\254\3\0\0\0\4\0\0" ... {28, 56, reply, 0, 940, 312, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\254\3\0\0\0\4\0\0" ) ... {28, 56, reply, 0, 940, 312, 58079, 0} (24, {28, 56, new_msg, 0, 940, 312, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\254\3\0\0\0\4\0\0" ... {28, 56, reply, 0, 940, 312, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\254\3\0\0\0\4\0\0" ) ) == 0x0 02763 312 NtResumeThread (712, ... 1, ) == 0x0 02764 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 137428992, 1048576, ) == 0x0 02765 312 NtAllocateVirtualMemory (-1, 138469376, 0, 8192, 4096, 4, ... 138469376, 8192, ) == 0x0 02766 312 NtProtectVirtualMemory (-1, (0x840e000), 4096, 260, ... 02767 1024 NtTestAlert (... ) == 0x0 02768 1024 NtContinue (137428272, 1, ... 02769 1024 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02770 1024 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02766 312 NtProtectVirtualMemory ... (0x840e000), 4096, 4, ) == 0x0 02771 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {940, 948}, ) == 0x0 02772 312 NtQueryInformationThread (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff41000,Pid=940,Tid=948,}, 0x0, ) == 0x0 02773 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58079, 0} (24, {28, 56, new_msg, 0, 940, 312, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\254\3\0\0\264\3\0\0" ... {28, 56, reply, 0, 940, 312, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\254\3\0\0\264\3\0\0" ) ... {28, 56, reply, 0, 940, 312, 58080, 0} (24, {28, 56, new_msg, 0, 940, 312, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\254\3\0\0\264\3\0\0" ... 
{28, 56, reply, 0, 940, 312, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\254\3\0\0\264\3\0\0" ) ) == 0x0 02774 312 NtResumeThread (716, ... 1, ) == 0x0 02775 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 138477568, 1048576, ) == 0x0 02776 948 NtTestAlert (... ) == 0x0 02777 948 NtContinue (138476848, 1, ... 02778 948 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02779 948 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02780 312 NtAllocateVirtualMemory (-1, 139517952, 0, 8192, 4096, 4, ... 139517952, 8192, ) == 0x0 02781 312 NtProtectVirtualMemory (-1, (0x850e000), 4096, 260, ... (0x850e000), 4096, 4, ) == 0x0 02782 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {940, 1388}, ) == 0x0 02783 312 NtQueryInformationThread (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff40000,Pid=940,Tid=1388,}, 0x0, ) == 0x0 02784 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58080, 0} (24, {28, 56, new_msg, 0, 940, 312, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\254\3\0\0l\5\0\0" ... {28, 56, reply, 0, 940, 312, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\254\3\0\0l\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 58081, 0} (24, {28, 56, new_msg, 0, 940, 312, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\254\3\0\0l\5\0\0" ... {28, 56, reply, 0, 940, 312, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\254\3\0\0l\5\0\0" ) ) == 0x0 02785 312 NtResumeThread (720, ... 1, ) == 0x0 02786 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 139526144, 1048576, ) == 0x0 02787 312 NtAllocateVirtualMemory (-1, 140566528, 0, 8192, 4096, 4, ... 140566528, 8192, ) == 0x0 02788 312 NtProtectVirtualMemory (-1, (0x860e000), 4096, 260, ... 02789 1388 NtTestAlert (... ) == 0x0 02790 1388 NtContinue (139525424, 1, ... 02791 1388 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02792 1388 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
02788 312 NtProtectVirtualMemory ... (0x860e000), 4096, 4, ) == 0x0 02793 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {940, 520}, ) == 0x0 02794 312 NtQueryInformationThread (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3f000,Pid=940,Tid=520,}, 0x0, ) == 0x0 02795 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58081, 0} (24, {28, 56, new_msg, 0, 940, 312, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\254\3\0\0\10\2\0\0" ... {28, 56, reply, 0, 940, 312, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\254\3\0\0\10\2\0\0" ) ... {28, 56, reply, 0, 940, 312, 58082, 0} (24, {28, 56, new_msg, 0, 940, 312, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\254\3\0\0\10\2\0\0" ... {28, 56, reply, 0, 940, 312, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\254\3\0\0\10\2\0\0" ) ) == 0x0 02796 312 NtResumeThread (724, ... 1, ) == 0x0 02797 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 140574720, 1048576, ) == 0x0 02798 520 NtTestAlert (... ) == 0x0 02799 520 NtContinue (140574000, 1, ... 02800 520 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02801 520 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02802 312 NtAllocateVirtualMemory (-1, 141615104, 0, 8192, 4096, 4, ... 141615104, 8192, ) == 0x0 02803 312 NtProtectVirtualMemory (-1, (0x870e000), 4096, 260, ... (0x870e000), 4096, 4, ) == 0x0 02804 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {940, 276}, ) == 0x0 02805 312 NtQueryInformationThread (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3e000,Pid=940,Tid=276,}, 0x0, ) == 0x0 02806 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58082, 0} (24, {28, 56, new_msg, 0, 940, 312, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\254\3\0\0\24\1\0\0" ... {28, 56, reply, 0, 940, 312, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\254\3\0\0\24\1\0\0" ) ... 
{28, 56, reply, 0, 940, 312, 58083, 0} (24, {28, 56, new_msg, 0, 940, 312, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\254\3\0\0\24\1\0\0" ... {28, 56, reply, 0, 940, 312, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\254\3\0\0\24\1\0\0" ) ) == 0x0 02807 312 NtResumeThread (728, ... 1, ) == 0x0 02808 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 141623296, 1048576, ) == 0x0 02809 312 NtAllocateVirtualMemory (-1, 142663680, 0, 8192, 4096, 4, ... 142663680, 8192, ) == 0x0 02810 312 NtProtectVirtualMemory (-1, (0x880e000), 4096, 260, ... 02811 276 NtTestAlert (... ) == 0x0 02812 276 NtContinue (141622576, 1, ... 02813 276 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02814 276 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02810 312 NtProtectVirtualMemory ... (0x880e000), 4096, 4, ) == 0x0 02815 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {940, 996}, ) == 0x0 02816 312 NtQueryInformationThread (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3d000,Pid=940,Tid=996,}, 0x0, ) == 0x0 02817 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58083, 0} (24, {28, 56, new_msg, 0, 940, 312, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\254\3\0\0\344\3\0\0" ... {28, 56, reply, 0, 940, 312, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\254\3\0\0\344\3\0\0" ) ... {28, 56, reply, 0, 940, 312, 58084, 0} (24, {28, 56, new_msg, 0, 940, 312, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\254\3\0\0\344\3\0\0" ... {28, 56, reply, 0, 940, 312, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\254\3\0\0\344\3\0\0" ) ) == 0x0 02818 312 NtResumeThread (732, ... 1, ) == 0x0 02819 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 142671872, 1048576, ) == 0x0 02820 996 NtTestAlert (... ) == 0x0 02821 996 NtContinue (142671152, 1, ... 02822 996 NtRegisterThreadTerminatePort (24, ... 
) == 0x0 02823 996 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02824 312 NtAllocateVirtualMemory (-1, 143712256, 0, 8192, 4096, 4, ... 143712256, 8192, ) == 0x0 02825 312 NtProtectVirtualMemory (-1, (0x890e000), 4096, 260, ... (0x890e000), 4096, 4, ) == 0x0 02826 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 736, {940, 1064}, ) == 0x0 02827 312 NtQueryInformationThread (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3c000,Pid=940,Tid=1064,}, 0x0, ) == 0x0 02828 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58084, 0} (24, {28, 56, new_msg, 0, 940, 312, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\254\3\0\0(\4\0\0" ... {28, 56, reply, 0, 940, 312, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\254\3\0\0(\4\0\0" ) ... {28, 56, reply, 0, 940, 312, 58085, 0} (24, {28, 56, new_msg, 0, 940, 312, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\254\3\0\0(\4\0\0" ... {28, 56, reply, 0, 940, 312, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\254\3\0\0(\4\0\0" ) ) == 0x0 02829 312 NtResumeThread (736, ... 1, ) == 0x0 02830 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 143720448, 1048576, ) == 0x0 02831 312 NtAllocateVirtualMemory (-1, 144760832, 0, 8192, 4096, 4, ... 144760832, 8192, ) == 0x0 02832 312 NtProtectVirtualMemory (-1, (0x8a0e000), 4096, 260, ... 02833 1064 NtTestAlert (... ) == 0x0 02834 1064 NtContinue (143719728, 1, ... 02835 1064 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02836 1064 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02832 312 NtProtectVirtualMemory ... (0x8a0e000), 4096, 4, ) == 0x0 02837 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {940, 1600}, ) == 0x0 02838 312 NtQueryInformationThread (740, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff3b000,Pid=940,Tid=1600,}, 0x0, ) == 0x0 02839 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58085, 0} (24, {28, 56, new_msg, 0, 940, 312, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\254\3\0\0@\6\0\0" ... {28, 56, reply, 0, 940, 312, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\254\3\0\0@\6\0\0" ) ... {28, 56, reply, 0, 940, 312, 58086, 0} (24, {28, 56, new_msg, 0, 940, 312, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\254\3\0\0@\6\0\0" ... {28, 56, reply, 0, 940, 312, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\254\3\0\0@\6\0\0" ) ) == 0x0 02840 312 NtResumeThread (740, ... 1, ) == 0x0 02841 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 144769024, 1048576, ) == 0x0 02842 1600 NtTestAlert (... ) == 0x0 02843 1600 NtContinue (144768304, 1, ... 02844 1600 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02845 1600 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02846 312 NtAllocateVirtualMemory (-1, 145809408, 0, 8192, 4096, 4, ... 145809408, 8192, ) == 0x0 02847 312 NtProtectVirtualMemory (-1, (0x8b0e000), 4096, 260, ... (0x8b0e000), 4096, 4, ) == 0x0 02848 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {940, 1372}, ) == 0x0 02849 312 NtQueryInformationThread (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3a000,Pid=940,Tid=1372,}, 0x0, ) == 0x0 02850 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58086, 0} (24, {28, 56, new_msg, 0, 940, 312, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\254\3\0\0\\5\0\0" ... {28, 56, reply, 0, 940, 312, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\254\3\0\0\\5\0\0" ) ... {28, 56, reply, 0, 940, 312, 58087, 0} (24, {28, 56, new_msg, 0, 940, 312, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\254\3\0\0\\5\0\0" ... 
{28, 56, reply, 0, 940, 312, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\254\3\0\0\\5\0\0" ) ) == 0x0 02851 312 NtResumeThread (744, ... 1, ) == 0x0 02852 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 145817600, 1048576, ) == 0x0 02853 312 NtAllocateVirtualMemory (-1, 146857984, 0, 8192, 4096, 4, ... 146857984, 8192, ) == 0x0 02854 312 NtProtectVirtualMemory (-1, (0x8c0e000), 4096, 260, ... 02855 1372 NtTestAlert (... ) == 0x0 02856 1372 NtContinue (145816880, 1, ... 02857 1372 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02858 1372 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02854 312 NtProtectVirtualMemory ... (0x8c0e000), 4096, 4, ) == 0x0 02859 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 748, {940, 2040}, ) == 0x0 02860 312 NtQueryInformationThread (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff39000,Pid=940,Tid=2040,}, 0x0, ) == 0x0 02861 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58087, 0} (24, {28, 56, new_msg, 0, 940, 312, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\254\3\0\0\370\7\0\0" ... {28, 56, reply, 0, 940, 312, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\254\3\0\0\370\7\0\0" ) ... {28, 56, reply, 0, 940, 312, 58088, 0} (24, {28, 56, new_msg, 0, 940, 312, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\254\3\0\0\370\7\0\0" ... {28, 56, reply, 0, 940, 312, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\254\3\0\0\370\7\0\0" ) ) == 0x0 02862 312 NtResumeThread (748, ... 1, ) == 0x0 02863 312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 146866176, 1048576, ) == 0x0 02864 2040 NtTestAlert (... ) == 0x0 02865 2040 NtContinue (146865456, 1, ... 02866 2040 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02867 2040 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02868 312 NtAllocateVirtualMemory (-1, 147906560, 0, 8192, 4096, 4, ... 
147906560, 8192, ) == 0x0 02869 312 NtProtectVirtualMemory (-1, (0x8d0e000), 4096, 260, ... (0x8d0e000), 4096, 4, ) == 0x0 02870 312 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {940, 216}, ) == 0x0 02871 312 NtQueryInformationThread (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff38000,Pid=940,Tid=216,}, 0x0, ) == 0x0 02872 312 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 940, 312, 58088, 0} (24, {28, 56, new_msg, 0, 940, 312, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\254\3\0\0\330\0\0\0" ... {28, 56, reply, 0, 940, 312, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\254\3\0\0\330\0\0\0" ) ... {28, 56, reply, 0, 940, 312, 58089, 0} (24, {28, 56, new_msg, 0, 940, 312, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\254\3\0\0\330\0\0\0" ... {28, 56, reply, 0, 940, 312, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\254\3\0\0\330\0\0\0" ) ) == 0x0 02873 312 NtResumeThread (752, ... 1, ) == 0x0 02874 312 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 756, ) == 0x0 02875 312 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 760, ) == 0x0 02876 312 NtOpenThreadToken (-2, 0xc, 1, ... 02877 216 NtTestAlert (... ) == 0x0 02878 216 NtContinue (147914032, 1, ... 02879 216 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02880 216 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02876 312 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02881 312 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 764, ) == 0x0 02882 312 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02883 312 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02884 312 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243192, (0xc0100080, {24, 0, 0x40, 0, 1243192, "\??\PIPE\InitShutdown"}, 0x0, 0, 3, 1, 64, 0, 0, ... 768, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 768, {status=0x0, info=1}, ) == 0x0 02885 312 NtSetInformationFile (768, 1243248, 8, Pipe, ... 
{status=0x0, info=0}, ) == 0x0 02886 312 NtSetInformationFile (768, 1243236, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02887 312 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02888 312 NtWriteFile (768, 757, 0, 0, (768, 757, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\300\340M\211U\15\323\21\243"\0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) \0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02889 312 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0 02890 312 NtReadFile (768, 757, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, (768, 757, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\232(\0\0\23\0\PIPE\InitShutdown\0\37`\300\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02891 312 NtFsControlFile (768, 757, 0x0, 0x0, 0x11c017, (768, 757, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\330\376\22\0\260\375", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\232(\0\0\23\0\PIPE\InitShutdown\0\37`\300\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 30, 1024, ... {status=0x103, info=76}, (768, 757, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\330\376\22\0\260\375", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\232(\0\0\23\0\PIPE\InitShutdown\0\37`\300\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02892 312 NtWaitForSingleObject (757, 0, 0x0, ... 01291 1972 NtOpenKey ... 772, ) == 0x0 02893 1972 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software"}, ... }, ... 02892 312 NtWaitForSingleObject ... 
) == 0x0 02894 312 NtClose (764, ... ) == 0x0 02895 312 NtClose (768, ... ) == 0x0 02896 312 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02897 312 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 768, ) == 0x0 02898 312 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02899 312 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02900 312 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243188, (0xc0100080, {24, 0, 0x40, 0, 1243188, "\??\PIPE\winreg"}, 0x0, 0, 3, 1, 64, 0, 0, ... 764, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 764, {status=0x0, info=1}, ) == 0x0 02901 312 NtSetInformationFile (764, 1243244, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02902 312 NtSetInformationFile (764, 1243232, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02903 312 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02904 312 NtWriteFile (764, 757, 0, 0, (764, 757, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\1\320\2143D"\3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) \3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02905 312 NtReadFile (764, 757, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (764, 757, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02906 312 NtFsControlFile (764, 757, 0x0, 0x0, 0x11c017, (764, 757, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\31\0\314\376\22\0\260\375", 30, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 30, 1024, ... 
{status=0x103, info=68}, (764, 757, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\31\0\314\376\22\0\260\375", 30, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02907 312 NtWaitForSingleObject (757, 0, 0x0, ... 02893 1972 NtOpenKey ... 776, ) == 0x0 02908 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02907 312 NtWaitForSingleObject ... ) == 0x0 02909 312 NtClose (768, ... ) == 0x0 02910 312 NtClose (764, ... ) == 0x0 02911 312 NtDelayExecution (0, {-10000000, -1}, ... 02912 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 01339 1036 NtSetInformationThread ... ) == 0x0 01340 1248 NtSetInformationThread ... ) == 0x0 01341 1656 NtSetInformationThread ... ) == 0x0 01342 1740 NtSetInformationThread ... ) == 0x0 01349 928 NtSetInformationThread ... ) == 0x0 01510 1784 NtSetInformationThread ... ) == 0x0 01511 1980 NtSetInformationThread ... ) == 0x0 01512 1956 NtSetInformationThread ... ) == 0x0 01905 1648 NtSetInformationThread ... ) == 0x0 01923 148 NtSetInformationThread ... ) == 0x0 01929 1828 NtSetInformationThread ... ) == 0x0 01942 1864 NtSetInformationThread ... ) == 0x0 01951 1896 NtSetInformationThread ... ) == 0x0 01964 1524 NtSetInformationThread ... ) == 0x0 01973 1944 NtSetInformationThread ... ) == 0x0 01987 2044 NtSetInformationThread ... ) == 0x0 01996 240 NtSetInformationThread ... ) == 0x0 02009 968 NtSetInformationThread ... ) == 0x0 02018 308 NtSetInformationThread ... ) == 0x0 02031 764 NtSetInformationThread ... ) == 0x0 02040 2000 NtSetInformationThread ... ) == 0x0 02053 1852 NtSetInformationThread ... ) == 0x0 02062 1420 NtSetInformationThread ... 
) == 0x0 02075 164 NtSetInformationThread ... ) == 0x0 02084 1564 NtSetInformationThread ... ) == 0x0 02097 1592 NtSetInformationThread ... ) == 0x0 02106 2032 NtSetInformationThread ... ) == 0x0 02119 1500 NtSetInformationThread ... ) == 0x0 02128 932 NtSetInformationThread ... ) == 0x0 02141 1528 NtSetInformationThread ... ) == 0x0 02150 1780 NtSetInformationThread ... ) == 0x0 02163 1804 NtSetInformationThread ... ) == 0x0 02172 1644 NtSetInformationThread ... ) == 0x0 02185 336 NtSetInformationThread ... ) == 0x0 02194 800 NtSetInformationThread ... ) == 0x0 02207 504 NtSetInformationThread ... ) == 0x0 02216 888 NtSetInformationThread ... ) == 0x0 02229 1392 NtSetInformationThread ... ) == 0x0 02238 2020 NtSetInformationThread ... ) == 0x0 02251 740 NtSetInformationThread ... ) == 0x0 02260 1676 NtSetInformationThread ... ) == 0x0 02273 496 NtSetInformationThread ... ) == 0x0 02282 1020 NtSetInformationThread ... ) == 0x0 02295 432 NtSetInformationThread ... ) == 0x0 02305 1332 NtSetInformationThread ... ) == 0x0 02318 1328 NtSetInformationThread ... ) == 0x0 02327 752 NtSetInformationThread ... ) == 0x0 02340 120 NtSetInformationThread ... ) == 0x0 02349 1732 NtSetInformationThread ... ) == 0x0 02362 188 NtSetInformationThread ... ) == 0x0 02371 1636 NtSetInformationThread ... ) == 0x0 02384 624 NtSetInformationThread ... ) == 0x0 02393 1948 NtSetInformationThread ... ) == 0x0 02406 988 NtSetInformationThread ... ) == 0x0 02415 468 NtSetInformationThread ... ) == 0x0 02428 380 NtSetInformationThread ... ) == 0x0 02437 1692 NtSetInformationThread ... ) == 0x0 02450 1792 NtSetInformationThread ... ) == 0x0 02459 784 NtSetInformationThread ... ) == 0x0 02472 1520 NtSetInformationThread ... ) == 0x0 02481 1696 NtSetInformationThread ... ) == 0x0 02494 1744 NtSetInformationThread ... ) == 0x0 02503 1124 NtSetInformationThread ... ) == 0x0 02516 1496 NtSetInformationThread ... ) == 0x0 02525 168 NtSetInformationThread ... 
) == 0x0 02538 1284 NtSetInformationThread ... ) == 0x0 02547 1268 NtSetInformationThread ... ) == 0x0 02560 840 NtSetInformationThread ... ) == 0x0 02569 1336 NtSetInformationThread ... ) == 0x0 02582 1200 NtSetInformationThread ... ) == 0x0 02591 1920 NtSetInformationThread ... ) == 0x0 02604 896 NtSetInformationThread ... ) == 0x0 02614 2016 NtSetInformationThread ... ) == 0x0 02627 2012 NtSetInformationThread ... ) == 0x0 02636 1604 NtSetInformationThread ... ) == 0x0 02649 1572 NtSetInformationThread ... ) == 0x0 02658 596 NtSetInformationThread ... ) == 0x0 02671 376 NtSetInformationThread ... ) == 0x0 02680 1168 NtSetInformationThread ... ) == 0x0 02693 428 NtSetInformationThread ... ) == 0x0 02704 1344 NtSetInformationThread ... ) == 0x0 02713 1300 NtSetInformationThread ... ) == 0x0 02726 1096 NtSetInformationThread ... ) == 0x0 02735 252 NtSetInformationThread ... ) == 0x0 02748 500 NtSetInformationThread ... ) == 0x0 02757 1132 NtSetInformationThread ... ) == 0x0 02770 1024 NtSetInformationThread ... ) == 0x0 02779 948 NtSetInformationThread ... ) == 0x0 02792 1388 NtSetInformationThread ... ) == 0x0 02801 520 NtSetInformationThread ... ) == 0x0 02814 276 NtSetInformationThread ... ) == 0x0 02823 996 NtSetInformationThread ... ) == 0x0 02836 1064 NtSetInformationThread ... ) == 0x0 02845 1600 NtSetInformationThread ... ) == 0x0 02858 1372 NtSetInformationThread ... ) == 0x0 02867 2040 NtSetInformationThread ... ) == 0x0 02880 216 NtSetInformationThread ... ) == 0x0 02913 1036 NtWaitForSingleObject (216, 0, 0x0, ... 02914 1248 NtWaitForSingleObject (216, 0, 0x0, ... 02915 1656 NtWaitForSingleObject (216, 0, 0x0, ... 02916 1740 NtWaitForSingleObject (216, 0, 0x0, ... 02917 928 NtWaitForSingleObject (216, 0, 0x0, ... 02918 1784 NtWaitForSingleObject (216, 0, 0x0, ... 02919 1980 NtWaitForSingleObject (216, 0, 0x0, ... 02920 1956 NtWaitForSingleObject (216, 0, 0x0, ... 02921 1648 NtWaitForSingleObject (216, 0, 0x0, ... 
02922 148 NtWaitForSingleObject (216, 0, 0x0, ... 02923 1828 NtWaitForSingleObject (216, 0, 0x0, ... 02924 1864 NtWaitForSingleObject (216, 0, 0x0, ... 02925 1896 NtWaitForSingleObject (216, 0, 0x0, ... 02926 1524 NtWaitForSingleObject (216, 0, 0x0, ... 02927 1944 NtWaitForSingleObject (216, 0, 0x0, ... 02928 2044 NtWaitForSingleObject (216, 0, 0x0, ... 02929 240 NtWaitForSingleObject (216, 0, 0x0, ... 02930 968 NtWaitForSingleObject (216, 0, 0x0, ... 02931 308 NtWaitForSingleObject (216, 0, 0x0, ... 02932 764 NtWaitForSingleObject (216, 0, 0x0, ... 02933 2000 NtWaitForSingleObject (216, 0, 0x0, ... 02934 1852 NtWaitForSingleObject (216, 0, 0x0, ... 02935 1420 NtWaitForSingleObject (216, 0, 0x0, ... 02936 164 NtWaitForSingleObject (216, 0, 0x0, ... 02937 1564 NtWaitForSingleObject (216, 0, 0x0, ... 02938 1592 NtWaitForSingleObject (216, 0, 0x0, ... 02939 2032 NtWaitForSingleObject (216, 0, 0x0, ... 02940 1500 NtWaitForSingleObject (216, 0, 0x0, ... 02941 932 NtWaitForSingleObject (216, 0, 0x0, ... 02942 1528 NtWaitForSingleObject (216, 0, 0x0, ... 02943 1780 NtWaitForSingleObject (216, 0, 0x0, ... 02944 1804 NtWaitForSingleObject (216, 0, 0x0, ... 02945 1644 NtWaitForSingleObject (216, 0, 0x0, ... 02946 336 NtWaitForSingleObject (216, 0, 0x0, ... 02947 800 NtWaitForSingleObject (216, 0, 0x0, ... 02948 504 NtWaitForSingleObject (216, 0, 0x0, ... 02949 888 NtWaitForSingleObject (216, 0, 0x0, ... 02950 1392 NtWaitForSingleObject (216, 0, 0x0, ... 02951 2020 NtWaitForSingleObject (216, 0, 0x0, ... 02952 740 NtWaitForSingleObject (216, 0, 0x0, ... 02953 1676 NtWaitForSingleObject (216, 0, 0x0, ... 02954 496 NtWaitForSingleObject (216, 0, 0x0, ... 02955 1020 NtWaitForSingleObject (216, 0, 0x0, ... 02956 432 NtWaitForSingleObject (216, 0, 0x0, ... 02957 1332 NtWaitForSingleObject (216, 0, 0x0, ... 02958 1328 NtWaitForSingleObject (216, 0, 0x0, ... 02959 752 NtWaitForSingleObject (216, 0, 0x0, ... 02960 120 NtWaitForSingleObject (216, 0, 0x0, ... 
02961 1732 NtWaitForSingleObject (216, 0, 0x0, ... 02962 188 NtWaitForSingleObject (216, 0, 0x0, ... 02963 1636 NtWaitForSingleObject (216, 0, 0x0, ... 02964 624 NtWaitForSingleObject (216, 0, 0x0, ... 02965 1948 NtWaitForSingleObject (216, 0, 0x0, ... 02966 988 NtWaitForSingleObject (216, 0, 0x0, ... 02967 468 NtWaitForSingleObject (216, 0, 0x0, ... 02968 380 NtWaitForSingleObject (216, 0, 0x0, ... 02969 1692 NtWaitForSingleObject (216, 0, 0x0, ... 02970 1792 NtWaitForSingleObject (216, 0, 0x0, ... 02971 784 NtWaitForSingleObject (216, 0, 0x0, ... 02972 1520 NtWaitForSingleObject (216, 0, 0x0, ... 02973 1696 NtWaitForSingleObject (216, 0, 0x0, ... 02974 1744 NtWaitForSingleObject (216, 0, 0x0, ... 02975 1124 NtWaitForSingleObject (216, 0, 0x0, ... 02976 1496 NtWaitForSingleObject (216, 0, 0x0, ... 02977 168 NtWaitForSingleObject (216, 0, 0x0, ... 02978 1284 NtWaitForSingleObject (216, 0, 0x0, ... 02979 1268 NtWaitForSingleObject (216, 0, 0x0, ... 02980 840 NtWaitForSingleObject (216, 0, 0x0, ... 02981 1336 NtWaitForSingleObject (216, 0, 0x0, ... 02982 1200 NtWaitForSingleObject (216, 0, 0x0, ... 02983 1920 NtWaitForSingleObject (216, 0, 0x0, ... 02984 896 NtWaitForSingleObject (216, 0, 0x0, ... 02985 2016 NtWaitForSingleObject (216, 0, 0x0, ... 02986 2012 NtWaitForSingleObject (216, 0, 0x0, ... 02987 1604 NtWaitForSingleObject (216, 0, 0x0, ... 02988 1572 NtWaitForSingleObject (216, 0, 0x0, ... 02989 596 NtWaitForSingleObject (216, 0, 0x0, ... 02990 376 NtWaitForSingleObject (216, 0, 0x0, ... 02991 1168 NtWaitForSingleObject (216, 0, 0x0, ... 02992 428 NtWaitForSingleObject (216, 0, 0x0, ... 02993 1344 NtWaitForSingleObject (216, 0, 0x0, ... 02994 1300 NtWaitForSingleObject (216, 0, 0x0, ... 02995 1096 NtWaitForSingleObject (216, 0, 0x0, ... 02996 252 NtWaitForSingleObject (216, 0, 0x0, ... 02997 500 NtWaitForSingleObject (216, 0, 0x0, ... 02998 1132 NtWaitForSingleObject (216, 0, 0x0, ... 02999 1024 NtWaitForSingleObject (216, 0, 0x0, ... 
03000 948 NtWaitForSingleObject (216, 0, 0x0, ... 03001 1388 NtWaitForSingleObject (216, 0, 0x0, ... 03002 520 NtWaitForSingleObject (216, 0, 0x0, ... 03003 276 NtWaitForSingleObject (216, 0, 0x0, ... 03004 996 NtWaitForSingleObject (216, 0, 0x0, ... 03005 1064 NtWaitForSingleObject (216, 0, 0x0, ... 03006 1600 NtWaitForSingleObject (216, 0, 0x0, ... 03007 1372 NtWaitForSingleObject (216, 0, 0x0, ... 03008 2040 NtWaitForSingleObject (216, 0, 0x0, ... 03009 216 NtWaitForSingleObject (216, 0, 0x0, ... 02912 1972 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03010 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03011 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 764, ) }, ... 764, ) == 0x0 03012 1972 NtQueryValueKey (764, (764, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (764, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03013 1972 NtClose (764, ... ) == 0x0 03014 1972 NtQueryValueKey (96, (96, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03015 1972 NtQueryValueKey (96, (96, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03016 1972 NtQueryValueKey (96, (96, "IdnEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03017 1972 NtQueryValueKey (96, (96, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03018 1972 NtQueryValueKey (96, (96, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "EnableHttp1_1", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03019 1972 NtQueryValueKey (96, (96, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03020 1972 NtQueryValueKey (96, (96, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03021 1972 NtQueryValueKey (96, (96, "DisableBasicOverClearChannel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03022 1972 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03023 1972 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03024 1972 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03025 1972 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 764, ) }, ... 764, ) == 0x0 03026 1972 NtQueryValueKey (764, (764, "Feature_ClientAuthCertFilter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03027 1972 NtClose (764, ... ) == 0x0 03028 1972 NtAllocateVirtualMemory (-1, 17879040, 0, 4096, 4096, 260, ... 17879040, 4096, ) == 0x0 03029 1972 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03030 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 17886864, ... ) }, 17886864, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03031 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 17886864, ... ) }, 17886864, ... ) == 0x0 03032 1972 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 5, 96, ... 764, {status=0x0, info=1}, ) }, 5, 96, ... 764, {status=0x0, info=1}, ) == 0x0 03033 1972 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 764, ... 768, ) == 0x0 03034 1972 NtQuerySection (768, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03035 1972 NtClose (764, ... ) == 0x0 03036 1972 NtMapViewOfSection (768, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77fe0000), 0x0, 69632, ) == 0x0 03037 1972 NtClose (768, ... ) == 0x0 03038 1972 NtProtectVirtualMemory (-1, (0x77fe1000), 388, 4, ... (0x77fe1000), 4096, 32, ) == 0x0 03039 1972 NtProtectVirtualMemory (-1, (0x77fe1000), 4096, 32, ... (0x77fe1000), 4096, 4, ) == 0x0 03040 1972 NtFlushInstructionCache (-1, 2013138944, 388, ... ) == 0x0 03041 1972 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03042 1972 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 768, ) == 0x0 03043 1972 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 764, ) == 0x0 03044 1972 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 780, ) }, ... 780, ) == 0x0 03045 1972 NtQueryEvent (780, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 03046 1972 NtClose (780, ... ) == 0x0 03047 1972 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 17888436, 140, ... 780, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 17888436, 140, ... 
780, 0x0, 0x0, 256, 140, ) == 0x0 03048 1972 NtRequestWaitReplyPort (780, {28, 52, new_msg, 0, 0, 0, 0, 0} (780, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\340\347\24\0" ... {188, 212, reply, 0, 940, 1972, 58091, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" ) ... {188, 212, reply, 0, 940, 1972, 58091, 0} (780, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\340\347\24\0" ... {188, 212, reply, 0, 940, 1972, 58091, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" ) ) == 0x0 03049 1972 NtQueryValueKey (96, (96, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03050 1972 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 784, ) }, ... 784, ) == 0x0 03051 1972 NtQueryValueKey (784, (784, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03052 1972 NtClose (784, ... ) == 0x0 03053 1972 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 784, ) }, ... 
784, ) == 0x0 03054 1972 NtOpenKey (0xf, {24, 100, 0x40, 0, 0, (0xf, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 788, ) }, ... 788, ) == 0x0 03055 1972 NtOpenKey (0x9, {24, 100, 0x40, 0, 0, (0x9, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 792, ) }, ... 792, ) == 0x0 03056 1972 NtQueryValueKey (792, (792, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 03057 1972 NtQueryValueKey (792, (792, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 03058 1972 NtClose (792, ... ) == 0x0 03059 1972 NtOpenKey (0xf, {24, 788, 0x40, 0, 0, (0xf, {24, 788, 0x40, 0, 0, "Content"}, ... 792, ) }, ... 792, ) == 0x0 03060 1972 NtQueryValueKey (792, (792, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03061 1972 NtOpenKey (0xf, {24, 784, 0x40, 0, 0, (0xf, {24, 784, 0x40, 0, 0, "Content"}, ... 796, ) }, ... 796, ) == 0x0 03062 1972 NtQueryValueKey (796, (796, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (796, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03063 1972 NtClose (796, ... ) == 0x0 03064 1972 NtClose (792, ... 
) == 0x0 03065 1972 NtOpenKey (0xf, {24, 788, 0x40, 0, 0, (0xf, {24, 788, 0x40, 0, 0, "Content"}, ... 792, ) }, ... 792, ) == 0x0 03066 1972 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 796, ) }, ... 796, ) == 0x0 03067 1972 NtMapViewOfSection (796, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0 03068 1972 NtClose (796, ... ) == 0x0 03069 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 03070 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 03071 1972 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 03072 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 03073 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 03074 1972 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 03075 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 03076 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 03077 1972 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 03078 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 03079 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 03080 1972 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 03081 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 03082 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 03083 1972 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 03084 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 03085 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... 
(0x7c9c1000), 8192, 4, ) == 0x0 03086 1972 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 03087 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 03088 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 03089 1972 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 03090 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 03091 1972 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 03092 1972 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 03093 1972 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03094 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 796, ) }, ... 796, ) == 0x0 03095 1972 NtQueryValueKey (796, (796, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (796, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03096 1972 NtAllocateVirtualMemory (-1, 17874944, 0, 4096, 4096, 260, ... 17874944, 4096, ) == 0x0 03097 1972 NtClose (796, ... ) == 0x0 03098 1972 NtQueryDefaultUILanguage (17883460, ... 03099 1972 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03100 1972 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481344, ) == 0x0 03101 1972 NtQueryInformationToken (-2147481344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03102 1972 NtClose (-2147481344, ... ) == 0x0 03103 1972 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481344, ) }, ... 
-2147481344, ) == 0x0 03104 1972 NtOpenKey (0x80000000, {24, -2147481344, 0x240, 0, 0, (0x80000000, {24, -2147481344, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03105 1972 NtOpenKey (0x80000000, {24, -2147481344, 0x640, 0, 0, (0x80000000, {24, -2147481344, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482132, ) }, ... -2147482132, ) == 0x0 03106 1972 NtQueryValueKey (-2147482132, (-2147482132, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03107 1972 NtClose (-2147482132, ... ) == 0x0 03108 1972 NtClose (-2147481344, ... ) == 0x0 03098 1972 NtQueryDefaultUILanguage ... ) == 0x0 03109 1972 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 796, {status=0x0, info=1}, ) }, 1, 96, ... 796, {status=0x0, info=1}, ) == 0x0 03110 1972 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 796, ... 800, ) == 0x0 03111 1972 NtMapViewOfSection (800, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8d10000), 0x0, 8462336, ) == 0x0 03112 1972 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03113 1972 NtAllocateVirtualMemory (-1, 17870848, 0, 4096, 4096, 260, ... 17870848, 4096, ) == 0x0 03114 1972 NtQueryDefaultLocale (1, 17881556, ... ) == 0x0 03115 1972 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03116 1972 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 17882592, 1179817, 17882316} (24, {128, 156, new_msg, 0, 2088850039, 17882592, 1179817, 17882316} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\34\3\0\0\377\377\377\377\0\0\0\0@ \364\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\341\20\1\0\0\0\0" ... {128, 156, reply, 0, 940, 1972, 58092, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\34\3\0\0\377\377\377\377\0\0\0\0@ \364\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\341\20\1\0\0\0\0" ) ... {128, 156, reply, 0, 940, 1972, 58092, 0} (24, {128, 156, new_msg, 0, 2088850039, 17882592, 1179817, 17882316} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\34\3\0\0\377\377\377\377\0\0\0\0@ \364\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\341\20\1\0\0\0\0" ... {128, 156, reply, 0, 940, 1972, 58092, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\34\3\0\0\377\377\377\377\0\0\0\0@ \364\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\341\20\1\0\0\0\0" ) ) == 0x0 03117 1972 NtClose (796, ... ) == 0x0 03118 1972 NtClose (800, ... ) == 0x0 03119 1972 NtUnmapViewOfSection (-1, 0x8d10000, ... ) == 0x0 03120 1972 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03121 1972 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03122 1972 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03123 1972 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03124 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 17880748, ... ) }, 17880748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03125 1972 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03126 1972 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03127 1972 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03128 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 17880812, ... ) }, 17880812, ... ) == 0x0 03129 1972 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 800, {status=0x0, info=1}, ) }, 3, 33, ... 800, {status=0x0, info=1}, ) == 0x0 03130 1972 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03131 1972 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 796, {status=0x0, info=1}, ) }, 5, 96, ... 796, {status=0x0, info=1}, ) == 0x0 03132 1972 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 796, ... 804, ) == 0x0 03133 1972 NtClose (796, ... ) == 0x0 03134 1972 NtMapViewOfSection (804, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8d10000), 0x0, 1056768, ) == 0x0 03135 1972 NtClose (804, ... ) == 0x0 03136 1972 NtUnmapViewOfSection (-1, 0x8d10000, ... ) == 0x0 03137 1972 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 804, {status=0x0, info=1}, ) }, 5, 96, ... 
804, {status=0x0, info=1}, ) == 0x0 03138 1972 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 804, ... 796, ) == 0x0 03139 1972 NtQuerySection (796, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03140 1972 NtClose (804, ... ) == 0x0 03141 1972 NtMapViewOfSection (796, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0 03142 1972 NtClose (796, ... ) == 0x0 03143 1972 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 03144 1972 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 03145 1972 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 03146 1972 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 03147 1972 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 03148 1972 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 03149 1972 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 03150 1972 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 03151 1972 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 03152 1972 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 03153 1972 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 03154 1972 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 03155 1972 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 03156 1972 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 03157 1972 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 03158 1972 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 03159 1972 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... 
(0x773d1000), 4096, 4, ) == 0x0 03160 1972 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 03161 1972 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 03162 1972 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 03163 1972 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 03164 1972 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03165 1972 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 17882292, ... ) , 42, 17882292, ... ) == 0x0 03166 1972 NtQueryDefaultUILanguage (17880976, ... 03167 1972 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03168 1972 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481344, ) == 0x0 03169 1972 NtQueryInformationToken (-2147481344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03170 1972 NtClose (-2147481344, ... ) == 0x0 03171 1972 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481344, ) }, ... -2147481344, ) == 0x0 03172 1972 NtOpenKey (0x80000000, {24, -2147481344, 0x240, 0, 0, (0x80000000, {24, -2147481344, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03173 1972 NtOpenKey (0x80000000, {24, -2147481344, 0x640, 0, 0, (0x80000000, {24, -2147481344, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482132, ) }, ... -2147482132, ) == 0x0 03174 1972 NtQueryValueKey (-2147482132, (-2147482132, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03175 1972 NtClose (-2147482132, ... ) == 0x0 03176 1972 NtClose (-2147481344, ... ) == 0x0 03166 1972 NtQueryDefaultUILanguage ... 
) == 0x0 03177 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 17879816, ... ) }, 17879816, ... ) == 0x0 03178 1972 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 796, {status=0x0, info=1}, ) }, 5, 96, ... 796, {status=0x0, info=1}, ) == 0x0 03179 1972 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 796, ... 804, ) == 0x0 03180 1972 NtClose (796, ... ) == 0x0 03181 1972 NtMapViewOfSection (804, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdd0000), 0x0, 4096, ) == 0x0 03182 1972 NtClose (804, ... ) == 0x0 03183 1972 NtUnmapViewOfSection (-1, 0xdd0000, ... ) == 0x0 03184 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 17879412, ... ) }, 17879412, ... ) == 0x0 03185 1972 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 17880156, (0x80100080, {24, 0, 0x40, 0, 17880156, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 804, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 804, {status=0x0, info=1}, ) == 0x0 03186 1972 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 804, ... 796, ) == 0x0 03187 1972 NtClose (804, ... ) == 0x0 03188 1972 NtMapViewOfSection (796, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xdd0000), {0, 0}, 4096, ) == 0x0 03189 1972 NtClose (796, ... ) == 0x0 03190 1972 NtUnmapViewOfSection (-1, 0xdd0000, ... ) == 0x0 03191 1972 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 796, {status=0x0, info=1}, ) }, 1, 96, ... 796, {status=0x0, info=1}, ) == 0x0 03192 1972 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 796, ... 804, ) == 0x0 03193 1972 NtMapViewOfSection (804, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xdd0000), 0x0, 4096, ) == 0x0 03194 1972 NtQueryInformationFile (796, 17879808, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 03195 1972 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03196 1972 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 17880108, 1179817, 17879832} (24, {128, 156, new_msg, 0, 2088850039, 17880108, 1179817, 17879832} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\34\3\0\0$\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0 \330\20\1\0\0\0\0" ... {128, 156, reply, 0, 940, 1972, 58093, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\34\3\0\0$\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0 \330\20\1\0\0\0\0" ) ... {128, 156, reply, 0, 940, 1972, 58093, 0} (24, {128, 156, new_msg, 0, 2088850039, 17880108, 1179817, 17879832} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\34\3\0\0$\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0 \330\20\1\0\0\0\0" ... {128, 156, reply, 0, 940, 1972, 58093, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\34\3\0\0$\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0 \330\20\1\0\0\0\0" ) ) == 0x0 03197 1972 NtClose (796, ... ) == 0x0 03198 1972 NtClose (804, ... ) == 0x0 03199 1972 NtUnmapViewOfSection (-1, 0xdd0000, ... ) == 0x0 03200 1972 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03201 1972 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 804, ) == 0x0 03202 1972 NtCallbackReturn (0, 0, 0, ... 
03203 1972 NtUserGetThreadState (18, ... ) == 0x1 03204 1972 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 03205 1972 NtUserSystemParametersInfo (104, 0, 2001084812, 0, ... ) == 0x1 03206 1972 NtUserGetDC (0, ... ) == 0x1010052 03207 1972 NtUserCallOneParam (16842834, 57, ... ) == 0x1 03208 1972 NtUserSystemParametersInfo (38, 4, 2001086940, 0, ... ) == 0x1 03209 1972 NtUserSystemParametersInfo (66, 12, 17881808, 0, ... ) == 0x1 03210 1972 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03211 1972 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 796, ) == 0x0 03212 1972 NtQueryInformationToken (796, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03213 1972 NtClose (796, ... ) == 0x0 03214 1972 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 796, ) }, ... 796, ) == 0x0 03215 1972 NtOpenProcessToken (-1, 0x8, ... 808, ) == 0x0 03216 1972 NtAccessCheck (1336312, 808, 0x1, 17881640, 17881692, 56, 17881672, ... ) == STATUS_NO_IMPERSONATION_TOKEN 03217 1972 NtClose (808, ... ) == 0x0 03218 1972 NtOpenKey (0x20019, {24, 796, 0x40, 0, 0, (0x20019, {24, 796, 0x40, 0, 0, "Control Panel\Desktop"}, ... 808, ) }, ... 808, ) == 0x0 03219 1972 NtQueryValueKey (808, (808, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03220 1972 NtClose (808, ... ) == 0x0 03221 1972 NtUserSystemParametersInfo (41, 500, 17881836, 0, ... ) == 0x1 03222 1972 NtOpenProcessToken (-1, 0x8, ... 808, ) == 0x0 03223 1972 NtAccessCheck (1336312, 808, 0x1, 17881640, 17881692, 56, 17881672, ... ) == STATUS_NO_IMPERSONATION_TOKEN 03224 1972 NtClose (808, ... ) == 0x0 03225 1972 NtOpenKey (0x20019, {24, 796, 0x40, 0, 0, (0x20019, {24, 796, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 808, ) }, ... 808, ) == 0x0 03226 1972 NtQueryValueKey (808, (808, "EnableBalloonTips", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03227 1972 NtClose (808, ... ) == 0x0 03228 1972 NtUserSystemParametersInfo (27, 0, 2001085788, 0, ... ) == 0x1 03229 1972 NtUserSystemParametersInfo (102, 0, 2001086828, 0, ... ) == 0x1 03230 1972 NtClose (796, ... ) == 0x0 03231 1972 NtUserSystemParametersInfo (4130, 0, 17882340, 0, ... ) == 0x1 03232 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 796, ) }, ... 796, ) == 0x0 03233 1972 NtEnumerateValueKey (796, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03234 1972 NtClose (796, ... ) == 0x0 03235 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03236 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c03b 03237 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c03d 03238 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03239 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c03f 03240 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03241 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c041 03242 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03243 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c043 03244 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c045 03245 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03246 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c047 03247 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... 
) == 0x10011 03248 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c049 03249 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03250 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c04b 03251 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03252 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c04d 03253 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03254 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c04f 03255 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c051 03256 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03257 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c053 03258 1972 NtUserFindExistingCursorIcon (17881584, 17881600, 17881648, ... ) == 0x10011 03259 1972 NtUserRegisterClassExWOW (17881528, 17881596, 17881612, 17881628, 0, 384, 0, ... ) == 0x8179c055 03260 1972 NtUserFindExistingCursorIcon (17881584, 17881600, 17881648, ... ) == 0x10011 03261 1972 NtUserRegisterClassExWOW (17881528, 17881596, 17881612, 17881628, 0, 384, 0, ... ) == 0x8179c057 03262 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03263 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c059 03264 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10013 03265 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c05b 03266 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03267 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... 
) == 0x8179c05d 03268 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03269 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c05f 03270 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03271 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c017 03272 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03273 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c019 03274 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10013 03275 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c018 03276 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03277 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c01a 03278 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03279 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c01c 03280 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03281 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c01e 03282 1972 NtUserFindExistingCursorIcon (17881580, 17881596, 17881644, ... ) == 0x10011 03283 1972 NtUserRegisterClassExWOW (17881580, 17881648, 17881664, 17881680, 0, 384, 0, ... ) == 0x8179c01b 03284 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03285 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... ) == 0x8179c068 03286 1972 NtUserFindExistingCursorIcon (17881588, 17881604, 17881652, ... ) == 0x10011 03287 1972 NtUserRegisterClassExWOW (17881532, 17881600, 17881616, 17881632, 0, 384, 0, ... 
) == 0x8179c06a 03288 1972 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03289 1972 NtCreateSemaphore (0x1f0003, {24, 44, 0x80, 1330488, 0, (0x1f0003, {24, 44, 0x80, 1330488, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 796, ) }, 0, 2147483647, ... 796, ) == STATUS_OBJECT_NAME_EXISTS 03290 1972 NtReleaseSemaphore (796, 1, ... 0, ) == 0x0 03291 1972 NtWaitForSingleObject (796, 0, {0, 0}, ... ) == 0x0 03292 1972 NtCreateKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 808, 2, ) }, 0, 0x0, 0, ... 808, 2, ) == 0x0 03293 1972 NtQueryValueKey (808, (808, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (808, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 03294 1972 NtClose (808, ... ) == 0x0 03295 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 17886532, ... ) }, 17886532, ... ) == 0x0 03296 1972 NtCreateKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 808, 2, ) }, 0, 0x0, 0, ... 808, 2, ) == 0x0 03297 1972 NtSetValueKey (808, (808, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... 
) , 0, 1, (808, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 162, ... ) == 0x0 03298 1972 NtClose (808, ... ) == 0x0 03299 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 17887224, ... ) }, 17887224, ... ) == 0x0 03300 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 17886432, ... ) }, 17886432, ... ) == 0x0 03301 1972 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 808, {status=0x0, info=1}, ) }, 7, 2113568, ... 808, {status=0x0, info=1}, ) == 0x0 03302 1972 NtSetInformationFile (808, 17886404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03303 1972 NtClose (808, ... ) == 0x0 03304 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\desktop.ini"}, 17886428, ... ) }, 17886428, ... ) == 0x0 03305 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 17887224, ... ) }, 17887224, ... ) == 0x0 03306 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 17886432, ... ) }, 17886432, ... 
) == 0x0 03307 1972 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 7, 2113568, ... 808, {status=0x0, info=1}, ) }, 7, 2113568, ... 808, {status=0x0, info=1}, ) == 0x0 03308 1972 NtSetInformationFile (808, 17886404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03309 1972 NtClose (808, ... ) == 0x0 03310 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 17886428, ... ) }, 17886428, ... ) == 0x0 03311 1972 NtQueryValueKey (792, (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03312 1972 NtQueryValueKey (792, (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03313 1972 NtQueryValueKey (792, (792, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (792, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) }, 16, ) == 0x0 03314 1972 NtOpenKey (0xf, {24, 788, 0x40, 0, 0, (0xf, {24, 788, 0x40, 0, 0, "Cookies"}, ... 808, ) }, ... 808, ) == 0x0 03315 1972 NtQueryValueKey (808, (808, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03316 1972 NtOpenKey (0xf, {24, 784, 0x40, 0, 0, (0xf, {24, 784, 0x40, 0, 0, "Cookies"}, ... 812, ) }, ... 812, ) == 0x0 03317 1972 NtQueryValueKey (812, (812, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (812, "PerUserItem", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03318 1972 NtClose (812, ... ) == 0x0 03319 1972 NtClose (808, ... ) == 0x0 03320 1972 NtClose (792, ... ) == 0x0 03321 1972 NtOpenKey (0xf, {24, 788, 0x40, 0, 0, (0xf, {24, 788, 0x40, 0, 0, "Cookies"}, ... 792, ) }, ... 792, ) == 0x0 03322 1972 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03323 1972 NtReleaseSemaphore (796, 1, ... 0, ) == 0x0 03324 1972 NtWaitForSingleObject (796, 0, {0, 0}, ... ) == 0x0 03325 1972 NtCreateKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 808, 2, ) }, 0, 0x0, 0, ... 808, 2, ) == 0x0 03326 1972 NtQueryValueKey (808, (808, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (808, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 03327 1972 NtClose (808, ... ) == 0x0 03328 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 17886532, ... ) }, 17886532, ... ) == 0x0 03329 1972 NtCreateKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 808, 2, ) }, 0, 0x0, 0, ... 808, 2, ) == 0x0 03330 1972 NtSetValueKey (808, (808, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 0, 1, (808, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 98, ... ) == 0x0 03331 1972 NtClose (808, ... 
) == 0x0 03332 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 17887224, ... ) }, 17887224, ... ) == 0x0 03333 1972 NtQueryValueKey (792, (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 03334 1972 NtQueryValueKey (792, (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 03335 1972 NtQueryValueKey (792, (792, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (792, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 03336 1972 NtOpenKey (0xf, {24, 788, 0x40, 0, 0, (0xf, {24, 788, 0x40, 0, 0, "History"}, ... 808, ) }, ... 808, ) == 0x0 03337 1972 NtQueryValueKey (808, (808, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03338 1972 NtOpenKey (0xf, {24, 784, 0x40, 0, 0, (0xf, {24, 784, 0x40, 0, 0, "History"}, ... 812, ) }, ... 812, ) == 0x0 03339 1972 NtQueryValueKey (812, (812, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (812, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03340 1972 NtClose (812, ... ) == 0x0 03341 1972 NtClose (808, ... ) == 0x0 03342 1972 NtClose (792, ... ) == 0x0 03343 1972 NtOpenKey (0xf, {24, 788, 0x40, 0, 0, (0xf, {24, 788, 0x40, 0, 0, "History"}, ... 792, ) }, ... 792, ) == 0x0 03344 1972 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 03345 1972 NtReleaseSemaphore (796, 1, ... 0, ) == 0x0 03346 1972 NtWaitForSingleObject (796, 0, {0, 0}, ... ) == 0x0 03347 1972 NtCreateKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 808, 2, ) }, 0, 0x0, 0, ... 808, 2, ) == 0x0 03348 1972 NtQueryValueKey (808, (808, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (808, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 03349 1972 NtClose (808, ... ) == 0x0 03350 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 17886532, ... ) }, 17886532, ... ) == 0x0 03351 1972 NtCreateKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 808, 2, ) }, 0, 0x0, 0, ... 808, 2, ) == 0x0 03352 1972 NtSetValueKey (808, (808, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 0, 1, (808, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 128, ... ) == 0x0 03353 1972 NtClose (808, ... ) == 0x0 03354 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 17887224, ... 
) }, 17887224, ... ) == 0x0 03355 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 17886432, ... ) }, 17886432, ... ) == 0x0 03356 1972 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 7, 2113568, ... 808, {status=0x0, info=1}, ) }, 7, 2113568, ... 808, {status=0x0, info=1}, ) == 0x0 03357 1972 NtSetInformationFile (808, 17886404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03358 1972 NtClose (808, ... ) == 0x0 03359 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\desktop.ini"}, 17886428, ... ) }, 17886428, ... ) == 0x0 03360 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 17887224, ... ) }, 17887224, ... ) == 0x0 03361 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 17886432, ... ) }, 17886432, ... ) == 0x0 03362 1972 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 7, 2113568, ... 808, {status=0x0, info=1}, ) }, 7, 2113568, ... 808, {status=0x0, info=1}, ) == 0x0 03363 1972 NtSetInformationFile (808, 17886404, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03364 1972 NtClose (808, ... ) == 0x0 03365 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 17886428, ... ) }, 17886428, ... ) == 0x0 03366 1972 NtQueryValueKey (792, (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 03367 1972 NtQueryValueKey (792, (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 03368 1972 NtQueryValueKey (792, (792, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (792, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 03369 1972 NtClose (792, ... ) == 0x0 03370 1972 NtClose (788, ... ) == 0x0 03371 1972 NtClose (784, ... ) == 0x0 03372 1972 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\_!MSFTHISTORY!_"}, ... 784, ) }, ... 784, ) == 0x0 03373 1972 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!temporary internet files!content.ie5!"}, ... 788, ) }, ... 788, ) == 0x0 03374 1972 NtWaitForSingleObject (788, 0, 0x0, ... ) == 0x0 03375 1972 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 03376 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 17888532, ... ) }, 17888532, ... ) == 0x0 03377 1972 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 792, {status=0x0, info=1}, ) }, 7, 2113568, ... 792, {status=0x0, info=1}, ) == 0x0 03378 1972 NtSetInformationFile (792, 17888508, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03379 1972 NtClose (792, ... 
) == 0x0 03380 1972 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 17888448, (0xc0100080, {24, 0, 0x40, 0, 17888448, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 792, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 792, {status=0x0, info=1}, ) == 0x0 03381 1972 NtSetInformationFile (792, 17888500, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03382 1972 NtQueryInformationFile (792, 17888500, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03383 1972 NtOpenSection (0x2, {24, 44, 0x0, 0, 0, (0x2, {24, 44, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_Temporary Internet Files_Content.IE5_index.dat_802816"}, ... 808, ) }, ... 808, ) == 0x0 03384 1972 NtMapViewOfSection (808, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8d10000), {0, 0}, 802816, ) == 0x0 03385 1972 NtReleaseMutant (788, ... 0x0, ) == 0x0 03386 1972 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!cookies!"}, ... 812, ) }, ... 812, ) == 0x0 03387 1972 NtWaitForSingleObject (812, 0, 0x0, ... ) == 0x0 03388 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 17888532, ... ) }, 17888532, ... ) == 0x0 03389 1972 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 7, 2113568, ... 816, {status=0x0, info=1}, ) }, 7, 2113568, ... 816, {status=0x0, info=1}, ) == 0x0 03390 1972 NtSetInformationFile (816, 17888508, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03391 1972 NtClose (816, ... ) == 0x0 03392 1972 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 17888448, (0xc0100080, {24, 0, 0x40, 0, 17888448, "\??\C:\Documents and Settings\Martim Carbone\Cookies\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 
816, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 816, {status=0x0, info=1}, ) == 0x0 03393 1972 NtSetInformationFile (816, 17888500, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03394 1972 NtQueryInformationFile (816, 17888500, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03395 1972 NtOpenSection (0x2, {24, 44, 0x0, 0, 0, (0x2, {24, 44, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Cookies_index.dat_32768"}, ... 820, ) }, ... 820, ) == 0x0 03396 1972 NtMapViewOfSection (820, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xdd0000), {0, 0}, 32768, ) == 0x0 03397 1972 NtReleaseMutant (812, ... 0x0, ) == 0x0 03398 1972 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!history!history.ie5!"}, ... 824, ) }, ... 824, ) == 0x0 03399 1972 NtWaitForSingleObject (824, 0, 0x0, ... ) == 0x0 03400 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 17888532, ... ) }, 17888532, ... ) == 0x0 03401 1972 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 828, {status=0x0, info=1}, ) }, 7, 2113568, ... 828, {status=0x0, info=1}, ) == 0x0 03402 1972 NtSetInformationFile (828, 17888508, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03403 1972 NtClose (828, ... ) == 0x0 03404 1972 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 17888448, (0xc0100080, {24, 0, 0x40, 0, 17888448, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 828, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 828, {status=0x0, info=1}, ) == 0x0 03405 1972 NtSetInformationFile (828, 17888500, 40, Basic, ... 
{status=0x0, info=0}, ) == 0x0 03406 1972 NtQueryInformationFile (828, 17888500, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03407 1972 NtOpenSection (0x2, {24, 44, 0x0, 0, 0, (0x2, {24, 44, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_History_History.IE5_index.dat_81920"}, ... 832, ) }, ... 832, ) == 0x0 03408 1972 NtMapViewOfSection (832, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xdf0000), {0, 0}, 81920, ) == 0x0 03409 1972 NtReleaseMutant (824, ... 0x0, ) == 0x0 03410 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 17888108, ... ) }, 17888108, ... ) == 0x0 03411 1972 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 836, {status=0x0, info=1}, ) }, 7, 2113568, ... 836, {status=0x0, info=1}, ) == 0x0 03412 1972 NtSetInformationFile (836, 17888080, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03413 1972 NtClose (836, ... ) == 0x0 03414 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 17888104, ... ) }, 17888104, ... ) == 0x0 03415 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 17888108, ... ) }, 17888108, ... ) == 0x0 03416 1972 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 836, {status=0x0, info=1}, ) }, 7, 2113568, ... 836, {status=0x0, info=1}, ) == 0x0 03417 1972 NtSetInformationFile (836, 17888080, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 03418 1972 NtClose (836, ... 
) == 0x0 03419 1972 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 17888104, ... ) }, 17888104, ... ) == 0x0 03420 1972 NtWaitForSingleObject (788, 0, 0x0, ... ) == 0x0 03421 1972 NtReleaseMutant (788, ... 0x0, ) == 0x0 03422 1972 NtOpenKey (0xf, {24, 100, 0x40, 0, 0, (0xf, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 836, ) }, ... 836, ) == 0x0 03423 1972 NtOpenKey (0xf, {24, 836, 0x40, 0, 0, (0xf, {24, 836, 0x40, 0, 0, "Extensible Cache"}, ... 840, ) }, ... 840, ) == 0x0 03424 1972 NtClose (836, ... ) == 0x0 03425 1972 NtWaitForSingleObject (784, 0, {-600000000, -1}, ... ) == 0x0 03426 1972 NtEnumerateKey (840, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name= (840, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name="feedplat"}, 32, ) }, 32, ) == 0x0 03427 1972 NtOpenKey (0xf, {24, 840, 0x40, 0, 0, (0xf, {24, 840, 0x40, 0, 0, "feedplat"}, ... 836, ) }, ... 836, ) == 0x0 03428 1972 NtQueryValueKey (836, (836, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03429 1972 NtQueryValueKey (836, (836, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03430 1972 NtQueryValueKey (836, (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (836, "CachePath", Partial, 148, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 03431 1972 NtQueryValueKey (836, (836, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03432 1972 NtQueryValueKey (836, (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 03433 1972 NtQueryValueKey (836, (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0 03434 1972 NtQueryValueKey (836, (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0 03435 1972 NtQueryValueKey (836, (836, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 03436 1972 NtQueryValueKey (836, (836, "CacheOptions", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03437 1972 NtClose (836, ... ) == 0x0 03438 1972 NtEnumerateKey (840, 1, Basic, 288, ... {LastWrite={0x3124e1e0,0x1c877f6}, TitleIdx=0, Name= (840, 1, Basic, 288, ... {LastWrite={0x3124e1e0,0x1c877f6}, TitleIdx=0, Name="MSHist012008022520080226"}, 64, ) }, 64, ) == 0x0 03439 1972 NtOpenKey (0xf, {24, 840, 0x40, 0, 0, (0xf, {24, 840, 0x40, 0, 0, "MSHist012008022520080226"}, ... 836, ) }, ... 836, ) == 0x0 03440 1972 NtQueryValueKey (836, (836, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03441 1972 NtQueryValueKey (836, (836, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03442 1972 NtQueryValueKey (836, (836, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (836, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) }, 160, ) == 0x0 03443 1972 NtQueryValueKey (836, (836, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03444 1972 NtQueryValueKey (836, (836, "CachePath", Partial, 160, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (836, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) }, 160, ) == 0x0 03445 1972 NtQueryValueKey (836, (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 03446 1972 NtQueryValueKey (836, (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 03447 1972 NtQueryValueKey (836, (836, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 03448 1972 NtQueryValueKey (836, (836, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 03449 1972 NtClose (836, ... ) == 0x0 03450 1972 NtEnumerateKey (840, 2, Basic, 288, ... 
{LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name= (840, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name="UserData"}, 32, ) }, 32, ) == 0x0 03451 1972 NtOpenKey (0xf, {24, 840, 0x40, 0, 0, (0xf, {24, 840, 0x40, 0, 0, "UserData"}, ... 836, ) }, ... 836, ) == 0x0 03452 1972 NtQueryValueKey (836, (836, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03453 1972 NtQueryValueKey (836, (836, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03454 1972 NtQueryValueKey (836, (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0 03455 1972 NtQueryValueKey (836, (836, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03456 1972 NtQueryValueKey (836, (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (836, "CachePath", Partial, 148, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0 03457 1972 NtQueryValueKey (836, (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0 03458 1972 NtQueryValueKey (836, (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0 03459 1972 NtQueryValueKey (836, (836, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) }, 16, ) == 0x0 03460 1972 NtQueryValueKey (836, (836, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) }, 16, ) == 0x0 03461 1972 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 03462 1972 NtClose (836, ... ) == 0x0 03463 1972 NtEnumerateKey (840, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 03464 1972 NtReleaseMutant (784, ... 0x0, ) == 0x0 03465 1972 NtClose (840, ... ) == 0x0 03466 1972 NtWaitForSingleObject (788, 0, 0x0, ... ) == 0x0 03467 1972 NtReleaseMutant (788, ... 0x0, ) == 0x0 03468 1972 NtWaitForSingleObject (788, 0, 0x0, ... ) == 0x0 03469 1972 NtReleaseMutant (788, ... 
0x0, ) == 0x0 03470 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03471 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03472 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03473 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03474 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03475 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03476 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03477 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 840, ) }, ... 840, ) == 0x0 03478 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03479 1972 NtOpenKey (0x1, {24, 840, 0x40, 0, 0, (0x1, {24, 840, 0x40, 0, 0, "RETRY_HEADERONLYPOST_ONCONNECTIONRESET"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03480 1972 NtClose (840, ... 
) == 0x0 03481 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03482 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03483 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 840, ) }, ... 840, ) == 0x0 03484 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03485 1972 NtOpenKey (0x1, {24, 840, 0x40, 0, 0, (0x1, {24, 840, 0x40, 0, 0, "FEATURE_BUFFERBREAKING_818408"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03486 1972 NtClose (840, ... ) == 0x0 03487 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03488 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03489 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 840, ) }, ... 840, ) == 0x0 03490 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03491 1972 NtOpenKey (0x1, {24, 840, 0x40, 0, 0, (0x1, {24, 840, 0x40, 0, 0, "FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03492 1972 NtClose (840, ... 
) == 0x0 03493 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03494 1972 NtQueryValueKey (96, (96, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03495 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0 03496 1972 NtQueryValueKey (840, (840, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03497 1972 NtClose (840, ... ) == 0x0 03498 1972 NtQueryValueKey (96, (96, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03499 1972 NtQueryValueKey (96, (96, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03500 1972 NtQueryValueKey (96, (96, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03501 1972 NtQueryValueKey (96, (96, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03502 1972 NtQueryValueKey (96, (96, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03503 1972 NtQueryValueKey (96, (96, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03504 1972 NtQueryValueKey (96, (96, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03505 1972 NtQueryValueKey (96, (96, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03506 1972 NtQueryValueKey (96, (96, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03507 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0 03508 1972 NtQueryValueKey (840, (840, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03509 1972 NtClose (840, ... ) == 0x0 03510 1972 NtQueryValueKey (96, (96, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03511 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0 03512 1972 NtQueryValueKey (840, (840, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03513 1972 NtClose (840, ... ) == 0x0 03514 1972 NtQueryValueKey (96, (96, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03515 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0 03516 1972 NtQueryValueKey (840, (840, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03517 1972 NtClose (840, ... ) == 0x0 03518 1972 NtQueryValueKey (96, (96, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03519 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0 03520 1972 NtQueryValueKey (840, (840, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03521 1972 NtClose (840, ... ) == 0x0 03522 1972 NtQueryValueKey (96, (96, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03523 1972 NtQueryValueKey (96, (96, "ScavengeCacheLowerBound", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03524 1972 NtQueryValueKey (96, (96, "CertCacheNoValidate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03525 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 840, ) }, ... 840, ) == 0x0 03526 1972 NtQueryValueKey (840, (840, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03527 1972 NtClose (840, ... ) == 0x0 03528 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03529 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03530 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03531 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 840, ) }, ... 840, ) == 0x0 03532 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 836, ) }, ... 836, ) == 0x0 03533 1972 NtQueryValueKey (836, (836, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03534 1972 NtQueryValueKey (840, (840, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03535 1972 NtClose (840, ... ) == 0x0 03536 1972 NtClose (836, ... 
) == 0x0 03537 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03538 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03539 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 836, ) }, ... 836, ) == 0x0 03540 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03541 1972 NtOpenKey (0x1, {24, 836, 0x40, 0, 0, (0x1, {24, 836, 0x40, 0, 0, "FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03542 1972 NtClose (836, ... ) == 0x0 03543 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03544 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03545 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 836, ) }, ... 836, ) == 0x0 03546 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03547 1972 NtOpenKey (0x1, {24, 836, 0x40, 0, 0, (0x1, {24, 836, 0x40, 0, 0, "FEATURE_USE_CNAME_FOR_SPN_KB911149"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03548 1972 NtClose (836, ... ) == 0x0 03549 1972 NtQueryValueKey (96, (96, "HttpDefaultExpiryTimeSecs", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03550 1972 NtQueryValueKey (96, (96, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03551 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03552 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03553 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 836, ) }, ... 836, ) == 0x0 03554 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03555 1972 NtOpenKey (0x1, {24, 836, 0x40, 0, 0, (0x1, {24, 836, 0x40, 0, 0, "FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03556 1972 NtClose (836, ... ) == 0x0 03557 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03558 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03559 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 836, ) }, ... 836, ) == 0x0 03560 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03561 1972 NtOpenKey (0x1, {24, 836, 0x40, 0, 0, (0x1, {24, 836, 0x40, 0, 0, "FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"}, ... 840, ) }, ... 840, ) == 0x0 03562 1972 NtQueryValueKey (840, (840, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03563 1972 NtQueryValueKey (840, (840, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03564 1972 NtClose (840, ... ) == 0x0 03565 1972 NtClose (836, ... ) == 0x0 03566 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03567 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03568 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 836, ) }, ... 836, ) == 0x0 03569 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03570 1972 NtOpenKey (0x1, {24, 836, 0x40, 0, 0, (0x1, {24, 836, 0x40, 0, 0, "FEATURE_DIGEST_NO_EXTRAS_IN_URI"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03571 1972 NtClose (836, ... ) == 0x0 03572 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0 03573 1972 NtQueryValueKey (836, (836, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03574 1972 NtClose (836, ... 
) == 0x0 03575 1972 NtQueryValueKey (96, (96, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03576 1972 NtQueryValueKey (96, (96, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03577 1972 NtQueryValueKey (96, (96, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03578 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0 03579 1972 NtQueryValueKey (836, (836, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03580 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0 03581 1972 NtQueryValueKey (840, (840, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03582 1972 NtClose (836, ... ) == 0x0 03583 1972 NtClose (840, ... ) == 0x0 03584 1972 NtQueryValueKey (96, (96, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03585 1972 NtQueryValueKey (96, (96, "BypassFtpTimeCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03586 1972 NtQueryValueKey (96, (96, "ReleaseSocketDuringAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03587 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0 03588 1972 NtQueryValueKey (840, (840, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03589 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 
836, ) == 0x0 03590 1972 NtQueryValueKey (836, (836, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03591 1972 NtClose (840, ... ) == 0x0 03592 1972 NtClose (836, ... ) == 0x0 03593 1972 NtQueryValueKey (96, (96, "WpadSearchAllDomains", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03594 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0 03595 1972 NtQueryValueKey (836, (836, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03596 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0 03597 1972 NtQueryValueKey (840, (840, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03598 1972 NtClose (836, ... ) == 0x0 03599 1972 NtClose (840, ... ) == 0x0 03600 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0 03601 1972 NtQueryValueKey (840, (840, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03602 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0 03603 1972 NtQueryValueKey (836, (836, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03604 1972 NtClose (840, ... ) == 0x0 03605 1972 NtClose (836, ... ) == 0x0 03606 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 
836, ) == 0x0 03607 1972 NtQueryValueKey (836, (836, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03608 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0 03609 1972 NtQueryValueKey (840, (840, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03610 1972 NtClose (836, ... ) == 0x0 03611 1972 NtClose (840, ... ) == 0x0 03612 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0 03613 1972 NtQueryValueKey (840, (840, "EnableHttpTrace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03614 1972 NtClose (840, ... ) == 0x0 03615 1972 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0 03616 1972 NtQueryValueKey (840, (840, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03617 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0 03618 1972 NtQueryValueKey (836, (836, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03619 1972 NtClose (840, ... ) == 0x0 03620 1972 NtClose (836, ... ) == 0x0 03621 1972 NtQueryValueKey (96, (96, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03622 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0 03623 1972 NtQueryValueKey (836, (836, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03624 1972 NtClose (836, ... ) == 0x0 03625 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0 03626 1972 NtQueryValueKey (836, (836, "ShareCredsWithWinHttp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03627 1972 NtClose (836, ... ) == 0x0 03628 1972 NtQueryValueKey (96, (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 03629 1972 NtQueryValueKey (96, (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 03630 1972 NtQueryValueKey (96, (96, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 03631 1972 NtQueryValueKey (96, (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 03632 1972 NtQueryValueKey (96, (96, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03633 1972 NtQueryValueKey (96, (96, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03634 1972 NtQueryValueKey (96, (96, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03635 1972 NtQueryValueKey (96, (96, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03636 1972 NtQueryValueKey (96, (96, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (96, "WarnOnPost", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03637 1972 NtQueryValueKey (96, (96, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03638 1972 NtQueryValueKey (96, (96, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03639 1972 NtQueryValueKey (96, (96, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03640 1972 NtQueryValueKey (96, (96, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03641 1972 NtQueryValueKey (96, (96, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03642 1972 NtQueryValueKey (96, (96, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03643 1972 NtQueryValueKey (96, (96, "WarnOnHTTPSToHTTPRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03644 1972 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\WininetStartupMutex"}, ... 836, ) }, ... 836, ) == 0x0 03645 1972 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 840, ) == 0x0 03646 1972 NtQueryValueKey (96, (96, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03647 1972 NtWaitForSingleObject (788, 0, 0x0, ... ) == 0x0 03648 1972 NtReleaseMutant (788, ... 0x0, ) == 0x0 03649 1972 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\WininetConnectionMutex"}, ... 844, ) }, ... 
844, ) == 0x0 03650 1972 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\WininetProxyRegistryMutex"}, ... 848, ) }, ... 848, ) == 0x0 03651 1972 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 852, ) == 0x0 03652 1972 NtQueryValueKey (96, (96, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03653 1972 NtQueryValueKey (96, (96, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03654 1972 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 856, ) == 0x0 03655 1972 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 860, ) }, ... 860, ) == 0x0 03656 1972 NtQueryValueKey (860, (860, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (860, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 03657 1972 NtQueryValueKey (860, (860, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (860, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 03658 1972 NtClose (860, ... ) == 0x0 03659 1972 NtQueryValueKey (96, (96, "TruncateFileName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03660 1972 NtQueryValueKey (96, (96, "BadProxyExpiresTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03661 1972 NtSetEventBoostPriority (216, ... 
01259 1664 NtWaitForSingleObject ... ) == 0x0 03662 1664 NtSetEventBoostPriority (216, ... 01265 1516 NtWaitForSingleObject ... ) == 0x0 03663 1516 NtSetEventBoostPriority (216, ... 01268 808 NtWaitForSingleObject ... ) == 0x0 03664 808 NtSetEventBoostPriority (216, ... 01350 464 NtWaitForSingleObject ... ) == 0x0 03665 464 NtSetEventBoostPriority (216, ... 01380 860 NtWaitForSingleObject ... ) == 0x0 03666 860 NtSetEventBoostPriority (216, ... 01396 484 NtWaitForSingleObject ... ) == 0x0 03667 484 NtSetEventBoostPriority (216, ... 01402 748 NtWaitForSingleObject ... ) == 0x0 03668 748 NtSetEventBoostPriority (216, ... 01422 1580 NtWaitForSingleObject ... ) == 0x0 03669 1580 NtSetEventBoostPriority (216, ... 01444 1756 NtWaitForSingleObject ... ) == 0x0 03670 1756 NtSetEventBoostPriority (216, ... ) == 0x0 03669 1580 NtSetEventBoostPriority ... ) == 0x0 03668 748 NtSetEventBoostPriority ... ) == 0x0 03667 484 NtSetEventBoostPriority ... ) == 0x0 03666 860 NtSetEventBoostPriority ... ) == 0x0 03665 464 NtSetEventBoostPriority ... ) == 0x0 03662 1664 NtSetEventBoostPriority ... ) == 0x0 03664 808 NtSetEventBoostPriority ... ) == 0x0 03663 1516 NtSetEventBoostPriority ... ) == 0x0 03661 1972 NtSetEventBoostPriority ... ) == 0x0 01452 1292 NtWaitForSingleObject ... ) == 0x0 03671 1756 NtWaitForSingleObject (848, 0, 0x0, ... 03672 1580 NtWaitForSingleObject (848, 0, 0x0, ... 03673 748 NtWaitForSingleObject (848, 0, 0x0, ... 03674 484 NtWaitForSingleObject (848, 0, 0x0, ... 03675 860 NtWaitForSingleObject (848, 0, 0x0, ... 03676 464 NtWaitForSingleObject (848, 0, 0x0, ... 03677 808 NtWaitForSingleObject (848, 0, 0x0, ... 03678 1516 NtWaitForSingleObject (848, 0, 0x0, ... 03679 1972 NtWaitForSingleObject (848, 0, 0x0, ... 03680 1292 NtSetEventBoostPriority (216, ... 03671 1756 NtWaitForSingleObject ... ) == 0x0 03681 1664 NtWaitForSingleObject (848, 0, 0x0, ... 01535 1480 NtWaitForSingleObject ... ) == 0x0 03680 1292 NtSetEventBoostPriority ... 
) == 0x0 03682 1756 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 03683 1480 NtSetEventBoostPriority (216, ... 03684 1292 NtWaitForSingleObject (848, 0, 0x0, ... 01562 1556 NtWaitForSingleObject ... ) == 0x0 03683 1480 NtSetEventBoostPriority ... ) == 0x0 03682 1756 NtCreateEvent ... 860, ) == 0x0 03685 1556 NtSetEventBoostPriority (216, ... 01570 460 NtWaitForSingleObject ... ) == 0x0 03686 460 NtSetEventBoostPriority (216, ... 01598 1068 NtWaitForSingleObject ... ) == 0x0 03687 1068 NtSetEventBoostPriority (216, ... 01606 1856 NtWaitForSingleObject ... ) == 0x0 03688 1856 NtSetEventBoostPriority (216, ... 01634 1596 NtWaitForSingleObject ... ) == 0x0 03689 1596 NtSetEventBoostPriority (216, ... 01636 1128 NtWaitForSingleObject ... ) == 0x0 03690 1128 NtSetEventBoostPriority (216, ... 01672 220 NtWaitForSingleObject ... ) == 0x0 03691 220 NtSetEventBoostPriority (216, ... 01688 1800 NtWaitForSingleObject ... ) == 0x0 03692 1800 NtSetEventBoostPriority (216, ... 01696 1796 NtWaitForSingleObject ... ) == 0x0 03693 1796 NtSetEventBoostPriority (216, ... 01721 1808 NtWaitForSingleObject ... ) == 0x0 03694 1808 NtSetEventBoostPriority (216, ... 01729 1700 NtWaitForSingleObject ... ) == 0x0 03695 1700 NtSetEventBoostPriority (216, ... 01750 1156 NtWaitForSingleObject ... ) == 0x0 03696 1156 NtSetEventBoostPriority (216, ... 01774 712 NtWaitForSingleObject ... ) == 0x0 03697 712 NtSetEventBoostPriority (216, ... 01795 1728 NtWaitForSingleObject ... ) == 0x0 03698 1728 NtSetEventBoostPriority (216, ... 01820 1356 NtWaitForSingleObject ... ) == 0x0 03699 1356 NtSetEventBoostPriority (216, ... 01839 1536 NtWaitForSingleObject ... ) == 0x0 03700 1536 NtSetEventBoostPriority (216, ... 01864 444 NtWaitForSingleObject ... ) == 0x0 03701 444 NtSetEventBoostPriority (216, ... 01883 1904 NtWaitForSingleObject ... ) == 0x0 03702 1904 NtSetEventBoostPriority (216, ... 01896 1936 NtWaitForSingleObject ... ) == 0x0 03703 1936 NtSetEventBoostPriority (216, ... 
02913 1036 NtWaitForSingleObject ... ) == 0x0 03704 1036 NtSetEventBoostPriority (216, ... 02914 1248 NtWaitForSingleObject ... ) == 0x0 03705 1248 NtSetEventBoostPriority (216, ... 02915 1656 NtWaitForSingleObject ... ) == 0x0 03706 1656 NtSetEventBoostPriority (216, ... 02916 1740 NtWaitForSingleObject ... ) == 0x0 03707 1740 NtSetEventBoostPriority (216, ... 02917 928 NtWaitForSingleObject ... ) == 0x0 03708 928 NtSetEventBoostPriority (216, ... 02918 1784 NtWaitForSingleObject ... ) == 0x0 03709 1784 NtSetEventBoostPriority (216, ... 02919 1980 NtWaitForSingleObject ... ) == 0x0 03710 1980 NtSetEventBoostPriority (216, ... 02920 1956 NtWaitForSingleObject ... ) == 0x0 03711 1956 NtSetEventBoostPriority (216, ... 02921 1648 NtWaitForSingleObject ... ) == 0x0 03712 1648 NtSetEventBoostPriority (216, ... 02922 148 NtWaitForSingleObject ... ) == 0x0 03713 148 NtSetEventBoostPriority (216, ... 02923 1828 NtWaitForSingleObject ... ) == 0x0 03714 1828 NtSetEventBoostPriority (216, ... 02924 1864 NtWaitForSingleObject ... ) == 0x0 03715 1864 NtSetEventBoostPriority (216, ... 02925 1896 NtWaitForSingleObject ... ) == 0x0 03716 1896 NtSetEventBoostPriority (216, ... 02926 1524 NtWaitForSingleObject ... ) == 0x0 03717 1524 NtSetEventBoostPriority (216, ... 02927 1944 NtWaitForSingleObject ... ) == 0x0 03718 1944 NtSetEventBoostPriority (216, ... 02928 2044 NtWaitForSingleObject ... ) == 0x0 03719 2044 NtSetEventBoostPriority (216, ... 02929 240 NtWaitForSingleObject ... ) == 0x0 03720 240 NtSetEventBoostPriority (216, ... 02930 968 NtWaitForSingleObject ... ) == 0x0 03721 968 NtSetEventBoostPriority (216, ... 02931 308 NtWaitForSingleObject ... ) == 0x0 03722 308 NtSetEventBoostPriority (216, ... 02932 764 NtWaitForSingleObject ... ) == 0x0 03723 764 NtSetEventBoostPriority (216, ... 02933 2000 NtWaitForSingleObject ... ) == 0x0 03724 2000 NtSetEventBoostPriority (216, ... 02934 1852 NtWaitForSingleObject ... ) == 0x0 03725 1852 NtSetEventBoostPriority (216, ... 
02935 1420 NtWaitForSingleObject ... ) == 0x0 03726 1420 NtSetEventBoostPriority (216, ... 02936 164 NtWaitForSingleObject ... ) == 0x0 03727 164 NtSetEventBoostPriority (216, ... 02937 1564 NtWaitForSingleObject ... ) == 0x0 03728 1564 NtSetEventBoostPriority (216, ... 02938 1592 NtWaitForSingleObject ... ) == 0x0 03729 1592 NtSetEventBoostPriority (216, ... 02939 2032 NtWaitForSingleObject ... ) == 0x0 03730 2032 NtSetEventBoostPriority (216, ... 02940 1500 NtWaitForSingleObject ... ) == 0x0 03731 1500 NtSetEventBoostPriority (216, ... 02941 932 NtWaitForSingleObject ... ) == 0x0 03732 932 NtSetEventBoostPriority (216, ... 02942 1528 NtWaitForSingleObject ... ) == 0x0 03733 1528 NtSetEventBoostPriority (216, ... 02943 1780 NtWaitForSingleObject ... ) == 0x0 03734 1780 NtSetEventBoostPriority (216, ... 02944 1804 NtWaitForSingleObject ... ) == 0x0 03735 1804 NtSetEventBoostPriority (216, ... 02945 1644 NtWaitForSingleObject ... ) == 0x0 03736 1644 NtSetEventBoostPriority (216, ... 02946 336 NtWaitForSingleObject ... ) == 0x0 03737 336 NtSetEventBoostPriority (216, ... 02947 800 NtWaitForSingleObject ... ) == 0x0 03738 800 NtSetEventBoostPriority (216, ... 02948 504 NtWaitForSingleObject ... ) == 0x0 03739 504 NtSetEventBoostPriority (216, ... 02949 888 NtWaitForSingleObject ... ) == 0x0 03740 888 NtSetEventBoostPriority (216, ... 02950 1392 NtWaitForSingleObject ... ) == 0x0 03741 1392 NtSetEventBoostPriority (216, ... 02951 2020 NtWaitForSingleObject ... ) == 0x0 03742 2020 NtSetEventBoostPriority (216, ... 02952 740 NtWaitForSingleObject ... ) == 0x0 03743 740 NtSetEventBoostPriority (216, ... 02953 1676 NtWaitForSingleObject ... ) == 0x0 03744 1676 NtSetEventBoostPriority (216, ... 02954 496 NtWaitForSingleObject ... ) == 0x0 03745 496 NtSetEventBoostPriority (216, ... 02955 1020 NtWaitForSingleObject ... ) == 0x0 03746 1020 NtSetEventBoostPriority (216, ... 02956 432 NtWaitForSingleObject ... ) == 0x0 03747 432 NtSetEventBoostPriority (216, ... 
02957 1332 NtWaitForSingleObject ... ) == 0x0 03748 1332 NtSetEventBoostPriority (216, ... 02958 1328 NtWaitForSingleObject ... ) == 0x0 03749 1328 NtSetEventBoostPriority (216, ... 02959 752 NtWaitForSingleObject ... ) == 0x0 03750 752 NtSetEventBoostPriority (216, ... 02960 120 NtWaitForSingleObject ... ) == 0x0 03751 120 NtSetEventBoostPriority (216, ... 02961 1732 NtWaitForSingleObject ... ) == 0x0 03752 1732 NtSetEventBoostPriority (216, ... 02962 188 NtWaitForSingleObject ... ) == 0x0 03753 188 NtSetEventBoostPriority (216, ... 02963 1636 NtWaitForSingleObject ... ) == 0x0 03754 1636 NtSetEventBoostPriority (216, ... 02964 624 NtWaitForSingleObject ... ) == 0x0 03755 624 NtSetEventBoostPriority (216, ... 02965 1948 NtWaitForSingleObject ... ) == 0x0 03756 1948 NtSetEventBoostPriority (216, ... 02966 988 NtWaitForSingleObject ... ) == 0x0 03757 988 NtSetEventBoostPriority (216, ... 02967 468 NtWaitForSingleObject ... ) == 0x0 03758 468 NtSetEventBoostPriority (216, ... 02968 380 NtWaitForSingleObject ... ) == 0x0 03759 380 NtSetEventBoostPriority (216, ... 02969 1692 NtWaitForSingleObject ... ) == 0x0 03760 1692 NtSetEventBoostPriority (216, ... 02970 1792 NtWaitForSingleObject ... ) == 0x0 03761 1792 NtSetEventBoostPriority (216, ... 02971 784 NtWaitForSingleObject ... ) == 0x0 03762 784 NtSetEventBoostPriority (216, ... 02972 1520 NtWaitForSingleObject ... ) == 0x0 03763 1520 NtSetEventBoostPriority (216, ... 02973 1696 NtWaitForSingleObject ... ) == 0x0 03764 1696 NtSetEventBoostPriority (216, ... 02974 1744 NtWaitForSingleObject ... ) == 0x0 03765 1744 NtSetEventBoostPriority (216, ... 02975 1124 NtWaitForSingleObject ... ) == 0x0 03766 1124 NtSetEventBoostPriority (216, ... 02976 1496 NtWaitForSingleObject ... ) == 0x0 03767 1496 NtSetEventBoostPriority (216, ... 02977 168 NtWaitForSingleObject ... ) == 0x0 03768 168 NtSetEventBoostPriority (216, ... 02978 1284 NtWaitForSingleObject ... ) == 0x0 03769 1284 NtSetEventBoostPriority (216, ... 
02979 1268 NtWaitForSingleObject ... ) == 0x0 03770 1268 NtSetEventBoostPriority (216, ... 02980 840 NtWaitForSingleObject ... ) == 0x0 03771 840 NtSetEventBoostPriority (216, ... 02981 1336 NtWaitForSingleObject ... ) == 0x0 03772 1336 NtSetEventBoostPriority (216, ... 02982 1200 NtWaitForSingleObject ... ) == 0x0 03773 1200 NtSetEventBoostPriority (216, ... 02983 1920 NtWaitForSingleObject ... ) == 0x0 03774 1920 NtSetEventBoostPriority (216, ... 02984 896 NtWaitForSingleObject ... ) == 0x0 03775 896 NtSetEventBoostPriority (216, ... 02985 2016 NtWaitForSingleObject ... ) == 0x0 03776 2016 NtSetEventBoostPriority (216, ... 02986 2012 NtWaitForSingleObject ... ) == 0x0 03777 2012 NtSetEventBoostPriority (216, ... 02987 1604 NtWaitForSingleObject ... ) == 0x0 03778 1604 NtSetEventBoostPriority (216, ... 02988 1572 NtWaitForSingleObject ... ) == 0x0 03779 1572 NtSetEventBoostPriority (216, ... 02989 596 NtWaitForSingleObject ... ) == 0x0 03780 596 NtSetEventBoostPriority (216, ... 02990 376 NtWaitForSingleObject ... ) == 0x0 03781 376 NtSetEventBoostPriority (216, ... 02991 1168 NtWaitForSingleObject ... ) == 0x0 03782 1168 NtSetEventBoostPriority (216, ... 02992 428 NtWaitForSingleObject ... ) == 0x0 03783 428 NtSetEventBoostPriority (216, ... 02993 1344 NtWaitForSingleObject ... ) == 0x0 03784 1344 NtSetEventBoostPriority (216, ... 02994 1300 NtWaitForSingleObject ... ) == 0x0 03785 1300 NtSetEventBoostPriority (216, ... 02995 1096 NtWaitForSingleObject ... ) == 0x0 03786 1096 NtSetEventBoostPriority (216, ... 02996 252 NtWaitForSingleObject ... ) == 0x0 03787 252 NtSetEventBoostPriority (216, ... 02997 500 NtWaitForSingleObject ... ) == 0x0 03788 500 NtSetEventBoostPriority (216, ... 02998 1132 NtWaitForSingleObject ... ) == 0x0 03789 1132 NtSetEventBoostPriority (216, ... 02999 1024 NtWaitForSingleObject ... ) == 0x0 03790 1024 NtSetEventBoostPriority (216, ... 03000 948 NtWaitForSingleObject ... ) == 0x0 03791 948 NtSetEventBoostPriority (216, ... 
03001 1388 NtWaitForSingleObject ... ) == 0x0 03792 1388 NtSetEventBoostPriority (216, ... 03002 520 NtWaitForSingleObject ... ) == 0x0 03793 520 NtSetEventBoostPriority (216, ... 03003 276 NtWaitForSingleObject ... ) == 0x0 03794 276 NtSetEventBoostPriority (216, ... 03004 996 NtWaitForSingleObject ... ) == 0x0 03795 996 NtSetEventBoostPriority (216, ... 03005 1064 NtWaitForSingleObject ... ) == 0x0 03796 1064 NtSetEventBoostPriority (216, ... 03006 1600 NtWaitForSingleObject ... ) == 0x0 03797 1600 NtSetEventBoostPriority (216, ... 03007 1372 NtWaitForSingleObject ... ) == 0x0 03798 1372 NtSetEventBoostPriority (216, ... 03008 2040 NtWaitForSingleObject ... ) == 0x0 03799 2040 NtSetEventBoostPriority (216, ... 03009 216 NtWaitForSingleObject ... ) == 0x0 03800 216 NtWaitForSingleObject (848, 0, 0x0, ... 03799 2040 NtSetEventBoostPriority ... ) == 0x0 03798 1372 NtSetEventBoostPriority ... ) == 0x0 03797 1600 NtSetEventBoostPriority ... ) == 0x0 03796 1064 NtSetEventBoostPriority ... ) == 0x0 03795 996 NtSetEventBoostPriority ... ) == 0x0 03794 276 NtSetEventBoostPriority ... ) == 0x0 03793 520 NtSetEventBoostPriority ... ) == 0x0 03792 1388 NtSetEventBoostPriority ... ) == 0x0 03791 948 NtSetEventBoostPriority ... ) == 0x0 03790 1024 NtSetEventBoostPriority ... ) == 0x0 03789 1132 NtSetEventBoostPriority ... ) == 0x0 03788 500 NtSetEventBoostPriority ... ) == 0x0 03787 252 NtSetEventBoostPriority ... ) == 0x0 03786 1096 NtSetEventBoostPriority ... ) == 0x0 03785 1300 NtSetEventBoostPriority ... ) == 0x0 03784 1344 NtSetEventBoostPriority ... ) == 0x0 03783 428 NtSetEventBoostPriority ... ) == 0x0 03782 1168 NtSetEventBoostPriority ... ) == 0x0 03781 376 NtSetEventBoostPriority ... ) == 0x0 03780 596 NtSetEventBoostPriority ... ) == 0x0 03779 1572 NtSetEventBoostPriority ... ) == 0x0 03778 1604 NtSetEventBoostPriority ... ) == 0x0 03777 2012 NtSetEventBoostPriority ... ) == 0x0 03776 2016 NtSetEventBoostPriority ... ) == 0x0 03775 896 NtSetEventBoostPriority ... 
) == 0x0 03774 1920 NtSetEventBoostPriority ... ) == 0x0 03773 1200 NtSetEventBoostPriority ... ) == 0x0 03772 1336 NtSetEventBoostPriority ... ) == 0x0 03771 840 NtSetEventBoostPriority ... ) == 0x0 03770 1268 NtSetEventBoostPriority ... ) == 0x0 03769 1284 NtSetEventBoostPriority ... ) == 0x0 03768 168 NtSetEventBoostPriority ... ) == 0x0 03767 1496 NtSetEventBoostPriority ... ) == 0x0 03766 1124 NtSetEventBoostPriority ... ) == 0x0 03765 1744 NtSetEventBoostPriority ... ) == 0x0 03764 1696 NtSetEventBoostPriority ... ) == 0x0 03763 1520 NtSetEventBoostPriority ... ) == 0x0 03762 784 NtSetEventBoostPriority ... ) == 0x0 03761 1792 NtSetEventBoostPriority ... ) == 0x0 03760 1692 NtSetEventBoostPriority ... ) == 0x0 03759 380 NtSetEventBoostPriority ... ) == 0x0 03758 468 NtSetEventBoostPriority ... ) == 0x0 03757 988 NtSetEventBoostPriority ... ) == 0x0 03756 1948 NtSetEventBoostPriority ... ) == 0x0 03755 624 NtSetEventBoostPriority ... ) == 0x0 03754 1636 NtSetEventBoostPriority ... ) == 0x0 03753 188 NtSetEventBoostPriority ... ) == 0x0 03752 1732 NtSetEventBoostPriority ... ) == 0x0 03751 120 NtSetEventBoostPriority ... ) == 0x0 03750 752 NtSetEventBoostPriority ... ) == 0x0 03749 1328 NtSetEventBoostPriority ... ) == 0x0 03748 1332 NtSetEventBoostPriority ... ) == 0x0 03747 432 NtSetEventBoostPriority ... ) == 0x0 03746 1020 NtSetEventBoostPriority ... ) == 0x0 03745 496 NtSetEventBoostPriority ... ) == 0x0 03744 1676 NtSetEventBoostPriority ... ) == 0x0 03743 740 NtSetEventBoostPriority ... ) == 0x0 03742 2020 NtSetEventBoostPriority ... ) == 0x0 03741 1392 NtSetEventBoostPriority ... ) == 0x0 03740 888 NtSetEventBoostPriority ... ) == 0x0 03739 504 NtSetEventBoostPriority ... ) == 0x0 03738 800 NtSetEventBoostPriority ... ) == 0x0 03737 336 NtSetEventBoostPriority ... ) == 0x0 03736 1644 NtSetEventBoostPriority ... ) == 0x0 03735 1804 NtSetEventBoostPriority ... ) == 0x0 03734 1780 NtSetEventBoostPriority ... ) == 0x0 03733 1528 NtSetEventBoostPriority ... 
) == 0x0 03732 932 NtSetEventBoostPriority ... ) == 0x0 03731 1500 NtSetEventBoostPriority ... ) == 0x0 03730 2032 NtSetEventBoostPriority ... ) == 0x0 03729 1592 NtSetEventBoostPriority ... ) == 0x0 03728 1564 NtSetEventBoostPriority ... ) == 0x0 03727 164 NtSetEventBoostPriority ... ) == 0x0 03726 1420 NtSetEventBoostPriority ... ) == 0x0 03725 1852 NtSetEventBoostPriority ... ) == 0x0 03724 2000 NtSetEventBoostPriority ... ) == 0x0 03723 764 NtSetEventBoostPriority ... ) == 0x0 03722 308 NtSetEventBoostPriority ... ) == 0x0 03721 968 NtSetEventBoostPriority ... ) == 0x0 03720 240 NtSetEventBoostPriority ... ) == 0x0 03719 2044 NtSetEventBoostPriority ... ) == 0x0 03718 1944 NtSetEventBoostPriority ... ) == 0x0 03717 1524 NtSetEventBoostPriority ... ) == 0x0 03716 1896 NtSetEventBoostPriority ... ) == 0x0 03715 1864 NtSetEventBoostPriority ... ) == 0x0 03714 1828 NtSetEventBoostPriority ... ) == 0x0 03713 148 NtSetEventBoostPriority ... ) == 0x0 03712 1648 NtSetEventBoostPriority ... ) == 0x0 03711 1956 NtSetEventBoostPriority ... ) == 0x0 03710 1980 NtSetEventBoostPriority ... ) == 0x0 03709 1784 NtSetEventBoostPriority ... ) == 0x0 03708 928 NtSetEventBoostPriority ... ) == 0x0 03707 1740 NtSetEventBoostPriority ... ) == 0x0 03706 1656 NtSetEventBoostPriority ... ) == 0x0 03705 1248 NtSetEventBoostPriority ... ) == 0x0 03704 1036 NtSetEventBoostPriority ... ) == 0x0 03703 1936 NtSetEventBoostPriority ... ) == 0x0 03702 1904 NtSetEventBoostPriority ... ) == 0x0 03701 444 NtSetEventBoostPriority ... ) == 0x0 03700 1536 NtSetEventBoostPriority ... ) == 0x0 03699 1356 NtSetEventBoostPriority ... ) == 0x0 03698 1728 NtSetEventBoostPriority ... ) == 0x0 03697 712 NtSetEventBoostPriority ... ) == 0x0 03696 1156 NtSetEventBoostPriority ... ) == 0x0 03695 1700 NtSetEventBoostPriority ... ) == 0x0 03694 1808 NtSetEventBoostPriority ... ) == 0x0 03693 1796 NtSetEventBoostPriority ... ) == 0x0 03692 1800 NtSetEventBoostPriority ... 
) == 0x0 03691 220 NtSetEventBoostPriority ... ) == 0x0 03690 1128 NtSetEventBoostPriority ... ) == 0x0 03689 1596 NtSetEventBoostPriority ... ) == 0x0 03688 1856 NtSetEventBoostPriority ... ) == 0x0 03687 1068 NtSetEventBoostPriority ... ) == 0x0 03686 460 NtSetEventBoostPriority ... ) == 0x0 03685 1556 NtSetEventBoostPriority ... ) == 0x0 03801 1756 NtAllocateVirtualMemory (-1, 29413376, 0, 4096, 4096, 260, ... 03802 1480 NtWaitForSingleObject (848, 0, 0x0, ... 03803 2040 NtWaitForSingleObject (848, 0, 0x0, ... 03804 1372 NtWaitForSingleObject (848, 0, 0x0, ... 03805 1600 NtWaitForSingleObject (848, 0, 0x0, ... 03806 1064 NtWaitForSingleObject (848, 0, 0x0, ... 03807 996 NtWaitForSingleObject (848, 0, 0x0, ... 03808 276 NtWaitForSingleObject (848, 0, 0x0, ... 03809 520 NtWaitForSingleObject (848, 0, 0x0, ... 03810 1388 NtWaitForSingleObject (848, 0, 0x0, ... 03811 948 NtWaitForSingleObject (848, 0, 0x0, ... 03812 1024 NtWaitForSingleObject (848, 0, 0x0, ... 03813 1132 NtWaitForSingleObject (848, 0, 0x0, ... 03814 500 NtWaitForSingleObject (848, 0, 0x0, ... 03815 252 NtWaitForSingleObject (848, 0, 0x0, ... 03816 1096 NtWaitForSingleObject (848, 0, 0x0, ... 03817 1300 NtWaitForSingleObject (848, 0, 0x0, ... 03818 1344 NtWaitForSingleObject (848, 0, 0x0, ... 03819 428 NtWaitForSingleObject (848, 0, 0x0, ... 03820 1168 NtWaitForSingleObject (848, 0, 0x0, ... 03821 376 NtWaitForSingleObject (848, 0, 0x0, ... 03822 596 NtWaitForSingleObject (848, 0, 0x0, ... 03823 1572 NtWaitForSingleObject (848, 0, 0x0, ... 03824 1604 NtWaitForSingleObject (848, 0, 0x0, ... 03825 2012 NtWaitForSingleObject (848, 0, 0x0, ... 03826 2016 NtWaitForSingleObject (848, 0, 0x0, ... 03827 896 NtWaitForSingleObject (848, 0, 0x0, ... 03828 1920 NtWaitForSingleObject (848, 0, 0x0, ... 03829 1200 NtWaitForSingleObject (848, 0, 0x0, ... 03830 1336 NtWaitForSingleObject (848, 0, 0x0, ... 03831 840 NtWaitForSingleObject (848, 0, 0x0, ... 03832 1268 NtWaitForSingleObject (848, 0, 0x0, ... 
03833 1284 NtWaitForSingleObject (848, 0, 0x0, ... 03834 168 NtWaitForSingleObject (848, 0, 0x0, ... 03835 1496 NtWaitForSingleObject (848, 0, 0x0, ... 03836 1124 NtWaitForSingleObject (848, 0, 0x0, ... 03837 1744 NtWaitForSingleObject (848, 0, 0x0, ... 03838 1696 NtWaitForSingleObject (848, 0, 0x0, ... 03839 1520 NtWaitForSingleObject (848, 0, 0x0, ... 03840 784 NtWaitForSingleObject (848, 0, 0x0, ... 03841 1792 NtWaitForSingleObject (848, 0, 0x0, ... 03842 1692 NtWaitForSingleObject (848, 0, 0x0, ... 03843 380 NtWaitForSingleObject (848, 0, 0x0, ... 03844 468 NtWaitForSingleObject (848, 0, 0x0, ... 03845 988 NtWaitForSingleObject (848, 0, 0x0, ... 03846 1948 NtWaitForSingleObject (848, 0, 0x0, ... 03847 624 NtWaitForSingleObject (848, 0, 0x0, ... 03848 1636 NtWaitForSingleObject (848, 0, 0x0, ... 03849 188 NtWaitForSingleObject (848, 0, 0x0, ... 03850 1732 NtWaitForSingleObject (848, 0, 0x0, ... 03851 120 NtWaitForSingleObject (848, 0, 0x0, ... 03852 752 NtWaitForSingleObject (848, 0, 0x0, ... 03853 1328 NtWaitForSingleObject (848, 0, 0x0, ... 03854 1332 NtWaitForSingleObject (848, 0, 0x0, ... 03855 432 NtWaitForSingleObject (848, 0, 0x0, ... 03856 1020 NtWaitForSingleObject (848, 0, 0x0, ... 03857 496 NtWaitForSingleObject (848, 0, 0x0, ... 03858 1676 NtWaitForSingleObject (848, 0, 0x0, ... 03859 740 NtWaitForSingleObject (848, 0, 0x0, ... 03860 2020 NtWaitForSingleObject (848, 0, 0x0, ... 03861 1392 NtWaitForSingleObject (848, 0, 0x0, ... 03862 888 NtWaitForSingleObject (848, 0, 0x0, ... 03863 504 NtWaitForSingleObject (848, 0, 0x0, ... 03864 800 NtWaitForSingleObject (848, 0, 0x0, ... 03865 336 NtWaitForSingleObject (848, 0, 0x0, ... 03866 1644 NtWaitForSingleObject (848, 0, 0x0, ... 03867 1804 NtWaitForSingleObject (848, 0, 0x0, ... 03868 1780 NtWaitForSingleObject (848, 0, 0x0, ... 03869 1528 NtWaitForSingleObject (848, 0, 0x0, ... 03870 932 NtWaitForSingleObject (848, 0, 0x0, ... 03871 1500 NtWaitForSingleObject (848, 0, 0x0, ... 
03872 2032 NtWaitForSingleObject (848, 0, 0x0, ... 03873 1592 NtWaitForSingleObject (848, 0, 0x0, ... 03874 1564 NtWaitForSingleObject (848, 0, 0x0, ... 03875 164 NtWaitForSingleObject (848, 0, 0x0, ... 03876 1420 NtWaitForSingleObject (848, 0, 0x0, ... 03877 1852 NtWaitForSingleObject (848, 0, 0x0, ... 03878 2000 NtWaitForSingleObject (848, 0, 0x0, ... 03879 764 NtWaitForSingleObject (848, 0, 0x0, ... 03880 308 NtWaitForSingleObject (848, 0, 0x0, ... 03881 968 NtWaitForSingleObject (848, 0, 0x0, ... 03882 240 NtWaitForSingleObject (848, 0, 0x0, ... 03883 2044 NtWaitForSingleObject (848, 0, 0x0, ... 03884 1944 NtWaitForSingleObject (848, 0, 0x0, ... 03885 1524 NtWaitForSingleObject (848, 0, 0x0, ... 03886 1896 NtWaitForSingleObject (848, 0, 0x0, ... 03887 1864 NtWaitForSingleObject (848, 0, 0x0, ... 03888 1828 NtWaitForSingleObject (848, 0, 0x0, ... 03889 148 NtWaitForSingleObject (848, 0, 0x0, ... 03890 1648 NtWaitForSingleObject (848, 0, 0x0, ... 03891 1956 NtWaitForSingleObject (848, 0, 0x0, ... 03892 1980 NtWaitForSingleObject (848, 0, 0x0, ... 03893 1784 NtWaitForSingleObject (848, 0, 0x0, ... 03894 928 NtWaitForSingleObject (848, 0, 0x0, ... 03895 1740 NtWaitForSingleObject (848, 0, 0x0, ... 03896 1656 NtWaitForSingleObject (848, 0, 0x0, ... 03897 1248 NtWaitForSingleObject (848, 0, 0x0, ... 03898 1036 NtWaitForSingleObject (848, 0, 0x0, ... 03899 1936 NtWaitForSingleObject (848, 0, 0x0, ... 03900 1904 NtWaitForSingleObject (848, 0, 0x0, ... 03901 444 NtWaitForSingleObject (848, 0, 0x0, ... 03902 1536 NtWaitForSingleObject (848, 0, 0x0, ... 03903 1356 NtWaitForSingleObject (848, 0, 0x0, ... 03904 1728 NtWaitForSingleObject (848, 0, 0x0, ... 03905 712 NtWaitForSingleObject (848, 0, 0x0, ... 03906 1156 NtWaitForSingleObject (848, 0, 0x0, ... 03907 1700 NtWaitForSingleObject (848, 0, 0x0, ... 03908 1808 NtWaitForSingleObject (848, 0, 0x0, ... 03909 1796 NtWaitForSingleObject (848, 0, 0x0, ... 03910 1800 NtWaitForSingleObject (848, 0, 0x0, ... 
03911 220 NtWaitForSingleObject (848, 0, 0x0, ... 03912 1128 NtWaitForSingleObject (848, 0, 0x0, ... 03913 1596 NtWaitForSingleObject (848, 0, 0x0, ... 03914 1856 NtWaitForSingleObject (848, 0, 0x0, ... 03915 1068 NtWaitForSingleObject (848, 0, 0x0, ... 03916 460 NtWaitForSingleObject (848, 0, 0x0, ... 03917 1556 NtWaitForSingleObject (848, 0, 0x0, ... 03801 1756 NtAllocateVirtualMemory ... 29413376, 4096, ) == 0x0 03918 1756 NtCreateTimer (0x1f0003, 0x0, 0, ... 864, ) == 0x0 03919 1756 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 868, ) == 0x0 03920 1756 NtSetInformationObject (868, Handle, {Inherit=0,ProtectFromClose=1,}, -65280, ... ) == 0x0 03921 1756 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 148766720, 1048576, ) == 0x0 03922 1756 NtAllocateVirtualMemory (-1, 149807104, 0, 8192, 4096, 4, ... 149807104, 8192, ) == 0x0 03923 1756 NtProtectVirtualMemory (-1, (0x8ede000), 4096, 260, ... (0x8ede000), 4096, 4, ) == 0x0 03924 1756 NtCreateThread (0x1f03ff, 0x0, -1, 29422468, 29422412, 1, ... 872, {940, 152}, ) == 0x0 03925 1756 NtQueryInformationThread (872, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff37000,Pid=940,Tid=152,}, 0x0, ) == 0x0 03926 1756 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 29423212, 2, 2089878984} (24, {28, 56, new_msg, 0, 0, 29423212, 2, 2089878984} "\0\0\0\0\1\0\1\0Q\5\221|(\33\24\0h\3\0\0\254\3\0\0\230\0\0\0" ... {28, 56, reply, 0, 940, 1756, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\33\24\0h\3\0\0\254\3\0\0\230\0\0\0" ) ... {28, 56, reply, 0, 940, 1756, 58094, 0} (24, {28, 56, new_msg, 0, 0, 29423212, 2, 2089878984} "\0\0\0\0\1\0\1\0Q\5\221|(\33\24\0h\3\0\0\254\3\0\0\230\0\0\0" ... {28, 56, reply, 0, 940, 1756, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\33\24\0h\3\0\0\254\3\0\0\230\0\0\0" ) ) == 0x0 03927 1756 NtResumeThread (872, ... 03928 152 NtTestAlert (... ) == 0x0 03929 152 NtContinue (149814576, 1, ... 03930 152 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03931 152 NtCancelTimer (864, 0, ... 
) == 0x0 03932 152 NtSetTimer (864, {0, -2147483648}, 0x7c927c75, 0x0, 0, 0, 0, ... ) == 0x0 03933 152 NtSetEvent (868, ... 0x0, ) == 0x0 03934 152 NtDelayExecution (1, {0, -2147483648}, ... 03927 1756 NtResumeThread ... 0x0, ) == 0x0 03935 1756 NtWaitForSingleObject (868, 0, 0x0, ... ) == 0x0 03936 1756 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03937 1756 NtCreateIoCompletion (0x1f0003, 0x0, 1, ... 876, ) == 0x0 03938 1756 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 149815296, 1048576, ) == 0x0 03939 1756 NtAllocateVirtualMemory (-1, 150855680, 0, 8192, 4096, 4, ... 150855680, 8192, ) == 0x0 03940 1756 NtProtectVirtualMemory (-1, (0x8fde000), 4096, 260, ... (0x8fde000), 4096, 4, ) == 0x0 03941 1756 NtCreateThread (0x1f03ff, 0x0, -1, 29422552, 29422496, 1, ... 880, {940, 900}, ) == 0x0 03942 1756 NtQueryInformationThread (880, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff36000,Pid=940,Tid=900,}, 0x0, ) == 0x0 03943 1756 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089879886, 76, 0, 1} (24, {28, 56, new_msg, 0, 2089879886, 76, 0, 1} "\0\0\0\0\1\0\1\0\0\4\24\0\5\20\220|p\3\0\0\254\3\0\0\204\3\0\0" ... {28, 56, reply, 0, 940, 1756, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\5\20\220|p\3\0\0\254\3\0\0\204\3\0\0" ) ... {28, 56, reply, 0, 940, 1756, 58095, 0} (24, {28, 56, new_msg, 0, 2089879886, 76, 0, 1} "\0\0\0\0\1\0\1\0\0\4\24\0\5\20\220|p\3\0\0\254\3\0\0\204\3\0\0" ... {28, 56, reply, 0, 940, 1756, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\5\20\220|p\3\0\0\254\3\0\0\204\3\0\0" ) ) == 0x0 03944 1756 NtResumeThread (880, ... 03945 900 NtTestAlert (... ) == 0x0 03946 900 NtContinue (150863152, 1, ... 03947 900 NtRegisterThreadTerminatePort (24, ... 
) == 0x0 03948 900 NtRemoveIoCompletion (876, {-400000000, -1}, ... 03944 1756 NtResumeThread ... 0x0, ) == 0x0 03949 1756 NtClose (880, ... ) == 0x0 03950 1756 NtSetIoCompletion (876, 2089973097, 1396232, 0, 1396072, ... 03948 900 NtRemoveIoCompletion ... 2089973097, 1396232, {status=0x0, info=1396072}, ) == 0x0 03951 900 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03952 900 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0 03953 900 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 150861364, ... }, 150861364, ... 03950 1756 NtSetIoCompletion ... ) == 0x0 03954 1756 NtAllocateVirtualMemory (-1, 1400832, 0, 20480, 4096, 4, ... 1400832, 20480, ) == 0x0 03955 1756 NtWaitForSingleObject (88, 0, 0x0, ... 03953 900 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03956 900 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\RASAPI32.dll"}, 150861364, ... ) }, 150861364, ... ) == 0x0 03957 900 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\RASAPI32.dll"}, 5, 96, ... 880, {status=0x0, info=1}, ) }, 5, 96, ... 880, {status=0x0, info=1}, ) == 0x0 03958 900 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 880, ... 884, ) == 0x0 03959 900 NtQuerySection (884, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03960 900 NtClose (880, ... ) == 0x0 03961 900 NtMapViewOfSection (884, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 245760, ) == 0x0 03962 900 NtClose (884, ... ) == 0x0 03963 900 NtProtectVirtualMemory (-1, (0x76ee1000), 860, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 03964 900 NtProtectVirtualMemory (-1, (0x76ee1000), 4096, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 03965 900 NtFlushInstructionCache (-1, 1995313152, 860, ... 
) == 0x0 03966 900 NtProtectVirtualMemory (-1, (0x76ee1000), 860, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 03967 900 NtProtectVirtualMemory (-1, (0x76ee1000), 4096, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 03968 900 NtFlushInstructionCache (-1, 1995313152, 860, ... ) == 0x0 03969 900 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03970 900 NtAllocateVirtualMemory (-1, 150851584, 0, 4096, 4096, 260, ... 150851584, 4096, ) == 0x0 03971 900 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 150860548, ... ) }, 150860548, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03972 900 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rasman.dll"}, 150860548, ... ) }, 150860548, ... ) == 0x0 03973 900 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rasman.dll"}, 5, 96, ... 884, {status=0x0, info=1}, ) }, 5, 96, ... 884, {status=0x0, info=1}, ) == 0x0 03974 900 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 884, ... 880, ) == 0x0 03975 900 NtQuerySection (880, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03976 900 NtClose (884, ... ) == 0x0 03977 900 NtMapViewOfSection (880, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 73728, ) == 0x0 03978 900 NtClose (880, ... ) == 0x0 03979 900 NtProtectVirtualMemory (-1, (0x76e91000), 408, 4, ... (0x76e91000), 4096, 32, ) == 0x0 03980 900 NtProtectVirtualMemory (-1, (0x76e91000), 4096, 32, ... (0x76e91000), 4096, 4, ) == 0x0 03981 900 NtFlushInstructionCache (-1, 1994985472, 408, ... ) == 0x0 03982 900 NtProtectVirtualMemory (-1, (0x76e91000), 408, 4, ... (0x76e91000), 4096, 32, ) == 0x0 03983 900 NtProtectVirtualMemory (-1, (0x76e91000), 4096, 32, ... (0x76e91000), 4096, 4, ) == 0x0 03984 900 NtFlushInstructionCache (-1, 1994985472, 408, ... ) == 0x0 03985 900 NtProtectVirtualMemory (-1, (0x76e91000), 408, 4, ... 
(0x76e91000), 4096, 32, ) == 0x0 03986 900 NtProtectVirtualMemory (-1, (0x76e91000), 4096, 32, ... (0x76e91000), 4096, 4, ) == 0x0 03987 900 NtFlushInstructionCache (-1, 1994985472, 408, ... ) == 0x0 03988 900 NtProtectVirtualMemory (-1, (0x76e91000), 408, 4, ... (0x76e91000), 4096, 32, ) == 0x0 03989 900 NtProtectVirtualMemory (-1, (0x76e91000), 4096, 32, ... (0x76e91000), 4096, 4, ) == 0x0 03990 900 NtFlushInstructionCache (-1, 1994985472, 408, ... ) == 0x0 03991 900 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... 880, ) }, ... 880, ) == 0x0 03992 900 NtMapViewOfSection (880, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0 03993 900 NtClose (880, ... ) == 0x0 03994 900 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 03995 900 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 03996 900 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 03997 900 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 03998 900 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 03999 900 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 04000 900 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 04001 900 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 04002 900 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 04003 900 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 04004 900 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0 04005 900 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 04006 900 NtProtectVirtualMemory (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0 04007 900 NtProtectVirtualMemory (-1, (0x5b861000), 4096, 32, ... 
(0x5b861000), 4096, 4, ) == 0x0 04008 900 NtFlushInstructionCache (-1, 1535512576, 1168, ... ) == 0x0 04009 900 NtProtectVirtualMemory (-1, (0x76e91000), 408, 4, ... (0x76e91000), 4096, 32, ) == 0x0 04010 900 NtProtectVirtualMemory (-1, (0x76e91000), 4096, 32, ... (0x76e91000), 4096, 4, ) == 0x0 04011 900 NtFlushInstructionCache (-1, 1994985472, 408, ... ) == 0x0 04012 900 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04013 900 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 150860548, ... ) }, 150860548, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04014 900 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\TAPI32.dll"}, 150860548, ... ) }, 150860548, ... ) == 0x0 04015 900 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\TAPI32.dll"}, 5, 96, ... 880, {status=0x0, info=1}, ) }, 5, 96, ... 880, {status=0x0, info=1}, ) == 0x0 04016 900 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 880, ... 884, ) == 0x0 04017 900 NtQuerySection (884, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04018 900 NtClose (880, ... ) == 0x0 04019 900 NtMapViewOfSection (884, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 192512, ) == 0x0 04020 900 NtClose (884, ... ) == 0x0 04021 900 NtProtectVirtualMemory (-1, (0x76eb1000), 908, 4, ... (0x76eb1000), 4096, 32, ) == 0x0 04022 900 NtProtectVirtualMemory (-1, (0x76eb1000), 4096, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 04023 900 NtFlushInstructionCache (-1, 1995116544, 908, ... ) == 0x0 04024 900 NtProtectVirtualMemory (-1, (0x76eb1000), 908, 4, ... (0x76eb1000), 4096, 32, ) == 0x0 04025 900 NtProtectVirtualMemory (-1, (0x76eb1000), 4096, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 04026 900 NtFlushInstructionCache (-1, 1995116544, 908, ... ) == 0x0 04027 900 NtProtectVirtualMemory (-1, (0x76eb1000), 908, 4, ... 
(0x76eb1000), 4096, 32, ) == 0x0 04028 900 NtProtectVirtualMemory (-1, (0x76eb1000), 4096, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 04029 900 NtFlushInstructionCache (-1, 1995116544, 908, ... ) == 0x0 04030 900 NtProtectVirtualMemory (-1, (0x76eb1000), 908, 4, ... (0x76eb1000), 4096, 32, ) == 0x0 04031 900 NtProtectVirtualMemory (-1, (0x76eb1000), 4096, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 04032 900 NtFlushInstructionCache (-1, 1995116544, 908, ... ) == 0x0 04033 900 NtProtectVirtualMemory (-1, (0x76eb1000), 908, 4, ... (0x76eb1000), 4096, 32, ) == 0x0 04034 900 NtProtectVirtualMemory (-1, (0x76eb1000), 4096, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 04035 900 NtFlushInstructionCache (-1, 1995116544, 908, ... ) == 0x0 04036 900 NtProtectVirtualMemory (-1, (0x76eb1000), 908, 4, ... (0x76eb1000), 4096, 32, ) == 0x0 04037 900 NtProtectVirtualMemory (-1, (0x76eb1000), 4096, 32, ... (0x76eb1000), 4096, 4, ) == 0x0 04038 900 NtFlushInstructionCache (-1, 1995116544, 908, ... ) == 0x0 04039 900 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04040 900 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 150859732, ... ) }, 150859732, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04041 900 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rtutils.dll"}, 150859732, ... ) }, 150859732, ... ) == 0x0 04042 900 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rtutils.dll"}, 5, 96, ... 884, {status=0x0, info=1}, ) }, 5, 96, ... 884, {status=0x0, info=1}, ) == 0x0 04043 900 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 884, ... 880, ) == 0x0 04044 900 NtQuerySection (880, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04045 900 NtClose (884, ... ) == 0x0 04046 900 NtMapViewOfSection (880, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x76e80000), 0x0, 57344, ) == 0x0 04047 900 NtClose (880, ... ) == 0x0 04048 900 NtProtectVirtualMemory (-1, (0x76e81000), 528, 4, ... (0x76e81000), 4096, 32, ) == 0x0 04049 900 NtProtectVirtualMemory (-1, (0x76e81000), 4096, 32, ... (0x76e81000), 4096, 4, ) == 0x0 04050 900 NtFlushInstructionCache (-1, 1994919936, 528, ... ) == 0x0 04051 900 NtProtectVirtualMemory (-1, (0x76e81000), 528, 4, ... (0x76e81000), 4096, 32, ) == 0x0 04052 900 NtProtectVirtualMemory (-1, (0x76e81000), 4096, 32, ... (0x76e81000), 4096, 4, ) == 0x0 04053 900 NtFlushInstructionCache (-1, 1994919936, 528, ... ) == 0x0 04054 900 NtProtectVirtualMemory (-1, (0x76e81000), 528, 4, ... (0x76e81000), 4096, 32, ) == 0x0 04055 900 NtProtectVirtualMemory (-1, (0x76e81000), 4096, 32, ... (0x76e81000), 4096, 4, ) == 0x0 04056 900 NtFlushInstructionCache (-1, 1994919936, 528, ... ) == 0x0 04057 900 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04058 900 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 150859732, ... ) }, 150859732, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04059 900 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINMM.dll"}, 150859732, ... ) }, 150859732, ... ) == 0x0 04060 900 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINMM.dll"}, 5, 96, ... 880, {status=0x0, info=1}, ) }, 5, 96, ... 880, {status=0x0, info=1}, ) == 0x0 04061 900 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 880, ... 884, ) == 0x0 04062 900 NtQuerySection (884, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04063 900 NtClose (880, ... ) == 0x0 04064 900 NtMapViewOfSection (884, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 184320, ) == 0x0 04065 900 NtClose (884, ... ) == 0x0 04066 900 NtProtectVirtualMemory (-1, (0x76b41000), 860, 4, ... 
(0x76b41000), 4096, 32, ) == 0x0 04067 900 NtProtectVirtualMemory (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0 04068 900 NtFlushInstructionCache (-1, 1991512064, 860, ... ) == 0x0 04069 900 NtProtectVirtualMemory (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0 04070 900 NtProtectVirtualMemory (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0 04071 900 NtFlushInstructionCache (-1, 1991512064, 860, ... ) == 0x0 04072 900 NtProtectVirtualMemory (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0 04073 900 NtProtectVirtualMemory (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0 04074 900 NtFlushInstructionCache (-1, 1991512064, 860, ... ) == 0x0 04075 900 NtProtectVirtualMemory (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0 04076 900 NtProtectVirtualMemory (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0 04077 900 NtFlushInstructionCache (-1, 1991512064, 860, ... ) == 0x0 04078 900 NtProtectVirtualMemory (-1, (0x76ee1000), 860, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 04079 900 NtProtectVirtualMemory (-1, (0x76ee1000), 4096, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 04080 900 NtFlushInstructionCache (-1, 1995313152, 860, ... ) == 0x0 04081 900 NtProtectVirtualMemory (-1, (0x76ee1000), 860, 4, ... (0x76ee1000), 4096, 32, ) == 0x0 04082 900 NtProtectVirtualMemory (-1, (0x76ee1000), 4096, 32, ... (0x76ee1000), 4096, 4, ) == 0x0 04083 900 NtFlushInstructionCache (-1, 1995313152, 860, ... ) == 0x0 04084 900 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04085 900 NtAllocateVirtualMemory (-1, 8818688, 0, 4096, 4096, 4, ... 
8818688, 4096, ) == 0x0 04086 900 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04087 900 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04088 900 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04089 900 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 884, ) == 0x0 04090 900 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 880, ) == 0x0 04091 900 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 888, ) == 0x0 04092 900 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 892, ) }, ... 892, ) == 0x0 04093 900 NtQueryValueKey (892, (892, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (892, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 04094 900 NtAllocateVirtualMemory (-1, 0, 0, 524280, 8192, 4, ... 150863872, 524288, ) == 0x0 04095 900 NtAllocateVirtualMemory (-1, 150863872, 0, 4096, 4096, 4, ... 150863872, 4096, ) == 0x0 04096 900 NtQueryValueKey (892, (892, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (892, "wave", Partial, 536, ... 
TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 04097 900 NtQueryValueKey (892, (892, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (892, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 04098 900 NtQueryValueKey (892, (892, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (892, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0 04099 900 NtQueryValueKey (892, (892, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04100 900 NtQueryValueKey (892, (892, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04101 900 NtQueryValueKey (892, (892, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04102 900 NtQueryValueKey (892, (892, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04103 900 NtQueryValueKey (892, (892, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04104 900 NtQueryValueKey (892, (892, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND