Summary (number of calls per system service; counts ascend down each column, left to right):

NtDuplicateToken(>) 1 NtOpenEvent(>) 2 NtEnumerateKey(>) 8 NtMapViewOfSection(>) 53
NtEnumerateValueKey(>) 1 NtQueryEvent(>) 2 NtQueryInformationProcess(>) 9 NtUserFindExistingCursorIcon(>) 56
NtGdiCreateBitmap(>) 1 NtQueryPerformanceCounter(>) 2 NtSetInformationThread(>) 9 NtOpenFile(>) 57
NtGdiInit(>) 1 NtQuerySystemTime(>) 2 NtOpenProcessTokenEx(>) 11 NtQueryVirtualMemory(>) 59
NtGdiQueryFontAssocInfo(>) 1 NtReadFile(>) 2 NtOpenThreadTokenEx(>) 11 NtUserRegisterClassExWOW(>) 62
NtGdiSelectBitmap(>) 1 NtUserGetDC(>) 2 NtQueryDefaultUILanguage(>) 12 NtQueryAttributesFile(>) 81
NtOpenKeyedEvent(>) 1 NtWaitForMultipleObjects(>) 2 NtUserSystemParametersInfo(>) 13 NtFlushInstructionCache(>) 93
NtOpenProcess(>) 1 NtGdiCreateCompatibleDC(>) 3 NtOpenMutant(>) 14 NtContinue(>) 128
NtOpenSymbolicLinkObject(>) 1 NtQueryVolumeInformationFile(>) 3 NtQueryInformationToken(>) 14 NtQuerySystemInformation(>) 134
NtQueryInstallUILanguage(>) 1 NtSecureConnectPort(>) 3 NtQuerySection(>) 14 NtResumeThread(>) 156
NtQueryObject(>) 1 NtSetInformationObject(>) 3 NtQueryInformationFile(>) 15 NtQueryInformationThread(>) 160
NtQuerySymbolicLinkObject(>) 1 NtUserRegisterWindowMessage(>) 3 NtReleaseMutant(>) 15 NtCreateThread(>) 181
NtRaiseException(>) 1 NtWriteFile(>) 3 NtOpenThreadToken(>) 17 NtRequestWaitReplyPort(>) 197
NtSetInformationProcess(>) 1 NtAccessCheck(>) 4 NtUnmapViewOfSection(>) 19 NtSetEventBoostPriority(>) 207
NtUserCallNoParam(>) 1 NtConnectPort(>) 4 NtQueryDebugFilterState(>) 21 NtRegisterThreadTerminatePort(>) 246
NtUserCallOneParam(>) 1 NtCreateIoCompletion(>) 4 NtCreateFile(>) 22 NtTestAlert(>) 246
NtUserGetThreadDesktop(>) 1 NtGdiGetStockObject(>) 5 NtSetValueKey(>) 24 NtOpenKey(>) 308
NtUserGetThreadState(>) 1 NtSetEvent(>) 5 NtFreeVirtualMemory(>) 28 NtClose(>) 345
NtAddAtom(>) 2 NtOpenProcessToken(>) 6 NtCreateKey(>) 29 NtWaitForSingleObject(>) 356
NtCallbackReturn(>) 2 NtReleaseSemaphore(>) 6 NtCreateSection(>) 29 NtProtectVirtualMemory(>) 365
NtCreateMutant(>) 2 NtCreateSemaphore(>) 7 NtOpenSection(>) 33 NtQueryValueKey(>) 420
NtGdiCreateSolidBrush(>) 2 NtFsControlFile(>) 7 NtSetInformationFile(>) 33 NtAllocateVirtualMemory(>) 468
NtNotifyChangeKey(>) 2 NtQueryDefaultLocale(>) 7 NtDeviceIoControlFile(>) 47
NtOpenDirectoryObject(>) 2 NtDuplicateObject(>) 8

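Trace (each entry: sequence number, thread ID, system call (input arguments ... output arguments) == return value):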

00001 1516 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00003 1516 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00004 1516 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00005 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00006 1516 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00007 1516 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00008 1516 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00009 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00010 1516 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00011 1516 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00012 1516 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 
12, ) == 0x0 00013 1516 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00014 1516 NtClose (12, ... ) == 0x0 00015 1516 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00016 1516 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00017 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 1516 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00020 1516 NtClose (16, ... ) == 0x0 00021 1516 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00022 1516 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00023 1516 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00024 1516 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00025 1516 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00026 1516 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00027 1516 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00028 1516 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 
24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00029 1516 NtClose (16, ... ) == 0x0 00030 1516 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00031 1516 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00032 1516 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00033 1516 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00034 1516 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00035 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 808, 1516, 57930, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57930, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 808, 1516, 57930, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00036 1516 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00037 1516 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 
1232896, 4096, ) == 0x0 00038 1516 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00039 1516 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00040 1516 NtClose (16, ... ) == 0x0 00041 1516 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0 00042 1516 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00043 1516 NtClose (16, ... ) == 0x0 00044 1516 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00045 1516 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00046 1516 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0 00047 1516 NtClose (16, ... ) == 0x0 00048 1516 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00049 1516 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00050 1516 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00051 1516 NtClose (16, ... ) == 0x0 00052 1516 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00053 1516 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00054 1516 NtClose (16, ... ) == 0x0 00055 1516 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00056 1516 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00057 1516 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00058 1516 NtAllocateVirtualMemory (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0 00059 1516 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 808, 1516, 57931, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ... {24, 52, reply, 0, 808, 1516, 57931, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 808, 1516, 57931, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ) == 0x0 00060 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57932, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57932, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57932, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00061 1516 NtProtectVirtualMemory (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0 00062 1516 NtProtectVirtualMemory (-1, (0x409000), 69632, 128, ... 
(0x409000), 69632, 4, ) == 0x0 00063 1516 NtFlushInstructionCache (-1, 4231168, 65552, ... ) == 0x0 00064 1516 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00065 1516 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00066 1516 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00067 1516 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00068 1516 NtClose (16, ... ) == 0x0 00069 1516 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00070 1516 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00071 1516 NtClose (16, ... ) == 0x0 00072 1516 NtTestAlert (... ) == 0x0 00073 1516 NtContinue (1244464, 1, ... 00074 1516 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x4028de,}, 4, ... ) == 0x0 00075 1516 NtQueryVirtualMemory (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 00076 1516 NtContinue (1244400, 0, ... 00077 1516 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0 00078 1516 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0 00079 1516 NtQueryValueKey (16, (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00080 1516 NtClose (16, ... ) == 0x0 00081 1516 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00082 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00083 1516 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00084 1516 NtClose (16, ... ) == 0x0 00085 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00086 1516 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00087 1516 NtClose (16, ... ) == 0x0 00088 1516 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00089 1516 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00090 1516 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00091 1516 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00092 1516 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00093 1516 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00094 1516 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00095 1516 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00096 1516 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00097 1516 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00098 1516 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00099 1516 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00100 1516 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00101 1516 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00102 1516 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00103 1516 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... 
(0x7e411000), 4096, 32, ) == 0x0 00104 1516 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00105 1516 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00106 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 1516 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00109 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 808, 1516, 57933, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57933, 0} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 808, 1516, 57933, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00110 1516 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00111 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... 
) == 0x0 00112 1516 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00113 1516 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0 00114 1516 NtClose (16, ... ) == 0x0 00115 1516 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0 00116 1516 NtClose (28, ... ) == 0x0 00117 1516 NtUnmapViewOfSection (-1, 0x420000, ... ) == 0x0 00118 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0 00119 1516 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00120 1516 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0 00121 1516 NtClose (28, ... ) == 0x0 00122 1516 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0 00123 1516 NtClose (16, ... ) == 0x0 00124 1516 NtUnmapViewOfSection (-1, 0x420000, ... ) == 0x0 00125 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00126 1516 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00127 1516 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0 00128 1516 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00129 1516 NtOpenProcessToken (-1, 0x8, ... 32, ) == 0x0 00130 1516 NtQueryInformationToken (32, User, 136, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00131 1516 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00132 1516 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0 00133 1516 NtQueryValueKey (36, (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00134 1516 NtClose (36, ... ) == 0x0 00135 1516 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00136 1516 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 36, ) == 0x0 00137 1516 NtQueryInformationToken (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00138 1516 NtClose (36, ... ) == 0x0 00139 1516 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00140 1516 NtClose (32, ... ) == 0x0 00141 1516 NtClose (16, ... ) == 0x0 00142 1516 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00143 1516 NtClose (28, ... ) == 0x0 00144 1516 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00145 1516 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00146 1516 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00147 1516 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00148 1516 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00149 1516 NtFlushInstructionCache (-1, 1983451136, 696, ... 
) == 0x0 00150 1516 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00151 1516 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00152 1516 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00153 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00154 1516 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00155 1516 NtClose (28, ... ) == 0x0 00156 1516 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00157 1516 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00158 1516 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00159 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00160 1516 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00161 1516 NtClose (28, ... ) == 0x0 00162 1516 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00163 1516 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00164 1516 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00165 1516 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00166 1516 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00167 1516 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00168 1516 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00169 1516 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00170 1516 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00171 1516 NtFlushInstructionCache (-1, 2011631616, 868, ... 
) == 0x0 00172 1516 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00173 1516 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00174 1516 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00175 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 1516 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00177 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00178 1516 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00179 1516 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00180 1516 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00181 1516 NtClose (28, ... ) == 0x0 00182 1516 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00183 1516 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 1516 NtClose (28, ... 
) == 0x0 00185 1516 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00186 1516 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00187 1516 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00188 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 1516 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00190 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0 00191 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00192 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0 00194 1516 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00195 1516 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0 00196 1516 NtQueryValueKey (16, (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 1516 NtClose (16, ... ) == 0x0 00198 1516 NtMapViewOfSection (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0 00199 1516 NtClose (-2147482740, ... ) == 0x0 00200 1516 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0 00201 1516 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00202 1516 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482740, ) == 0x0 00203 1516 NtQueryInformationToken (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00204 1516 NtQueryInformationToken (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00205 1516 NtClose (-2147482740, ... ) == 0x0 00206 1516 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 5439488, 4096, ) == 0x0 00207 1516 NtFreeVirtualMemory (-1, (0x530000), 4096, 32768, ... (0x530000), 4096, ) == 0x0 00208 1516 NtDuplicateObject (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0 00209 1516 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00210 1516 NtQueryValueKey (-2147482740, (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00211 1516 NtClose (-2147482740, ... ) == 0x0 00212 1516 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00213 1516 NtQueryValueKey (-2147482740, (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00214 1516 NtClose (-2147482740, ... ) == 0x0 00215 1516 NtQueryDefaultLocale (0, -139609780, ... ) == 0x0 00216 1516 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00217 1516 NtUserCallNoParam (24, ... ) == 0x0 00218 1516 NtGdiCreateCompatibleDC (0, ... 00219 1516 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5439488, 4096, ) == 0x0 00218 1516 NtGdiCreateCompatibleDC ... ) == 0xee0105b0 00220 1516 NtGdiGetStockObject (0, ... ) == 0x1900010 00221 1516 NtGdiGetStockObject (4, ... ) == 0x1900011 00222 1516 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... ) == 0x76050581 00223 1516 NtGdiCreateSolidBrush (0, 0, ... 00224 1516 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8650752, 4096, ) == 0x0 00223 1516 NtGdiCreateSolidBrush ... ) == 0xa51003d2 00225 1516 NtGdiGetStockObject (13, ... ) == 0x18a0021 00226 1516 NtGdiCreateCompatibleDC (0, ... ) == 0x5201039b 00227 1516 NtGdiSelectBitmap (1375798171, 1980040577, ... ) == 0x185000f 00228 1516 NtUserGetThreadDesktop (1516, 0, ... ) == 0x24 00229 1516 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0 00230 1516 NtQueryValueKey (44, (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00231 1516 NtClose (44, ... ) == 0x0 00232 1516 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00233 1516 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8178c017 00234 1516 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00235 1516 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8178c01c 00236 1516 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... 
) == 0x10011 00237 1516 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8178c01e 00238 1516 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00239 1516 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81788002 00240 1516 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10013 00241 1516 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8178c018 00242 1516 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00243 1516 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8178c01a 00244 1516 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00245 1516 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8178c01d 00246 1516 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00247 1516 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8178c026 00248 1516 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00249 1516 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8178c019 00250 1516 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8178c020 00251 1516 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8178c022 00252 1516 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8178c023 00253 1516 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8178c024 00254 1516 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8178c025 00255 1516 NtCallbackReturn (0, 0, 0, ... 00256 1516 NtGdiInit (... ) == 0x1 00257 1516 NtGdiGetStockObject (18, ... ) == 0x290001c 00258 1516 NtGdiGetStockObject (19, ... 
) == 0x1b00019 00259 1516 NtAllocateVirtualMemory (-1, 0, 0, 26624, 4096, 64, ... 8716288, 28672, ) == 0x0 00260 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00261 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00262 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0 00263 1516 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0 00264 1516 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0 00265 1516 NtQuerySection (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00266 1516 NtClose (44, ... ) == 0x0 00267 1516 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0 00268 1516 NtClose (48, ... ) == 0x0 00269 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0 00270 1516 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0 00271 1516 NtClose (48, ... ) == 0x0 00272 1516 NtProtectVirtualMemory (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00273 1516 NtProtectVirtualMemory (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00274 1516 NtFlushInstructionCache (-1, 2009141248, 632, ... ) == 0x0 00275 1516 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00276 1516 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00277 1516 NtFlushInstructionCache (-1, 1907036160, 468, ... 
) == 0x0 00278 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00279 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00280 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0 00281 1516 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0 00282 1516 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0 00283 1516 NtQuerySection (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00284 1516 NtClose (48, ... ) == 0x0 00285 1516 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00286 1516 NtClose (44, ... ) == 0x0 00287 1516 NtProtectVirtualMemory (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00288 1516 NtProtectVirtualMemory (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00289 1516 NtFlushInstructionCache (-1, 1906970624, 352, ... ) == 0x0 00290 1516 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00291 1516 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00292 1516 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00293 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00294 1516 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00295 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0 00296 1516 NtAllocateVirtualMemory (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0 00297 1516 NtAllocateVirtualMemory (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0 00298 1516 NtAllocateVirtualMemory (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0 00299 1516 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0 00300 1516 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0 00301 1516 NtClose (44, ... ) == 0x0 00302 1516 NtAllocateVirtualMemory (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0 00303 1516 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00304 1516 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00305 1516 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00306 1516 NtQueryVirtualMemory (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0 00307 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00308 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00309 1516 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00310 1516 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00311 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 44, ) }, ... 44, ) == 0x0 00312 1516 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0 00313 1516 NtClose (44, ... ) == 0x0 00314 1516 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00315 1516 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00316 1516 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00317 1516 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00318 1516 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00319 1516 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00320 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 44, ) }, ... 44, ) == 0x0 00321 1516 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0 00322 1516 NtClose (44, ... ) == 0x0 00323 1516 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00324 1516 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... 
(0x77f61000), 4096, 4, ) == 0x0 00325 1516 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00326 1516 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00327 1516 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00328 1516 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00329 1516 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00330 1516 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00331 1516 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00332 1516 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00333 1516 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00334 1516 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00335 1516 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00336 1516 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00337 1516 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00338 1516 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00339 1516 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00340 1516 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00341 1516 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00342 1516 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00343 1516 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00344 1516 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00345 1516 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00346 1516 NtFlushInstructionCache (-1, 1119948800, 1452, ... 
) == 0x0 00347 1516 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00348 1516 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00349 1516 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00350 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 44, ) }, ... 44, ) == 0x0 00351 1516 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x880000), 0x0, 36864, ) == STATUS_IMAGE_NOT_AT_BASE 00352 1516 NtProtectVirtualMemory (-1, (0x881000), 18944, 4, ... (0x881000), 20480, 32, ) == 0x0 00353 1516 NtProtectVirtualMemory (-1, (0x887000), 1024, 4, ... (0x887000), 4096, 2, ) == 0x0 00354 1516 NtProtectVirtualMemory (-1, (0x888000), 1536, 4, ... (0x888000), 4096, 2, ) == 0x0 00355 1516 NtMapViewOfSection (44, -1, (0x880000), 0, 0, 0x0, 36864, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES 00356 1516 NtProtectVirtualMemory (-1, (0x881000), 18944, 16, ... (0x881000), 20480, 4, ) == 0x0 00357 1516 NtProtectVirtualMemory (-1, (0x887000), 1024, 2, ... (0x887000), 4096, 8, ) == 0x0 00358 1516 NtProtectVirtualMemory (-1, (0x888000), 1536, 2, ... (0x888000), 4096, 8, ) == 0x0 00359 1516 NtFlushInstructionCache (-1, 0, 0, ... ) == 0x0 00360 1516 NtClose (44, ... ) == 0x0 00361 1516 NtProtectVirtualMemory (-1, (0x881000), 160, 4, ... (0x881000), 4096, 16, ) == 0x0 00362 1516 NtProtectVirtualMemory (-1, (0x881000), 4096, 16, ... (0x881000), 4096, 4, ) == 0x0 00363 1516 NtFlushInstructionCache (-1, 8916992, 160, ... ) == 0x0 00364 1516 NtProtectVirtualMemory (-1, (0x881000), 160, 4, ... (0x881000), 4096, 16, ) == 0x0 00365 1516 NtProtectVirtualMemory (-1, (0x881000), 4096, 16, ... (0x881000), 4096, 4, ) == 0x0 00366 1516 NtFlushInstructionCache (-1, 8916992, 160, ... ) == 0x0 00367 1516 NtProtectVirtualMemory (-1, (0x881000), 160, 4, ... (0x881000), 4096, 16, ) == 0x0 00368 1516 NtProtectVirtualMemory (-1, (0x881000), 4096, 16, ... 
(0x881000), 4096, 4, ) == 0x0 00369 1516 NtFlushInstructionCache (-1, 8916992, 160, ... ) == 0x0 00370 1516 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00371 1516 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00372 1516 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00373 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 44, ) }, ... 44, ) == 0x0 00374 1516 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0 00375 1516 NtClose (44, ... ) == 0x0 00376 1516 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00377 1516 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00378 1516 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00379 1516 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00380 1516 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00381 1516 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00382 1516 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00383 1516 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00384 1516 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00385 1516 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00386 1516 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00387 1516 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00388 1516 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00389 1516 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00390 1516 NtFlushInstructionCache (-1, 1117327360, 616, ... 
) == 0x0 00391 1516 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00392 1516 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00393 1516 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00394 1516 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00395 1516 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00396 1516 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00397 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00398 1516 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00399 1516 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0 00400 1516 NtCreateSemaphore (0x1f0003, {24, 44, 0x80, 1330488, 0, (0x1f0003, {24, 44, 0x80, 1330488, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 48, ) }, 0, 2147483647, ... 48, ) == STATUS_OBJECT_NAME_EXISTS 00401 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00402 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00403 1516 NtQueryPerformanceCounter (... 
{924398351, 10}, {3579545, 0}, ) == 0x0 00404 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00405 1516 NtQueryPerformanceCounter (... {924398919, 10}, {3579545, 0}, ) == 0x0 00406 1516 NtAllocateVirtualMemory (-1, 1331200, 0, 8192, 4096, 4, ... 1331200, 8192, ) == 0x0 00407 1516 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00408 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 8978432, 1048576, ) == 0x0 00409 1516 NtAllocateVirtualMemory (-1, 8978432, 0, 4096, 4096, 4, ... 8978432, 4096, ) == 0x0 00410 1516 NtAllocateVirtualMemory (-1, 8982528, 0, 8192, 4096, 4, ... 8982528, 8192, ) == 0x0 00411 1516 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0 00412 1516 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1242348, (0xc0100080, {24, 0, 0x40, 0, 1242348, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 56, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 56, {status=0x0, info=0}, ) == 0x0 00413 1516 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 60, ) == 0x0 00414 1516 NtDeviceIoControlFile (56, 60, 0x0, 0x12f54c, 0x22414c, (56, 60, 0x0, 0x12f54c, 0x22414c, "\224\365\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ... 00415 1516 NtOpenKey (0x82000000, {24, 0, 0x240, 0, 0, (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... 
-2147482740, ) }, ... -2147482740, ) == 0x0 00416 1516 NtQueryValueKey (-2147482740, (-2147482740, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00417 1516 NtQueryValueKey (-2147482740, (-2147482740, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00418 1516 NtClose (-2147482740, ... ) == 0x0 00419 1516 NtClose (908, ... ) == 0x0 00414 1516 NtDeviceIoControlFile ... {status=0x0, info=80}, ... {status=0x0, info=80}, "\350\16\37\341\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#e\0r\02\0-\0\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00420 1516 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1242564, (0xc0100080, {24, 0, 0x40, 0, 1242564, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) == 0x0 00421 1516 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 72, ) == 0x0 00422 1516 NtDuplicateObject (-1, -1, -1, 0x0, 0, 2, ... 76, ) == 0x0 00423 1516 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 80, ) == 0x0 00424 1516 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 84, ) == 0x0 00425 1516 NtAllocateVirtualMemory (-1, 8990720, 0, 8192, 4096, 4, ... 8990720, 8192, ) == 0x0 00426 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 10027008, 1048576, ) == 0x0 00427 1516 NtAllocateVirtualMemory (-1, 11067392, 0, 8192, 4096, 4, ... 11067392, 8192, ) == 0x0 00428 1516 NtProtectVirtualMemory (-1, (0xa8e000), 4096, 260, ... (0xa8e000), 4096, 4, ) == 0x0 00429 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1241648, 1241592, 1, ... 88, {808, 1248}, ) == 0x0 00430 1516 NtQueryInformationThread (88, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=808,Tid=1248,}, 0x0, ) == 0x0 00431 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 8978808} (24, {28, 56, new_msg, 0, 0, 0, 0, 8978808} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0(\3\0\0\340\4\0\0" ... {28, 56, reply, 0, 808, 1516, 57941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0(\3\0\0\340\4\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57941, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 8978808} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0(\3\0\0\340\4\0\0" ... {28, 56, reply, 0, 808, 1516, 57941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0(\3\0\0\340\4\0\0" ) ) == 0x0 00432 1516 NtResumeThread (88, ... 1, ) == 0x0 00433 1516 NtClose (88, ... ) == 0x0 00434 1516 NtSetEvent (72, ... 00435 1248 NtCreateEvent (0x100003, 0x0, 1, 0, ... 88, ) == 0x0 00436 1248 NtWaitForSingleObject (88, 0, 0x0, ... 00434 1516 NtSetEvent ... 0x0, ) == 0x0 00437 1516 NtSetEvent (52, ... 0x0, ) == 0x0 00438 1516 NtClose (52, ... ) == 0x0 00439 1516 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0 00440 1516 NtAllocateVirtualMemory (-1, 8998912, 0, 4096, 4096, 4, ... 8998912, 4096, ) == 0x0 00441 1516 NtDeviceIoControlFile (56, 60, 0x0, 0x12f54c, 0x22414c, (56, 60, 0x0, 0x12f54c, 0x22414c, "\224\365\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ... 00442 1516 NtOpenKey (0x82000000, {24, 0, 0x240, 0, 0, (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00443 1516 NtQueryValueKey (-2147482740, (-2147482740, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00444 1516 NtQueryValueKey (-2147482740, (-2147482740, "00000000-0000-0000-0000-000000000000", Full, 130, ... 
) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00445 1516 NtClose (-2147482740, ... ) == 0x0 00446 1516 NtClose (908, ... ) == 0x0 00441 1516 NtDeviceIoControlFile ... {status=0x0, info=80}, ... {status=0x0, info=80}, "\250\33\257\341\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344e\0r\0IoNm\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00447 1516 NtSetEvent (72, ... 0x0, ) == 0x0 00448 1516 NtSetEvent (52, ... 0x0, ) == 0x0 00449 1516 NtClose (52, ... ) == 0x0 00450 1516 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 00451 1516 NtOpenProcessToken (-1, 0xa, ... 52, ) == 0x0 00452 1516 NtDuplicateToken (52, 0xc, {24, 0, 0x0, 0, 1242832, 0x0}, 0, 2, ... 96, ) == 0x0 00453 1516 NtClose (52, ... ) == 0x0 00454 1516 NtAccessCheck (1336312, 96, 0x1, 1242908, 1242960, 56, 1242940, ... (0x1), ) == 0x0 00455 1516 NtClose (96, ... ) == 0x0 00456 1516 NtQueryDefaultUILanguage (1241712, ... 00457 1516 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00458 1516 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482740, ) == 0x0 00459 1516 NtQueryInformationToken (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00460 1516 NtClose (-2147482740, ... ) == 0x0 00461 1516 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00462 1516 NtOpenKey (0x80000000, {24, -2147482740, 0x240, 0, 0, (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00463 1516 NtOpenKey (0x80000000, {24, -2147482740, 0x640, 0, 0, (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0 00464 1516 NtQueryValueKey (-2147481328, (-2147481328, "MultiUILanguageId", Partial, 256, ... 
) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00465 1516 NtClose (-2147481328, ... ) == 0x0 00466 1516 NtClose (-2147482740, ... ) == 0x0 00456 1516 NtQueryDefaultUILanguage ... ) == 0x0 00467 1516 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00468 1516 NtQueryDefaultUILanguage (2090319928, ... 00469 1516 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00470 1516 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482740, ) == 0x0 00471 1516 NtQueryInformationToken (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00472 1516 NtClose (-2147482740, ... ) == 0x0 00473 1516 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00474 1516 NtOpenKey (0x80000000, {24, -2147482740, 0x240, 0, 0, (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00475 1516 NtOpenKey (0x80000000, {24, -2147482740, 0x640, 0, 0, (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0 00476 1516 NtQueryValueKey (-2147481328, (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00477 1516 NtClose (-2147481328, ... ) == 0x0 00478 1516 NtClose (-2147482740, ... ) == 0x0 00468 1516 NtQueryDefaultUILanguage ... ) == 0x0 00479 1516 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 00480 1516 NtQueryDefaultLocale (1, 1239808, ... ) == 0x0 00481 1516 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00482 1516 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 808, 1516, 57942, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 808, 1516, 57942, 0} (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 808, 1516, 57942, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ) ) == 0x0 00483 1516 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00484 1516 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00485 1516 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00486 1516 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00487 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1239036, ... ) }, 1239036, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00488 1516 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00489 1516 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00490 1516 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00491 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1239100, ... ) }, 1239100, ... ) == 0x0 00492 1516 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 96, {status=0x0, info=1}, ) }, 3, 33, ... 96, {status=0x0, info=1}, ) == 0x0 00493 1516 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00494 1516 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00495 1516 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 100, ) == 0x0 00496 1516 NtClose (52, ... ) == 0x0 00497 1516 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xaa0000), 0x0, 1056768, ) == 0x0 00498 1516 NtClose (100, ... ) == 0x0 00499 1516 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 00500 1516 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00501 1516 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 52, ) == 0x0 00502 1516 NtQuerySection (52, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 00503 1516 NtClose (100, ... ) == 0x0 00504 1516 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0 00505 1516 NtClose (52, ... ) == 0x0 00506 1516 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00507 1516 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00508 1516 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00509 1516 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00510 1516 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00511 1516 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00512 1516 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00513 1516 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00514 1516 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00515 1516 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00516 1516 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00517 1516 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00518 1516 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00519 1516 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00520 1516 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00521 1516 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00522 1516 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00523 1516 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00524 1516 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... 
(0x773d1000), 4096, 32, ) == 0x0 00525 1516 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00526 1516 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00527 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00528 1516 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240580, ... ) , 42, 1240580, ... ) == 0x0 00529 1516 NtQueryDefaultUILanguage (1239264, ... 00530 1516 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00531 1516 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482740, ) == 0x0 00532 1516 NtQueryInformationToken (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00533 1516 NtClose (-2147482740, ... ) == 0x0 00534 1516 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00535 1516 NtOpenKey (0x80000000, {24, -2147482740, 0x240, 0, 0, (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00536 1516 NtOpenKey (0x80000000, {24, -2147482740, 0x640, 0, 0, (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0 00537 1516 NtQueryValueKey (-2147481328, (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00538 1516 NtClose (-2147481328, ... ) == 0x0 00539 1516 NtClose (-2147482740, ... ) == 0x0 00529 1516 NtQueryDefaultUILanguage ... ) == 0x0 00540 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238104, ... ) }, 1238104, ... 
) == 0x0 00541 1516 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00542 1516 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 100, ) == 0x0 00543 1516 NtClose (52, ... ) == 0x0 00544 1516 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xaa0000), 0x0, 4096, ) == 0x0 00545 1516 NtClose (100, ... ) == 0x0 00546 1516 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 00547 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237700, ... ) }, 1237700, ... ) == 0x0 00548 1516 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238444, (0x80100080, {24, 0, 0x40, 0, 1238444, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) == 0x0 00549 1516 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 100, ... 52, ) == 0x0 00550 1516 NtClose (100, ... ) == 0x0 00551 1516 NtMapViewOfSection (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xaa0000), {0, 0}, 4096, ) == 0x0 00552 1516 NtClose (52, ... ) == 0x0 00553 1516 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 00554 1516 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00555 1516 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 100, ) == 0x0 00556 1516 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xaa0000), 0x0, 4096, ) == 0x0 00557 1516 NtQueryInformationFile (52, 1238096, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00558 1516 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00559 1516 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 808, 1516, 57945, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 808, 1516, 57945, 0} (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 808, 1516, 57945, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ) ) == 0x0 00560 1516 NtClose (52, ... ) == 0x0 00561 1516 NtClose (100, ... ) == 0x0 00562 1516 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 00563 1516 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00564 1516 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00565 1516 NtUserSystemParametersInfo (104, 0, 2001084812, 0, ... ) == 0x1 00566 1516 NtUserGetDC (0, ... ) == 0x1010051 00567 1516 NtQueryVirtualMemory (-1, 0x7c91ca50, Basic, 28, ... 
{BaseAddress=0x7c91c000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00568 1516 NtQueryVirtualMemory (-1, 0x7c9163a8, Basic, 28, ... {BaseAddress=0x7c916000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x66000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00569 1516 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00570 1516 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00571 1516 NtContinue (1238304, 0, ... 00572 1516 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00573 1516 NtUnmapViewOfSection (-1, 0x773d0000, ... ) == 0x0 00574 1516 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00575 1516 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 00576 1516 NtClose (96, ... ) == 0x0 00577 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 96, ) }, ... 96, ) == 0x0 00578 1516 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0 00579 1516 NtClose (96, ... ) == 0x0 00580 1516 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 00581 1516 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00582 1516 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00583 1516 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 00584 1516 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00585 1516 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00586 1516 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 00587 1516 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00588 1516 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00589 1516 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... 
(0x5d091000), 4096, 32, ) == 0x0 00590 1516 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00591 1516 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00592 1516 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 00593 1516 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00594 1516 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00595 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00596 1516 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00597 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11075584, 65536, ) == 0x0 00598 1516 NtAllocateVirtualMemory (-1, 11075584, 0, 4096, 4096, 4, ... 11075584, 4096, ) == 0x0 00599 1516 NtAllocateVirtualMemory (-1, 11079680, 0, 8192, 4096, 4, ... 11079680, 8192, ) == 0x0 00600 1516 NtAllocateVirtualMemory (-1, 11087872, 0, 4096, 4096, 4, ... 11087872, 4096, ) == 0x0 00601 1516 NtAllocateVirtualMemory (-1, 11091968, 0, 4096, 4096, 4, ... 11091968, 4096, ) == 0x0 00602 1516 NtQueryDefaultUILanguage (1238736, ... 00603 1516 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00604 1516 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482740, ) == 0x0 00605 1516 NtQueryInformationToken (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00606 1516 NtClose (-2147482740, ... 
) == 0x0 00607 1516 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00608 1516 NtOpenKey (0x80000000, {24, -2147482740, 0x240, 0, 0, (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00609 1516 NtOpenKey (0x80000000, {24, -2147482740, 0x640, 0, 0, (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0 00610 1516 NtQueryValueKey (-2147481328, (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00611 1516 NtClose (-2147481328, ... ) == 0x0 00612 1516 NtClose (-2147482740, ... ) == 0x0 00602 1516 NtQueryDefaultUILanguage ... ) == 0x0 00613 1516 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00614 1516 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0 00615 1516 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xac0000), 0x0, 618496, ) == 0x0 00616 1516 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00617 1516 NtQueryDefaultLocale (1, 1236832, ... ) == 0x0 00618 1516 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00619 1516 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0\340q\263\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 808, 1516, 57946, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0\340q\263\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 808, 1516, 57946, 0} (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0\340q\263\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 808, 1516, 57946, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0\340q\263\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ) ) == 0x0 00620 1516 NtClose (96, ... ) == 0x0 00621 1516 NtClose (100, ... ) == 0x0 00622 1516 NtUnmapViewOfSection (-1, 0xac0000, ... ) == 0x0 00623 1516 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00624 1516 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {808, 0}, ... 100, ) == 0x0 00625 1516 NtQueryInformationProcess (100, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00626 1516 NtClose (100, ... 
) == 0x0 00627 1516 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00628 1516 NtUserSystemParametersInfo (104, 0, 1561338260, 0, ... ) == 0x1 00629 1516 NtUserSystemParametersInfo (38, 4, 1561337988, 0, ... ) == 0x1 00630 1516 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00631 1516 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 100, ) == 0x0 00632 1516 NtQueryInformationToken (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00633 1516 NtClose (100, ... ) == 0x0 00634 1516 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 100, ) }, ... 100, ) == 0x0 00635 1516 NtOpenProcessToken (-1, 0x8, ... 96, ) == 0x0 00636 1516 NtAccessCheck (1336312, 96, 0x1, 1239928, 1239980, 56, 1239960, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00637 1516 NtClose (96, ... ) == 0x0 00638 1516 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "Control Panel\Desktop"}, ... 96, ) }, ... 96, ) == 0x0 00639 1516 NtQueryValueKey (96, (96, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00640 1516 NtClose (96, ... ) == 0x0 00641 1516 NtUserSystemParametersInfo (41, 500, 1240108, 0, ... ) == 0x1 00642 1516 NtUserSystemParametersInfo (102, 0, 1561338280, 0, ... ) == 0x1 00643 1516 NtClose (100, ... ) == 0x0 00644 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00645 1516 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00646 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c03b 00647 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c03d 00648 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00649 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... 
) == 0x8178c03f 00650 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00651 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c041 00652 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00653 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c043 00654 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c045 00655 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00656 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c047 00657 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00658 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c049 00659 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00660 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c04b 00661 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00662 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c04d 00663 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00664 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c04f 00665 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c051 00666 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00667 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c053 00668 1516 NtUserFindExistingCursorIcon (1239856, 1239872, 1239920, ... ) == 0x10011 00669 1516 NtUserRegisterClassExWOW (1239800, 1239868, 1239884, 1239900, 0, 384, 0, ... ) == 0x8178c055 00670 1516 NtUserFindExistingCursorIcon (1239856, 1239872, 1239920, ... 
) == 0x10011 00671 1516 NtUserRegisterClassExWOW (1239800, 1239868, 1239884, 1239900, 0, 384, 0, ... ) == 0x8178c057 00672 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00673 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c059 00674 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10013 00675 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c05b 00676 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00677 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c05d 00678 1516 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 00679 1516 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8178c05f 00680 1516 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00681 1516 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 100, ) == 0x0 00682 1516 NtQueryInformationToken (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00683 1516 NtClose (100, ... ) == 0x0 00684 1516 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 100, ) }, ... 100, ) == 0x0 00685 1516 NtSetInformationObject (100, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00686 1516 NtCreateKey (0x2001f, {24, 100, 0x40, 0, 0, (0x2001f, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0 00687 1516 NtSetEventBoostPriority (88, ... 00436 1248 NtWaitForSingleObject ... ) == 0x0 00688 1248 NtTestAlert (... ) == 0x0 00689 1248 NtContinue (11074864, 1, ... 00690 1248 NtRegisterThreadTerminatePort (24, ... 
) == 0x0 00691 1248 NtDeviceIoControlFile (68, 80, 0x0, 0x77e466a0, 0x228144, (68, 80, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0L\0\0\0\0\0\0\0\\0\0\0\0\0\0\0@\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103 00687 1516 NtSetEventBoostPriority ... ) == 0x0 00692 1248 NtWaitForMultipleObjects (2, (72, 80, ), 1, 1, {1294967296, -1}, ... ) == 0x0 00693 1248 NtDeviceIoControlFile (68, 84, 0x0, 0x77e46680, 0x228144, (68, 84, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0L\0\0\0\0\0\0\0\\0\0\0\0\0\0\0@\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103 00694 1248 NtWaitForMultipleObjects (2, (72, 84, ), 1, 1, {1294967296, -1}, ... 00695 1516 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00696 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00697 1516 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0 00698 1516 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00699 1516 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 52, ... 104, ) == 0x0 00700 1516 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00701 1516 NtClose (52, ... ) == 0x0 00702 1516 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0 00703 1516 NtClose (104, ... ) == 0x0 00704 1516 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... 
(0x76d61000), 4096, 32, ) == 0x0 00705 1516 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 00706 1516 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 00707 1516 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 00708 1516 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 00709 1516 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 00710 1516 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 00711 1516 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 00712 1516 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 00713 1516 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 00714 1516 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 00715 1516 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 00716 1516 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 00717 1516 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 00718 1516 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 00719 1516 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 00720 1516 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 00721 1516 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 00722 1516 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00723 1516 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00724 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11272192, 65536, ) == 0x0 00725 1516 NtAllocateVirtualMemory (-1, 11272192, 0, 4096, 4096, 4, ... 11272192, 4096, ) == 0x0 00726 1516 NtAllocateVirtualMemory (-1, 11276288, 0, 8192, 4096, 4, ... 11276288, 8192, ) == 0x0 00727 1516 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 104, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 104, {status=0x0, info=0}, ) == 0x0 00728 1516 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 52, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 52, {status=0x0, info=0}, ) == 0x0 00729 1516 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 108, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 108, {status=0x0, info=0}, ) == 0x0 00730 1516 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 112, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 112, {status=0x0, info=0}, ) == 0x0 00731 1516 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 1242836, (0x20100080, {24, 0, 0x40, 0, 1242836, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 116, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 116, {status=0x0, info=0}, ) == 0x0 00732 1516 NtAllocateVirtualMemory (-1, 11284480, 0, 36864, 4096, 4, ... 11284480, 36864, ) == 0x0 00733 1516 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
120, ) == 0x0 00734 1516 NtDeviceIoControlFile (104, 120, 0x0, 0x0, 0x120003, (104, 120, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (104, 120, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 00735 1516 NtClose (120, ... ) == 0x0 00736 1516 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00737 1516 NtDeviceIoControlFile (104, 120, 0x0, 0x0, 0x120003, (104, 120, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118}, (104, 120, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 00738 1516 NtClose (120, ... ) == 0x0 00739 1516 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00740 1516 NtDeviceIoControlFile (104, 120, 0x0, 0x0, 0x120003, (104, 120, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... 
{status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363z\201\1\0\0\0\5\0\0\0\232A\250\25\324\211>\3\251\274\0\0\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\263\371%\0\204B\0\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (104, 120, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363z\201\1\0\0\0\5\0\0\0\232A\250\25\324\211>\3\251\274\0\0\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\263\371%\0\204B\0\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0 00741 1516 NtClose (120, ... ) == 0x0 00742 1516 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00743 1516 NtDeviceIoControlFile (104, 120, 0x0, 0x0, 0x120003, (104, 120, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (104, 120, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 00744 1516 NtClose (120, ... ) == 0x0 00745 1516 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00746 1516 NtDeviceIoControlFile (104, 120, 0x0, 0x0, 0x120003, (104, 120, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... 
{status=0x0, info=4}, (104, 120, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 00747 1516 NtClose (120, ... ) == 0x0 00748 1516 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00749 1516 NtDeviceIoControlFile (104, 120, 0x0, 0x0, 0x120003, (104, 120, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (104, 120, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 00750 1516 NtClose (120, ... ) == 0x0 00751 1516 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 120, ) == 0x0 00752 1516 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 124, ) == 0x0 00753 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00754 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00755 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00756 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00757 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00758 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00759 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00760 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 
11337728, 4096, ) == 0x0 00761 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00762 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00763 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00764 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00765 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00766 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00767 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00768 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00769 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00770 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00771 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00772 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00773 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00774 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... 
{BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00775 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00776 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00777 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00778 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00779 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00780 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00781 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00782 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00783 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00784 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00785 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00786 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00787 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00788 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
11337728, 65536, ) == 0x0 00789 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00790 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00791 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00792 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00793 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00794 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00795 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00796 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00797 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00798 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00799 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00800 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00801 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00802 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... 
(0xad0000), 65536, ) == 0x0 00803 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00804 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00805 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00806 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00807 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00808 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00809 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00810 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00811 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00812 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00813 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00814 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00815 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00816 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... 
{BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00817 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00818 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00819 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00820 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00821 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00822 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00823 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00824 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00825 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00826 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00827 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00828 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00829 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00830 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 
11337728, 4096, ) == 0x0 00831 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00832 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00833 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00834 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00835 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00836 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00837 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00838 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00839 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00840 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00841 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00842 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00843 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00844 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... 
{BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00845 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00846 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00847 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00848 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00849 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00850 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00851 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00852 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00853 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00854 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00855 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00856 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00857 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00858 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
11337728, 65536, ) == 0x0 00859 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00860 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00861 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00862 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00863 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00864 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00865 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00866 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00867 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00868 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00869 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00870 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00871 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00872 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... 
(0xad0000), 65536, ) == 0x0 00873 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0 00874 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 00875 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0 00876 1516 NtQueryVirtualMemory (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00877 1516 NtFreeVirtualMemory (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0 00878 1516 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 128, ) }, ... 128, ) == 0x0 00879 1516 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 132, ) }, ... 132, ) == 0x0 00880 1516 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 136, ) }, ... 136, ) == 0x0 00881 1516 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 140, ) }, ... 140, ) == 0x0 00882 1516 NtQueryDefaultLocale (1, 1242816, ... ) == 0x0 00883 1516 NtFreeVirtualMemory (-1, (0x850000), 0, 32768, ... (0x850000), 28672, ) == 0x0 00884 1516 NtFreeVirtualMemory (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0 00885 1516 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00886 1516 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00887 1516 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00888 1516 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 00889 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11337728, 1048576, ) == 0x0 00890 1516 NtAllocateVirtualMemory (-1, 11337728, 0, 32768, 4096, 4, ... 11337728, 32768, ) == 0x0 00891 1516 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 144, ) }, 0, ... 144, ) == 0x0 00892 1516 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 148, ) }, ... 148, ) == 0x0 00893 1516 NtQueryValueKey (148, (148, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00894 1516 NtQueryValueKey (148, (148, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00895 1516 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 152, ) == 0x0 00896 1516 NtOpenKey (0x2000000, {24, 148, 0x40, 0, 0, (0x2000000, {24, 148, 0x40, 0, 0, "Protocol_Catalog9"}, ... 156, ) }, ... 156, ) == 0x0 00897 1516 NtQueryValueKey (156, (156, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00898 1516 NtNotifyChangeKey (156, 152, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00899 1516 NtQueryValueKey (156, (156, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00900 1516 NtOpenKey (0x2000000, {24, 156, 0x40, 0, 0, (0x2000000, {24, 156, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00901 1516 NtQueryValueKey (156, (156, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 00902 1516 NtQueryValueKey (156, (156, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 00903 1516 NtOpenKey (0x2000000, {24, 156, 0x40, 0, 0, (0x2000000, {24, 156, 0x40, 0, 0, "Catalog_Entries"}, ... 160, ) }, ... 160, ) == 0x0 00904 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000001"}, ... 164, ) }, ... 164, ) == 0x0 00905 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00906 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00907 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\214\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\214\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\215\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\216\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\214\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\214\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\215\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\216\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\214\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\214\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\215\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\216\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00908 1516 NtClose (164, ... ) == 0x0 00909 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000002"}, ... 164, ) }, ... 164, ) == 0x0 00910 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00911 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00912 1516 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00913 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\222\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\222\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\223\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\224\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\222\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\222\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\223\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\224\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\222\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\222\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\223\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\224\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00914 1516 NtClose (164, ... ) == 0x0 00915 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000003"}, ... 164, ) }, ... 164, ) == 0x0 00916 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00917 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00918 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\227\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\227\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\230\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\231\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\227\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\227\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\230\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\231\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\227\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\227\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\230\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\231\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00919 1516 NtClose (164, ... ) == 0x0 00920 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000004"}, ... 164, ) }, ... 164, ) == 0x0 00921 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00922 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00923 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\234\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\234\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\235\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\235\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\236\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\236\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\237\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\234\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\234\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\235\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\235\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\236\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\236\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\237\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\236\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\237\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\234\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\234\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\235\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\235\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\236\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\236\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\237\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00924 1516 NtClose (164, ... ) == 0x0 00925 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000005"}, ... 164, ) }, ... 164, ) == 0x0 00926 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00927 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00928 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\241\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\241\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\242\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\242\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\243\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\243\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\241\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\241\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\242\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\242\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\243\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\243\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\243\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\241\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\241\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\242\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\242\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\243\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\243\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00929 1516 NtClose (164, ... ) == 0x0 00930 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000006"}, ... 164, ) }, ... 164, ) == 0x0 00931 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00932 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00933 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\246\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\246\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\247\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\250\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\246\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\246\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\247\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\250\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\246\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\246\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\247\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\250\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00934 1516 NtClose (164, ... ) == 0x0 00935 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000007"}, ... 164, ) }, ... 
164, ) == 0x0 00936 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00937 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00938 1516 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00939 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\254\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\254\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\255\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\256\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\254\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\254\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\255\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\256\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\254\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\254\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\255\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\256\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00940 1516 NtClose (164, ... ) == 0x0 00941 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000008"}, ... 164, ) }, ... 
164, ) == 0x0 00942 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00943 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00944 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\261\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\261\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\262\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\262\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\263\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\263\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\264\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\261\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\261\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\262\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\262\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\263\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\263\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\264\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\263\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\264\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\261\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\261\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\262\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\262\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\263\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\263\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\264\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00945 1516 NtClose (164, ... ) == 0x0 00946 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000009"}, ... 164, ) }, ... 
164, ) == 0x0 00947 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00948 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00949 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\266\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\266\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\267\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\267\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\270\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\266\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\266\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\267\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\267\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\270\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\266\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\266\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\267\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\267\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\270\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00950 1516 NtClose (164, ... ) == 0x0 00951 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000010"}, ... 164, ) }, ... 
164, ) == 0x0 00952 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00953 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00954 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\273\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\273\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\274\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\275\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\273\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\273\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\274\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\275\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\273\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\273\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\274\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\275\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00955 1516 NtClose (164, ... ) == 0x0 00956 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000011"}, ... 164, ) }, ... 
164, ) == 0x0 00957 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00958 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00959 1516 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00960 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\301\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\301\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\302\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\303\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\301\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\301\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\302\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\303\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\301\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\301\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\302\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\303\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00961 1516 NtClose (164, ... ) == 0x0 00962 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000012"}, ... 164, ) }, ... 
164, ) == 0x0 00963 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00964 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00965 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\306\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\306\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\307\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\307\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\310\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\310\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\311\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\306\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\306\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\307\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\307\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\310\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\310\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\311\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\310\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\311\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\306\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\306\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\307\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\307\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\310\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\310\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\311\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00966 1516 NtClose (164, ... ) == 0x0 00967 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000013"}, ... 164, ) }, ... 
164, ) == 0x0 00968 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00969 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00970 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\313\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\313\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\314\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\314\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\315\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\315\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\316\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\313\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\313\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\314\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\314\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\315\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\315\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\316\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\315\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\316\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\313\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\313\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\314\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\314\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\315\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\315\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\316\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00971 1516 NtClose (164, ... ) == 0x0 00972 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000014"}, ... 164, ) }, ... 
164, ) == 0x0 00973 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00974 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00975 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\320\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\320\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\321\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\321\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\322\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\322\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\323\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\320\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\320\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\321\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\321\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\322\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\322\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\323\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\322\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\323\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\320\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\320\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\321\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\321\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\322\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\322\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\323\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00976 1516 NtClose (164, ... ) == 0x0 00977 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000015"}, ... 164, ) }, ... 
164, ) == 0x0 00978 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00979 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00980 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\325\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\325\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\326\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\326\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\327\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\327\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\330\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\325\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\325\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\326\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\326\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\327\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\327\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\330\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\327\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\330\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\325\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\325\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\326\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\326\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\327\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\327\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\330\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00981 1516 NtClose (164, ... ) == 0x0 00982 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000016"}, ... 164, ) }, ... 
164, ) == 0x0 00983 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00984 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00985 1516 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00986 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\333\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\333\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\334\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\335\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\333\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\333\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\334\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\335\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\333\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\333\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\334\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\335\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00987 1516 NtClose (164, ... ) == 0x0 00988 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000017"}, ... 164, ) }, ... 
164, ) == 0x0 00989 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00990 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00991 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\340\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\340\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\341\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\341\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\342\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\342\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\343\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\340\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\340\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\341\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\341\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\342\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\342\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\343\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\342\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\343\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\340\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\340\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\341\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\341\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\342\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\342\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\343\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00992 1516 NtClose (164, ... ) == 0x0 00993 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000018"}, ... 164, ) }, ... 
164, ) == 0x0 00994 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00995 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00996 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\345\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\345\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\346\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\347\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\347\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\345\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\345\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\346\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\347\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\347\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\347\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\345\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\345\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\346\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\347\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\347\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00997 1516 NtClose (164, ... ) == 0x0 00998 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000019"}, ... 164, ) }, ... 
164, ) == 0x0 00999 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01000 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01001 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\352\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\352\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\353\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\354\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\354\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\355\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\352\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\352\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\353\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\354\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\354\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\355\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\354\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\355\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\352\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\352\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\353\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\354\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\354\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\355\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01002 1516 NtClose (164, ... ) == 0x0 01003 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000020"}, ... 164, ) }, ... 
164, ) == 0x0 01004 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01005 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01006 1516 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 01007 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\360\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\360\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\361\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\361\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\362\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\362\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\363\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\360\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\360\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\361\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\361\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\362\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\362\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\363\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\362\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\363\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\360\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\360\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\361\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\361\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\362\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\362\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\363\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01008 1516 NtClose (164, ... ) == 0x0 01009 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000021"}, ... 164, ) }, ... 
164, ) == 0x0 01010 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01011 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01012 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\365\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\365\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\366\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\366\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\367\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\367\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\370\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\365\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\365\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\366\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\366\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\367\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\367\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\370\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\367\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\370\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0 (164, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\365\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\365\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\366\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\240\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\366\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\244\0\0\0\367\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\367\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\370\3\0\0(\3\0\0\354\5\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\244\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01013 1516 NtClose (164, ... ) == 0x0 01014 1516 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "000000000022"}, ... 164, ) }, ... 
164, ) == 0x0 01015 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01016 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01017 1516 NtQueryValueKey (164, (164, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\372\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\372\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\373\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\374\3\0\0(\3\0\0\354\5\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\230\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\3\0\0(\3\0\0\354\5\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\375\3\0\0(\3\0\0\354\5\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\375\3\0\0(\3\0\0\354\5\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\376\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\224\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0pr\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (164, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\372\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\372\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\373\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\374\3\0\0(\3\0\0\354\5\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\230\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\3\0\0(\3\0\0\354\5\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\375\3\0\0(\3\0\0\354\5\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\375\3\0\0(\3\0\0\354\5\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\376\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\224\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0pr\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\372\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\244\0\0\0\372\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\373\3\0\0(\3\0\0\354\5\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\374\3\0\0(\3\0\0\354\5\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\230\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\3\0\0(\3\0\0\354\5\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\375\3\0\0(\3\0\0\354\5\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\375\3\0\0(\3\0\0\354\5\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\376\3\0\0(\3\0\0\354\5\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\224\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0pr\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 01018 1516 NtClose (164, ... ) == 0x0 01019 1516 NtClose (160, ... ) == 0x0 01020 1516 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x102 01021 1516 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0 01022 1516 NtOpenKey (0x2000000, {24, 148, 0x40, 0, 0, (0x2000000, {24, 148, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 164, ) }, ... 164, ) == 0x0 01023 1516 NtQueryValueKey (164, (164, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 01024 1516 NtNotifyChangeKey (164, 160, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 01025 1516 NtQueryValueKey (164, (164, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 01026 1516 NtOpenKey (0x2000000, {24, 164, 0x40, 0, 0, (0x2000000, {24, 164, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01027 1516 NtQueryValueKey (164, (164, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01028 1516 NtOpenKey (0x2000000, {24, 164, 0x40, 0, 0, (0x2000000, {24, 164, 0x40, 0, 0, "Catalog_Entries"}, ... 168, ) }, ... 168, ) == 0x0 01029 1516 NtOpenKey (0x20019, {24, 168, 0x40, 0, 0, (0x20019, {24, 168, 0x40, 0, 0, "000000000001"}, ... 172, ) }, ... 172, ) == 0x0 01030 1516 NtQueryValueKey (172, (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01031 1516 NtQueryValueKey (172, (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01032 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01033 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01034 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01035 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01036 1516 NtQueryValueKey (172, (172, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (172, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01037 1516 NtQueryValueKey (172, (172, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01038 1516 NtQueryValueKey (172, (172, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01039 1516 NtQueryValueKey (172, (172, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "Enabled", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01040 1516 NtQueryValueKey (172, (172, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01041 1516 NtQueryValueKey (172, (172, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01042 1516 NtClose (172, ... ) == 0x0 01043 1516 NtOpenKey (0x20019, {24, 168, 0x40, 0, 0, (0x20019, {24, 168, 0x40, 0, 0, "000000000002"}, ... 172, ) }, ... 172, ) == 0x0 01044 1516 NtQueryValueKey (172, (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01045 1516 NtQueryValueKey (172, (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01046 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01047 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01048 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01049 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01050 1516 NtQueryValueKey (172, (172, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (172, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01051 1516 NtQueryValueKey (172, (172, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01052 1516 NtQueryValueKey (172, (172, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01053 1516 NtQueryValueKey (172, (172, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01054 1516 NtQueryValueKey (172, (172, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01055 1516 NtQueryValueKey (172, (172, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01056 1516 NtClose (172, ... ) == 0x0 01057 1516 NtOpenKey (0x20019, {24, 168, 0x40, 0, 0, (0x20019, {24, 168, 0x40, 0, 0, "000000000003"}, ... 172, ) }, ... 172, ) == 0x0 01058 1516 NtQueryValueKey (172, (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01059 1516 NtQueryValueKey (172, (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01060 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01061 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01062 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01063 1516 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01064 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01065 1516 NtQueryValueKey (172, (172, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... 
TitleIdx=0, Type=3, Data= (172, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01066 1516 NtQueryValueKey (172, (172, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01067 1516 NtQueryValueKey (172, (172, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01068 1516 NtQueryValueKey (172, (172, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01069 1516 NtQueryValueKey (172, (172, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01070 1516 NtQueryValueKey (172, (172, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01071 1516 NtClose (172, ... ) == 0x0 01072 1516 NtOpenKey (0x20019, {24, 168, 0x40, 0, 0, (0x20019, {24, 168, 0x40, 0, 0, "000000000004"}, ... 172, ) }, ... 172, ) == 0x0 01073 1516 NtQueryValueKey (172, (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01074 1516 NtQueryValueKey (172, (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01075 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01076 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01077 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01078 1516 NtQueryValueKey (172, (172, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01079 1516 NtQueryValueKey (172, (172, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (172, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 01080 1516 NtQueryValueKey (172, (172, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01081 1516 NtQueryValueKey (172, (172, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01082 1516 NtQueryValueKey (172, (172, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01083 1516 NtQueryValueKey (172, (172, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01084 1516 NtQueryValueKey (172, (172, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01085 1516 NtClose (172, ... ) == 0x0 01086 1516 NtClose (168, ... ) == 0x0 01087 1516 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x102 01088 1516 NtClose (148, ... ) == 0x0 01089 1516 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01090 1516 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01091 1516 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 148, ) }, ... 148, ) == 0x0 01092 1516 NtQueryValueKey (148, (148, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01093 1516 NtClose (148, ... ) == 0x0 01094 1516 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 148, ) == 0x0 01095 1516 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241648, (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 168, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0 01096 1516 NtQueryInformationFile (168, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01097 1516 NtQueryInformationFile (168, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01098 1516 NtQueryInformationFile (168, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01099 1516 NtAllocateVirtualMemory (-1, 1368064, 0, 8192, 4096, 4, ... 1368064, 8192, ) == 0x0 01100 1516 NtQueryInformationFile (168, 1365432, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01101 1516 NtQueryInformationFile (168, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01102 1516 NtQueryInformationFile (168, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01103 1516 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240416, (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\skynetave.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01104 1516 NtClose (-2147482740, ... 
) == 0x0 01103 1516 NtCreateFile ... 172, {status=0x0, info=2}, ) == 0x0 01105 1516 NtQueryVolumeInformationFile (172, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01106 1516 NtQueryInformationFile (172, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01107 1516 NtQueryVolumeInformationFile (168, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01108 1516 NtSetInformationFile (172, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01109 1516 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 168, ... 176, ) == 0x0 01110 1516 NtMapViewOfSection (176, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x850000), {0, 0}, 16384, ) == 0x0 01111 1516 NtClose (176, ... ) == 0x0 01112 1516 NtWriteFile (172, 0, 0, 0, (172, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\330\7\312\202\234f\244\321\234f\244\321\234f\244\321\37n\371\321\236f\244\321\234f\244\321\237f\244\321ty\256\321\206f\244\321\37z\252\321\227f\244\321\234f\245\321\320f\244\321\376y\267\321\225f\244\321ty\257\321\230f\244\321$`\242\321\235f\244\321Rich\234f\244\321\0\0\0\0\0\0\0\0PE\0\0L\1\2\0w\13\225@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0$\0\0\0\0\0\0\336(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\02\0\0\0\4\0\02CEP", 16384, 0x0, 0, ... {status=0x0, info=16384}, ) , 16384, 0x0, 0, ... 
{status=0x0, info=16384}, ) == 0x0 01113 1516 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 01114 1516 NtSetInformationFile (172, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01115 1516 NtClose (168, ... ) == 0x0 01116 1516 NtClose (172, ... ) == 0x0 01117 1516 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 172, ) }, ... 172, ) == 0x0 01118 1516 NtSetValueKey (172, (172, "skynetave.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0k\0y\0n\0e\0t\0a\0v\0e\0.\0e\0x\0e\0\0\0", 50, ... , 0, 1, (172, "skynetave.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0k\0y\0n\0e\0t\0a\0v\0e\0.\0e\0x\0e\0\0\0", 50, ... , 50, ... 01119 1516 NtSetInformationFile (-2147482448, -139610320, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01120 1516 NtSetInformationFile (-2147482448, -139610412, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01121 1516 NtSetInformationFile (-2147482448, -139610720, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01118 1516 NtSetValueKey ... ) == 0x0 01122 1516 NtClose (172, ... ) == 0x0 01123 1516 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "SkynetSasserVersionWithPingFast"}, 0, ... 172, ) }, 0, ... 172, ) == 0x0 01124 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 12386304, 1048576, ) == 0x0 01125 1516 NtAllocateVirtualMemory (-1, 13426688, 0, 8192, 4096, 4, ... 13426688, 8192, ) == 0x0 01126 1516 NtProtectVirtualMemory (-1, (0xcce000), 4096, 260, ... (0xcce000), 4096, 4, ) == 0x0 01127 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 168, {808, 860}, ) == 0x0 01128 1516 NtQueryInformationThread (168, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=808,Tid=860,}, 0x0, ) == 0x0 01129 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0(\3\0\0\\3\0\0" ... {28, 56, reply, 0, 808, 1516, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0(\3\0\0\\3\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57947, 0} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0(\3\0\0\\3\0\0" ... {28, 56, reply, 0, 808, 1516, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0(\3\0\0\\3\0\0" ) ) == 0x0 01130 1516 NtResumeThread (168, ... 1, ) == 0x0 01131 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13434880, 1048576, ) == 0x0 01132 1516 NtAllocateVirtualMemory (-1, 14475264, 0, 8192, 4096, 4, ... 01133 860 NtTestAlert (... ) == 0x0 01134 860 NtContinue (13434160, 1, ... 01135 860 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01136 860 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 176, ) == 0x0 01137 860 NtWaitForSingleObject (152, 0, {0, 0}, ... ) == 0x102 01138 860 NtAllocateVirtualMemory (-1, 13422592, 0, 4096, 4096, 260, ... 01132 1516 NtAllocateVirtualMemory ... 14475264, 8192, ) == 0x0 01139 1516 NtProtectVirtualMemory (-1, (0xdce000), 4096, 260, ... (0xdce000), 4096, 4, ) == 0x0 01140 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 180, {808, 484}, ) == 0x0 01141 1516 NtQueryInformationThread (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=808,Tid=484,}, 0x0, ) == 0x0 01142 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57947, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0(\3\0\0\344\1\0\0" ... {28, 56, reply, 0, 808, 1516, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0(\3\0\0\344\1\0\0" ) ... 
{28, 56, reply, 0, 808, 1516, 57948, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0(\3\0\0\344\1\0\0" ... {28, 56, reply, 0, 808, 1516, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0(\3\0\0\344\1\0\0" ) ) == 0x0 01143 1516 NtResumeThread (180, ... 1, ) == 0x0 01138 860 NtAllocateVirtualMemory ... 13422592, 4096, ) == 0x0 01144 484 NtWaitForSingleObject (88, 0, 0x0, ... 01145 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13431284, ... ) }, 13431284, ... ) == 0x0 01146 860 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01147 860 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 184, ... 188, ) == 0x0 01148 860 NtClose (184, ... ) == 0x0 01149 860 NtMapViewOfSection (188, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdd0000), 0x0, 245760, ) == 0x0 01150 860 NtClose (188, ... 01151 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14745600, 1048576, ) == 0x0 01152 1516 NtAllocateVirtualMemory (-1, 15785984, 0, 8192, 4096, 4, ... 15785984, 8192, ) == 0x0 01153 1516 NtProtectVirtualMemory (-1, (0xf0e000), 4096, 260, ... (0xf0e000), 4096, 4, ) == 0x0 01154 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 184, {808, 748}, ) == 0x0 01155 1516 NtQueryInformationThread (184, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=808,Tid=748,}, 0x0, ) == 0x0 01156 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57948, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0(\3\0\0\354\2\0\0" ... ... 01150 860 NtClose ... ) == 0x0 01156 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 57949, 0} ... 
{28, 56, reply, 0, 808, 1516, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0(\3\0\0\354\2\0\0" ) ) == 0x0 01157 1516 NtResumeThread (184, ... 1, ) == 0x0 01158 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15794176, 1048576, ) == 0x0 01159 1516 NtAllocateVirtualMemory (-1, 16834560, 0, 8192, 4096, 4, ... 01160 748 NtWaitForSingleObject (88, 0, 0x0, ... 01159 1516 NtAllocateVirtualMemory ... 16834560, 8192, ) == 0x0 01161 1516 NtProtectVirtualMemory (-1, (0x100e000), 4096, 260, ... (0x100e000), 4096, 4, ) == 0x0 01162 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 188, {808, 1580}, ) == 0x0 01163 1516 NtQueryInformationThread (188, Basic, 28, ... 01164 860 NtUnmapViewOfSection (-1, 0xdd0000, ... ) == 0x0 01165 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13431592, ... ) }, 13431592, ... ) == 0x0 01166 860 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 192, {status=0x0, info=1}, ) == 0x0 01167 860 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 192, ... 196, ) == 0x0 01168 860 NtQuerySection (196, Image, 48, ... 01163 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=808,Tid=1580,}, 0x0, ) == 0x0 01169 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57949, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0(\3\0\0,\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0(\3\0\0,\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57950, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0(\3\0\0,\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0(\3\0\0,\6\0\0" ) ) == 0x0 01170 1516 NtResumeThread (188, ... 
1, ) == 0x0 01171 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 16842752, 1048576, ) == 0x0 01172 1516 NtAllocateVirtualMemory (-1, 17883136, 0, 8192, 4096, 4, ... 17883136, 8192, ) == 0x0 01173 1516 NtProtectVirtualMemory (-1, (0x110e000), 4096, 260, ... (0x110e000), 4096, 4, ) == 0x0 01168 860 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01174 1580 NtWaitForSingleObject (88, 0, 0x0, ... 01175 860 NtClose (192, ... ) == 0x0 01176 860 NtMapViewOfSection (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0 01177 860 NtClose (196, ... ) == 0x0 01178 860 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 01179 860 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 01180 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 196, {808, 1756}, ) == 0x0 01181 1516 NtQueryInformationThread (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=808,Tid=1756,}, 0x0, ) == 0x0 01182 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57950, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0(\3\0\0\334\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0(\3\0\0\334\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57951, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0(\3\0\0\334\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0(\3\0\0\334\6\0\0" ) ) == 0x0 01183 1516 NtResumeThread (196, ... 1, ) == 0x0 01184 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17891328, 1048576, ) == 0x0 01185 1516 NtAllocateVirtualMemory (-1, 18931712, 0, 8192, 4096, 4, ... 01179 860 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 01186 1756 NtWaitForSingleObject (88, 0, 0x0, ... 01187 860 NtFlushInstructionCache (-1, 1906642944, 1060, ... 
) == 0x0 01188 860 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 01189 860 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 01190 860 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 01191 860 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 01192 860 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 01185 1516 NtAllocateVirtualMemory ... 18931712, 8192, ) == 0x0 01193 1516 NtProtectVirtualMemory (-1, (0x120e000), 4096, 260, ... (0x120e000), 4096, 4, ) == 0x0 01194 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 192, {808, 1292}, ) == 0x0 01195 1516 NtQueryInformationThread (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=808,Tid=1292,}, 0x0, ) == 0x0 01196 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57951, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0(\3\0\0\14\5\0\0" ... {28, 56, reply, 0, 808, 1516, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0(\3\0\0\14\5\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57952, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0(\3\0\0\14\5\0\0" ... {28, 56, reply, 0, 808, 1516, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0(\3\0\0\14\5\0\0" ) ) == 0x0 01197 1516 NtResumeThread (192, ... 1, ) == 0x0 01192 860 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 01198 1292 NtWaitForSingleObject (88, 0, 0x0, ... 01199 860 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 01200 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 18939904, 1048576, ) == 0x0 01201 1516 NtAllocateVirtualMemory (-1, 19980288, 0, 8192, 4096, 4, ... 19980288, 8192, ) == 0x0 01202 1516 NtProtectVirtualMemory (-1, (0x130e000), 4096, 260, ... (0x130e000), 4096, 4, ) == 0x0 01203 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
01204 860 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01205 860 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01206 860 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01207 860 NtSetEventBoostPriority (88, ... 01203 1516 NtCreateThread ... 200, {808, 1956}, ) == 0x0 01208 1516 NtQueryInformationThread (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=808,Tid=1956,}, 0x0, ) == 0x0 01209 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57952, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0(\3\0\0\244\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0(\3\0\0\244\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57953, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0(\3\0\0\244\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0(\3\0\0\244\7\0\0" ) ) == 0x0 01210 1516 NtResumeThread (200, ... 1, ) == 0x0 01144 484 NtWaitForSingleObject ... ) == 0x0 01207 860 NtSetEventBoostPriority ... ) == 0x0 01211 1956 NtWaitForSingleObject (88, 0, 0x0, ... 01212 484 NtSetEventBoostPriority (88, ... 01213 860 NtWaitForSingleObject (88, 0, 0x0, ... 01160 748 NtWaitForSingleObject ... ) == 0x0 01212 484 NtSetEventBoostPriority ... ) == 0x0 01214 748 NtSetEventBoostPriority (88, ... 01215 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01174 1580 NtWaitForSingleObject ... 
) == 0x0 01214 748 NtSetEventBoostPriority ... ) == 0x0 01216 1580 NtSetEventBoostPriority (88, ... 01215 1516 NtAllocateVirtualMemory ... 19988480, 1048576, ) == 0x0 01217 484 NtTestAlert (... 01186 1756 NtWaitForSingleObject ... ) == 0x0 01216 1580 NtSetEventBoostPriority ... ) == 0x0 01218 1516 NtAllocateVirtualMemory (-1, 21028864, 0, 8192, 4096, 4, ... 01219 1756 NtSetEventBoostPriority (88, ... 01217 484 NtTestAlert ... ) == 0x0 01220 748 NtTestAlert (... 01198 1292 NtWaitForSingleObject ... ) == 0x0 01219 1756 NtSetEventBoostPriority ... ) == 0x0 01218 1516 NtAllocateVirtualMemory ... 21028864, 8192, ) == 0x0 01221 484 NtContinue (14482736, 1, ... 01222 1292 NtSetEventBoostPriority (88, ... 01220 748 NtTestAlert ... ) == 0x0 01223 1580 NtTestAlert (... 01224 1516 NtProtectVirtualMemory (-1, (0x140e000), 4096, 260, ... 01211 1956 NtWaitForSingleObject ... ) == 0x0 01222 1292 NtSetEventBoostPriority ... ) == 0x0 01225 484 NtRegisterThreadTerminatePort (24, ... 01226 748 NtContinue (15793456, 1, ... 01223 1580 NtTestAlert ... ) == 0x0 01227 1956 NtSetEventBoostPriority (88, ... 01224 1516 NtProtectVirtualMemory ... (0x140e000), 4096, 4, ) == 0x0 01228 1756 NtTestAlert (... 01225 484 NtRegisterThreadTerminatePort ... ) == 0x0 01229 748 NtRegisterThreadTerminatePort (24, ... 01213 860 NtWaitForSingleObject ... ) == 0x0 01227 1956 NtSetEventBoostPriority ... ) == 0x0 01230 1580 NtContinue (16842032, 1, ... 01231 1292 NtTestAlert (... 01228 1756 NtTestAlert ... ) == 0x0 01232 860 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01229 748 NtRegisterThreadTerminatePort ... ) == 0x0 01233 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01234 1580 NtRegisterThreadTerminatePort (24, ... 01231 1292 NtTestAlert ... ) == 0x0 01232 860 NtCreateEvent ... 204, ) == 0x0 01235 1756 NtContinue (17890608, 1, ... 01233 1516 NtCreateThread ... 208, {808, 1980}, ) == 0x0 01234 1580 NtRegisterThreadTerminatePort ... ) == 0x0 01236 1292 NtContinue (18939184, 1, ... 
01237 1956 NtTestAlert (... 01238 484 NtQueryValueKey (96, (96, "FromCacheTimeout", Partial, 144, ... , Partial, 144, ... 01239 1756 NtRegisterThreadTerminatePort (24, ... 01240 1516 NtQueryInformationThread (208, Basic, 28, ... 01241 1580 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01242 1292 NtRegisterThreadTerminatePort (24, ... 01237 1956 NtTestAlert ... ) == 0x0 01238 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01239 1756 NtRegisterThreadTerminatePort ... ) == 0x0 01240 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=808,Tid=1980,}, 0x0, ) == 0x0 01243 860 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ... 01244 748 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01242 1292 NtRegisterThreadTerminatePort ... ) == 0x0 01245 1956 NtContinue (19987760, 1, ... 01246 484 NtQueryValueKey (96, (96, "SecureProtocols", Partial, 144, ... , Partial, 144, ... 01247 1756 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01248 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57953, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0(\3\0\0\274\7\0\0" ... ... 01243 860 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01244 748 NtCreateEvent ... 212, ) == 0x0 01249 1292 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01250 1956 NtRegisterThreadTerminatePort (24, ... 01246 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) }, 16, ) == 0x0 01241 1580 NtCreateEvent ... 216, ) == 0x0 01251 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 13431204, ... }, 13431204, ... 01252 748 NtWaitForSingleObject (212, 0, 0x0, ... 01247 1756 NtCreateEvent ... 220, ) == 0x0 01248 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 57954, 0} ... 
{28, 56, reply, 0, 808, 1516, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0(\3\0\0\274\7\0\0" ) ) == 0x0 01250 1956 NtRegisterThreadTerminatePort ... ) == 0x0 01253 484 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies"}, ... }, ... 01254 1580 NtClose (216, ... 01255 1756 NtClose (220, ... 01256 1516 NtResumeThread (208, ... 01257 1956 NtWaitForSingleObject (212, 0, 0x0, ... 01249 1292 NtCreateEvent ... 224, ) == 0x0 01254 1580 NtClose ... ) == 0x0 01255 1756 NtClose ... ) == 0x0 01256 1516 NtResumeThread ... 1, ) == 0x0 01253 484 NtOpenKey ... 220, ) == 0x0 01258 1292 NtClose (224, ... 01259 1580 NtWaitForSingleObject (212, 0, 0x0, ... 01260 1756 NtWaitForSingleObject (212, 0, 0x0, ... 01261 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01262 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "Software\Policies"}, ... }, ... 01258 1292 NtClose ... ) == 0x0 01261 1516 NtAllocateVirtualMemory ... 21037056, 1048576, ) == 0x0 01262 484 NtOpenKey ... 224, ) == 0x0 01263 1292 NtWaitForSingleObject (212, 0, 0x0, ... 01264 1516 NtAllocateVirtualMemory (-1, 22077440, 0, 8192, 4096, 4, ... 01265 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "Software"}, ... }, ... 01266 1980 NtWaitForSingleObject (88, 0, 0x0, ... 01265 484 NtOpenKey ... 216, ) == 0x0 01267 484 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software"}, ... 228, ) }, ... 228, ) == 0x0 01268 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01269 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01270 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 01264 1516 NtAllocateVirtualMemory ... 22077440, 8192, ) == 0x0 01271 1516 NtProtectVirtualMemory (-1, (0x150e000), 4096, 260, ... (0x150e000), 4096, 4, ) == 0x0 01272 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {808, 1784}, ) == 0x0 01273 1516 NtQueryInformationThread (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=808,Tid=1784,}, 0x0, ) == 0x0 01274 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57954, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0(\3\0\0\370\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0(\3\0\0\370\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57955, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0(\3\0\0\370\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0(\3\0\0\370\6\0\0" ) ) == 0x0 01275 1516 NtResumeThread (232, ... 1, ) == 0x0 01270 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01276 1784 NtWaitForSingleObject (88, 0, 0x0, ... 01277 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 236, ) }, ... 236, ) == 0x0 01278 484 NtQueryValueKey (236, (236, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01279 484 NtClose (236, ... ) == 0x0 01280 484 NtQueryValueKey (96, (96, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01281 484 NtQueryValueKey (96, (96, "DisablePassport", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01282 484 NtQueryValueKey (96, (96, "IdnEnabled", Partial, 144, ... , Partial, 144, ... 01283 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01251 860 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01283 1516 NtAllocateVirtualMemory ... 22085632, 1048576, ) == 0x0 01284 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 13431204, ... }, 13431204, ... 01285 1516 NtAllocateVirtualMemory (-1, 23126016, 0, 8192, 4096, 4, ... 01284 860 NtQueryAttributesFile ... ) == 0x0 01285 1516 NtAllocateVirtualMemory ... 23126016, 8192, ) == 0x0 01286 860 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ... 01287 1516 NtProtectVirtualMemory (-1, (0x160e000), 4096, 260, ... 01286 860 NtOpenFile ... 236, {status=0x0, info=1}, ) == 0x0 01287 1516 NtProtectVirtualMemory ... (0x160e000), 4096, 4, ) == 0x0 01288 860 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 236, ... 01282 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01289 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01290 484 NtQueryValueKey (96, (96, "CacheMode", Partial, 144, ... , Partial, 144, ... 01289 1516 NtCreateThread ... 240, {808, 1480}, ) == 0x0 01290 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01291 1516 NtQueryInformationThread (240, Basic, 28, ... 01292 484 NtQueryValueKey (96, (96, "EnableHttp1_1", Partial, 144, ... , Partial, 144, ... 01291 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=808,Tid=1480,}, 0x0, ) == 0x0 01292 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01293 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57955, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0(\3\0\0\310\5\0\0" ... ... 01294 484 NtQueryValueKey (96, (96, "ProxyHttp1.1", Partial, 144, ... , Partial, 144, ... 01293 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 57956, 0} ... {28, 56, reply, 0, 808, 1516, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0(\3\0\0\310\5\0\0" ) ) == 0x0 01288 860 NtCreateSection ... 244, ) == 0x0 01295 1516 NtResumeThread (240, ... 01296 860 NtQuerySection (244, Image, 48, ... 01295 1516 NtResumeThread ... 1, ) == 0x0 01296 860 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01297 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01298 860 NtClose (236, ... 01297 1516 NtAllocateVirtualMemory ... 23134208, 1048576, ) == 0x0 01298 860 NtClose ... ) == 0x0 01299 1516 NtAllocateVirtualMemory (-1, 24174592, 0, 8192, 4096, 4, ... 01300 860 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01294 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01301 1480 NtWaitForSingleObject (88, 0, 0x0, ... 01299 1516 NtAllocateVirtualMemory ... 24174592, 8192, ) == 0x0 01302 484 NtQueryValueKey (96, (96, "EnableNegotiate", Partial, 144, ... , Partial, 144, ... 01303 1516 NtProtectVirtualMemory (-1, (0x170e000), 4096, 260, ... 01302 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01303 1516 NtProtectVirtualMemory ... (0x170e000), 4096, 4, ) == 0x0 01304 484 NtQueryValueKey (96, (96, "DisableBasicOverClearChannel", Partial, 144, ... , Partial, 144, ... 01305 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01304 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01305 1516 NtCreateThread ... 
236, {808, 1556}, ) == 0x0 01306 484 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 01307 1516 NtQueryInformationThread (236, Basic, 28, ... 01300 860 NtMapViewOfSection ... (0x662b0000), 0x0, 360448, ) == 0x0 01306 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01308 860 NtClose (244, ... 01309 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 01308 860 NtClose ... ) == 0x0 01309 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01310 860 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01311 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 01310 860 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01311 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01312 860 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01313 484 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 01307 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=808,Tid=1556,}, 0x0, ) == 0x0 01312 860 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01314 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57956, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0(\3\0\0\24\6\0\0" ... ... 01315 860 NtFlushInstructionCache (-1, 1714098176, 932, ... 01314 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 57957, 0} ... {28, 56, reply, 0, 808, 1516, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0(\3\0\0\24\6\0\0" ) ) == 0x0 01315 860 NtFlushInstructionCache ... ) == 0x0 01316 1516 NtResumeThread (236, ... 
01317 860 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01316 1516 NtResumeThread ... 1, ) == 0x0 01317 860 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01313 484 NtOpenKey ... 244, ) == 0x0 01318 1556 NtWaitForSingleObject (88, 0, 0x0, ... 01319 860 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01320 484 NtQueryValueKey (244, (244, "Feature_ClientAuthCertFilter", Partial, 144, ... , Partial, 144, ... 01321 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01320 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01321 1516 NtAllocateVirtualMemory ... 24182784, 1048576, ) == 0x0 01322 484 NtClose (244, ... 01323 1516 NtAllocateVirtualMemory (-1, 25223168, 0, 8192, 4096, 4, ... 01322 484 NtClose ... ) == 0x0 01323 1516 NtAllocateVirtualMemory ... 25223168, 8192, ) == 0x0 01324 484 NtWaitForSingleObject (88, 0, 0x0, ... 01325 1516 NtProtectVirtualMemory (-1, (0x180e000), 4096, 260, ... 01319 860 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01325 1516 NtProtectVirtualMemory ... (0x180e000), 4096, 4, ) == 0x0 01326 860 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01327 860 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 01328 860 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 01329 860 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01330 860 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 01331 860 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01332 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {808, 460}, ) == 0x0 01333 1516 NtQueryInformationThread (244, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=808,Tid=460,}, 0x0, ) == 0x0 01334 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57957, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0(\3\0\0\314\1\0\0" ... {28, 56, reply, 0, 808, 1516, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0(\3\0\0\314\1\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57958, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0(\3\0\0\314\1\0\0" ... {28, 56, reply, 0, 808, 1516, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0(\3\0\0\314\1\0\0" ) ) == 0x0 01335 1516 NtResumeThread (244, ... 1, ) == 0x0 01336 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 25231360, 1048576, ) == 0x0 01337 1516 NtAllocateVirtualMemory (-1, 26271744, 0, 8192, 4096, 4, ... 01331 860 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01338 460 NtWaitForSingleObject (88, 0, 0x0, ... 01339 860 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01340 860 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 01341 860 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 01342 860 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01343 860 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01344 860 NtSetEventBoostPriority (88, ... 01337 1516 NtAllocateVirtualMemory ... 26271744, 8192, ) == 0x0 01345 1516 NtProtectVirtualMemory (-1, (0x190e000), 4096, 260, ... (0x190e000), 4096, 4, ) == 0x0 01346 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {808, 1068}, ) == 0x0 01347 1516 NtQueryInformationThread (248, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=808,Tid=1068,}, 0x0, ) == 0x0 01348 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57958, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0(\3\0\0,\4\0\0" ... {28, 56, reply, 0, 808, 1516, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0(\3\0\0,\4\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57959, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0(\3\0\0,\4\0\0" ... {28, 56, reply, 0, 808, 1516, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0(\3\0\0,\4\0\0" ) ) == 0x0 01349 1516 NtResumeThread (248, ... 1, ) == 0x0 01266 1980 NtWaitForSingleObject ... ) == 0x0 01344 860 NtSetEventBoostPriority ... ) == 0x0 01350 1068 NtWaitForSingleObject (88, 0, 0x0, ... 01351 1980 NtSetEventBoostPriority (88, ... 01352 860 NtWaitForSingleObject (88, 0, 0x0, ... 01276 1784 NtWaitForSingleObject ... ) == 0x0 01351 1980 NtSetEventBoostPriority ... ) == 0x0 01353 1784 NtSetEventBoostPriority (88, ... 01354 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01301 1480 NtWaitForSingleObject ... ) == 0x0 01353 1784 NtSetEventBoostPriority ... ) == 0x0 01355 1480 NtSetEventBoostPriority (88, ... 01354 1516 NtAllocateVirtualMemory ... 26279936, 1048576, ) == 0x0 01356 1980 NtTestAlert (... 01318 1556 NtWaitForSingleObject ... ) == 0x0 01355 1480 NtSetEventBoostPriority ... ) == 0x0 01357 1516 NtAllocateVirtualMemory (-1, 27320320, 0, 8192, 4096, 4, ... 01358 1556 NtSetEventBoostPriority (88, ... 01356 1980 NtTestAlert ... ) == 0x0 01359 1784 NtTestAlert (... 01324 484 NtWaitForSingleObject ... ) == 0x0 01358 1556 NtSetEventBoostPriority ... ) == 0x0 01357 1516 NtAllocateVirtualMemory ... 27320320, 8192, ) == 0x0 01360 1980 NtContinue (21036336, 1, ... 01361 484 NtAllocateVirtualMemory (-1, 14471168, 0, 4096, 4096, 260, ... 01359 1784 NtTestAlert ... ) == 0x0 01362 1480 NtTestAlert (... 
01363 1516 NtProtectVirtualMemory (-1, (0x1a0e000), 4096, 260, ... 01361 484 NtAllocateVirtualMemory ... 14471168, 4096, ) == 0x0 01364 1980 NtRegisterThreadTerminatePort (24, ... 01365 1784 NtContinue (22084912, 1, ... 01362 1480 NtTestAlert ... ) == 0x0 01366 484 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... }, ... 01363 1516 NtProtectVirtualMemory ... (0x1a0e000), 4096, 4, ) == 0x0 01364 1980 NtRegisterThreadTerminatePort ... ) == 0x0 01367 1784 NtRegisterThreadTerminatePort (24, ... 01366 484 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01368 1480 NtContinue (23133488, 1, ... 01369 1556 NtTestAlert (... 01370 1980 NtWaitForSingleObject (212, 0, 0x0, ... 01367 1784 NtRegisterThreadTerminatePort ... ) == 0x0 01371 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01372 1480 NtRegisterThreadTerminatePort (24, ... 01369 1556 NtTestAlert ... ) == 0x0 01373 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 14478992, ... }, 14478992, ... 01374 1784 NtWaitForSingleObject (212, 0, 0x0, ... 01371 1516 NtCreateThread ... 252, {808, 1856}, ) == 0x0 01372 1480 NtRegisterThreadTerminatePort ... ) == 0x0 01375 1556 NtContinue (24182064, 1, ... 01376 1516 NtQueryInformationThread (252, Basic, 28, ... 01377 1480 NtWaitForSingleObject (212, 0, 0x0, ... 01378 1556 NtRegisterThreadTerminatePort (24, ... 01376 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=808,Tid=1856,}, 0x0, ) == 0x0 01378 1556 NtRegisterThreadTerminatePort ... ) == 0x0 01379 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57959, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0(\3\0\0@\7\0\0" ... ... 01380 1556 NtWaitForSingleObject (212, 0, 0x0, ... 01379 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 57960, 0} ... 
{28, 56, reply, 0, 808, 1516, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0(\3\0\0@\7\0\0" ) ) == 0x0 01381 1516 NtResumeThread (252, ... 1, ) == 0x0 01382 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 27328512, 1048576, ) == 0x0 01383 1516 NtAllocateVirtualMemory (-1, 28368896, 0, 8192, 4096, 4, ... 28368896, 8192, ) == 0x0 01384 1516 NtProtectVirtualMemory (-1, (0x1b0e000), 4096, 260, ... (0x1b0e000), 4096, 4, ) == 0x0 01385 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 256, {808, 1596}, ) == 0x0 01386 1516 NtQueryInformationThread (256, Basic, 28, ... 01387 1856 NtWaitForSingleObject (88, 0, 0x0, ... 01386 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=808,Tid=1596,}, 0x0, ) == 0x0 01388 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57960, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0(\3\0\0<\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0(\3\0\0<\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57961, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0(\3\0\0<\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0(\3\0\0<\6\0\0" ) ) == 0x0 01389 1516 NtResumeThread (256, ... 1, ) == 0x0 01390 1596 NtWaitForSingleObject (88, 0, 0x0, ... 01391 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 28377088, 1048576, ) == 0x0 01392 1516 NtAllocateVirtualMemory (-1, 29417472, 0, 8192, 4096, 4, ... 29417472, 8192, ) == 0x0 01393 1516 NtProtectVirtualMemory (-1, (0x1c0e000), 4096, 260, ... (0x1c0e000), 4096, 4, ) == 0x0 01373 484 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01394 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 14478992, ... ) }, 14478992, ... 
) == 0x0 01395 484 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 5, 96, ... 260, {status=0x0, info=1}, ) }, 5, 96, ... 260, {status=0x0, info=1}, ) == 0x0 01396 484 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 260, ... 264, ) == 0x0 01397 484 NtQuerySection (264, Image, 48, ... 01398 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 268, {808, 1128}, ) == 0x0 01399 1516 NtQueryInformationThread (268, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=808,Tid=1128,}, 0x0, ) == 0x0 01400 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57961, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0(\3\0\0h\4\0\0" ... {28, 56, reply, 0, 808, 1516, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0(\3\0\0h\4\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57962, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0(\3\0\0h\4\0\0" ... {28, 56, reply, 0, 808, 1516, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0(\3\0\0h\4\0\0" ) ) == 0x0 01401 1516 NtResumeThread (268, ... 1, ) == 0x0 01402 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 29425664, 1048576, ) == 0x0 01403 1516 NtAllocateVirtualMemory (-1, 30466048, 0, 8192, 4096, 4, ... 01397 484 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01404 1128 NtWaitForSingleObject (88, 0, 0x0, ... 01405 484 NtClose (260, ... ) == 0x0 01406 484 NtMapViewOfSection (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77fe0000), 0x0, 69632, ) == 0x0 01407 484 NtClose (264, ... ) == 0x0 01408 484 NtProtectVirtualMemory (-1, (0x77fe1000), 388, 4, ... (0x77fe1000), 4096, 32, ) == 0x0 01409 484 NtProtectVirtualMemory (-1, (0x77fe1000), 4096, 32, ... (0x77fe1000), 4096, 4, ) == 0x0 01410 484 NtFlushInstructionCache (-1, 2013138944, 388, ... 01403 1516 NtAllocateVirtualMemory ... 
30466048, 8192, ) == 0x0 01411 1516 NtProtectVirtualMemory (-1, (0x1d0e000), 4096, 260, ... (0x1d0e000), 4096, 4, ) == 0x0 01412 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 264, {808, 1256}, ) == 0x0 01413 1516 NtQueryInformationThread (264, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=808,Tid=1256,}, 0x0, ) == 0x0 01414 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57962, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0(\3\0\0\350\4\0\0" ... {28, 56, reply, 0, 808, 1516, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0(\3\0\0\350\4\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57963, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0(\3\0\0\350\4\0\0" ... {28, 56, reply, 0, 808, 1516, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0(\3\0\0\350\4\0\0" ) ) == 0x0 01410 484 NtFlushInstructionCache ... ) == 0x0 01415 484 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01416 484 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 260, ) == 0x0 01417 484 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 272, ) == 0x0 01418 484 NtSetEventBoostPriority (88, ... 01338 460 NtWaitForSingleObject ... ) == 0x0 01419 460 NtSetEventBoostPriority (88, ... 01350 1068 NtWaitForSingleObject ... ) == 0x0 01420 1068 NtSetEventBoostPriority (88, ... 01352 860 NtWaitForSingleObject ... ) == 0x0 01421 860 NtSetEventBoostPriority (88, ... 01387 1856 NtWaitForSingleObject ... ) == 0x0 01422 1856 NtSetEventBoostPriority (88, ... 01390 1596 NtWaitForSingleObject ... ) == 0x0 01423 1596 NtSetEventBoostPriority (88, ... 01404 1128 NtWaitForSingleObject ... ) == 0x0 01424 1128 NtTestAlert (... ) == 0x0 01423 1596 NtSetEventBoostPriority ... 
) == 0x0 01422 1856 NtSetEventBoostPriority ... ) == 0x0 01421 860 NtSetEventBoostPriority ... ) == 0x0 01420 1068 NtSetEventBoostPriority ... ) == 0x0 01419 460 NtSetEventBoostPriority ... ) == 0x0 01418 484 NtSetEventBoostPriority ... ) == 0x0 01425 1516 NtResumeThread (264, ... 01426 1128 NtContinue (29424944, 1, ... 01427 1596 NtTestAlert (... 01428 1856 NtTestAlert (... 01429 860 NtQuerySystemInformation (Basic, 44, ... 01430 1068 NtTestAlert (... 01431 484 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... }, ... 01425 1516 NtResumeThread ... 1, ) == 0x0 01432 1128 NtRegisterThreadTerminatePort (24, ... 01427 1596 NtTestAlert ... ) == 0x0 01428 1856 NtTestAlert ... ) == 0x0 01429 860 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01430 1068 NtTestAlert ... ) == 0x0 01431 484 NtOpenEvent ... 276, ) == 0x0 01433 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01432 1128 NtRegisterThreadTerminatePort ... ) == 0x0 01434 1596 NtContinue (28376368, 1, ... 01435 1856 NtContinue (27327792, 1, ... 01436 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 01437 1068 NtContinue (26279216, 1, ... 01438 484 NtQueryEvent (276, Basic, 8, ... 01433 1516 NtAllocateVirtualMemory ... 30474240, 1048576, ) == 0x0 01439 1128 NtWaitForSingleObject (212, 0, 0x0, ... 01440 1596 NtRegisterThreadTerminatePort (24, ... 01441 1856 NtRegisterThreadTerminatePort (24, ... 01436 860 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01442 1068 NtRegisterThreadTerminatePort (24, ... 01443 460 NtTestAlert (... 01444 1256 NtTestAlert (... 
01445 1516 NtAllocateVirtualMemory (-1, 31514624, 0, 8192, 4096, 4, ... 01440 1596 NtRegisterThreadTerminatePort ... ) == 0x0 01441 1856 NtRegisterThreadTerminatePort ... ) == 0x0 01446 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 01442 1068 NtRegisterThreadTerminatePort ... ) == 0x0 01443 460 NtTestAlert ... ) == 0x0 01444 1256 NtTestAlert ... ) == 0x0 01445 1516 NtAllocateVirtualMemory ... 31514624, 8192, ) == 0x0 01447 1596 NtWaitForSingleObject (212, 0, 0x0, ... 01448 1856 NtWaitForSingleObject (212, 0, 0x0, ... 01446 860 NtOpenKey ... 280, ) == 0x0 01449 1068 NtWaitForSingleObject (212, 0, 0x0, ... 01450 460 NtContinue (25230640, 1, ... 01451 1256 NtContinue (30473520, 1, ... 01438 484 NtQueryEvent ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 01452 1516 NtProtectVirtualMemory (-1, (0x1e0e000), 4096, 260, ... 01453 860 NtQueryValueKey (280, (280, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 01454 460 NtRegisterThreadTerminatePort (24, ... 01455 1256 NtRegisterThreadTerminatePort (24, ... 01456 484 NtClose (276, ... 01452 1516 NtProtectVirtualMemory ... (0x1e0e000), 4096, 4, ) == 0x0 01453 860 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01454 460 NtRegisterThreadTerminatePort ... ) == 0x0 01455 1256 NtRegisterThreadTerminatePort ... ) == 0x0 01456 484 NtClose ... ) == 0x0 01457 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01458 860 NtClose (280, ... 01459 460 NtWaitForSingleObject (212, 0, 0x0, ... 01460 484 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 14480564, 140, ... , {12, 2, 1, 0}, 0x0, 0x0, 14480564, 140, ... 01457 1516 NtCreateThread ... 276, {808, 220}, ) == 0x0 01458 860 NtClose ... ) == 0x0 01461 1256 NtWaitForSingleObject (212, 0, 0x0, ... 01460 484 NtConnectPort ... 280, 0x0, 0x0, 256, 140, ) == 0x0 01462 1516 NtQueryInformationThread (276, Basic, 28, ... 
01463 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ... 01462 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=808,Tid=220,}, 0x0, ) == 0x0 01463 860 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01464 484 NtRequestWaitReplyPort (280, {28, 52, new_msg, 0, 0, 0, 0, 0} (280, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\220\36\24\0" ... ... 01465 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57963, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0(\3\0\0\334\0\0\0" ... {28, 56, reply, 0, 808, 1516, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0(\3\0\0\334\0\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57966, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0(\3\0\0\334\0\0\0" ... {28, 56, reply, 0, 808, 1516, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0(\3\0\0\334\0\0\0" ) ) == 0x0 01466 1516 NtResumeThread (276, ... 1, ) == 0x0 01467 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01464 484 NtRequestWaitReplyPort ... {188, 212, reply, 0, 808, 484, 57965, 0} ... {188, 212, reply, 0, 808, 484, 57965, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" ) ) == 0x0 01468 860 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01469 220 NtTestAlert (... 01470 484 NtQueryValueKey (96, (96, "SyncMode5", Partial, 144, ... , Partial, 144, ... 01468 860 NtCreateEvent ... 284, ) == 0x0 01469 220 NtTestAlert ... 
) == 0x0 01470 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01471 860 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01472 220 NtContinue (31522096, 1, ... 01473 484 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ... 01471 860 NtCreateEvent ... 288, ) == 0x0 01474 220 NtRegisterThreadTerminatePort (24, ... 01467 1516 NtAllocateVirtualMemory ... 31522816, 1048576, ) == 0x0 01475 860 NtQuerySystemTime (... 01474 220 NtRegisterThreadTerminatePort ... ) == 0x0 01476 1516 NtAllocateVirtualMemory (-1, 32563200, 0, 8192, 4096, 4, ... 01475 860 NtQuerySystemTime ... {-1638315810, 29915234}, ) == 0x0 01473 484 NtOpenKey ... 292, ) == 0x0 01476 1516 NtAllocateVirtualMemory ... 32563200, 8192, ) == 0x0 01477 220 NtWaitForSingleObject (212, 0, 0x0, ... 01478 484 NtQueryValueKey (292, (292, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... , Partial, 144, ... 01479 1516 NtProtectVirtualMemory (-1, (0x1f0e000), 4096, 260, ... 01478 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01479 1516 NtProtectVirtualMemory ... (0x1f0e000), 4096, 4, ) == 0x0 01480 484 NtClose (292, ... 01481 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01480 484 NtClose ... ) == 0x0 01482 860 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01483 484 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ... 01482 860 NtCreateEvent ... 292, ) == 0x0 01481 1516 NtCreateThread ... 296, {808, 1800}, ) == 0x0 01484 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ... 01485 1516 NtQueryInformationThread (296, Basic, 28, ... 01484 860 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01485 1516 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=808,Tid=1800,}, 0x0, ) == 0x0 01486 860 NtQuerySystemInformation (Performance, 312, ... 01487 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57966, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0(\3\0\0\10\7\0\0" ... ... 01486 860 NtQuerySystemInformation ... {system info, class 2, size 312}, 0x0, ) == 0x0 01487 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 57967, 0} ... {28, 56, reply, 0, 808, 1516, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0(\3\0\0\10\7\0\0" ) ) == 0x0 01483 484 NtOpenKey ... 300, ) == 0x0 01488 860 NtQueryInformationProcess (-1, QuotaLimits, 32, ... 01489 484 NtOpenKey (0xf, {24, 100, 0x40, 0, 0, (0xf, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ... 01488 860 NtQueryInformationProcess ... {process info, class 1, size 32}, 0x0, ) == 0x0 01489 484 NtOpenKey ... 304, ) == 0x0 01490 860 NtQueryInformationProcess (-1, VmCounters, 44, ... 01491 484 NtOpenKey (0x9, {24, 100, 0x40, 0, 0, (0x9, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ... 01490 860 NtQueryInformationProcess ... {process info, class 3, size 44}, 0x0, ) == 0x0 01491 484 NtOpenKey ... 308, ) == 0x0 01492 860 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01493 484 NtQueryValueKey (308, (308, "Signature", Partial, 144, ... , Partial, 144, ... 01492 860 NtCreateEvent ... 312, ) == 0x0 01494 1516 NtResumeThread (296, ... 01493 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01494 1516 NtResumeThread ... 1, ) == 0x0 01495 484 NtQueryValueKey (308, (308, "Signature", Partial, 144, ... , Partial, 144, ... 01496 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01495 484 NtQueryValueKey ... 
TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01496 1516 NtAllocateVirtualMemory ... 32571392, 1048576, ) == 0x0 01497 484 NtClose (308, ... 01498 1516 NtAllocateVirtualMemory (-1, 33611776, 0, 8192, 4096, 4, ... 01497 484 NtClose ... ) == 0x0 01498 1516 NtAllocateVirtualMemory ... 33611776, 8192, ) == 0x0 01499 484 NtOpenKey (0xf, {24, 304, 0x40, 0, 0, (0xf, {24, 304, 0x40, 0, 0, "Content"}, ... }, ... 01500 860 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01501 1800 NtTestAlert (... 01502 1516 NtProtectVirtualMemory (-1, (0x200e000), 4096, 260, ... 01500 860 NtDuplicateObject ... 308, ) == 0x0 01501 1800 NtTestAlert ... ) == 0x0 01502 1516 NtProtectVirtualMemory ... (0x200e000), 4096, 4, ) == 0x0 01503 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ... 01504 1800 NtContinue (32570672, 1, ... 01505 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01503 860 NtOpenKey ... 316, ) == 0x0 01506 1800 NtRegisterThreadTerminatePort (24, ... 01505 1516 NtCreateThread ... 320, {808, 1796}, ) == 0x0 01507 860 NtQueryValueKey (316, (316, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ... 01506 1800 NtRegisterThreadTerminatePort ... ) == 0x0 01508 1516 NtQueryInformationThread (320, Basic, 28, ... 01507 860 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01499 484 NtOpenKey ... 324, ) == 0x0 01508 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=808,Tid=1796,}, 0x0, ) == 0x0 01509 1800 NtWaitForSingleObject (212, 0, 0x0, ... 01510 484 NtQueryValueKey (324, (324, "PerUserItem", Partial, 144, ... , Partial, 144, ... 01511 860 NtClose (316, ... 01510 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01511 860 NtClose ... 
) == 0x0 01512 484 NtOpenKey (0xf, {24, 300, 0x40, 0, 0, (0xf, {24, 300, 0x40, 0, 0, "Content"}, ... }, ... 01513 860 NtOpenThreadToken (-2, 0xc, 1, ... 01512 484 NtOpenKey ... 316, ) == 0x0 01513 860 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01514 484 NtQueryValueKey (316, (316, "PerUserItem", Partial, 144, ... , Partial, 144, ... 01515 860 NtOpenThreadToken (-2, 0x20008, 1, ... 01516 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57967, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0(\3\0\0\4\7\0\0" ... ... 01515 860 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01516 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 57968, 0} ... {28, 56, reply, 0, 808, 1516, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0(\3\0\0\4\7\0\0" ) ) == 0x0 01514 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01517 1516 NtResumeThread (320, ... 01518 484 NtClose (316, ... 01517 1516 NtResumeThread ... 1, ) == 0x0 01518 484 NtClose ... ) == 0x0 01519 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01520 484 NtClose (324, ... 01521 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13430896, ... }, 13430896, ... 01522 1796 NtWaitForSingleObject (88, 0, 0x0, ... 01520 484 NtClose ... ) == 0x0 01521 860 NtQueryAttributesFile ... ) == 0x0 01523 484 NtOpenKey (0xf, {24, 304, 0x40, 0, 0, (0xf, {24, 304, 0x40, 0, 0, "Content"}, ... }, ... 01524 860 NtSetEventBoostPriority (88, ... 01519 1516 NtAllocateVirtualMemory ... 33619968, 1048576, ) == 0x0 01522 1796 NtWaitForSingleObject ... ) == 0x0 01524 860 NtSetEventBoostPriority ... ) == 0x0 01525 1796 NtAllocateVirtualMemory (-1, 8802304, 0, 4096, 4096, 4, ... 01526 1516 NtAllocateVirtualMemory (-1, 34660352, 0, 8192, 4096, 4, ... 01525 1796 NtAllocateVirtualMemory ... 
8802304, 4096, ) == 0x0 01527 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 01526 1516 NtAllocateVirtualMemory ... 34660352, 8192, ) == 0x0 01523 484 NtOpenKey ... 324, ) == 0x0 01527 860 NtOpenKey ... 316, ) == 0x0 01528 1516 NtProtectVirtualMemory (-1, (0x210e000), 4096, 260, ... 01529 484 NtWaitForSingleObject (88, 0, 0x0, ... 01530 1796 NtSetEventBoostPriority (88, ... 01528 1516 NtProtectVirtualMemory ... (0x210e000), 4096, 4, ) == 0x0 01529 484 NtWaitForSingleObject ... ) == 0x0 01530 1796 NtSetEventBoostPriority ... ) == 0x0 01531 484 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... }, ... 01532 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01531 484 NtOpenSection ... 328, ) == 0x0 01533 1796 NtTestAlert (... 01534 860 NtQueryValueKey (316, (316, "Transports", Partial, 144, ... , Partial, 144, ... 01532 1516 NtCreateThread ... 332, {808, 1808}, ) == 0x0 01533 1796 NtTestAlert ... ) == 0x0 01534 860 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01535 1516 NtQueryInformationThread (332, Basic, 28, ... 01536 1796 NtContinue (33619248, 1, ... 01537 860 NtQueryValueKey (316, (316, "Transports", Partial, 144, ... , Partial, 144, ... 01535 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=808,Tid=1808,}, 0x0, ) == 0x0 01538 1796 NtRegisterThreadTerminatePort (24, ... 01537 860 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01539 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57968, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0(\3\0\0\20\7\0\0" ... ... 
01540 484 NtMapViewOfSection (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01541 860 NtClose (316, ... 01539 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 57969, 0} ... {28, 56, reply, 0, 808, 1516, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0(\3\0\0\20\7\0\0" ) ) == 0x0 01540 484 NtMapViewOfSection ... (0x7c9c0000), 0x0, 8482816, ) == 0x0 01541 860 NtClose ... ) == 0x0 01538 1796 NtRegisterThreadTerminatePort ... ) == 0x0 01542 484 NtClose (328, ... 01543 1516 NtResumeThread (332, ... 01544 1796 NtWaitForSingleObject (212, 0, 0x0, ... 01542 484 NtClose ... ) == 0x0 01543 1516 NtResumeThread ... 1, ) == 0x0 01545 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... 01546 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01545 484 NtProtectVirtualMemory ... (0x7c9c1000), 8192, 32, ) == 0x0 01546 1516 NtAllocateVirtualMemory ... 34668544, 1048576, ) == 0x0 01547 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01548 1808 NtWaitForSingleObject (88, 0, 0x0, ... 01549 1516 NtAllocateVirtualMemory (-1, 35708928, 0, 8192, 4096, 4, ... 01547 860 NtOpenKey ... 328, ) == 0x0 01549 1516 NtAllocateVirtualMemory ... 35708928, 8192, ) == 0x0 01550 860 NtQueryValueKey (328, (328, "Mapping", Partial, 144, ... , Partial, 144, ... 01551 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... 01550 860 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01551 484 NtProtectVirtualMemory ... (0x7c9c1000), 8192, 4, ) == 0x0 01552 860 NtQueryValueKey (328, (328, "Mapping", Partial, 144, ... , Partial, 144, ... 01553 484 NtFlushInstructionCache (-1, 2090602496, 4476, ... 01552 860 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01553 484 NtFlushInstructionCache ... ) == 0x0 01554 1516 NtProtectVirtualMemory (-1, (0x220e000), 4096, 260, ... 01555 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... 01554 1516 NtProtectVirtualMemory ... 
(0x220e000), 4096, 4, ) == 0x0 01555 484 NtProtectVirtualMemory ... (0x7c9c1000), 8192, 32, ) == 0x0 01556 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01557 860 NtQueryValueKey (328, (328, "Mapping", Partial, 152, ... , Partial, 152, ... 01556 1516 NtCreateThread ... 316, {808, 1700}, ) == 0x0 01557 860 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01558 1516 NtQueryInformationThread (316, Basic, 28, ... 01559 860 NtClose (328, ... 01558 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=808,Tid=1700,}, 0x0, ) == 0x0 01559 860 NtClose ... ) == 0x0 01560 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... 01561 860 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01560 484 NtProtectVirtualMemory ... (0x7c9c1000), 8192, 4, ) == 0x0 01561 860 NtOpenKey ... 328, ) == 0x0 01562 484 NtFlushInstructionCache (-1, 2090602496, 4476, ... 01563 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57969, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0(\3\0\0\244\6\0\0" ... ... 01562 484 NtFlushInstructionCache ... ) == 0x0 01563 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 57970, 0} ... {28, 56, reply, 0, 808, 1516, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0(\3\0\0\244\6\0\0" ) ) == 0x0 01564 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... 01565 1516 NtResumeThread (316, ... 01564 484 NtProtectVirtualMemory ... (0x7c9c1000), 8192, 32, ) == 0x0 01565 1516 NtResumeThread ... 
1, ) == 0x0 01566 860 NtQueryValueKey (328, (328, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 01567 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01566 860 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01568 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... 01569 1700 NtWaitForSingleObject (88, 0, 0x0, ... 01570 860 NtQueryValueKey (328, (328, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 01568 484 NtProtectVirtualMemory ... (0x7c9c1000), 8192, 4, ) == 0x0 01570 860 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01571 484 NtFlushInstructionCache (-1, 2090602496, 4476, ... 01572 860 NtQueryValueKey (328, (328, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 01571 484 NtFlushInstructionCache ... ) == 0x0 01572 860 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01573 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... 01567 1516 NtAllocateVirtualMemory ... 35717120, 1048576, ) == 0x0 01573 484 NtProtectVirtualMemory ... (0x7c9c1000), 8192, 32, ) == 0x0 01574 1516 NtAllocateVirtualMemory (-1, 36757504, 0, 8192, 4096, 4, ... 01575 860 NtQueryValueKey (328, (328, "HelperDllName", Partial, 144, ... , Partial, 144, ... 01574 1516 NtAllocateVirtualMemory ... 36757504, 8192, ) == 0x0 01575 860 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01576 1516 NtProtectVirtualMemory (-1, (0x230e000), 4096, 260, ... 01577 860 NtWaitForSingleObject (88, 0, 0x0, ... 01576 1516 NtProtectVirtualMemory ... (0x230e000), 4096, 4, ) == 0x0 01578 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
336, {808, 1156}, ) == 0x0 01579 1516 NtQueryInformationThread (336, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=808,Tid=1156,}, 0x0, ) == 0x0 01580 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57970, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0(\3\0\0\204\4\0\0" ... {28, 56, reply, 0, 808, 1516, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0(\3\0\0\204\4\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57971, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0(\3\0\0\204\4\0\0" ... {28, 56, reply, 0, 808, 1516, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0(\3\0\0\204\4\0\0" ) ) == 0x0 01581 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 01582 484 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 01583 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 01584 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 01585 484 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 01586 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 01587 1516 NtResumeThread (336, ... 1, ) == 0x0 01588 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 36765696, 1048576, ) == 0x0 01589 1516 NtAllocateVirtualMemory (-1, 37806080, 0, 8192, 4096, 4, ... 37806080, 8192, ) == 0x0 01590 1516 NtProtectVirtualMemory (-1, (0x240e000), 4096, 260, ... (0x240e000), 4096, 4, ) == 0x0 01591 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 340, {808, 712}, ) == 0x0 01592 1516 NtQueryInformationThread (340, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=808,Tid=712,}, 0x0, ) == 0x0 01593 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... 01594 1156 NtWaitForSingleObject (88, 0, 0x0, ... 01593 484 NtProtectVirtualMemory ... 
(0x7c9c1000), 8192, 4, ) == 0x0 01595 484 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 01596 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 01597 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 01598 484 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 01599 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 01600 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57971, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0(\3\0\0\310\2\0\0" ... {28, 56, reply, 0, 808, 1516, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0(\3\0\0\310\2\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57972, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0(\3\0\0\310\2\0\0" ... {28, 56, reply, 0, 808, 1516, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0(\3\0\0\310\2\0\0" ) ) == 0x0 01601 1516 NtResumeThread (340, ... 1, ) == 0x0 01602 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 37814272, 1048576, ) == 0x0 01603 1516 NtAllocateVirtualMemory (-1, 38854656, 0, 8192, 4096, 4, ... 38854656, 8192, ) == 0x0 01604 1516 NtProtectVirtualMemory (-1, (0x250e000), 4096, 260, ... (0x250e000), 4096, 4, ) == 0x0 01605 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01606 484 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... 01607 712 NtWaitForSingleObject (88, 0, 0x0, ... 01606 484 NtProtectVirtualMemory ... (0x7c9c1000), 8192, 4, ) == 0x0 01608 484 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 01609 484 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01610 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 344, ) }, ... 344, ) == 0x0 01611 484 NtQueryValueKey (344, (344, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01605 1516 NtCreateThread ... 348, {808, 1728}, ) == 0x0 01612 1516 NtQueryInformationThread (348, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=808,Tid=1728,}, 0x0, ) == 0x0 01613 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57972, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0(\3\0\0\300\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0(\3\0\0\300\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57973, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0(\3\0\0\300\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0(\3\0\0\300\6\0\0" ) ) == 0x0 01614 1516 NtResumeThread (348, ... 1, ) == 0x0 01615 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 38862848, 1048576, ) == 0x0 01616 1516 NtAllocateVirtualMemory (-1, 39903232, 0, 8192, 4096, 4, ... 39903232, 8192, ) == 0x0 01617 484 NtAllocateVirtualMemory (-1, 14467072, 0, 4096, 4096, 260, ... 01618 1728 NtWaitForSingleObject (88, 0, 0x0, ... 01617 484 NtAllocateVirtualMemory ... 14467072, 4096, ) == 0x0 01619 484 NtClose (344, ... ) == 0x0 01620 484 NtQueryDefaultUILanguage (14475588, ... 01621 484 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01622 484 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482740, ) == 0x0 01623 484 NtQueryInformationToken (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01624 484 NtClose (-2147482740, ... 
01625 1516 NtProtectVirtualMemory (-1, (0x260e000), 4096, 260, ... (0x260e000), 4096, 4, ) == 0x0 01626 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 344, {808, 1356}, ) == 0x0 01627 1516 NtQueryInformationThread (344, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=808,Tid=1356,}, 0x0, ) == 0x0 01628 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57973, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0(\3\0\0L\5\0\0" ... {28, 56, reply, 0, 808, 1516, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0(\3\0\0L\5\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57974, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0(\3\0\0L\5\0\0" ... {28, 56, reply, 0, 808, 1516, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0(\3\0\0L\5\0\0" ) ) == 0x0 01629 1516 NtResumeThread (344, ... 1, ) == 0x0 01630 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01624 484 NtClose ... ) == 0x0 01631 1356 NtWaitForSingleObject (88, 0, 0x0, ... 01632 484 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 01633 484 NtOpenKey (0x80000000, {24, -2147482740, 0x240, 0, 0, (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01634 484 NtOpenKey (0x80000000, {24, -2147482740, 0x640, 0, 0, (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0 01635 484 NtQueryValueKey (-2147481328, (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01636 484 NtClose (-2147481328, ... ) == 0x0 01637 484 NtClose (-2147482740, ... 01630 1516 NtAllocateVirtualMemory ... 
39911424, 1048576, ) == 0x0 01638 1516 NtAllocateVirtualMemory (-1, 40951808, 0, 8192, 4096, 4, ... 40951808, 8192, ) == 0x0 01639 1516 NtProtectVirtualMemory (-1, (0x270e000), 4096, 260, ... (0x270e000), 4096, 4, ) == 0x0 01640 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 352, {808, 1536}, ) == 0x0 01641 1516 NtQueryInformationThread (352, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=808,Tid=1536,}, 0x0, ) == 0x0 01642 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57974, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0(\3\0\0\0\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0(\3\0\0\0\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57975, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0(\3\0\0\0\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0(\3\0\0\0\6\0\0" ) ) == 0x0 01637 484 NtClose ... ) == 0x0 01620 484 NtQueryDefaultUILanguage ... ) == 0x0 01643 484 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 356, {status=0x0, info=1}, ) }, 1, 96, ... 356, {status=0x0, info=1}, ) == 0x0 01644 484 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 356, ... 360, ) == 0x0 01645 484 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2710000), 0x0, 8462336, ) == 0x0 01646 484 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01647 484 NtAllocateVirtualMemory (-1, 14462976, 0, 4096, 4096, 260, ... 14462976, 4096, ) == 0x0 01648 1516 NtResumeThread (352, ... 1, ) == 0x0 01649 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 49479680, 1048576, ) == 0x0 01650 1516 NtAllocateVirtualMemory (-1, 50520064, 0, 8192, 4096, 4, ... 
50520064, 8192, ) == 0x0 01651 1516 NtProtectVirtualMemory (-1, (0x302e000), 4096, 260, ... (0x302e000), 4096, 4, ) == 0x0 01652 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 364, {808, 444}, ) == 0x0 01653 1516 NtQueryInformationThread (364, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=808,Tid=444,}, 0x0, ) == 0x0 01654 484 NtQueryDefaultLocale (1, 14473684, ... 01655 1536 NtWaitForSingleObject (88, 0, 0x0, ... 01654 484 NtQueryDefaultLocale ... ) == 0x0 01656 484 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01657 484 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 14474720, 1179817, 14474444} (24, {128, 156, new_msg, 0, 2088850039, 14474720, 1179817, 14474444} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1d\1\0\0\377\377\377\377\0\0\0\0@ \224\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\341\334\0\0\0\0\0" ... {128, 156, reply, 0, 808, 484, 57976, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1d\1\0\0\377\377\377\377\0\0\0\0@ \224\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\341\334\0\0\0\0\0" ) ... {128, 156, reply, 0, 808, 484, 57976, 0} (24, {128, 156, new_msg, 0, 2088850039, 14474720, 1179817, 14474444} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1d\1\0\0\377\377\377\377\0\0\0\0@ \224\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\341\334\0\0\0\0\0" ... 
{128, 156, reply, 0, 808, 484, 57976, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1d\1\0\0\377\377\377\377\0\0\0\0@ \224\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\341\334\0\0\0\0\0" ) ) == 0x0 01658 484 NtClose (356, ... ) == 0x0 01659 484 NtClose (360, ... ) == 0x0 01660 484 NtUnmapViewOfSection (-1, 0x2710000, ... 01661 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57975, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0(\3\0\0\274\1\0\0" ... {28, 56, reply, 0, 808, 1516, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0(\3\0\0\274\1\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57977, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0(\3\0\0\274\1\0\0" ... {28, 56, reply, 0, 808, 1516, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0(\3\0\0\274\1\0\0" ) ) == 0x0 01662 1516 NtResumeThread (364, ... 1, ) == 0x0 01663 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 50528256, 1048576, ) == 0x0 01664 1516 NtAllocateVirtualMemory (-1, 51568640, 0, 8192, 4096, 4, ... 51568640, 8192, ) == 0x0 01665 1516 NtProtectVirtualMemory (-1, (0x312e000), 4096, 260, ... (0x312e000), 4096, 4, ) == 0x0 01666 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01660 484 NtUnmapViewOfSection ... ) == 0x0 01667 444 NtWaitForSingleObject (88, 0, 0x0, ... 01668 484 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01669 484 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01670 484 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01671 484 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 01672 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 14472876, ... }, 14472876, ... 01666 1516 NtCreateThread ... 360, {808, 1904}, ) == 0x0 01673 1516 NtQueryInformationThread (360, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=808,Tid=1904,}, 0x0, ) == 0x0 01674 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57977, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0(\3\0\0p\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0(\3\0\0p\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57978, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0(\3\0\0p\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0(\3\0\0p\7\0\0" ) ) == 0x0 01675 1516 NtResumeThread (360, ... 1, ) == 0x0 01676 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 40960000, 1048576, ) == 0x0 01677 1516 NtAllocateVirtualMemory (-1, 42000384, 0, 8192, 4096, 4, ... 42000384, 8192, ) == 0x0 01678 1904 NtWaitForSingleObject (88, 0, 0x0, ... 01679 1516 NtProtectVirtualMemory (-1, (0x280e000), 4096, 260, ... (0x280e000), 4096, 4, ) == 0x0 01680 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 356, {808, 1936}, ) == 0x0 01681 1516 NtQueryInformationThread (356, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=808,Tid=1936,}, 0x0, ) == 0x0 01682 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57978, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0(\3\0\0\220\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0(\3\0\0\220\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57979, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0(\3\0\0\220\7\0\0" ... 
{28, 56, reply, 0, 808, 1516, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0(\3\0\0\220\7\0\0" ) ) == 0x0 01683 1516 NtResumeThread (356, ... 1, ) == 0x0 01684 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01672 484 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01685 1936 NtWaitForSingleObject (88, 0, 0x0, ... 01686 484 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01687 484 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01688 484 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01689 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 14472940, ... ) }, 14472940, ... ) == 0x0 01690 484 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 368, {status=0x0, info=1}, ) }, 3, 33, ... 368, {status=0x0, info=1}, ) == 0x0 01684 1516 NtAllocateVirtualMemory ... 42008576, 1048576, ) == 0x0 01691 1516 NtAllocateVirtualMemory (-1, 43048960, 0, 8192, 4096, 4, ... 43048960, 8192, ) == 0x0 01692 1516 NtProtectVirtualMemory (-1, (0x290e000), 4096, 260, ... (0x290e000), 4096, 4, ) == 0x0 01693 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 372, {808, 1648}, ) == 0x0 01694 1516 NtQueryInformationThread (372, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=808,Tid=1648,}, 0x0, ) == 0x0 01695 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57979, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0(\3\0\0p\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0(\3\0\0p\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57980, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0(\3\0\0p\6\0\0" ... 
{28, 56, reply, 0, 808, 1516, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0(\3\0\0p\6\0\0" ) ) == 0x0 01696 484 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01697 484 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 376, {status=0x0, info=1}, ) }, 5, 96, ... 376, {status=0x0, info=1}, ) == 0x0 01698 484 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 376, ... 380, ) == 0x0 01699 484 NtClose (376, ... ) == 0x0 01700 484 NtMapViewOfSection (380, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2910000), 0x0, 1056768, ) == 0x0 01701 484 NtClose (380, ... ) == 0x0 01702 1516 NtResumeThread (372, ... 1, ) == 0x0 01703 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 44171264, 1048576, ) == 0x0 01704 1516 NtAllocateVirtualMemory (-1, 45211648, 0, 8192, 4096, 4, ... 45211648, 8192, ) == 0x0 01705 1516 NtProtectVirtualMemory (-1, (0x2b1e000), 4096, 260, ... (0x2b1e000), 4096, 4, ) == 0x0 01706 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 380, {808, 148}, ) == 0x0 01707 1516 NtQueryInformationThread (380, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=808,Tid=148,}, 0x0, ) == 0x0 01708 484 NtUnmapViewOfSection (-1, 0x2910000, ... 01709 1648 NtWaitForSingleObject (88, 0, 0x0, ... 01708 484 NtUnmapViewOfSection ... ) == 0x0 01710 484 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 376, {status=0x0, info=1}, ) }, 5, 96, ... 376, {status=0x0, info=1}, ) == 0x0 01711 484 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 376, ... 384, ) == 0x0 01712 484 NtQuerySection (384, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01713 484 NtClose (376, ... 
) == 0x0 01714 484 NtMapViewOfSection (384, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0 01715 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57980, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0(\3\0\0\224\0\0\0" ... {28, 56, reply, 0, 808, 1516, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0(\3\0\0\224\0\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57981, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0(\3\0\0\224\0\0\0" ... {28, 56, reply, 0, 808, 1516, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0(\3\0\0\224\0\0\0" ) ) == 0x0 01716 1516 NtResumeThread (380, ... 1, ) == 0x0 01717 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 43057152, 1048576, ) == 0x0 01718 1516 NtAllocateVirtualMemory (-1, 44097536, 0, 8192, 4096, 4, ... 44097536, 8192, ) == 0x0 01719 1516 NtProtectVirtualMemory (-1, (0x2a0e000), 4096, 260, ... (0x2a0e000), 4096, 4, ) == 0x0 01720 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01721 484 NtClose (384, ... 01722 148 NtWaitForSingleObject (88, 0, 0x0, ... 01721 484 NtClose ... ) == 0x0 01723 484 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01724 484 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01725 484 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 01726 484 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01727 484 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01720 1516 NtCreateThread ... 384, {808, 1828}, ) == 0x0 01728 1516 NtQueryInformationThread (384, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=808,Tid=1828,}, 0x0, ) == 0x0 01729 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57981, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0(\3\0\0$\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0(\3\0\0$\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57982, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0(\3\0\0$\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0(\3\0\0$\7\0\0" ) ) == 0x0 01730 1516 NtResumeThread (384, ... 1, ) == 0x0 01731 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 45219840, 1048576, ) == 0x0 01732 1516 NtAllocateVirtualMemory (-1, 46260224, 0, 8192, 4096, 4, ... 46260224, 8192, ) == 0x0 01733 484 NtFlushInstructionCache (-1, 2000490496, 1924, ... 01734 1828 NtWaitForSingleObject (88, 0, 0x0, ... 01733 484 NtFlushInstructionCache ... ) == 0x0 01735 484 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01736 484 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01737 484 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 01738 484 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01739 484 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01740 1516 NtProtectVirtualMemory (-1, (0x2c1e000), 4096, 260, ... (0x2c1e000), 4096, 4, ) == 0x0 01741 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 376, {808, 1864}, ) == 0x0 01742 1516 NtQueryInformationThread (376, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=808,Tid=1864,}, 0x0, ) == 0x0 01743 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57982, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0(\3\0\0H\7\0\0" ... 
{28, 56, reply, 0, 808, 1516, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0(\3\0\0H\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57983, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0(\3\0\0H\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0(\3\0\0H\7\0\0" ) ) == 0x0 01744 1516 NtResumeThread (376, ... 1, ) == 0x0 01745 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01746 484 NtFlushInstructionCache (-1, 2000490496, 1924, ... 01747 1864 NtWaitForSingleObject (88, 0, 0x0, ... 01746 484 NtFlushInstructionCache ... ) == 0x0 01748 484 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01749 484 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01750 484 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 01751 484 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01752 484 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01745 1516 NtAllocateVirtualMemory ... 46268416, 1048576, ) == 0x0 01753 1516 NtAllocateVirtualMemory (-1, 47308800, 0, 8192, 4096, 4, ... 47308800, 8192, ) == 0x0 01754 1516 NtProtectVirtualMemory (-1, (0x2d1e000), 4096, 260, ... (0x2d1e000), 4096, 4, ) == 0x0 01755 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 388, {808, 1896}, ) == 0x0 01756 1516 NtQueryInformationThread (388, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=808,Tid=1896,}, 0x0, ) == 0x0 01757 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57983, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0(\3\0\0h\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0(\3\0\0h\7\0\0" ) ... 
{28, 56, reply, 0, 808, 1516, 57984, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0(\3\0\0h\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0(\3\0\0h\7\0\0" ) ) == 0x0 01758 484 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 01759 484 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01760 484 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01761 484 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 01762 484 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01763 484 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 14474420, ... ) , 42, 14474420, ... ) == 0x0 01764 1516 NtResumeThread (388, ... 1, ) == 0x0 01765 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 47316992, 1048576, ) == 0x0 01766 1516 NtAllocateVirtualMemory (-1, 48357376, 0, 8192, 4096, 4, ... 48357376, 8192, ) == 0x0 01767 1516 NtProtectVirtualMemory (-1, (0x2e1e000), 4096, 260, ... (0x2e1e000), 4096, 4, ) == 0x0 01768 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 392, {808, 1524}, ) == 0x0 01769 1516 NtQueryInformationThread (392, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=808,Tid=1524,}, 0x0, ) == 0x0 01770 484 NtQueryDefaultUILanguage (14473104, ... 01771 1896 NtWaitForSingleObject (88, 0, 0x0, ... 01772 484 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01773 484 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482740, ) == 0x0 01774 484 NtQueryInformationToken (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01775 484 NtClose (-2147482740, ... 
) == 0x0 01776 484 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 01777 484 NtOpenKey (0x80000000, {24, -2147482740, 0x240, 0, 0, (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... }, ... 01778 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57984, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0(\3\0\0\364\5\0\0" ... {28, 56, reply, 0, 808, 1516, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0(\3\0\0\364\5\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57985, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0(\3\0\0\364\5\0\0" ... {28, 56, reply, 0, 808, 1516, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0(\3\0\0\364\5\0\0" ) ) == 0x0 01779 1516 NtResumeThread (392, ... 1, ) == 0x0 01780 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 48365568, 1048576, ) == 0x0 01781 1516 NtAllocateVirtualMemory (-1, 49405952, 0, 8192, 4096, 4, ... 49405952, 8192, ) == 0x0 01782 1516 NtProtectVirtualMemory (-1, (0x2f1e000), 4096, 260, ... (0x2f1e000), 4096, 4, ) == 0x0 01783 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01777 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01784 1524 NtWaitForSingleObject (88, 0, 0x0, ... 01785 484 NtOpenKey (0x80000000, {24, -2147482740, 0x640, 0, 0, (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0 01786 484 NtQueryValueKey (-2147481328, (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01787 484 NtClose (-2147481328, ... ) == 0x0 01788 484 NtClose (-2147482740, ... ) == 0x0 01770 484 NtQueryDefaultUILanguage ... 
) == 0x0 01789 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 14471944, ... ) }, 14471944, ... ) == 0x0 01783 1516 NtCreateThread ... 396, {808, 1944}, ) == 0x0 01790 1516 NtQueryInformationThread (396, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=808,Tid=1944,}, 0x0, ) == 0x0 01791 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57985, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0(\3\0\0\230\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0(\3\0\0\230\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57986, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0(\3\0\0\230\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0(\3\0\0\230\7\0\0" ) ) == 0x0 01792 1516 NtResumeThread (396, ... 1, ) == 0x0 01793 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 51576832, 1048576, ) == 0x0 01794 1516 NtAllocateVirtualMemory (-1, 52617216, 0, 8192, 4096, 4, ... 52617216, 8192, ) == 0x0 01795 484 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... }, 5, 96, ... 01796 1944 NtWaitForSingleObject (88, 0, 0x0, ... 01795 484 NtOpenFile ... 400, {status=0x0, info=1}, ) == 0x0 01797 484 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 400, ... 404, ) == 0x0 01798 484 NtClose (400, ... ) == 0x0 01799 484 NtMapViewOfSection (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdd0000), 0x0, 4096, ) == 0x0 01800 484 NtClose (404, ... ) == 0x0 01801 484 NtUnmapViewOfSection (-1, 0xdd0000, ... ) == 0x0 01802 1516 NtProtectVirtualMemory (-1, (0x322e000), 4096, 260, ... (0x322e000), 4096, 4, ) == 0x0 01803 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 404, {808, 2044}, ) == 0x0 01804 1516 NtQueryInformationThread (404, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=808,Tid=2044,}, 0x0, ) == 0x0 01805 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57986, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0(\3\0\0\374\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0(\3\0\0\374\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57987, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0(\3\0\0\374\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0(\3\0\0\374\7\0\0" ) ) == 0x0 01806 1516 NtResumeThread (404, ... 1, ) == 0x0 01807 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01808 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 14471540, ... }, 14471540, ... 01809 2044 NtWaitForSingleObject (88, 0, 0x0, ... 01808 484 NtQueryAttributesFile ... ) == 0x0 01810 484 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 14472284, (0x80100080, {24, 0, 0x40, 0, 14472284, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 400, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 400, {status=0x0, info=1}, ) == 0x0 01811 484 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 400, ... 408, ) == 0x0 01812 484 NtClose (400, ... ) == 0x0 01813 484 NtMapViewOfSection (408, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xdd0000), {0, 0}, 4096, ) == 0x0 01814 484 NtClose (408, ... ) == 0x0 01807 1516 NtAllocateVirtualMemory ... 52625408, 1048576, ) == 0x0 01815 1516 NtAllocateVirtualMemory (-1, 53665792, 0, 8192, 4096, 4, ... 53665792, 8192, ) == 0x0 01816 1516 NtProtectVirtualMemory (-1, (0x332e000), 4096, 260, ... (0x332e000), 4096, 4, ) == 0x0 01817 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 408, {808, 240}, ) == 0x0 01818 1516 NtQueryInformationThread (408, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=808,Tid=240,}, 0x0, ) == 0x0 01819 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57987, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0(\3\0\0\360\0\0\0" ... {28, 56, reply, 0, 808, 1516, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0(\3\0\0\360\0\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57988, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0(\3\0\0\360\0\0\0" ... {28, 56, reply, 0, 808, 1516, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0(\3\0\0\360\0\0\0" ) ) == 0x0 01820 484 NtUnmapViewOfSection (-1, 0xdd0000, ... ) == 0x0 01821 484 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 400, {status=0x0, info=1}, ) }, 1, 96, ... 400, {status=0x0, info=1}, ) == 0x0 01822 484 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 400, ... 412, ) == 0x0 01823 484 NtMapViewOfSection (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xdd0000), 0x0, 4096, ) == 0x0 01824 484 NtQueryInformationFile (400, 14471936, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01825 484 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01826 1516 NtResumeThread (408, ... 1, ) == 0x0 01827 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 53673984, 1048576, ) == 0x0 01828 1516 NtAllocateVirtualMemory (-1, 54714368, 0, 8192, 4096, 4, ... 54714368, 8192, ) == 0x0 01829 1516 NtProtectVirtualMemory (-1, (0x342e000), 4096, 260, ... (0x342e000), 4096, 4, ) == 0x0 01830 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 416, {808, 968}, ) == 0x0 01831 1516 NtQueryInformationThread (416, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=808,Tid=968,}, 0x0, ) == 0x0 01832 484 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 14472236, 1179817, 14471960} (24, {128, 156, new_msg, 0, 2088850039, 14472236, 1179817, 14471960} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\220\1\0\0\234\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0 \330\334\0\0\0\0\0" ... ... 01833 240 NtWaitForSingleObject (88, 0, 0x0, ... 01832 484 NtRequestWaitReplyPort ... {128, 156, reply, 0, 808, 484, 57989, 0} ... {128, 156, reply, 0, 808, 484, 57989, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\220\1\0\0\234\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0 \330\334\0\0\0\0\0" ) ) == 0x0 01834 484 NtClose (400, ... ) == 0x0 01835 484 NtClose (412, ... ) == 0x0 01836 484 NtUnmapViewOfSection (-1, 0xdd0000, ... ) == 0x0 01837 484 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01838 484 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01839 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57988, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0(\3\0\0\310\3\0\0" ... {28, 56, reply, 0, 808, 1516, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0(\3\0\0\310\3\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57990, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0(\3\0\0\310\3\0\0" ... {28, 56, reply, 0, 808, 1516, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0(\3\0\0\310\3\0\0" ) ) == 0x0 01840 1516 NtResumeThread (416, ... 1, ) == 0x0 01841 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
54722560, 1048576, ) == 0x0 01842 1516 NtAllocateVirtualMemory (-1, 55762944, 0, 8192, 4096, 4, ... 55762944, 8192, ) == 0x0 01843 1516 NtProtectVirtualMemory (-1, (0x352e000), 4096, 260, ... (0x352e000), 4096, 4, ) == 0x0 01844 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01838 484 NtCreateEvent ... 412, ) == 0x0 01845 968 NtWaitForSingleObject (88, 0, 0x0, ... 01846 484 NtCallbackReturn (0, 0, 0, ... 01847 484 NtUserGetThreadState (18, ... ) == 0x1 01848 484 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01849 484 NtUserSystemParametersInfo (104, 0, 2001084812, 0, ... ) == 0x1 01850 484 NtUserGetDC (0, ... ) == 0x1010052 01851 484 NtUserCallOneParam (16842834, 57, ... ) == 0x1 01844 1516 NtCreateThread ... 400, {808, 308}, ) == 0x0 01852 1516 NtQueryInformationThread (400, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=808,Tid=308,}, 0x0, ) == 0x0 01853 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57990, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0(\3\0\04\1\0\0" ... {28, 56, reply, 0, 808, 1516, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0(\3\0\04\1\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57991, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0(\3\0\04\1\0\0" ... {28, 56, reply, 0, 808, 1516, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0(\3\0\04\1\0\0" ) ) == 0x0 01854 1516 NtResumeThread (400, ... 1, ) == 0x0 01855 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 55771136, 1048576, ) == 0x0 01856 1516 NtAllocateVirtualMemory (-1, 56811520, 0, 8192, 4096, 4, ... 56811520, 8192, ) == 0x0 01857 484 NtUserSystemParametersInfo (38, 4, 2001086940, 0, ... 01858 308 NtWaitForSingleObject (88, 0, 0x0, ... 01857 484 NtUserSystemParametersInfo ... ) == 0x1 01859 484 NtUserSystemParametersInfo (66, 12, 14473936, 0, ... ) == 0x1 01860 484 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01861 484 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 420, ) == 0x0 01862 484 NtQueryInformationToken (420, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01863 484 NtClose (420, ... ) == 0x0 01864 1516 NtProtectVirtualMemory (-1, (0x362e000), 4096, 260, ... (0x362e000), 4096, 4, ) == 0x0 01865 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 420, {808, 764}, ) == 0x0 01866 1516 NtQueryInformationThread (420, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=808,Tid=764,}, 0x0, ) == 0x0 01867 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57991, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0(\3\0\0\374\2\0\0" ... {28, 56, reply, 0, 808, 1516, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0(\3\0\0\374\2\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57992, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0(\3\0\0\374\2\0\0" ... {28, 56, reply, 0, 808, 1516, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0(\3\0\0\374\2\0\0" ) ) == 0x0 01868 1516 NtResumeThread (420, ... 1, ) == 0x0 01869 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01870 484 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... }, ... 01871 764 NtWaitForSingleObject (88, 0, 0x0, ... 01870 484 NtOpenKey ... 424, ) == 0x0 01872 484 NtOpenProcessToken (-1, 0x8, ... 428, ) == 0x0 01873 484 NtAccessCheck (1336312, 428, 0x1, 14473768, 14473820, 56, 14473800, ... ) == STATUS_NO_IMPERSONATION_TOKEN 01874 484 NtClose (428, ... ) == 0x0 01875 484 NtOpenKey (0x20019, {24, 424, 0x40, 0, 0, (0x20019, {24, 424, 0x40, 0, 0, "Control Panel\Desktop"}, ... 428, ) }, ... 428, ) == 0x0 01876 484 NtQueryValueKey (428, (428, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01869 1516 NtAllocateVirtualMemory ... 
56819712, 1048576, ) == 0x0 01877 1516 NtAllocateVirtualMemory (-1, 57860096, 0, 8192, 4096, 4, ... 57860096, 8192, ) == 0x0 01878 1516 NtProtectVirtualMemory (-1, (0x372e000), 4096, 260, ... (0x372e000), 4096, 4, ) == 0x0 01879 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 432, {808, 2000}, ) == 0x0 01880 1516 NtQueryInformationThread (432, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=808,Tid=2000,}, 0x0, ) == 0x0 01881 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57992, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0(\3\0\0\320\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0(\3\0\0\320\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57993, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0(\3\0\0\320\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0(\3\0\0\320\7\0\0" ) ) == 0x0 01882 484 NtClose (428, ... ) == 0x0 01883 484 NtUserSystemParametersInfo (41, 500, 14473964, 0, ... ) == 0x1 01884 484 NtOpenProcessToken (-1, 0x8, ... 428, ) == 0x0 01885 484 NtAccessCheck (1336312, 428, 0x1, 14473768, 14473820, 56, 14473800, ... ) == STATUS_NO_IMPERSONATION_TOKEN 01886 484 NtClose (428, ... ) == 0x0 01887 484 NtOpenKey (0x20019, {24, 424, 0x40, 0, 0, (0x20019, {24, 424, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 428, ) }, ... 428, ) == 0x0 01888 1516 NtResumeThread (432, ... 1, ) == 0x0 01889 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 57868288, 1048576, ) == 0x0 01890 1516 NtAllocateVirtualMemory (-1, 58908672, 0, 8192, 4096, 4, ... 58908672, 8192, ) == 0x0 01891 1516 NtProtectVirtualMemory (-1, (0x382e000), 4096, 260, ... (0x382e000), 4096, 4, ) == 0x0 01892 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
436, {808, 1852}, ) == 0x0 01893 1516 NtQueryInformationThread (436, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=808,Tid=1852,}, 0x0, ) == 0x0 01894 484 NtQueryValueKey (428, (428, "EnableBalloonTips", Partial, 144, ... , Partial, 144, ... 01895 2000 NtWaitForSingleObject (88, 0, 0x0, ... 01894 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01896 484 NtClose (428, ... ) == 0x0 01897 484 NtUserSystemParametersInfo (27, 0, 2001085788, 0, ... ) == 0x1 01898 484 NtUserSystemParametersInfo (102, 0, 2001086828, 0, ... ) == 0x1 01899 484 NtClose (424, ... ) == 0x0 01900 484 NtUserSystemParametersInfo (4130, 0, 14474468, 0, ... ) == 0x1 01901 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57993, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0(\3\0\0<\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0(\3\0\0<\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57994, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0(\3\0\0<\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0(\3\0\0<\7\0\0" ) ) == 0x0 01902 1516 NtResumeThread (436, ... 1, ) == 0x0 01903 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 58916864, 1048576, ) == 0x0 01904 1516 NtAllocateVirtualMemory (-1, 59957248, 0, 8192, 4096, 4, ... 59957248, 8192, ) == 0x0 01905 1516 NtProtectVirtualMemory (-1, (0x392e000), 4096, 260, ... (0x392e000), 4096, 4, ) == 0x0 01906 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01907 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... }, ... 01908 1852 NtWaitForSingleObject (88, 0, 0x0, ... 01907 484 NtOpenKey ... 424, ) == 0x0 01909 484 NtEnumerateValueKey (424, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01910 484 NtClose (424, ... 
) == 0x0 01911 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 01912 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c03b 01913 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c03d 01906 1516 NtCreateThread ... 424, {808, 1420}, ) == 0x0 01914 1516 NtQueryInformationThread (424, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=808,Tid=1420,}, 0x0, ) == 0x0 01915 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57994, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0(\3\0\0\214\5\0\0" ... {28, 56, reply, 0, 808, 1516, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0(\3\0\0\214\5\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57995, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0(\3\0\0\214\5\0\0" ... {28, 56, reply, 0, 808, 1516, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0(\3\0\0\214\5\0\0" ) ) == 0x0 01916 1516 NtResumeThread (424, ... 1, ) == 0x0 01917 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 59965440, 1048576, ) == 0x0 01918 1516 NtAllocateVirtualMemory (-1, 61005824, 0, 8192, 4096, 4, ... 61005824, 8192, ) == 0x0 01919 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... 01920 1420 NtWaitForSingleObject (88, 0, 0x0, ... 01919 484 NtUserFindExistingCursorIcon ... ) == 0x10011 01921 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c03f 01922 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 01923 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c041 01924 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 01925 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... 
) == 0x81a2c043 01926 1516 NtProtectVirtualMemory (-1, (0x3a2e000), 4096, 260, ... (0x3a2e000), 4096, 4, ) == 0x0 01927 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 428, {808, 164}, ) == 0x0 01928 1516 NtQueryInformationThread (428, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=808,Tid=164,}, 0x0, ) == 0x0 01929 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57995, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0(\3\0\0\244\0\0\0" ... {28, 56, reply, 0, 808, 1516, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0(\3\0\0\244\0\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57996, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0(\3\0\0\244\0\0\0" ... {28, 56, reply, 0, 808, 1516, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0(\3\0\0\244\0\0\0" ) ) == 0x0 01930 1516 NtResumeThread (428, ... 1, ) == 0x0 01931 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01932 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... 01933 164 NtWaitForSingleObject (88, 0, 0x0, ... 01932 484 NtUserRegisterClassExWOW ... ) == 0x81a2c045 01934 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 01935 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c047 01936 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 01937 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c049 01938 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 01931 1516 NtAllocateVirtualMemory ... 61014016, 1048576, ) == 0x0 01939 1516 NtAllocateVirtualMemory (-1, 62054400, 0, 8192, 4096, 4, ... 62054400, 8192, ) == 0x0 01940 1516 NtProtectVirtualMemory (-1, (0x3b2e000), 4096, 260, ... 
(0x3b2e000), 4096, 4, ) == 0x0 01941 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 440, {808, 1564}, ) == 0x0 01942 1516 NtQueryInformationThread (440, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=808,Tid=1564,}, 0x0, ) == 0x0 01943 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57996, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0(\3\0\0\34\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0(\3\0\0\34\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57997, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0(\3\0\0\34\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0(\3\0\0\34\6\0\0" ) ) == 0x0 01944 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c04b 01945 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 01946 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c04d 01947 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 01948 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c04f 01949 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c051 01950 1516 NtResumeThread (440, ... 1, ) == 0x0 01951 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 62062592, 1048576, ) == 0x0 01952 1516 NtAllocateVirtualMemory (-1, 63102976, 0, 8192, 4096, 4, ... 63102976, 8192, ) == 0x0 01953 1516 NtProtectVirtualMemory (-1, (0x3c2e000), 4096, 260, ... (0x3c2e000), 4096, 4, ) == 0x0 01954 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 444, {808, 1592}, ) == 0x0 01955 1516 NtQueryInformationThread (444, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=808,Tid=1592,}, 0x0, ) == 0x0 01956 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... 01957 1564 NtWaitForSingleObject (88, 0, 0x0, ... 01956 484 NtUserFindExistingCursorIcon ... ) == 0x10011 01958 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c053 01959 484 NtUserFindExistingCursorIcon (14473712, 14473728, 14473776, ... ) == 0x10011 01960 484 NtUserRegisterClassExWOW (14473656, 14473724, 14473740, 14473756, 0, 384, 0, ... ) == 0x81a2c055 01961 484 NtUserFindExistingCursorIcon (14473712, 14473728, 14473776, ... ) == 0x10011 01962 484 NtUserRegisterClassExWOW (14473656, 14473724, 14473740, 14473756, 0, 384, 0, ... ) == 0x81a2c057 01963 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57997, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0(\3\0\08\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0(\3\0\08\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57998, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0(\3\0\08\6\0\0" ... {28, 56, reply, 0, 808, 1516, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0(\3\0\08\6\0\0" ) ) == 0x0 01964 1516 NtResumeThread (444, ... 1, ) == 0x0 01965 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 63111168, 1048576, ) == 0x0 01966 1516 NtAllocateVirtualMemory (-1, 64151552, 0, 8192, 4096, 4, ... 64151552, 8192, ) == 0x0 01967 1516 NtProtectVirtualMemory (-1, (0x3d2e000), 4096, 260, ... (0x3d2e000), 4096, 4, ) == 0x0 01968 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01969 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... 01970 1592 NtWaitForSingleObject (88, 0, 0x0, ... 01969 484 NtUserFindExistingCursorIcon ... ) == 0x10011 01971 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... 
) == 0x81a2c059 01972 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10013 01973 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c05b 01974 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 01975 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c05d 01968 1516 NtCreateThread ... 448, {808, 2032}, ) == 0x0 01976 1516 NtQueryInformationThread (448, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=808,Tid=2032,}, 0x0, ) == 0x0 01977 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57998, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0(\3\0\0\360\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0(\3\0\0\360\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 57999, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0(\3\0\0\360\7\0\0" ... {28, 56, reply, 0, 808, 1516, 57999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0(\3\0\0\360\7\0\0" ) ) == 0x0 01978 1516 NtResumeThread (448, ... 1, ) == 0x0 01979 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 64159744, 1048576, ) == 0x0 01980 1516 NtAllocateVirtualMemory (-1, 65200128, 0, 8192, 4096, 4, ... 65200128, 8192, ) == 0x0 01981 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... 01982 2032 NtWaitForSingleObject (88, 0, 0x0, ... 01981 484 NtUserFindExistingCursorIcon ... ) == 0x10011 01983 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c05f 01984 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 01985 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c017 01986 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... 
) == 0x10011 01987 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c019 01988 1516 NtProtectVirtualMemory (-1, (0x3e2e000), 4096, 260, ... (0x3e2e000), 4096, 4, ) == 0x0 01989 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 452, {808, 1500}, ) == 0x0 01990 1516 NtQueryInformationThread (452, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=808,Tid=1500,}, 0x0, ) == 0x0 01991 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 57999, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0(\3\0\0\334\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0(\3\0\0\334\5\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58000, 0} (24, {28, 56, new_msg, 0, 808, 1516, 57999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0(\3\0\0\334\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0(\3\0\0\334\5\0\0" ) ) == 0x0 01992 1516 NtResumeThread (452, ... 1, ) == 0x0 01993 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01994 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... 01995 1500 NtWaitForSingleObject (88, 0, 0x0, ... 01994 484 NtUserFindExistingCursorIcon ... ) == 0x10013 01996 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c018 01997 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 01998 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c01a 01999 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 02000 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c01c 01993 1516 NtAllocateVirtualMemory ... 65208320, 1048576, ) == 0x0 02001 1516 NtAllocateVirtualMemory (-1, 66248704, 0, 8192, 4096, 4, ... 
66248704, 8192, ) == 0x0 02002 1516 NtProtectVirtualMemory (-1, (0x3f2e000), 4096, 260, ... (0x3f2e000), 4096, 4, ) == 0x0 02003 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 456, {808, 932}, ) == 0x0 02004 1516 NtQueryInformationThread (456, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=808,Tid=932,}, 0x0, ) == 0x0 02005 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58000, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0(\3\0\0\244\3\0\0" ... {28, 56, reply, 0, 808, 1516, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0(\3\0\0\244\3\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58001, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0(\3\0\0\244\3\0\0" ... {28, 56, reply, 0, 808, 1516, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0(\3\0\0\244\3\0\0" ) ) == 0x0 02006 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 02007 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c01e 02008 484 NtUserFindExistingCursorIcon (14473708, 14473724, 14473772, ... ) == 0x10011 02009 484 NtUserRegisterClassExWOW (14473708, 14473776, 14473792, 14473808, 0, 384, 0, ... ) == 0x81a2c01b 02010 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... ) == 0x10011 02011 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c068 02012 1516 NtResumeThread (456, ... 1, ) == 0x0 02013 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 66256896, 1048576, ) == 0x0 02014 1516 NtAllocateVirtualMemory (-1, 67297280, 0, 8192, 4096, 4, ... 67297280, 8192, ) == 0x0 02015 1516 NtProtectVirtualMemory (-1, (0x402e000), 4096, 260, ... (0x402e000), 4096, 4, ) == 0x0 02016 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 460, {808, 1528}, ) == 0x0 02017 1516 NtQueryInformationThread (460, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=808,Tid=1528,}, 0x0, ) == 0x0 02018 484 NtUserFindExistingCursorIcon (14473716, 14473732, 14473780, ... 02019 932 NtWaitForSingleObject (88, 0, 0x0, ... 02018 484 NtUserFindExistingCursorIcon ... ) == 0x10011 02020 484 NtUserRegisterClassExWOW (14473660, 14473728, 14473744, 14473760, 0, 384, 0, ... ) == 0x81a2c06a 02021 484 NtSetEventBoostPriority (88, ... 01548 1808 NtWaitForSingleObject ... ) == 0x0 02022 1808 NtSetEventBoostPriority (88, ... 01569 1700 NtWaitForSingleObject ... ) == 0x0 02023 1700 NtSetEventBoostPriority (88, ... 01577 860 NtWaitForSingleObject ... ) == 0x0 02024 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13431852, ... ) }, 13431852, ... ) == 0x0 02023 1700 NtSetEventBoostPriority ... ) == 0x0 02022 1808 NtSetEventBoostPriority ... ) == 0x0 02021 484 NtSetEventBoostPriority ... ) == 0x0 02025 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58001, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0(\3\0\0\370\5\0\0" ... ... 02026 860 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 02027 1700 NtTestAlert (... 02028 1808 NtTestAlert (... 02025 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58002, 0} ... {28, 56, reply, 0, 808, 1516, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0(\3\0\0\370\5\0\0" ) ) == 0x0 02026 860 NtOpenFile ... 464, {status=0x0, info=1}, ) == 0x0 02027 1700 NtTestAlert ... ) == 0x0 02028 1808 NtTestAlert ... ) == 0x0 02029 1516 NtResumeThread (460, ... 02030 860 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 464, ... 02031 1700 NtContinue (35716400, 1, ... 02032 1808 NtContinue (34667824, 1, ... 02029 1516 NtResumeThread ... 1, ) == 0x0 02030 860 NtCreateSection ... 468, ) == 0x0 02033 1700 NtRegisterThreadTerminatePort (24, ... 
02034 1808 NtRegisterThreadTerminatePort (24, ... 02035 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02036 860 NtClose (464, ... 02033 1700 NtRegisterThreadTerminatePort ... ) == 0x0 02034 1808 NtRegisterThreadTerminatePort ... ) == 0x0 02037 484 NtWaitForSingleObject (88, 0, 0x0, ... 02038 1528 NtWaitForSingleObject (88, 0, 0x0, ... 02036 860 NtClose ... ) == 0x0 02039 1700 NtWaitForSingleObject (212, 0, 0x0, ... 02040 1808 NtWaitForSingleObject (212, 0, 0x0, ... 02035 1516 NtAllocateVirtualMemory ... 67305472, 1048576, ) == 0x0 02041 860 NtMapViewOfSection (468, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 02042 1516 NtAllocateVirtualMemory (-1, 68345856, 0, 8192, 4096, 4, ... 02041 860 NtMapViewOfSection ... (0xdd0000), 0x0, 20480, ) == 0x0 02042 1516 NtAllocateVirtualMemory ... 68345856, 8192, ) == 0x0 02043 860 NtClose (468, ... 02044 1516 NtProtectVirtualMemory (-1, (0x412e000), 4096, 260, ... 02043 860 NtClose ... ) == 0x0 02044 1516 NtProtectVirtualMemory ... (0x412e000), 4096, 4, ) == 0x0 02045 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02046 860 NtUnmapViewOfSection (-1, 0xdd0000, ... ) == 0x0 02047 860 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13432160, ... ) }, 13432160, ... ) == 0x0 02048 860 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 468, {status=0x0, info=1}, ) }, 5, 96, ... 468, {status=0x0, info=1}, ) == 0x0 02045 1516 NtCreateThread ... 464, {808, 1780}, ) == 0x0 02049 1516 NtQueryInformationThread (464, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=808,Tid=1780,}, 0x0, ) == 0x0 02050 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58002, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0(\3\0\0\364\6\0\0" ... 
{28, 56, reply, 0, 808, 1516, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0(\3\0\0\364\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58003, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0(\3\0\0\364\6\0\0" ... {28, 56, reply, 0, 808, 1516, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0(\3\0\0\364\6\0\0" ) ) == 0x0 02051 1516 NtResumeThread (464, ... 1, ) == 0x0 02052 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 68354048, 1048576, ) == 0x0 02053 1516 NtAllocateVirtualMemory (-1, 69394432, 0, 8192, 4096, 4, ... 69394432, 8192, ) == 0x0 02054 860 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 468, ... 02055 1780 NtWaitForSingleObject (88, 0, 0x0, ... 02054 860 NtCreateSection ... 472, ) == 0x0 02056 860 NtQuerySection (472, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02057 860 NtClose (468, ... ) == 0x0 02058 860 NtMapViewOfSection (472, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 02059 860 NtClose (472, ... ) == 0x0 02060 860 NtProtectVirtualMemory (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0 02061 1516 NtProtectVirtualMemory (-1, (0x422e000), 4096, 260, ... (0x422e000), 4096, 4, ) == 0x0 02062 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 472, {808, 1804}, ) == 0x0 02063 1516 NtQueryInformationThread (472, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=808,Tid=1804,}, 0x0, ) == 0x0 02064 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58003, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0(\3\0\0\14\7\0\0" ... {28, 56, reply, 0, 808, 1516, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0(\3\0\0\14\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58004, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0(\3\0\0\14\7\0\0" ... 
{28, 56, reply, 0, 808, 1516, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0(\3\0\0\14\7\0\0" ) ) == 0x0 02065 1516 NtResumeThread (472, ... 1, ) == 0x0 02066 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02067 860 NtProtectVirtualMemory (-1, (0x71a91000), 4096, 32, ... 02068 1804 NtWaitForSingleObject (88, 0, 0x0, ... 02067 860 NtProtectVirtualMemory ... (0x71a91000), 4096, 4, ) == 0x0 02069 860 NtFlushInstructionCache (-1, 1906905088, 128, ... ) == 0x0 02070 860 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02071 860 NtSetEventBoostPriority (88, ... 01594 1156 NtWaitForSingleObject ... ) == 0x0 02072 1156 NtSetEventBoostPriority (88, ... 01607 712 NtWaitForSingleObject ... ) == 0x0 02073 712 NtSetEventBoostPriority (88, ... 01618 1728 NtWaitForSingleObject ... ) == 0x0 02074 1728 NtSetEventBoostPriority (88, ... 01631 1356 NtWaitForSingleObject ... ) == 0x0 02075 1356 NtSetEventBoostPriority (88, ... 01655 1536 NtWaitForSingleObject ... ) == 0x0 02076 1536 NtSetEventBoostPriority (88, ... 01667 444 NtWaitForSingleObject ... ) == 0x0 02077 444 NtSetEventBoostPriority (88, ... 01678 1904 NtWaitForSingleObject ... ) == 0x0 02078 1904 NtSetEventBoostPriority (88, ... 01685 1936 NtWaitForSingleObject ... ) == 0x0 02079 1936 NtSetEventBoostPriority (88, ... 01709 1648 NtWaitForSingleObject ... ) == 0x0 02080 1648 NtSetEventBoostPriority (88, ... 01722 148 NtWaitForSingleObject ... ) == 0x0 02081 148 NtSetEventBoostPriority (88, ... 01734 1828 NtWaitForSingleObject ... ) == 0x0 02082 1828 NtSetEventBoostPriority (88, ... 01747 1864 NtWaitForSingleObject ... ) == 0x0 02083 1864 NtSetEventBoostPriority (88, ... 01771 1896 NtWaitForSingleObject ... ) == 0x0 02084 1896 NtSetEventBoostPriority (88, ... 01784 1524 NtWaitForSingleObject ... 
) == 0x0 02085 1524 NtSetEventBoostPriority (88, ... 01796 1944 NtWaitForSingleObject ... ) == 0x0 02086 1944 NtSetEventBoostPriority (88, ... 01809 2044 NtWaitForSingleObject ... ) == 0x0 02087 2044 NtSetEventBoostPriority (88, ... 01833 240 NtWaitForSingleObject ... ) == 0x0 02088 240 NtSetEventBoostPriority (88, ... 01845 968 NtWaitForSingleObject ... ) == 0x0 02089 968 NtSetEventBoostPriority (88, ... 01858 308 NtWaitForSingleObject ... ) == 0x0 02090 308 NtSetEventBoostPriority (88, ... 01871 764 NtWaitForSingleObject ... ) == 0x0 02091 764 NtSetEventBoostPriority (88, ... 01895 2000 NtWaitForSingleObject ... ) == 0x0 02092 2000 NtSetEventBoostPriority (88, ... 01908 1852 NtWaitForSingleObject ... ) == 0x0 02093 1852 NtSetEventBoostPriority (88, ... 01920 1420 NtWaitForSingleObject ... ) == 0x0 02094 1420 NtSetEventBoostPriority (88, ... 01933 164 NtWaitForSingleObject ... ) == 0x0 02095 164 NtSetEventBoostPriority (88, ... 01957 1564 NtWaitForSingleObject ... ) == 0x0 02096 1564 NtAllocateVirtualMemory (-1, 8806400, 0, 4096, 4096, 4, ... 8806400, 4096, ) == 0x0 02095 164 NtSetEventBoostPriority ... ) == 0x0 02094 1420 NtSetEventBoostPriority ... ) == 0x0 02093 1852 NtSetEventBoostPriority ... ) == 0x0 02092 2000 NtSetEventBoostPriority ... ) == 0x0 02091 764 NtSetEventBoostPriority ... ) == 0x0 02090 308 NtSetEventBoostPriority ... ) == 0x0 02089 968 NtSetEventBoostPriority ... ) == 0x0 02088 240 NtSetEventBoostPriority ... ) == 0x0 02087 2044 NtSetEventBoostPriority ... ) == 0x0 02086 1944 NtSetEventBoostPriority ... ) == 0x0 02085 1524 NtSetEventBoostPriority ... ) == 0x0 02084 1896 NtSetEventBoostPriority ... ) == 0x0 02083 1864 NtSetEventBoostPriority ... ) == 0x0 02082 1828 NtSetEventBoostPriority ... ) == 0x0 02081 148 NtSetEventBoostPriority ... ) == 0x0 02080 1648 NtSetEventBoostPriority ... ) == 0x0 02079 1936 NtSetEventBoostPriority ... ) == 0x0 02078 1904 NtSetEventBoostPriority ... ) == 0x0 02077 444 NtSetEventBoostPriority ... 
) == 0x0 02076 1536 NtSetEventBoostPriority ... ) == 0x0 02075 1356 NtSetEventBoostPriority ... ) == 0x0 02074 1728 NtSetEventBoostPriority ... ) == 0x0 02073 712 NtSetEventBoostPriority ... ) == 0x0 02072 1156 NtSetEventBoostPriority ... ) == 0x0 02071 860 NtSetEventBoostPriority ... ) == 0x0 02066 1516 NtAllocateVirtualMemory ... 69402624, 1048576, ) == 0x0 02097 1564 NtSetEventBoostPriority (88, ... 02098 164 NtTestAlert (... 02099 1420 NtTestAlert (... 02100 1852 NtTestAlert (... 02101 2000 NtTestAlert (... 02102 764 NtTestAlert (... 02103 308 NtTestAlert (... 02104 968 NtTestAlert (... 02105 240 NtTestAlert (... 02106 2044 NtTestAlert (... 02107 1944 NtTestAlert (... 02108 1524 NtTestAlert (... 02109 1896 NtTestAlert (... 02110 1864 NtTestAlert (... 02111 1828 NtTestAlert (... 02112 148 NtTestAlert (... 02113 1648 NtTestAlert (... 02114 1936 NtTestAlert (... 02115 1904 NtTestAlert (... 02116 444 NtTestAlert (... 02117 1536 NtTestAlert (... 02118 1356 NtTestAlert (... 02119 1728 NtTestAlert (... 02120 712 NtTestAlert (... 02121 1156 NtTestAlert (... 02122 1516 NtAllocateVirtualMemory (-1, 70443008, 0, 8192, 4096, 4, ... 01970 1592 NtWaitForSingleObject ... ) == 0x0 02097 1564 NtSetEventBoostPriority ... ) == 0x0 02098 164 NtTestAlert ... ) == 0x0 02099 1420 NtTestAlert ... ) == 0x0 02100 1852 NtTestAlert ... ) == 0x0 02101 2000 NtTestAlert ... ) == 0x0 02102 764 NtTestAlert ... ) == 0x0 02103 308 NtTestAlert ... ) == 0x0 02104 968 NtTestAlert ... ) == 0x0 02105 240 NtTestAlert ... ) == 0x0 02106 2044 NtTestAlert ... ) == 0x0 02107 1944 NtTestAlert ... ) == 0x0 02108 1524 NtTestAlert ... ) == 0x0 02109 1896 NtTestAlert ... ) == 0x0 02110 1864 NtTestAlert ... ) == 0x0 02111 1828 NtTestAlert ... ) == 0x0 02112 148 NtTestAlert ... ) == 0x0 02113 1648 NtTestAlert ... ) == 0x0 02114 1936 NtTestAlert ... ) == 0x0 02115 1904 NtTestAlert ... ) == 0x0 02116 444 NtTestAlert ... ) == 0x0 02117 1536 NtTestAlert ... ) == 0x0 02118 1356 NtTestAlert ... 
) == 0x0 02119 1728 NtTestAlert ... ) == 0x0 02120 712 NtTestAlert ... ) == 0x0 02121 1156 NtTestAlert ... ) == 0x0 02123 1592 NtSetEventBoostPriority (88, ... 02122 1516 NtAllocateVirtualMemory ... 70443008, 8192, ) == 0x0 02124 1564 NtTestAlert (... 02125 164 NtContinue (61013296, 1, ... 02126 1420 NtContinue (59964720, 1, ... 02127 1852 NtContinue (58916144, 1, ... 02128 2000 NtContinue (57867568, 1, ... 02129 764 NtContinue (56818992, 1, ... 02130 308 NtContinue (55770416, 1, ... 02131 968 NtContinue (54721840, 1, ... 02132 240 NtContinue (53673264, 1, ... 02133 2044 NtContinue (52624688, 1, ... 02134 1944 NtContinue (49413424, 1, ... 02135 1524 NtContinue (48364848, 1, ... 02136 1896 NtContinue (47316272, 1, ... 02137 1864 NtContinue (46267696, 1, ... 02138 1828 NtContinue (44105008, 1, ... 02139 148 NtContinue (45219120, 1, ... 02140 1648 NtContinue (43056432, 1, ... 02141 1936 NtContinue (42007856, 1, ... 02142 1904 NtContinue (51576112, 1, ... 02143 444 NtContinue (50527536, 1, ... 02144 1536 NtContinue (40959280, 1, ... 02145 1356 NtContinue (39910704, 1, ... 02146 1728 NtContinue (38862128, 1, ... 02147 712 NtContinue (37813552, 1, ... 01982 2032 NtWaitForSingleObject ... ) == 0x0 02123 1592 NtSetEventBoostPriority ... ) == 0x0 02148 1156 NtContinue (36764976, 1, ... 02149 1516 NtProtectVirtualMemory (-1, (0x432e000), 4096, 260, ... 02124 1564 NtTestAlert ... ) == 0x0 02150 164 NtRegisterThreadTerminatePort (24, ... 02151 1420 NtRegisterThreadTerminatePort (24, ... 02152 1852 NtRegisterThreadTerminatePort (24, ... 02153 2000 NtRegisterThreadTerminatePort (24, ... 02154 764 NtRegisterThreadTerminatePort (24, ... 02155 308 NtRegisterThreadTerminatePort (24, ... 02156 968 NtRegisterThreadTerminatePort (24, ... 02157 240 NtRegisterThreadTerminatePort (24, ... 02158 2044 NtRegisterThreadTerminatePort (24, ... 02159 1944 NtRegisterThreadTerminatePort (24, ... 02160 1524 NtRegisterThreadTerminatePort (24, ... 02161 1896 NtRegisterThreadTerminatePort (24, ... 
02162 1864 NtRegisterThreadTerminatePort (24, ... 02163 1828 NtRegisterThreadTerminatePort (24, ... 02164 148 NtRegisterThreadTerminatePort (24, ... 02165 1648 NtRegisterThreadTerminatePort (24, ... 02166 1936 NtRegisterThreadTerminatePort (24, ... 02167 1904 NtRegisterThreadTerminatePort (24, ... 02168 444 NtRegisterThreadTerminatePort (24, ... 02169 1536 NtRegisterThreadTerminatePort (24, ... 02170 1356 NtRegisterThreadTerminatePort (24, ... 02171 1728 NtRegisterThreadTerminatePort (24, ... 02172 2032 NtSetEventBoostPriority (88, ... 02173 712 NtRegisterThreadTerminatePort (24, ... 02174 860 NtClose (328, ... 02175 1156 NtRegisterThreadTerminatePort (24, ... 02149 1516 NtProtectVirtualMemory ... (0x432e000), 4096, 4, ) == 0x0 02176 1564 NtContinue (62061872, 1, ... 02150 164 NtRegisterThreadTerminatePort ... ) == 0x0 02151 1420 NtRegisterThreadTerminatePort ... ) == 0x0 02152 1852 NtRegisterThreadTerminatePort ... ) == 0x0 02153 2000 NtRegisterThreadTerminatePort ... ) == 0x0 02154 764 NtRegisterThreadTerminatePort ... ) == 0x0 02155 308 NtRegisterThreadTerminatePort ... ) == 0x0 02156 968 NtRegisterThreadTerminatePort ... ) == 0x0 02157 240 NtRegisterThreadTerminatePort ... ) == 0x0 02158 2044 NtRegisterThreadTerminatePort ... ) == 0x0 02159 1944 NtRegisterThreadTerminatePort ... ) == 0x0 02160 1524 NtRegisterThreadTerminatePort ... ) == 0x0 02161 1896 NtRegisterThreadTerminatePort ... ) == 0x0 02162 1864 NtRegisterThreadTerminatePort ... ) == 0x0 02163 1828 NtRegisterThreadTerminatePort ... ) == 0x0 02164 148 NtRegisterThreadTerminatePort ... ) == 0x0 02165 1648 NtRegisterThreadTerminatePort ... ) == 0x0 02166 1936 NtRegisterThreadTerminatePort ... ) == 0x0 02167 1904 NtRegisterThreadTerminatePort ... ) == 0x0 02168 444 NtRegisterThreadTerminatePort ... ) == 0x0 02169 1536 NtRegisterThreadTerminatePort ... ) == 0x0 02170 1356 NtRegisterThreadTerminatePort ... ) == 0x0 01995 1500 NtWaitForSingleObject ... ) == 0x0 02172 2032 NtSetEventBoostPriority ... 
) == 0x0 02171 1728 NtRegisterThreadTerminatePort ... ) == 0x0 02173 712 NtRegisterThreadTerminatePort ... ) == 0x0 02174 860 NtClose ... ) == 0x0 02175 1156 NtRegisterThreadTerminatePort ... ) == 0x0 02177 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02178 1564 NtRegisterThreadTerminatePort (24, ... 02179 164 NtWaitForSingleObject (212, 0, 0x0, ... 02180 1420 NtWaitForSingleObject (212, 0, 0x0, ... 02181 1852 NtWaitForSingleObject (212, 0, 0x0, ... 02182 2000 NtWaitForSingleObject (212, 0, 0x0, ... 02183 764 NtWaitForSingleObject (212, 0, 0x0, ... 02184 308 NtWaitForSingleObject (212, 0, 0x0, ... 02185 968 NtWaitForSingleObject (212, 0, 0x0, ... 02186 240 NtWaitForSingleObject (212, 0, 0x0, ... 02187 2044 NtWaitForSingleObject (212, 0, 0x0, ... 02188 1944 NtWaitForSingleObject (212, 0, 0x0, ... 02189 1524 NtWaitForSingleObject (212, 0, 0x0, ... 02190 1896 NtWaitForSingleObject (212, 0, 0x0, ... 02191 1864 NtWaitForSingleObject (212, 0, 0x0, ... 02192 1828 NtWaitForSingleObject (212, 0, 0x0, ... 02193 148 NtWaitForSingleObject (212, 0, 0x0, ... 02194 1648 NtWaitForSingleObject (212, 0, 0x0, ... 02195 1936 NtWaitForSingleObject (212, 0, 0x0, ... 02196 1904 NtWaitForSingleObject (212, 0, 0x0, ... 02197 444 NtWaitForSingleObject (212, 0, 0x0, ... 02198 1536 NtWaitForSingleObject (212, 0, 0x0, ... 02199 1500 NtSetEventBoostPriority (88, ... 02200 1356 NtWaitForSingleObject (212, 0, 0x0, ... 02201 1592 NtTestAlert (... 02202 1728 NtWaitForSingleObject (212, 0, 0x0, ... 02203 712 NtWaitForSingleObject (212, 0, 0x0, ... 02204 860 NtWaitForSingleObject (88, 0, 0x0, ... 02205 1156 NtWaitForSingleObject (212, 0, 0x0, ... 02206 2032 NtTestAlert (... 02177 1516 NtCreateThread ... 328, {808, 1644}, ) == 0x0 02178 1564 NtRegisterThreadTerminatePort ... ) == 0x0 02019 932 NtWaitForSingleObject ... ) == 0x0 02199 1500 NtSetEventBoostPriority ... ) == 0x0 02201 1592 NtTestAlert ... ) == 0x0 02206 2032 NtTestAlert ... 
) == 0x0 02207 1516 NtQueryInformationThread (328, Basic, 28, ... 02208 932 NtSetEventBoostPriority (88, ... 02209 1564 NtWaitForSingleObject (212, 0, 0x0, ... 02210 1592 NtContinue (63110448, 1, ... 02211 2032 NtContinue (64159024, 1, ... 02037 484 NtWaitForSingleObject ... ) == 0x0 02208 932 NtSetEventBoostPriority ... ) == 0x0 02207 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=808,Tid=1644,}, 0x0, ) == 0x0 02212 1592 NtRegisterThreadTerminatePort (24, ... 02213 484 NtSetEventBoostPriority (88, ... 02214 2032 NtRegisterThreadTerminatePort (24, ... 02215 1500 NtTestAlert (... 02216 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58004, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0(\3\0\0l\6\0\0" ... ... 02038 1528 NtWaitForSingleObject ... ) == 0x0 02213 484 NtSetEventBoostPriority ... ) == 0x0 02212 1592 NtRegisterThreadTerminatePort ... ) == 0x0 02214 2032 NtRegisterThreadTerminatePort ... ) == 0x0 02215 1500 NtTestAlert ... ) == 0x0 02217 1528 NtSetEventBoostPriority (88, ... 02216 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58005, 0} ... {28, 56, reply, 0, 808, 1516, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0(\3\0\0l\6\0\0" ) ) == 0x0 02218 484 NtOpenThreadToken (-2, 0xc, 1, ... 02219 1592 NtWaitForSingleObject (212, 0, 0x0, ... 02220 2032 NtWaitForSingleObject (212, 0, 0x0, ... 02055 1780 NtWaitForSingleObject ... ) == 0x0 02217 1528 NtSetEventBoostPriority ... ) == 0x0 02221 1500 NtContinue (65207600, 1, ... 02222 932 NtTestAlert (... 02223 1516 NtResumeThread (328, ... 02218 484 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02224 1780 NtSetEventBoostPriority (88, ... 02225 1500 NtRegisterThreadTerminatePort (24, ... 02222 932 NtTestAlert ... ) == 0x0 02223 1516 NtResumeThread ... 1, ) == 0x0 02068 1804 NtWaitForSingleObject ... ) == 0x0 02224 1780 NtSetEventBoostPriority ... 
) == 0x0 02226 484 NtCreateSemaphore (0x1f0003, {24, 44, 0x80, 1330488, 0, (0x1f0003, {24, 44, 0x80, 1330488, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... }, 0, 2147483647, ... 02225 1500 NtRegisterThreadTerminatePort ... ) == 0x0 02227 932 NtContinue (66256176, 1, ... 02228 1804 NtSetEventBoostPriority (88, ... 02229 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02230 1528 NtTestAlert (... 02231 1644 NtWaitForSingleObject (88, 0, 0x0, ... 02226 484 NtCreateSemaphore ... 468, ) == STATUS_OBJECT_NAME_EXISTS 02232 1500 NtWaitForSingleObject (212, 0, 0x0, ... 02204 860 NtWaitForSingleObject ... ) == 0x0 02228 1804 NtSetEventBoostPriority ... ) == 0x0 02233 932 NtRegisterThreadTerminatePort (24, ... 02229 1516 NtAllocateVirtualMemory ... 70451200, 1048576, ) == 0x0 02230 1528 NtTestAlert ... ) == 0x0 02234 484 NtReleaseSemaphore (468, 1, ... 02235 1780 NtTestAlert (... 02236 860 NtSetEventBoostPriority (88, ... 02233 932 NtRegisterThreadTerminatePort ... ) == 0x0 02237 1516 NtAllocateVirtualMemory (-1, 71491584, 0, 8192, 4096, 4, ... 02238 1528 NtContinue (67304752, 1, ... 02234 484 NtReleaseSemaphore ... 0, ) == 0x0 02231 1644 NtWaitForSingleObject ... ) == 0x0 02236 860 NtSetEventBoostPriority ... ) == 0x0 02235 1780 NtTestAlert ... ) == 0x0 02239 932 NtWaitForSingleObject (212, 0, 0x0, ... 02237 1516 NtAllocateVirtualMemory ... 71491584, 8192, ) == 0x0 02240 1528 NtRegisterThreadTerminatePort (24, ... 02241 1644 NtTestAlert (... 02242 484 NtWaitForSingleObject (468, 0, {0, 0}, ... 02243 1804 NtTestAlert (... 02244 1780 NtContinue (68353328, 1, ... 02245 860 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 13434496, 67, ... }, 0x0, 0, 3, 3, 0, 13434496, 67, ... 02241 1644 NtTestAlert ... ) == 0x0 02240 1528 NtRegisterThreadTerminatePort ... ) == 0x0 02246 1516 NtProtectVirtualMemory (-1, (0x442e000), 4096, 260, ... 02243 1804 NtTestAlert ... 
) == 0x0 02247 1780 NtRegisterThreadTerminatePort (24, ... 02245 860 NtCreateFile ... 476, {status=0x0, info=0}, ) == 0x0 02242 484 NtWaitForSingleObject ... ) == 0x0 02248 1528 NtWaitForSingleObject (212, 0, 0x0, ... 02246 1516 NtProtectVirtualMemory ... (0x442e000), 4096, 4, ) == 0x0 02249 1804 NtContinue (69401904, 1, ... 02247 1780 NtRegisterThreadTerminatePort ... ) == 0x0 02250 860 NtDeviceIoControlFile (476, 204, 0x0, 0x0, 0x1207b, (476, 204, 0x0, 0x0, 0x1207b, "\7\0\0\00\5\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ... 02251 484 NtCreateKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02252 1644 NtContinue (70450480, 1, ... 02253 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02254 1804 NtRegisterThreadTerminatePort (24, ... 02255 1780 NtWaitForSingleObject (212, 0, 0x0, ... 02250 860 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0 02251 484 NtCreateKey ... 480, 2, ) == 0x0 02256 1644 NtRegisterThreadTerminatePort (24, ... 02253 1516 NtCreateThread ... 484, {808, 336}, ) == 0x0 02254 1804 NtRegisterThreadTerminatePort ... ) == 0x0 02257 860 NtDeviceIoControlFile (476, 204, 0x0, 0x0, 0x1207b, (476, 204, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", 16, 16, ... , 16, 16, ... 02258 484 NtQueryValueKey (480, (480, "Cache", Partial, 144, ... , Partial, 144, ... 02256 1644 NtRegisterThreadTerminatePort ... ) == 0x0 02259 1516 NtQueryInformationThread (484, Basic, 28, ... 02260 1804 NtWaitForSingleObject (212, 0, 0x0, ... 02257 860 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0 02258 484 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 02261 1644 NtWaitForSingleObject (212, 0, 0x0, ... 02259 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=808,Tid=336,}, 0x0, ) == 0x0 02262 860 NtDeviceIoControlFile (476, 204, 0x0, 0x0, 0x12047, (476, 204, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 02263 484 NtClose (480, ... 02262 860 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02263 484 NtClose ... ) == 0x0 02264 860 NtWaitForSingleObject (152, 0, {0, 0}, ... 02265 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 14478660, ... }, 14478660, ... 02264 860 NtWaitForSingleObject ... ) == 0x102 02265 484 NtQueryAttributesFile ... ) == 0x0 02266 860 NtDeviceIoControlFile (476, 204, 0x0, 0x0, 0x12003, (476, 204, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02267 484 NtCreateKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 
02268 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58005, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0(\3\0\0P\1\0\0" ... ... 02267 484 NtCreateKey ... 480, 2, ) == 0x0 02268 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58006, 0} ... {28, 56, reply, 0, 808, 1516, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0(\3\0\0P\1\0\0" ) ) == 0x0 02266 860 NtDeviceIoControlFile ... {status=0x0, info=488}, ... {status=0x0, info=488}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02269 1516 NtResumeThread (484, ... 02270 860 NtDeviceIoControlFile (476, 204, 0x0, 0x0, 0x12047, (476, 204, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02269 1516 NtResumeThread ... 1, ) == 0x0 02270 860 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02271 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02272 860 NtDeviceIoControlFile (476, 204, 0x0, 0x0, 0x12037, (476, 204, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 02273 484 NtSetValueKey (480, (480, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... 
, 0, 1, (480, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... , 162, ... 02274 336 NtTestAlert (... 02272 860 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02273 484 NtSetValueKey ... ) == 0x0 02274 336 NtTestAlert ... ) == 0x0 02271 1516 NtAllocateVirtualMemory ... 71499776, 1048576, ) == 0x0 02275 484 NtClose (480, ... 02276 860 NtDeviceIoControlFile (476, 204, 0x0, 0x0, 0x1200b, (476, 204, 0x0, 0x0, 0x1200b, "\0\376\314\0\5\0\0\0\0\324\24\0", 12, 0, ... , 12, 0, ... 02277 1516 NtAllocateVirtualMemory (-1, 72540160, 0, 8192, 4096, 4, ... 02275 484 NtClose ... ) == 0x0 02276 860 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02277 1516 NtAllocateVirtualMemory ... 72540160, 8192, ) == 0x0 02278 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 14479352, ... }, 14479352, ... 02279 860 NtDeviceIoControlFile (476, 204, 0x0, 0x0, 0x12047, (476, 204, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\314\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02280 1516 NtProtectVirtualMemory (-1, (0x452e000), 4096, 260, ... 02278 484 NtQueryAttributesFile ... ) == 0x0 02279 860 NtDeviceIoControlFile ... 
{status=0x0, info=0}, 0x0, ) == 0x0 02280 1516 NtProtectVirtualMemory ... (0x452e000), 4096, 4, ) == 0x0 02281 336 NtContinue (71499056, 1, ... 02282 860 NtDeviceIoControlFile (476, 204, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... 02283 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02284 336 NtRegisterThreadTerminatePort (24, ... 02282 860 NtDeviceIoControlFile ... {status=0x0, info=26}, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02285 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 14478560, ... }, 14478560, ... 02284 336 NtRegisterThreadTerminatePort ... ) == 0x0 02283 1516 NtCreateThread ... 480, {808, 800}, ) == 0x0 02285 484 NtQueryAttributesFile ... ) == 0x0 02286 336 NtWaitForSingleObject (212, 0, 0x0, ... 02287 1516 NtQueryInformationThread (480, Basic, 28, ... 02288 484 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 7, 2113568, ... }, 7, 2113568, ... 02287 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=808,Tid=800,}, 0x0, ) == 0x0 02288 484 NtOpenFile ... 492, {status=0x0, info=1}, ) == 0x0 02289 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58006, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0(\3\0\0 \3\0\0" ... ... 02290 484 NtSetInformationFile (492, 14478532, 40, Basic, ... 02289 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58007, 0} ... {28, 56, reply, 0, 808, 1516, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0(\3\0\0 \3\0\0" ) ) == 0x0 02290 484 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02291 860 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 02292 484 NtClose (492, ... 02291 860 NtAllocateVirtualMemory ... 
1376256, 4096, ) == 0x0 02292 484 NtClose ... ) == 0x0 02293 860 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 02294 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\desktop.ini"}, 14478556, ... }, 14478556, ... 02293 860 NtAllocateVirtualMemory ... 1380352, 4096, ) == 0x0 02295 1516 NtResumeThread (480, ... 02296 860 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ... 02295 1516 NtResumeThread ... 1, ) == 0x0 02296 860 NtOpenFile ... 492, {status=0x0, info=0}, ) == 0x0 02297 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02294 484 NtQueryAttributesFile ... ) == 0x0 02298 800 NtTestAlert (... 02297 1516 NtAllocateVirtualMemory ... 72548352, 1048576, ) == 0x0 02299 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 14479352, ... }, 14479352, ... 02298 800 NtTestAlert ... ) == 0x0 02300 1516 NtAllocateVirtualMemory (-1, 73588736, 0, 8192, 4096, 4, ... 02299 484 NtQueryAttributesFile ... ) == 0x0 02301 800 NtContinue (72547632, 1, ... 02300 1516 NtAllocateVirtualMemory ... 73588736, 8192, ) == 0x0 02302 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 14478560, ... }, 14478560, ... 02303 800 NtRegisterThreadTerminatePort (24, ... 
02304 860 NtDeviceIoControlFile (492, 0, 0x0, 0x0, 0x390008, (492, 0, 0x0, 0x0, 0x390008, "\323390\325\305l\347\361\203VQ\10|i\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02302 484 NtQueryAttributesFile ... ) == 0x0 02303 800 NtRegisterThreadTerminatePort ... ) == 0x0 02305 860 NtQuerySystemInformation (TimeOfDay, 48, ... 02306 484 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 7, 2113568, ... }, 7, 2113568, ... 02307 1516 NtProtectVirtualMemory (-1, (0x462e000), 4096, 260, ... 02305 860 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02308 800 NtWaitForSingleObject (212, 0, 0x0, ... 02307 1516 NtProtectVirtualMemory ... (0x462e000), 4096, 4, ) == 0x0 02309 860 NtQuerySystemInformation (ProcessorTimes, 48, ... 02310 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02309 860 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02310 1516 NtCreateThread ... 496, {808, 504}, ) == 0x0 02311 860 NtQuerySystemInformation (Performance, 312, ... 02312 1516 NtQueryInformationThread (496, Basic, 28, ... 02306 484 NtOpenFile ... 500, {status=0x0, info=1}, ) == 0x0 02312 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=808,Tid=504,}, 0x0, ) == 0x0 02313 484 NtSetInformationFile (500, 14478532, 40, Basic, ... 02311 860 NtQuerySystemInformation ... 
{system info, class 2, size 312}, 312, ) == 0x0 02313 484 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02314 860 NtQuerySystemInformation (Exception, 16, ... 02315 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58007, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0(\3\0\0\370\1\0\0" ... ... 02314 860 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02315 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58008, 0} ... {28, 56, reply, 0, 808, 1516, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0(\3\0\0\370\1\0\0" ) ) == 0x0 02316 860 NtQuerySystemInformation (Lookaside, 32, ... 02317 1516 NtResumeThread (496, ... 02316 860 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02317 1516 NtResumeThread ... 1, ) == 0x0 02318 860 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02319 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02320 484 NtClose (500, ... 02321 504 NtTestAlert (... 02318 860 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02320 484 NtClose ... ) == 0x0 02321 504 NtTestAlert ... ) == 0x0 02322 860 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02323 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 14478556, ... }, 14478556, ... 02324 504 NtContinue (73596208, 1, ... 02322 860 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02323 484 NtQueryAttributesFile ... ) == 0x0 02325 504 NtRegisterThreadTerminatePort (24, ... 02326 484 NtQueryValueKey (324, (324, "CachePrefix", Partial, 144, ... , Partial, 144, ... 02325 504 NtRegisterThreadTerminatePort ... ) == 0x0 02326 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... 
TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02327 860 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02319 1516 NtAllocateVirtualMemory ... 73596928, 1048576, ) == 0x0 02328 504 NtWaitForSingleObject (212, 0, 0x0, ... 02327 860 NtCreateKey ... -2147481344, 2, ) == 0x0 02329 1516 NtAllocateVirtualMemory (-1, 74637312, 0, 8192, 4096, 4, ... 02330 860 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "_~\307\2147\323 \342$\306r\376z\225\363\314\24\366\223%\250[GU\353\13v\376\224\2034\377\273\262\323Z(I8)\207\230\302r}R\272\350a\360\260\230\3446\363\332\264X\322c[\302w5\267\336vt\216i\206*\267?f\266(\247\373\306", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "_~\307\2147\323 \342$\306r\376z\225\363\314\24\366\223%\250[GU\353\13v\376\224\2034\377\273\262\323Z(I8)\207\230\302r}R\272\350a\360\260\230\3446\363\332\264X\322c[\302w5\267\336vt\216i\206*\267?f\266(\247\373\306", 80, ... , 80, ... 02329 1516 NtAllocateVirtualMemory ... 74637312, 8192, ) == 0x0 02330 860 NtSetValueKey ... ) == 0x0 02331 1516 NtProtectVirtualMemory (-1, (0x472e000), 4096, 260, ... 02332 860 NtClose (-2147481344, ... 02331 1516 NtProtectVirtualMemory ... (0x472e000), 4096, 4, ) == 0x0 02332 860 NtClose ... ) == 0x0 02333 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02334 484 NtQueryValueKey (324, (324, "CachePrefix", Partial, 144, ... , Partial, 144, ... 02304 860 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "RGp'\216m\33\271\36\213\203@\327\315"w\225\376\35\12;\345o\250\374\326/Z\231\2163\223\316\200\304\6G\357k\370|\347\251\315Z\324\255\360\321l\3676~\347O\211\313Z\36\251li\265\230\303R\241@\203\2010\332\3236\2\266\364\327yc\206\331\231\254 E\"\303\303^\372\34V\336\353U\346%cR\353F\311CB[\205&|\374=#\251\356\241\232\225q\36n}\2\34\7\226\3470Y!\276\322A\247\257ghEB+\322v\232\214\321\250/g\325o\326XGh/\8\242H\256D\336q\316\310I\263\245\11\343\0j\275\325\377\205\226\213\311>\335\351\265\354!P\200n\220!\203\31nt\335 \351<=\326\2719x\350\203\347\350\315\374&\\3322\361\225yrH''(\353\226\16\262az"R7\270\321\303_\244P8\243\273\272\325k\260L\226J\273\13\336\231+\256\232)\352", ) w\225\376\35\12;\345o\250\374\326/Z\231\2163\223\316\200\304\6G\357k\370|\347\251\315Z\324\255\360\321l\3676~\347O\211\313Z\36\251li\265\230\303R\241@\203\2010\332\3236\2\266\364\327yc\206\331\231\254 E\ ... {status=0x0, info=256}, "RGp'\216m\33\271\36\213\203@\327\315"w\225\376\35\12;\345o\250\374\326/Z\231\2163\223\316\200\304\6G\357k\370|\347\251\315Z\324\255\360\321l\3676~\347O\211\313Z\36\251li\265\230\303R\241@\203\2010\332\3236\2\266\364\327yc\206\331\231\254 E\"\303\303^\372\34V\336\353U\346%cR\353F\311CB[\205&|\374=#\251\356\241\232\225q\36n}\2\34\7\226\3470Y!\276\322A\247\257ghEB+\322v\232\214\321\250/g\325o\326XGh/\8\242H\256D\336q\316\310I\263\245\11\343\0j\275\325\377\205\226\213\311>\335\351\265\354!P\200n\220!\203\31nt\335 \351<=\326\2719x\350\203\347\350\315\374&\\3322\361\225yrH''(\353\226\16\262az"R7\270\321\303_\244P8\243\273\272\325k\260L\226J\273\13\336\231+\256\232)\352", ) R7\270\321\303_\244P8\243\273\272\325k\260L\226J\273\13\336\231+\256\232)\352", ) == 0x0 02334 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02335 860 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02336 484 NtQueryValueKey (324, (324, "CacheLimit", Partial, 144, ... , Partial, 144, ... 02335 860 NtCreateEvent ... 
500, ) == 0x0 02336 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) }, 16, ) == 0x0 02337 860 NtConnectPort ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 13431416, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 13431416, 188, ... 02338 484 NtOpenKey (0xf, {24, 304, 0x40, 0, 0, (0xf, {24, 304, 0x40, 0, 0, "Cookies"}, ... 504, ) }, ... 504, ) == 0x0 02337 860 NtConnectPort ... 508, 0x0, 0x0, 0x0, 188, ) == 0x0 02333 1516 NtCreateThread ... 512, {808, 888}, ) == 0x0 02339 484 NtQueryValueKey (504, (504, "PerUserItem", Partial, 144, ... , Partial, 144, ... 02340 1516 NtQueryInformationThread (512, Basic, 28, ... 02339 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02340 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=808,Tid=888,}, 0x0, ) == 0x0 02341 484 NtOpenKey (0xf, {24, 300, 0x40, 0, 0, (0xf, {24, 300, 0x40, 0, 0, "Cookies"}, ... }, ... 02342 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58008, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0(\3\0\0x\3\0\0" ... ... 02341 484 NtOpenKey ... 516, ) == 0x0 02342 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58010, 0} ... {28, 56, reply, 0, 808, 1516, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0(\3\0\0x\3\0\0" ) ) == 0x0 02343 484 NtQueryValueKey (516, (516, "PerUserItem", Partial, 144, ... , Partial, 144, ... 
02344 860 NtRequestWaitReplyPort (508, {200, 224, new_msg, 0, 2883626, 1370272, 12, 2} (508, {200, 224, new_msg, 0, 2883626, 1370272, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\0\0\0\0x\1\24\0\230\1\24\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\251\12G\214\36\234\17\343p\31\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0H\31\25\0\231\3h\222x\1\24\0h\31\25\0h\1\24\0\0\0\0\0\0\0\0\0h\31\25\0P\0\0\0p\31\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\314\0\372\31\221|\214\370\314\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... ... 02343 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02344 860 NtRequestWaitReplyPort ... {200, 224, reply, 0, 808, 860, 58011, 0} ... {200, 224, reply, 0, 808, 860, 58011, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\377\377\377\377\230\1\24\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\251\12G\214\36\234\17\343p\31\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0H\31\25\0\231\3h\222x\1\24\0h\31\25\0h\1\24\0\0\0\0\0\0\0\0\0h\31\25\0P\0\0\0p\31\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\314\0\372\31\221|\214\370\314\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) ) == 0x0 02345 1516 NtResumeThread (512, ... 02346 860 NtRequestWaitReplyPort (508, {44, 68, new_msg, 56, 0, 0, 0, 0} (508, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0h\34\25\0\322\0\0\0" ... ... 02345 1516 NtResumeThread ... 1, ) == 0x0 02347 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 74645504, 1048576, ) == 0x0 02348 1516 NtAllocateVirtualMemory (-1, 75685888, 0, 8192, 4096, 4, ... 75685888, 8192, ) == 0x0 02346 860 NtRequestWaitReplyPort ... {40, 64, reply, 0, 808, 860, 58012, 0} ... 
{40, 64, reply, 0, 808, 860, 58012, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" ) ) == 0x0 02349 484 NtClose (516, ... 02350 888 NtTestAlert (... 02351 1516 NtProtectVirtualMemory (-1, (0x482e000), 4096, 260, ... 02349 484 NtClose ... ) == 0x0 02350 888 NtTestAlert ... ) == 0x0 02351 1516 NtProtectVirtualMemory ... (0x482e000), 4096, 4, ) == 0x0 02352 484 NtClose (504, ... 02353 888 NtContinue (74644784, 1, ... 02354 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02352 484 NtClose ... ) == 0x0 02355 888 NtRegisterThreadTerminatePort (24, ... 02354 1516 NtCreateThread ... 504, {808, 1392}, ) == 0x0 02356 484 NtClose (324, ... 02355 888 NtRegisterThreadTerminatePort ... ) == 0x0 02357 1516 NtQueryInformationThread (504, Basic, 28, ... 02356 484 NtClose ... ) == 0x0 02358 860 NtRequestWaitReplyPort (508, {64, 88, new_msg, 56, 1310720, 13431284, 1383520, 0} (508, {64, 88, new_msg, 56, 1310720, 13431284, 1383520, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0H\35\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 02357 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=808,Tid=1392,}, 0x0, ) == 0x0 02359 888 NtWaitForSingleObject (212, 0, 0x0, ... 02358 860 NtRequestWaitReplyPort ... {64, 88, reply, 56, 808, 860, 58013, 0} ... {64, 88, reply, 56, 808, 860, 58013, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0H\35\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 02360 484 NtOpenKey (0xf, {24, 304, 0x40, 0, 0, (0xf, {24, 304, 0x40, 0, 0, "Cookies"}, ... }, ... 02361 860 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 02360 484 NtOpenKey ... 324, ) == 0x0 02361 860 NtAllocateVirtualMemory ... 1384448, 4096, ) == 0x0 02362 484 NtOpenThreadToken (-2, 0xc, 1, ... 
02363 860 NtRequestWaitReplyPort (508, {44, 68, new_msg, 56, 808, 860, 58012, 0} (508, {44, 68, new_msg, 56, 808, 860, 58012, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0h\34\25\0\322\0\0\0" ... ... 02362 484 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02364 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58010, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0(\3\0\0p\5\0\0" ... ... 02365 484 NtReleaseSemaphore (468, 1, ... 02364 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58014, 0} ... {28, 56, reply, 0, 808, 1516, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0(\3\0\0p\5\0\0" ) ) == 0x0 02365 484 NtReleaseSemaphore ... 0, ) == 0x0 02366 1516 NtResumeThread (504, ... 02363 860 NtRequestWaitReplyPort ... {40, 64, reply, 0, 808, 860, 58015, 0} ... {40, 64, reply, 0, 808, 860, 58015, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" ) ) == 0x0 02366 1516 NtResumeThread ... 1, ) == 0x0 02367 860 NtRequestWaitReplyPort (508, {64, 88, new_msg, 56, 1310720, 13431284, 13432028, 0} (508, {64, 88, new_msg, 56, 1310720, 13431284, 13432028, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0(*\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 02368 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02367 860 NtRequestWaitReplyPort ... {64, 88, reply, 56, 808, 860, 58016, 0} ... {64, 88, reply, 56, 808, 860, 58016, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0(*\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 02369 484 NtWaitForSingleObject (468, 0, {0, 0}, ... 02370 1392 NtTestAlert (... 
02371 860 NtRequestWaitReplyPort (508, {44, 68, new_msg, 56, 808, 860, 58015, 0} (508, {44, 68, new_msg, 56, 808, 860, 58015, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0h\34\25\0\322\0\0\0" ... ... 02369 484 NtWaitForSingleObject ... ) == 0x0 02370 1392 NtTestAlert ... ) == 0x0 02368 1516 NtAllocateVirtualMemory ... 75694080, 1048576, ) == 0x0 02372 484 NtCreateKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02373 1392 NtContinue (75693360, 1, ... 02374 1516 NtAllocateVirtualMemory (-1, 76734464, 0, 8192, 4096, 4, ... 02372 484 NtCreateKey ... 516, 2, ) == 0x0 02375 1392 NtRegisterThreadTerminatePort (24, ... 02374 1516 NtAllocateVirtualMemory ... 76734464, 8192, ) == 0x0 02376 484 NtQueryValueKey (516, (516, "Cookies", Partial, 144, ... , Partial, 144, ... 02375 1392 NtRegisterThreadTerminatePort ... ) == 0x0 02377 1516 NtProtectVirtualMemory (-1, (0x492e000), 4096, 260, ... 02371 860 NtRequestWaitReplyPort ... {40, 64, reply, 0, 808, 860, 58017, 0} ... {40, 64, reply, 0, 808, 860, 58017, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0|\1\0\0h\236\14\0" ) ) == 0x0 02376 484 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 02377 1516 NtProtectVirtualMemory ... (0x492e000), 4096, 4, ) == 0x0 02378 860 NtRequestWaitReplyPort (508, {64, 88, new_msg, 56, 1310720, 13431284, 13432028, 0} (508, {64, 88, new_msg, 56, 1310720, 13431284, 13432028, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0\300,\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 02379 484 NtClose (516, ... 02380 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02379 484 NtClose ... 
) == 0x0 02378 860 NtRequestWaitReplyPort ... {64, 88, reply, 56, 808, 860, 58018, 0} ... {64, 88, reply, 56, 808, 860, 58018, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0\300,\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 02381 1392 NtWaitForSingleObject (212, 0, 0x0, ... 02382 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 14478660, ... }, 14478660, ... 02383 860 NtClose (500, ... 02382 484 NtQueryAttributesFile ... ) == 0x0 02380 1516 NtCreateThread ... 516, {808, 2020}, ) == 0x0 02384 484 NtCreateKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02385 1516 NtQueryInformationThread (516, Basic, 28, ... 02383 860 NtClose ... ) == 0x0 02385 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=808,Tid=2020,}, 0x0, ) == 0x0 02386 860 NtClose (508, ... 02387 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58014, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0(\3\0\0\344\7\0\0" ... ... 02386 860 NtClose ... ) == 0x0 02387 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58020, 0} ... 
{28, 56, reply, 0, 808, 1516, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0(\3\0\0\344\7\0\0" ) ) == 0x0 02388 860 NtDeviceIoControlFile (492, 0, 0x0, 0x0, 0x390008, (492, 0, 0x0, 0x0, 0x390008, "\323390\325\305l7\326\203\222\5\206\300\20\264?5\374\354\317\240\363\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02384 484 NtCreateKey ... 508, 2, ) == 0x0 02389 860 NtQuerySystemInformation (TimeOfDay, 48, ... 02390 484 NtSetValueKey (508, (508, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... , 0, 1, (508, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... , 98, ... 02389 860 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02390 484 NtSetValueKey ... ) == 0x0 02391 1516 NtResumeThread (516, ... 02392 484 NtClose (508, ... 02391 1516 NtResumeThread ... 1, ) == 0x0 02392 484 NtClose ... ) == 0x0 02393 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02394 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 14479352, ... }, 14479352, ... 02393 1516 NtAllocateVirtualMemory ... 76742656, 1048576, ) == 0x0 02395 860 NtQuerySystemInformation (ProcessorTimes, 48, ... 02396 2020 NtTestAlert (... 02397 1516 NtAllocateVirtualMemory (-1, 77783040, 0, 8192, 4096, 4, ... 
02395 860 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02396 2020 NtTestAlert ... ) == 0x0 02397 1516 NtAllocateVirtualMemory ... 77783040, 8192, ) == 0x0 02398 860 NtQuerySystemInformation (Performance, 312, ... 02399 2020 NtContinue (76741936, 1, ... 02394 484 NtQueryAttributesFile ... ) == 0x0 02398 860 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02400 2020 NtRegisterThreadTerminatePort (24, ... 02401 484 NtQueryValueKey (324, (324, "CachePrefix", Partial, 144, ... , Partial, 144, ... 02402 860 NtQuerySystemInformation (Exception, 16, ... 02400 2020 NtRegisterThreadTerminatePort ... ) == 0x0 02401 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 02402 860 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02403 1516 NtProtectVirtualMemory (-1, (0x4a2e000), 4096, 260, ... 02404 484 NtQueryValueKey (324, (324, "CachePrefix", Partial, 144, ... , Partial, 144, ... 02405 2020 NtWaitForSingleObject (212, 0, 0x0, ... 02403 1516 NtProtectVirtualMemory ... (0x4a2e000), 4096, 4, ) == 0x0 02404 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 02406 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02407 484 NtQueryValueKey (324, (324, "CacheLimit", Partial, 144, ... , Partial, 144, ... 02406 1516 NtCreateThread ... 508, {808, 1676}, ) == 0x0 02408 860 NtQuerySystemInformation (Lookaside, 32, ... 02409 1516 NtQueryInformationThread (508, Basic, 28, ... 02408 860 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02409 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=808,Tid=1676,}, 0x0, ) == 0x0 02410 860 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02407 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... 
TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 02410 860 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02411 484 NtOpenKey (0xf, {24, 304, 0x40, 0, 0, (0xf, {24, 304, 0x40, 0, 0, "History"}, ... }, ... 02412 860 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02411 484 NtOpenKey ... 500, ) == 0x0 02412 860 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02413 484 NtQueryValueKey (500, (500, "PerUserItem", Partial, 144, ... , Partial, 144, ... 02414 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58020, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0(\3\0\0\214\6\0\0" ... ... 02413 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02414 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58022, 0} ... {28, 56, reply, 0, 808, 1516, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0(\3\0\0\214\6\0\0" ) ) == 0x0 02415 484 NtOpenKey (0xf, {24, 300, 0x40, 0, 0, (0xf, {24, 300, 0x40, 0, 0, "History"}, ... }, ... 02416 1516 NtResumeThread (508, ... 02417 860 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02416 1516 NtResumeThread ... 1, ) == 0x0 02417 860 NtCreateKey ... -2147481344, 2, ) == 0x0 02418 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02419 860 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "O\246\333F\327?\364\237\213v5\345Zs\257\0\24VN\307\5\243Rc\2b\354\356\275J\251'\371\377f\314\273\265\231sw\302\244\27*+E\1\363\366y\374\303\343\201\270\207\325l\334(\352\3669\257TG%\7s\11\236\354\321\210\241\311\17\342\307", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "O\246\333F\327?\364\237\213v5\345Zs\257\0\24VN\307\5\243Rc\2b\354\356\275J\251'\371\377f\314\273\265\231sw\302\244\27*+E\1\363\366y\374\303\343\201\270\207\325l\334(\352\3669\257TG%\7s\11\236\354\321\210\241\311\17\342\307", 80, ... 
, 80, ... 02415 484 NtOpenKey ... 520, ) == 0x0 02420 1676 NtTestAlert (... 02419 860 NtSetValueKey ... ) == 0x0 02421 484 NtQueryValueKey (520, (520, "PerUserItem", Partial, 144, ... , Partial, 144, ... 02420 1676 NtTestAlert ... ) == 0x0 02422 860 NtClose (-2147481344, ... 02421 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02423 1676 NtContinue (77790512, 1, ... 02422 860 NtClose ... ) == 0x0 02424 484 NtClose (520, ... 02425 1676 NtRegisterThreadTerminatePort (24, ... 02418 1516 NtAllocateVirtualMemory ... 77791232, 1048576, ) == 0x0 02424 484 NtClose ... ) == 0x0 02425 1676 NtRegisterThreadTerminatePort ... ) == 0x0 02426 1516 NtAllocateVirtualMemory (-1, 78831616, 0, 8192, 4096, 4, ... 02427 484 NtClose (500, ... 02388 860 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "h\372"\345\227\224\3435FF5\112\271YXBuJ"4X\230o\367t2\264&Ag\204\355Q|\215\376\20|9\30t\321&\366=\327\254 \326_\257\2672\27\370Kx\344ns\322\367\315\300>\37\263\335\15\264\340\6d\307y^x\235\2K\5P\315\222\304'\12\374*m\233\267\303\0+9\251\270^)?\12\233'2\230\356\325\15\31\357\223\321\311\332\367\32\344\216`\320\226n\234\317e\324\240;\202XwO\32=\331YHc\215\365)\25\202\204\343r\272\357\31\313a\347\4^s\1^\225\261\367\3711s^\210\203\260\200'\247\243\16\277k\343\13\271@\225\22Qn\361z\274\0\306>\5vt\243W\257\233\356Vsd8p>D!\216<\226\204\213\32-\234y\214?2\302r\355&<\25a\211\303\201S\2B\307M\236\372\334m\^\177c\204\317\302\316\3124.@J\204\5\226D\320", ) \345\227\224\3435FF5\112\271YXBuJ ... 
{status=0x0, info=256}, "h\372"\345\227\224\3435FF5\112\271YXBuJ"4X\230o\367t2\264&Ag\204\355Q|\215\376\20|9\30t\321&\366=\327\254 \326_\257\2672\27\370Kx\344ns\322\367\315\300>\37\263\335\15\264\340\6d\307y^x\235\2K\5P\315\222\304'\12\374*m\233\267\303\0+9\251\270^)?\12\233'2\230\356\325\15\31\357\223\321\311\332\367\32\344\216`\320\226n\234\317e\324\240;\202XwO\32=\331YHc\215\365)\25\202\204\343r\272\357\31\313a\347\4^s\1^\225\261\367\3711s^\210\203\260\200'\247\243\16\277k\343\13\271@\225\22Qn\361z\274\0\306>\5vt\243W\257\233\356Vsd8p>D!\216<\226\204\213\32-\234y\214?2\302r\355&<\25a\211\303\201S\2B\307M\236\372\334m\^\177c\204\317\302\316\3124.@J\204\5\226D\320", ) , ) == 0x0 02426 1516 NtAllocateVirtualMemory ... 78831616, 8192, ) == 0x0 02428 1676 NtWaitForSingleObject (212, 0, 0x0, ... 02429 860 NtDeviceIoControlFile (492, 0, 0x0, 0x0, 0x390008, (492, 0, 0x0, 0x0, 0x390008, "\323390\325\305l7\326\203\222\5\206\300;UM$\257;\7\314.?5\374\354\317\240\363\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02430 1516 NtProtectVirtualMemory (-1, (0x4b2e000), 4096, 260, ... 02431 860 NtQuerySystemInformation (TimeOfDay, 48, ... 02430 1516 NtProtectVirtualMemory ... (0x4b2e000), 4096, 4, ) == 0x0 02431 860 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02432 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02433 860 NtQuerySystemInformation (ProcessorTimes, 48, ... 02427 484 NtClose ... ) == 0x0 02433 860 NtQuerySystemInformation ... 
{system info, class 8, size 48}, 48, ) == 0x0 02434 484 NtClose (324, ... 02432 1516 NtCreateThread ... 500, {808, 496}, ) == 0x0 02434 484 NtClose ... ) == 0x0 02435 1516 NtQueryInformationThread (500, Basic, 28, ... 02436 484 NtOpenKey (0xf, {24, 304, 0x40, 0, 0, (0xf, {24, 304, 0x40, 0, 0, "History"}, ... }, ... 02435 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=808,Tid=496,}, 0x0, ) == 0x0 02436 484 NtOpenKey ... 324, ) == 0x0 02437 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58022, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0(\3\0\0\360\1\0\0" ... ... 02438 484 NtOpenThreadToken (-2, 0xc, 1, ... 02437 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58023, 0} ... {28, 56, reply, 0, 808, 1516, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0(\3\0\0\360\1\0\0" ) ) == 0x0 02439 860 NtQuerySystemInformation (Performance, 312, ... 02438 484 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02439 860 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02440 484 NtReleaseSemaphore (468, 1, ... 02441 860 NtQuerySystemInformation (Exception, 16, ... 02440 484 NtReleaseSemaphore ... 0, ) == 0x0 02441 860 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02442 484 NtWaitForSingleObject (468, 0, {0, 0}, ... 02443 860 NtQuerySystemInformation (Lookaside, 32, ... 02442 484 NtWaitForSingleObject ... ) == 0x0 02443 860 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02444 1516 NtResumeThread (500, ... 02445 484 NtCreateKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02444 1516 NtResumeThread ... 1, ) == 0x0 02445 484 NtCreateKey ... 520, 2, ) == 0x0 02446 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
02447 484 NtQueryValueKey (520, (520, "History", Partial, 144, ... , Partial, 144, ... 02446 1516 NtAllocateVirtualMemory ... 78839808, 1048576, ) == 0x0 02447 484 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 02448 1516 NtAllocateVirtualMemory (-1, 79880192, 0, 8192, 4096, 4, ... 02449 484 NtClose (520, ... 02448 1516 NtAllocateVirtualMemory ... 79880192, 8192, ) == 0x0 02449 484 NtClose ... ) == 0x0 02450 860 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02451 496 NtTestAlert (... 02452 1516 NtProtectVirtualMemory (-1, (0x4c2e000), 4096, 260, ... 02450 860 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02451 496 NtTestAlert ... ) == 0x0 02452 1516 NtProtectVirtualMemory ... (0x4c2e000), 4096, 4, ) == 0x0 02453 860 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02454 496 NtContinue (78839088, 1, ... 02455 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02453 860 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02456 496 NtRegisterThreadTerminatePort (24, ... 02455 1516 NtCreateThread ... 520, {808, 1020}, ) == 0x0 02457 860 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02456 496 NtRegisterThreadTerminatePort ... ) == 0x0 02458 1516 NtQueryInformationThread (520, Basic, 28, ... 02457 860 NtCreateKey ... -2147481344, 2, ) == 0x0 02459 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 14478660, ... }, 14478660, ... 02458 1516 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=808,Tid=1020,}, 0x0, ) == 0x0 02460 860 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "Z\275t\306\240\216O\263MKx\235x9\245\351\270\305a\340`\12mj\367\341\374\341\221\254\1\364\23r(\325\276\367\211\370\36(\275g\233#=\272\356\325\1\15g-%\250.\17\237\312\234\267\300\377B\315S \353p\2219\322.\355r\251\247\211", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "Z\275t\306\240\216O\263MKx\235x9\245\351\270\305a\340`\12mj\367\341\374\341\221\254\1\364\23r(\325\276\367\211\370\36(\275g\233#=\272\356\325\1\15g-%\250.\17\237\312\234\267\300\377B\315S \353p\2219\322.\355r\251\247\211", 80, ... , 80, ... 02459 484 NtQueryAttributesFile ... ) == 0x0 02461 496 NtWaitForSingleObject (212, 0, 0x0, ... 02460 860 NtSetValueKey ... ) == 0x0 02462 484 NtCreateKey (0x2000000, {24, 100, 0x40, 0, 0, (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02463 860 NtClose (-2147481344, ... 02462 484 NtCreateKey ... 524, 2, ) == 0x0 02463 860 NtClose ... ) == 0x0 02464 484 NtSetValueKey (524, (524, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... , 0, 1, (524, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... , 128, ... 02429 860 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "i\272\250\206\253A\15\177\222\203{=\20\305\315x\307\334-\21J2$R\320\335z$g\363\273\265\206C\210yS\327\371\121\223\370\253\340\236\273\245\237\2\11W\332\330\12BfL\362\351\310\327M\363b\21\361WQ3\21\275C\326\317\356.\376\266\275\23\332@\331{\22\331i\301\267\21\3*\344|\307s%\234&\344\346\242\2634\254\21\325t\14\21\225\243\231=V?\4\262q\364d\251mh\316RRG\264\277\177\211#<[x\334q~\241\5\355\235}\360\276\257\5\31\351\241B\267#\227\315\244\35\366\255=S\374|f\275\23D\274\354\272\30Y\32\206&\4X=\37\2\331&R\11U\261Cb\2\13\7\312\30\346\0\276\374\224\367\206\323\343>\235\276v\361`\367?\203\312\216\7\371\273\247D\225\324\241$\251\332\346\357b"\273\5\210\37\26.Mj\341\26310\213W\316\355\307\325\373\3\341PN\340\370\246", ) \273\5\210\37\26.Mj\341\26310\213W\316\355\307\325\373\3\341PN\340\370\246", ) == 0x0 02464 484 NtSetValueKey ... ) == 0x0 02465 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58023, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0(\3\0\0\374\3\0\0" ... ... 02466 860 NtDeviceIoControlFile (492, 0, 0x0, 0x0, 0x390008, (492, 0, 0x0, 0x0, 0x390008, "\323390\325\305l7\326\203\222\5\206\300;UM$\257;\7\347\317M$\257;\7\314.?5\374\354\317\240\363\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02465 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58024, 0} ... {28, 56, reply, 0, 808, 1516, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0(\3\0\0\374\3\0\0" ) ) == 0x0 02467 860 NtQuerySystemInformation (TimeOfDay, 48, ... 02468 1516 NtResumeThread (520, ... 
02467 860 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02468 1516 NtResumeThread ... 1, ) == 0x0 02469 860 NtQuerySystemInformation (ProcessorTimes, 48, ... 02470 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02469 860 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02471 484 NtClose (524, ... 02472 1020 NtTestAlert (... 02473 860 NtQuerySystemInformation (Performance, 312, ... 02471 484 NtClose ... ) == 0x0 02472 1020 NtTestAlert ... ) == 0x0 02470 1516 NtAllocateVirtualMemory ... 79888384, 1048576, ) == 0x0 02474 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 14479352, ... }, 14479352, ... 02475 1020 NtContinue (79887664, 1, ... 02476 1516 NtAllocateVirtualMemory (-1, 80928768, 0, 8192, 4096, 4, ... 02474 484 NtQueryAttributesFile ... ) == 0x0 02477 1020 NtRegisterThreadTerminatePort (24, ... 02476 1516 NtAllocateVirtualMemory ... 80928768, 8192, ) == 0x0 02478 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 14478560, ... }, 14478560, ... 02477 1020 NtRegisterThreadTerminatePort ... ) == 0x0 02479 1516 NtProtectVirtualMemory (-1, (0x4d2e000), 4096, 260, ... 02478 484 NtQueryAttributesFile ... ) == 0x0 02473 860 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02479 1516 NtProtectVirtualMemory ... (0x4d2e000), 4096, 4, ) == 0x0 02480 1020 NtWaitForSingleObject (212, 0, 0x0, ... 02481 860 NtQuerySystemInformation (Exception, 16, ... 02482 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02481 860 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02483 484 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 7, 2113568, ... }, 7, 2113568, ... 
02484 860 NtQuerySystemInformation (Lookaside, 32, ... 02483 484 NtOpenFile ... 524, {status=0x0, info=1}, ) == 0x0 02484 860 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02485 484 NtSetInformationFile (524, 14478532, 40, Basic, ... 02486 860 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02485 484 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02482 1516 NtCreateThread ... 528, {808, 432}, ) == 0x0 02487 484 NtClose (524, ... 02488 1516 NtQueryInformationThread (528, Basic, 28, ... 02487 484 NtClose ... ) == 0x0 02488 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=808,Tid=432,}, 0x0, ) == 0x0 02489 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\desktop.ini"}, 14478556, ... }, 14478556, ... 02490 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58024, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0(\3\0\0\260\1\0\0" ... ... 02489 484 NtQueryAttributesFile ... ) == 0x0 02490 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58025, 0} ... {28, 56, reply, 0, 808, 1516, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0(\3\0\0\260\1\0\0" ) ) == 0x0 02491 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 14479352, ... }, 14479352, ... 02486 860 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02492 1516 NtResumeThread (528, ... 02493 860 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02492 1516 NtResumeThread ... 1, ) == 0x0 02493 860 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02494 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
02495 860 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02494 1516 NtAllocateVirtualMemory ... 80936960, 1048576, ) == 0x0 02495 860 NtCreateKey ... -2147481344, 2, ) == 0x0 02496 1516 NtAllocateVirtualMemory (-1, 81977344, 0, 8192, 4096, 4, ... 02497 860 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "QPP\255\220b\262\2\4\31U\354\38a1\211\254|\341V\344E\30\344\17\234\203d\245\321\3211n\347~\374^\372\24q8\204W\356\310\200\265\6P5\254\254\274\351^\354\313\331\361]\37i\374\240=\\351\20&\206\334\210\331\322O\215\3144\200", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "QPP\255\220b\262\2\4\31U\354\38a1\211\254|\341V\344E\30\344\17\234\203d\245\321\3211n\347~\374^\372\24q8\204W\356\310\200\265\6P5\254\254\274\351^\354\313\331\361]\37i\374\240=\\351\20&\206\334\210\331\322O\215\3144\200", 80, ... , 80, ... 02496 1516 NtAllocateVirtualMemory ... 81977344, 8192, ) == 0x0 02491 484 NtQueryAttributesFile ... ) == 0x0 02498 432 NtTestAlert (... 02497 860 NtSetValueKey ... ) == 0x0 02499 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 14478560, ... }, 14478560, ... 02498 432 NtTestAlert ... ) == 0x0 02500 860 NtClose (-2147481344, ... 02499 484 NtQueryAttributesFile ... ) == 0x0 02501 432 NtContinue (80936240, 1, ... 02500 860 NtClose ... ) == 0x0 02502 484 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 7, 2113568, ... }, 7, 2113568, ... 02503 432 NtRegisterThreadTerminatePort (24, ... 02466 860 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\264\264P\334'o\311\212\344by\351\32\27\244\377q0l\244\333\352o\232\220\320\350\263\252HA\252\264\234&\222$u\345\341\250M=\372\337C\240D\2750N\217\243\253t\11X\203d1\221*\227\5\307f\35U\337C"%M\212\271\203\365\205\224&\270\11\371\257\24W`w\211\277~+\217.\263l%m&\221\322\24{\11\272\205\367'\312\24u\217\313i\277\3143\12\356\27\342\177ht)1a\215\203\367|\307L\212\372g\241\225\2150\347Q\203\2\232\204*f<\232\32\177\263:l\13\241\375\340\217cM"\335/\2(M\326\366\216\37G\26\272p\34\331\14C\346\177\250[\356\0\15NHu\200L@b8@\321\333C%X\335\231X5\364~I\306\232\327F\274\301-U\234\2652\25\333\347\316v\360\253\20\10\37Q{\26\15\4\202\207\241\322\307\344\212s\260\361\14\272\227U\36\236\2668\207T\201", ) %M\212\271\203\365\205\224&\270\11\371\257\24W`w\211\277~+\217.\263l%m&\221\322\24{\11\272\205\367'\312\24u\217\313i\277\3143\12\356\27\342\177ht)1a\215\203\367|\307L\212\372g\241\225\2150\347Q\203\2\232\204*f<\232\32\177\263:l\13\241\375\340\217cM ... {status=0x0, info=256}, "\264\264P\334'o\311\212\344by\351\32\27\244\377q0l\244\333\352o\232\220\320\350\263\252HA\252\264\234&\222$u\345\341\250M=\372\337C\240D\2750N\217\243\253t\11X\203d1\221*\227\5\307f\35U\337C"%M\212\271\203\365\205\224&\270\11\371\257\24W`w\211\277~+\217.\263l%m&\221\322\24{\11\272\205\367'\312\24u\217\313i\277\3143\12\356\27\342\177ht)1a\215\203\367|\307L\212\372g\241\225\2150\347Q\203\2\232\204*f<\232\32\177\263:l\13\241\375\340\217cM"\335/\2(M\326\366\216\37G\26\272p\34\331\14C\346\177\250[\356\0\15NHu\200L@b8@\321\333C%X\335\231X5\364~I\306\232\327F\274\301-U\234\2652\25\333\347\316v\360\253\20\10\37Q{\26\15\4\202\207\241\322\307\344\212s\260\361\14\272\227U\36\236\2668\207T\201", ) , ) == 0x0 02502 484 NtOpenFile ... 524, {status=0x0, info=1}, ) == 0x0 02503 432 NtRegisterThreadTerminatePort ... 
) == 0x0 02504 860 NtDeviceIoControlFile (492, 0, 0x0, 0x0, 0x390008, (492, 0, 0x0, 0x0, 0x390008, "\323390\325\305l7\326\203\222\5\206\300;UM$\257;\7\347\317M$\257;\7\347\317M$\257;\7\314.?5\374\354\317\240\363\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02505 484 NtSetInformationFile (524, 14478532, 40, Basic, ... 02506 1516 NtProtectVirtualMemory (-1, (0x4e2e000), 4096, 260, ... 02507 860 NtQuerySystemInformation (TimeOfDay, 48, ... 02508 432 NtWaitForSingleObject (212, 0, 0x0, ... 02506 1516 NtProtectVirtualMemory ... (0x4e2e000), 4096, 4, ) == 0x0 02505 484 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02509 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02510 484 NtClose (524, ... 02509 1516 NtCreateThread ... 532, {808, 1332}, ) == 0x0 02510 484 NtClose ... ) == 0x0 02511 1516 NtQueryInformationThread (532, Basic, 28, ... 02507 860 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02511 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=808,Tid=1332,}, 0x0, ) == 0x0 02512 860 NtQuerySystemInformation (ProcessorTimes, 48, ... 02513 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 14478556, ... }, 14478556, ... 02512 860 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02513 484 NtQueryAttributesFile ... ) == 0x0 02514 860 NtQuerySystemInformation (Performance, 312, ... 
02515 484 NtQueryValueKey (324, (324, "CachePrefix", Partial, 144, ... , Partial, 144, ... 02514 860 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02515 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 02516 860 NtQuerySystemInformation (Exception, 16, ... 02517 484 NtQueryValueKey (324, (324, "CachePrefix", Partial, 144, ... , Partial, 144, ... 02518 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58025, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0(\3\0\04\5\0\0" ... ... 02517 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 02518 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58026, 0} ... {28, 56, reply, 0, 808, 1516, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0(\3\0\04\5\0\0" ) ) == 0x0 02516 860 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02519 1516 NtResumeThread (532, ... 02520 860 NtQuerySystemInformation (Lookaside, 32, ... 02519 1516 NtResumeThread ... 1, ) == 0x0 02520 860 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02521 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02522 860 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02523 484 NtQueryValueKey (324, (324, "CacheLimit", Partial, 144, ... , Partial, 144, ... 02524 1332 NtTestAlert (... 02522 860 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02523 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 02524 1332 NtTestAlert ... ) == 0x0 02525 860 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02526 484 NtClose (324, ... 02527 1332 NtContinue (81984816, 1, ... 02521 1516 NtAllocateVirtualMemory ... 
81985536, 1048576, ) == 0x0 02526 484 NtClose ... ) == 0x0 02528 1332 NtRegisterThreadTerminatePort (24, ... 02529 1516 NtAllocateVirtualMemory (-1, 83025920, 0, 8192, 4096, 4, ... 02530 484 NtClose (304, ... 02528 1332 NtRegisterThreadTerminatePort ... ) == 0x0 02529 1516 NtAllocateVirtualMemory ... 83025920, 8192, ) == 0x0 02530 484 NtClose ... ) == 0x0 02525 860 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02531 1516 NtProtectVirtualMemory (-1, (0x4f2e000), 4096, 260, ... 02532 1332 NtWaitForSingleObject (212, 0, 0x0, ... 02533 860 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02531 1516 NtProtectVirtualMemory ... (0x4f2e000), 4096, 4, ) == 0x0 02533 860 NtCreateKey ... -2147481344, 2, ) == 0x0 02534 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02535 860 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "\215\27\313\341\354\323\246\343\245\367v\230\243\1\216'\260\217+\371\247A\16S\257\322\354\325):K\345\356\222$\252\247B\352P\343\3173.\230|\335\234\35\351\377\246\177Y\202\2378\334\213\350\302\332\204w\222\0\6\336\307#\226\265o'\356\307\341\241\262", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "\215\27\313\341\354\323\246\343\245\367v\230\243\1\216'\260\217+\371\247A\16S\257\322\354\325):K\345\356\222$\252\247B\352P\343\3173.\230|\335\234\35\351\377\246\177Y\202\2378\334\213\350\302\332\204w\222\0\6\336\307#\226\265o'\356\307\341\241\262", 80, ... , 80, ... 02536 484 NtClose (300, ... 02535 860 NtSetValueKey ... ) == 0x0 02536 484 NtClose ... ) == 0x0 02537 860 NtClose (-2147481344, ... 02538 484 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\_!MSFTHISTORY!_"}, ... }, ... 02534 1516 NtCreateThread ... 300, {808, 1328}, ) == 0x0 02538 484 NtOpenMutant ... 304, ) == 0x0 02539 1516 NtQueryInformationThread (300, Basic, 28, ... 
02540 484 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!temporary internet files!content.ie5!"}, ... }, ... 02539 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=808,Tid=1328,}, 0x0, ) == 0x0 02540 484 NtOpenMutant ... 324, ) == 0x0 02541 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58026, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0(\3\0\00\5\0\0" ... ... 02537 860 NtClose ... ) == 0x0 02541 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58027, 0} ... {28, 56, reply, 0, 808, 1516, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0(\3\0\00\5\0\0" ) ) == 0x0 02504 860 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "i+`w\220k\264x\324\22x\3702OC\234\246\311\215\331\235\350}\275\370\345\223\312?\345"\1YQU\27\314C\4$\274\1\352\343\344P\341\360\377\214iW\17\313\376\316\366\210.{En=\232\25\275\236\356\220\225\350\201{b\302\226b\341\262\351\311\275\177\12\303\374\365(\347\16-\313\25\262b\316\0xz\225\322~\325\350\ze\3557\203\2\317 \7P\342\233\324\324\317s\24\367\273\17\362n\252\223\366\303\325Eu\324KB\233\1\2104\311\262d$\275\300\346_\264\22\330\372\200m\262\313\16:\315+\234\304\310O\341\212#\364\215\231\22#\25303c&\364ug\35\351\\327\340\221\222\12V\202\20279\34\317\336\203'\24\327\24\351\370\32\226\363\354!\220\211\365\323=\217\10\377\370\273k \253\263\30\233\226\235+\243\242\222\307\38\3\14\6/\232\\353J\4\31'\353\233\373\353\276\254\223u\245\263\214", ) \1YQU\27\314C\4$\274\1\352\343\344P\341\360\377\214iW\17\313\376\316\366\210.{En=\232\25\275\236\356\220\225\350\201{b\302\226b\341\262\351\311\275\177\12\303\374\365(\347\16-\313\25\262b\316\0xz\225\322~\325\350\ze\3557\203\2\317 
\7P\342\233\324\324\317s\24\367\273\17\362n\252\223\366\303\325Eu\324KB\233\1\2104\311\262d$\275\300\346_\264\22\330\372\200m\262\313\16:\315+\234\304\310O\341\212#\364\215\231\22#\25303c&\364ug\35\351\\327\340\221\222\12V\202\20279\34\317\336\203'\24\327\24\351\370\32\226\363\354!\220\211\365\323=\217\10\377\370\273k \253\263\30\233\226\235+\243\242\222\307\38\3\14\6/\232\\353J\4\31'\353\233\373\353\276\254\223u\245\263\214", ) == 0x0 02542 484 NtWaitForSingleObject (324, 0, 0x0, ... 02543 860 NtDeviceIoControlFile (492, 0, 0x0, 0x0, 0x390008, (492, 0, 0x0, 0x0, 0x390008, "\323390\325\305l7\326\203\222\5\206\300;UM$\257;\7\347\317M$\257;\7\347\317M$\257;\7\347\317M$\257;\7\314.?5\374\354\317\240\363\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02542 484 NtWaitForSingleObject ... ) == 0x0 02544 860 NtQuerySystemInformation (TimeOfDay, 48, ... 02545 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 14480660, ... }, 14480660, ... 02544 860 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02545 484 NtQueryAttributesFile ... ) == 0x0 02546 860 NtQuerySystemInformation (ProcessorTimes, 48, ... 02547 484 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... }, 7, 2113568, ... 02548 1516 NtResumeThread (300, ... 02546 860 NtQuerySystemInformation ... 
{system info, class 8, size 48}, 48, ) == 0x0 02548 1516 NtResumeThread ... 1, ) == 0x0 02549 860 NtQuerySystemInformation (Performance, 312, ... 02550 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02549 860 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02550 1516 NtAllocateVirtualMemory ... 83034112, 1048576, ) == 0x0 02551 860 NtQuerySystemInformation (Exception, 16, ... 02552 1516 NtAllocateVirtualMemory (-1, 84074496, 0, 8192, 4096, 4, ... 02551 860 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02552 1516 NtAllocateVirtualMemory ... 84074496, 8192, ) == 0x0 02553 860 NtQuerySystemInformation (Lookaside, 32, ... 02547 484 NtOpenFile ... 524, {status=0x0, info=1}, ) == 0x0 02554 1328 NtTestAlert (... 02555 1516 NtProtectVirtualMemory (-1, (0x502e000), 4096, 260, ... 02556 484 NtSetInformationFile (524, 14480636, 40, Basic, ... 02554 1328 NtTestAlert ... ) == 0x0 02555 1516 NtProtectVirtualMemory ... (0x502e000), 4096, 4, ) == 0x0 02556 484 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02557 1328 NtContinue (83033392, 1, ... 02558 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02559 484 NtClose (524, ... 02560 1328 NtRegisterThreadTerminatePort (24, ... 02558 1516 NtCreateThread ... 536, {808, 752}, ) == 0x0 02559 484 NtClose ... ) == 0x0 02560 1328 NtRegisterThreadTerminatePort ... ) == 0x0 02561 1516 NtQueryInformationThread (536, Basic, 28, ... 02562 484 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 14480576, (0xc0100080, {24, 0, 0x40, 0, 14480576, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 02553 860 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02561 1516 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=808,Tid=752,}, 0x0, ) == 0x0 02563 1328 NtWaitForSingleObject (212, 0, 0x0, ... 02564 860 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02562 484 NtCreateFile ... 524, {status=0x0, info=1}, ) == 0x0 02564 860 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02565 484 NtSetInformationFile (524, 14480628, 40, Basic, ... 02566 860 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02565 484 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02566 860 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02567 484 NtQueryInformationFile (524, 14480628, 24, Standard, ... 02568 860 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02567 484 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 02569 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58027, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0(\3\0\0\360\2\0\0" ... ... 02570 484 NtOpenSection (0x2, {24, 44, 0x0, 0, 0, (0x2, {24, 44, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_Temporary Internet Files_Content.IE5_index.dat_802816"}, ... }, ... 02569 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58028, 0} ... {28, 56, reply, 0, 808, 1516, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0(\3\0\0\360\2\0\0" ) ) == 0x0 02568 860 NtCreateKey ... -2147481344, 2, ) == 0x0 02571 1516 NtResumeThread (536, ... 02572 860 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "\271\2\264\345\225\14\347%\301C]kUY\320\371w\3028Z\305\212E\35\244\350E~3\225\332\333:Rx\225\345y\5\274\216\205n\204\355\33\2345El\25\255\3179|\270\242\3267\267n\234\352\241\263l\324\26\177\363\327\242\343\352\255\333\310\312g", 80, ... 
, 0, 3, (-2147481344, "Seed", 0, 3, "\271\2\264\345\225\14\347%\301C]kUY\320\371w\3028Z\305\212E\35\244\350E~3\225\332\333:Rx\225\345y\5\274\216\205n\204\355\33\2345El\25\255\3179|\270\242\3267\267n\234\352\241\263l\324\26\177\363\327\242\343\352\255\333\310\312g", 80, ... , 80, ... 02571 1516 NtResumeThread ... 1, ) == 0x0 02572 860 NtSetValueKey ... ) == 0x0 02573 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02574 860 NtClose (-2147481344, ... 02570 484 NtOpenSection ... 540, ) == 0x0 02575 752 NtTestAlert (... 02574 860 NtClose ... ) == 0x0 02576 484 NtMapViewOfSection (540, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 02575 752 NtTestAlert ... ) == 0x0 02543 860 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\377\206(L6\242\223\306I\336\1$y\3176u \273\276\224\201\177\304D\330\32\200\34\255\16\245\23\366\307A'\224\201\303\34T\32Xk\321\234\220\257\15t{\320\35159\4w\356\266\212L\312\232\273\225\205\23\225\374\245\253~\3\376\331\203\303\255\213r\333\222\305<\223\213\20\220\203\12\336\236\211\271\324\334\210z\311\305\362S\251Y\336\344\330{#'\376n\251QK\2[\36133\313\2176:\305]@\3262\371\245 2\217\341\303\372\375ebOO4Q\212\3565\27\222\10\220\7})\246\25+6\250\236\3309\221\361L\31\256\376M\374\316\253\20\374\6\261\251\342\270\270 ]\20}\310\364@\10\325}S\326\27s*\26\30ZpK\4\265\326\203\364\243\2225\340\372\275J{\215\370vm\305\304\266\2\362Bs@\210<\36V\27\4\15\272*\323\241}\17\32nh0G\264\360\3\204"\223M\364\255\15\16^%", ) \223M\364\255\15\16^%", ) == 0x0 02576 484 NtMapViewOfSection ... (0x5030000), {0, 0}, 802816, ) == 0x0 02577 752 NtContinue (84081968, 1, ... 02573 1516 NtAllocateVirtualMemory ... 84934656, 1048576, ) == 0x0 02578 484 NtReleaseMutant (324, ... 02579 752 NtRegisterThreadTerminatePort (24, ... 02580 1516 NtAllocateVirtualMemory (-1, 85975040, 0, 8192, 4096, 4, ... 02578 484 NtReleaseMutant ... 0x0, ) == 0x0 02579 752 NtRegisterThreadTerminatePort ... ) == 0x0 02580 1516 NtAllocateVirtualMemory ... 
85975040, 8192, ) == 0x0 02581 484 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!cookies!"}, ... }, ... 02582 860 NtDeviceIoControlFile (492, 0, 0x0, 0x0, 0x390008, (492, 0, 0x0, 0x0, 0x390008, "\323390\325\305l7\326\203\222\5\206\300;UM$\257;\7\347\317M$\257;\7\347\317M$\257;\7\347\317M$\257;\7\347\317M$\257;\7\314.?5\374\354\317\240\363\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02583 1516 NtProtectVirtualMemory (-1, (0x51fe000), 4096, 260, ... 02584 752 NtWaitForSingleObject (212, 0, 0x0, ... 02585 860 NtQuerySystemInformation (TimeOfDay, 48, ... 02583 1516 NtProtectVirtualMemory ... (0x51fe000), 4096, 4, ) == 0x0 02585 860 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02586 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02587 860 NtQuerySystemInformation (ProcessorTimes, 48, ... 02581 484 NtOpenMutant ... 544, ) == 0x0 02587 860 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02588 484 NtWaitForSingleObject (544, 0, 0x0, ... 02589 860 NtQuerySystemInformation (Performance, 312, ... 02588 484 NtWaitForSingleObject ... ) == 0x0 02586 1516 NtCreateThread ... 548, {808, 120}, ) == 0x0 02590 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 14480660, ... }, 14480660, ... 02591 1516 NtQueryInformationThread (548, Basic, 28, ... 02590 484 NtQueryAttributesFile ... ) == 0x0 02591 1516 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=808,Tid=120,}, 0x0, ) == 0x0 02589 860 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02592 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58028, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0(\3\0\0x\0\0\0" ... ... 02593 860 NtQuerySystemInformation (Exception, 16, ... 02592 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58029, 0} ... {28, 56, reply, 0, 808, 1516, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0(\3\0\0x\0\0\0" ) ) == 0x0 02593 860 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02594 484 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 7, 2113568, ... }, 7, 2113568, ... 02595 860 NtQuerySystemInformation (Lookaside, 32, ... 02594 484 NtOpenFile ... 552, {status=0x0, info=1}, ) == 0x0 02595 860 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02596 484 NtSetInformationFile (552, 14480636, 40, Basic, ... 02597 860 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02596 484 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02598 1516 NtResumeThread (548, ... 02599 484 NtClose (552, ... 02598 1516 NtResumeThread ... 1, ) == 0x0 02599 484 NtClose ... ) == 0x0 02600 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02601 484 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 14480576, (0xc0100080, {24, 0, 0x40, 0, 14480576, "\??\C:\Documents and Settings\Martim Carbone\Cookies\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 02600 1516 NtAllocateVirtualMemory ... 85983232, 1048576, ) == 0x0 02601 484 NtCreateFile ... 552, {status=0x0, info=1}, ) == 0x0 02602 1516 NtAllocateVirtualMemory (-1, 87023616, 0, 8192, 4096, 4, ... 02603 484 NtSetInformationFile (552, 14480628, 40, Basic, ... 02602 1516 NtAllocateVirtualMemory ... 
87023616, 8192, ) == 0x0 02597 860 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02604 120 NtTestAlert (... 02603 484 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02605 860 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02604 120 NtTestAlert ... ) == 0x0 02606 484 NtQueryInformationFile (552, 14480628, 24, Standard, ... 02605 860 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02607 120 NtContinue (85982512, 1, ... 02606 484 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 02608 860 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02609 120 NtRegisterThreadTerminatePort (24, ... 02610 484 NtOpenSection (0x2, {24, 44, 0x0, 0, 0, (0x2, {24, 44, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Cookies_index.dat_32768"}, ... }, ... 02608 860 NtCreateKey ... -2147481344, 2, ) == 0x0 02609 120 NtRegisterThreadTerminatePort ... ) == 0x0 02610 484 NtOpenSection ... 556, ) == 0x0 02611 860 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "\255\3042\366\207=2\235\270\263\320\311\357U!\205\266`Y\227\205\203P\353\364\340\305\30\241\302oC\254\353\245Y\321n\4}n\360f\204\324d}\10\14\351\321#C\335\15(\343a\213\5\33\357e1_\364\204F\35\342O\5\30\226\350i\374\250c/", 80, ... , 0, 3, (-2147481344, "Seed", 0, 3, "\255\3042\366\207=2\235\270\263\320\311\357U!\205\266`Y\227\205\203P\353\364\340\305\30\241\302oC\254\353\245Y\321n\4}n\360f\204\324d}\10\14\351\321#C\335\15(\343a\213\5\33\357e1_\364\204F\35\342O\5\30\226\350i\374\250c/", 80, ... , 80, ... 02612 1516 NtProtectVirtualMemory (-1, (0x52fe000), 4096, 260, ... 02613 484 NtMapViewOfSection (556, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 02614 120 NtWaitForSingleObject (212, 0, 0x0, ... 02612 1516 NtProtectVirtualMemory ... (0x52fe000), 4096, 4, ) == 0x0 02611 860 NtSetValueKey ... 
) == 0x0 02615 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02616 860 NtClose (-2147481344, ... 02615 1516 NtCreateThread ... 560, {808, 1732}, ) == 0x0 02616 860 NtClose ... ) == 0x0 02617 1516 NtQueryInformationThread (560, Basic, 28, ... 02582 860 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\214\2\240\2757\216?&\3\276\233\347\276/YT\366Z!\4\264\16(*\323\31\225\226 \220W\270=\301:y\0\377)\332\37\317\333\312\203\377U\25`\236\270\326\232e\2207\341O5\252\362u)!D\353h\103\261\210\207\345I\30\311\270\227\324\343\363\247P\22w\246\316\10\371l\271\31*\354`C\332Q\273\336\276;\327\225\207\263L\207O\34\270\335\347\235_C+\372\252\5W\261\30\360]\25\352~_\275\300\353WS\311Zy\231\237Q\207\212n\2402\235\312\341\214\365\216d\202\25\354\311:\30031\317Z\211\201B\35\36\306\276\30d\354\320i\6-D\371+\216\226\2635\260\30p])\12\256\315[cx\3651\211\346(\15U\356Y\275\300\225\344\247\214\231\253\236\352\205l\257m\371\10/\26\350\322\245\342W|C\0L1\23\303ROU.\313\331\227p\177&15\23\323$]\325\5Y\366jK", ) , ) == 0x0 02617 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=808,Tid=1732,}, 0x0, ) == 0x0 02618 860 NtDeviceIoControlFile (492, 0, 0x0, 0x0, 0x390008, (492, 0, 0x0, 0x0, 0x390008, "\323390\325\305l7\326\203\222\5\206\300;UM$\257;\7\347\317M$\257;\7\347\317M$\257;\7\347\317M$\257;\7\347\317M$\257;\7\347\317M$\257;\7\314.?5\374\354\317\240\363\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02613 484 NtMapViewOfSection ... (0xdd0000), {0, 0}, 32768, ) == 0x0 02619 860 NtQuerySystemInformation (TimeOfDay, 48, ... 
02620 484 NtReleaseMutant (544, ... 02621 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58029, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0(\3\0\0\304\6\0\0" ... ... 02620 484 NtReleaseMutant ... 0x0, ) == 0x0 02621 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58030, 0} ... {28, 56, reply, 0, 808, 1516, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0(\3\0\0\304\6\0\0" ) ) == 0x0 02622 484 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!history!history.ie5!"}, ... }, ... 02623 1516 NtResumeThread (560, ... 02622 484 NtOpenMutant ... 564, ) == 0x0 02623 1516 NtResumeThread ... 1, ) == 0x0 02624 484 NtWaitForSingleObject (564, 0, 0x0, ... 02625 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02619 860 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02626 1732 NtTestAlert (... 02624 484 NtWaitForSingleObject ... ) == 0x0 02627 860 NtQuerySystemInformation (ProcessorTimes, 48, ... 02626 1732 NtTestAlert ... ) == 0x0 02628 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 14480660, ... }, 14480660, ... 02627 860 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02629 1732 NtContinue (87031088, 1, ... 02628 484 NtQueryAttributesFile ... ) == 0x0 02630 860 NtQuerySystemInformation (Performance, 312, ... 02631 1732 NtRegisterThreadTerminatePort (24, ... 02632 484 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... }, 7, 2113568, ... 02630 860 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02631 1732 NtRegisterThreadTerminatePort ... ) == 0x0 02632 484 NtOpenFile ... 
568, {status=0x0, info=1}, ) == 0x0 02633 860 NtQuerySystemInformation (Exception, 16, ... 02625 1516 NtAllocateVirtualMemory ... 87031808, 1048576, ) == 0x0 02634 1732 NtWaitForSingleObject (212, 0, 0x0, ... 02635 484 NtSetInformationFile (568, 14480636, 40, Basic, ... 02636 1516 NtAllocateVirtualMemory (-1, 88072192, 0, 8192, 4096, 4, ... 02635 484 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02636 1516 NtAllocateVirtualMemory ... 88072192, 8192, ) == 0x0 02637 484 NtClose (568, ... 02638 1516 NtProtectVirtualMemory (-1, (0x53fe000), 4096, 260, ... 02637 484 NtClose ... ) == 0x0 02638 1516 NtProtectVirtualMemory ... (0x53fe000), 4096, 4, ) == 0x0 02639 484 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 14480576, (0xc0100080, {24, 0, 0x40, 0, 14480576, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 02640 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02639 484 NtCreateFile ... 568, {status=0x0, info=1}, ) == 0x0 02633 860 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02640 1516 NtCreateThread ... 572, {808, 188}, ) == 0x0 02641 860 NtQuerySystemInformation (Lookaside, 32, ... 02642 1516 NtQueryInformationThread (572, Basic, 28, ... 02641 860 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02642 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=808,Tid=188,}, 0x0, ) == 0x0 02643 860 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02644 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58030, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0(\3\0\0\274\0\0\0" ... ... 02643 860 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02644 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58031, 0} ... 
{28, 56, reply, 0, 808, 1516, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0(\3\0\0\274\0\0\0" ) ) == 0x0 02645 860 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02646 484 NtSetInformationFile (568, 14480628, 40, Basic, ... 02647 1516 NtResumeThread (572, ... 02646 484 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02647 1516 NtResumeThread ... 1, ) == 0x0 02648 484 NtQueryInformationFile (568, 14480628, 24, Standard, ... 02649 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02648 484 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 02649 1516 NtAllocateVirtualMemory ... 88080384, 1048576, ) == 0x0 02650 484 NtOpenSection (0x2, {24, 44, 0x0, 0, 0, (0x2, {24, 44, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_History_History.IE5_index.dat_81920"}, ... }, ... 02651 1516 NtAllocateVirtualMemory (-1, 89120768, 0, 8192, 4096, 4, ... 02650 484 NtOpenSection ... 576, ) == 0x0 02651 1516 NtAllocateVirtualMemory ... 89120768, 8192, ) == 0x0 02645 860 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02652 188 NtTestAlert (... 02653 484 NtMapViewOfSection (576, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 02654 860 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02652 188 NtTestAlert ... ) == 0x0 02653 484 NtMapViewOfSection ... (0xdf0000), {0, 0}, 81920, ) == 0x0 02654 860 NtCreateKey ... -2147481344, 2, ) == 0x0 02655 188 NtContinue (88079664, 1, ... 02656 484 NtReleaseMutant (564, ... 02657 860 NtSetValueKey (-2147481344, (-2147481344, "Seed", 0, 3, "\230\205Vl\25\234}I 8\341%*i\233\365|\214\226\27*\332\350\336\354\260\35\23\227\21\222\241m6 \345\301\3258\261k\322\3\360S\363jOu"\36\4\251\337\2778\356>\24\16,\2\33\340Kb\314\344]q4n\215\264/\326\200\351\213y", 80, ... 
, 0, 3, (-2147481344, "Seed", 0, 3, "\230\205Vl\25\234}I 8\341%*i\233\365|\214\226\27*\332\350\336\354\260\35\23\227\21\222\241m6 \345\301\3258\261k\322\3\360S\363jOu"\36\4\251\337\2778\356>\24\16,\2\33\340Kb\314\344]q4n\215\264/\326\200\351\213y", 80, ... \36\4\251\337\2778\356>\24\16,\2\33\340Kb\314\344]q4n\215\264/\326\200\351\213y", 80, ... 02658 188 NtRegisterThreadTerminatePort (24, ... 02656 484 NtReleaseMutant ... 0x0, ) == 0x0 02657 860 NtSetValueKey ... ) == 0x0 02658 188 NtRegisterThreadTerminatePort ... ) == 0x0 02659 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 14480236, ... }, 14480236, ... 02660 860 NtClose (-2147481344, ... 02661 1516 NtProtectVirtualMemory (-1, (0x54fe000), 4096, 260, ... 02659 484 NtQueryAttributesFile ... ) == 0x0 02662 188 NtWaitForSingleObject (212, 0, 0x0, ... 02661 1516 NtProtectVirtualMemory ... (0x54fe000), 4096, 4, ) == 0x0 02660 860 NtClose ... ) == 0x0 02663 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02618 860 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\36Dkt3\33&\355\4@Z\245\247\341\21\33\233Yh\213|mw\15a\213\373a\244\26\304s:n;V\360i\306xN\205\213\35\256h9m)1\340\220V\376e\272X-\14r\365\257\210\335M=\311\250oL\7(\1T\256;\216\30q\360;T\306z\16\23\33l\245\265\304gF4\226\312:\366\264_\363\344\254\351X\210\200\210y\230\341)m\342N\11\23\203e\177xo\203\10\15\253,\263\275\314CkX\365\347e\317/ W\242\2603i\247\371{\3\243HZXc\37\327\376[\32C\325bGO\243P\222\320>,H\256\212\16\220\27\244h\215\372\341\342\322\255\341\177K\263\301c4\306h\365\36du]\223\320\252\361\2&\35\242\247\236\4\362V\271-=\376Jxj\37\215\3C\256q\304v\230*\241\36\262\243\237\305\206.k]\320\35~\246.\306=\320xG'R\247\314\177\244\233=", ) , ) == 0x0 02663 1516 NtCreateThread ... 580, {808, 1636}, ) == 0x0 02664 860 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
02665 1516 NtQueryInformationThread (580, Basic, 28, ... 02664 860 NtCreateEvent ... 584, ) == 0x0 02665 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=808,Tid=1636,}, 0x0, ) == 0x0 02666 860 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ... 02667 484 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... }, 7, 2113568, ... 02666 860 NtOpenKey ... 588, ) == 0x0 02667 484 NtOpenFile ... 592, {status=0x0, info=1}, ) == 0x0 02668 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58031, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0(\3\0\0d\6\0\0" ... ... 02669 484 NtSetInformationFile (592, 14480208, 40, Basic, ... 02668 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58032, 0} ... {28, 56, reply, 0, 808, 1516, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0(\3\0\0d\6\0\0" ) ) == 0x0 02669 484 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02670 1516 NtResumeThread (580, ... 02671 484 NtClose (592, ... 02670 1516 NtResumeThread ... 1, ) == 0x0 02671 484 NtClose ... ) == 0x0 02672 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02673 860 NtOpenKey (0x20019, {24, 588, 0x40, 0, 0, (0x20019, {24, 588, 0x40, 0, 0, "ActiveComputerName"}, ... }, ... 02674 1636 NtTestAlert (... 02675 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 14480232, ... }, 14480232, ... 02673 860 NtOpenKey ... 592, ) == 0x0 02674 1636 NtTestAlert ... ) == 0x0 02675 484 NtQueryAttributesFile ... ) == 0x0 02676 860 NtQueryValueKey (592, (592, "ComputerName", Full, 108, ... , Full, 108, ... 
02677 1636 NtContinue (89128240, 1, ... 02678 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 14480236, ... }, 14480236, ... 02676 860 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 02679 1636 NtRegisterThreadTerminatePort (24, ... 02678 484 NtQueryAttributesFile ... ) == 0x0 02680 860 NtClose (592, ... 02679 1636 NtRegisterThreadTerminatePort ... ) == 0x0 02681 484 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... }, 7, 2113568, ... 02680 860 NtClose ... ) == 0x0 02672 1516 NtAllocateVirtualMemory ... 89128960, 1048576, ) == 0x0 02681 484 NtOpenFile ... 592, {status=0x0, info=1}, ) == 0x0 02682 1636 NtWaitForSingleObject (212, 0, 0x0, ... 02683 1516 NtAllocateVirtualMemory (-1, 90169344, 0, 8192, 4096, 4, ... 02684 860 NtClose (588, ... 02683 1516 NtAllocateVirtualMemory ... 90169344, 8192, ) == 0x0 02684 860 NtClose ... ) == 0x0 02685 1516 NtProtectVirtualMemory (-1, (0x55fe000), 4096, 260, ... 02686 860 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 02685 1516 NtProtectVirtualMemory ... (0x55fe000), 4096, 4, ) == 0x0 02686 860 NtCreateIoCompletion ... 588, ) == 0x0 02687 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02688 860 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 02689 484 NtSetInformationFile (592, 14480208, 40, Basic, ... 02688 860 NtCreateIoCompletion ... 596, ) == 0x0 02689 484 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02687 1516 NtCreateThread ... 600, {808, 624}, ) == 0x0 02690 484 NtClose (592, ... 02691 1516 NtQueryInformationThread (600, Basic, 28, ... 02690 484 NtClose ... 
) == 0x0 02691 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=808,Tid=624,}, 0x0, ) == 0x0 02692 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 14480232, ... }, 14480232, ... 02693 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58032, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0(\3\0\0p\2\0\0" ... ... 02692 484 NtQueryAttributesFile ... ) == 0x0 02693 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58033, 0} ... {28, 56, reply, 0, 808, 1516, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0(\3\0\0p\2\0\0" ) ) == 0x0 02694 860 NtDuplicateObject (-1, 588, -1, 0x0, 0, 2, ... 02695 484 NtWaitForSingleObject (324, 0, 0x0, ... 02694 860 NtDuplicateObject ... 592, ) == 0x0 02695 484 NtWaitForSingleObject ... ) == 0x0 02696 860 NtOpenThreadToken (-2, 0xc, 1, ... 02697 484 NtReleaseMutant (324, ... 02696 860 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02697 484 NtReleaseMutant ... 0x0, ) == 0x0 02698 860 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 02699 484 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02698 860 NtAllocateVirtualMemory ... 1388544, 4096, ) == 0x0 02700 1516 NtResumeThread (600, ... 02699 484 NtCreateEvent ... 604, ) == 0x0 02700 1516 NtResumeThread ... 1, ) == 0x0 02701 484 NtWaitForSingleObject (604, 0, 0x0, ... 02702 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 90177536, 1048576, ) == 0x0 02703 1516 NtAllocateVirtualMemory (-1, 91217920, 0, 8192, 4096, 4, ... 91217920, 8192, ) == 0x0 02704 1516 NtProtectVirtualMemory (-1, (0x56fe000), 4096, 260, ... (0x56fe000), 4096, 4, ) == 0x0 02705 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 608, {808, 1948}, ) == 0x0 02706 1516 NtQueryInformationThread (608, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=808,Tid=1948,}, 0x0, ) == 0x0 02707 860 NtSetEventBoostPriority (604, ... 02708 624 NtTestAlert (... 02701 484 NtWaitForSingleObject ... ) == 0x0 02707 860 NtSetEventBoostPriority ... ) == 0x0 02709 484 NtOpenKey (0xf, {24, 100, 0x40, 0, 0, (0xf, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ... 02708 624 NtTestAlert ... ) == 0x0 02709 484 NtOpenKey ... 612, ) == 0x0 02710 860 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02711 624 NtContinue (90176816, 1, ... 02712 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58033, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0(\3\0\0\234\7\0\0" ... ... 02710 860 NtCreateEvent ... 616, ) == 0x0 02713 624 NtRegisterThreadTerminatePort (24, ... 02712 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58034, 0} ... {28, 56, reply, 0, 808, 1516, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0(\3\0\0\234\7\0\0" ) ) == 0x0 02714 860 NtOpenThreadToken (-2, 0xc, 1, ... 02713 624 NtRegisterThreadTerminatePort ... ) == 0x0 02715 1516 NtResumeThread (608, ... 02714 860 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02716 484 NtOpenKey (0xf, {24, 612, 0x40, 0, 0, (0xf, {24, 612, 0x40, 0, 0, "Extensible Cache"}, ... }, ... 02715 1516 NtResumeThread ... 1, ) == 0x0 02717 624 NtWaitForSingleObject (212, 0, 0x0, ... 02716 484 NtOpenKey ... 620, ) == 0x0 02718 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02719 484 NtClose (612, ... 02720 860 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02721 1948 NtTestAlert (... 02719 484 NtClose ... ) == 0x0 02720 860 NtSetInformationThread ... ) == 0x0 02721 1948 NtTestAlert ... ) == 0x0 02722 484 NtWaitForSingleObject (304, 0, {-600000000, -1}, ... 02723 860 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 13430976, (0xc0100080, {24, 0, 0x40, 0, 13430976, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 
}, 0x0, 0, 3, 1, 64, 0, 0, ... 02724 1948 NtContinue (91225392, 1, ... 02723 860 NtCreateFile ... 612, {status=0x0, info=1}, ) == 0x0 02725 1948 NtRegisterThreadTerminatePort (24, ... 02726 860 NtSetInformationFile (612, 13431032, 8, Pipe, ... 02725 1948 NtRegisterThreadTerminatePort ... ) == 0x0 02726 860 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02718 1516 NtAllocateVirtualMemory ... 91226112, 1048576, ) == 0x0 02722 484 NtWaitForSingleObject ... ) == 0x0 02727 1948 NtWaitForSingleObject (212, 0, 0x0, ... 02728 1516 NtAllocateVirtualMemory (-1, 92266496, 0, 8192, 4096, 4, ... 02729 484 NtEnumerateKey (620, 0, Basic, 288, ... 02728 1516 NtAllocateVirtualMemory ... 92266496, 8192, ) == 0x0 02729 484 NtEnumerateKey ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name= ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name="feedplat"}, 32, ) }, 32, ) == 0x0 02730 1516 NtProtectVirtualMemory (-1, (0x57fe000), 4096, 260, ... 02731 484 NtOpenKey (0xf, {24, 620, 0x40, 0, 0, (0xf, {24, 620, 0x40, 0, 0, "feedplat"}, ... }, ... 02730 1516 NtProtectVirtualMemory ... (0x57fe000), 4096, 4, ) == 0x0 02731 484 NtOpenKey ... 624, ) == 0x0 02732 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02733 484 NtQueryValueKey (624, (624, "CacheRepair", Partial, 144, ... , Partial, 144, ... 02734 860 NtSetInformationFile (612, 13431020, 8, Completion, ... 02732 1516 NtCreateThread ... 628, {808, 988}, ) == 0x0 02734 860 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02735 1516 NtQueryInformationThread (628, Basic, 28, ... 02736 860 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02735 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=808,Tid=988,}, 0x0, ) == 0x0 02736 860 NtSetInformationThread ... ) == 0x0 02737 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58034, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0(\3\0\0\334\3\0\0" ... 
... 02738 860 NtWriteFile (612, 313, 0, 0, (612, 313, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ... 02737 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58035, 0} ... {28, 56, reply, 0, 808, 1516, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0(\3\0\0\334\3\0\0" ) ) == 0x0 02738 860 NtWriteFile ... {status=0x0, info=72}, ) == 0x0 02733 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02739 1516 NtResumeThread (628, ... 02740 484 NtQueryValueKey (624, (624, "CachePath", Partial, 144, ... , Partial, 144, ... 02739 1516 NtResumeThread ... 1, ) == 0x0 02740 484 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 02741 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02742 484 NtQueryValueKey (624, (624, "CachePath", Partial, 148, ... , Partial, 148, ... 02741 1516 NtAllocateVirtualMemory ... 92274688, 1048576, ) == 0x0 02742 484 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 02743 1516 NtAllocateVirtualMemory (-1, 93315072, 0, 8192, 4096, 4, ... 02744 484 NtQueryValueKey (624, (624, "CachePath", Partial, 144, ... , Partial, 144, ... 02743 1516 NtAllocateVirtualMemory ... 93315072, 8192, ) == 0x0 02745 860 NtReadFile (612, 313, 0, 0, 1024, {0, 0}, 0, ... 02746 988 NtAllocateVirtualMemory (-1, 8810496, 0, 4096, 4096, 4, ... 02744 484 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 02745 860 NtReadFile ... {status=0x0, info=68}, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02746 988 NtAllocateVirtualMemory ... 8810496, 4096, ) == 0x0 02747 484 NtQueryValueKey (624, (624, "CachePath", Partial, 148, ... , Partial, 148, ... 02748 860 NtFsControlFile (612, 313, 0x0, 0x0, 0x11c017, (612, 313, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\314\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ... 02749 988 NtTestAlert (... 02747 484 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 02748 860 NtFsControlFile ... {status=0x103, info=68}, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02749 988 NtTestAlert ... ) == 0x0 02750 484 NtQueryValueKey (624, (624, "CachePrefix", Partial, 144, ... , Partial, 144, ... 02751 860 NtFsControlFile (612, 313, 0x0, 0x0, 0x11c017, (612, 313, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\1\0\0\0\1\0\0\0&\0(\0x\377\24\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ... 02752 988 NtContinue (92273968, 1, ... 02750 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0 02751 860 NtFsControlFile ... {status=0x103, info=48}, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) , ) == 0x103 02753 1516 NtProtectVirtualMemory (-1, (0x58fe000), 4096, 260, ... 02754 484 NtQueryValueKey (624, (624, "CachePrefix", Partial, 144, ... , Partial, 144, ... 02755 988 NtRegisterThreadTerminatePort (24, ... 02753 1516 NtProtectVirtualMemory ... (0x58fe000), 4096, 4, ) == 0x0 02756 860 NtFsControlFile (612, 313, 0x0, 0x0, 0x11c017, (612, 313, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... , 44, 1024, ... 02755 988 NtRegisterThreadTerminatePort ... ) == 0x0 02757 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02756 860 NtFsControlFile ... {status=0x103, info=156}, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0P!\25\0\1\0\0\0\!\25\0 \0\0\0\1\0\0\0\30\0\32\0h!\25\0\204!\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\0;\25\0\1\0\0\0\5\0i\0\20;\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02758 988 NtWaitForSingleObject (212, 0, 0x0, ... 02757 1516 NtCreateThread ... 632, {808, 468}, ) == 0x0 02759 860 NtClose (616, ... 02760 1516 NtQueryInformationThread (632, Basic, 28, ... 02759 860 NtClose ... ) == 0x0 02760 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=808,Tid=468,}, 0x0, ) == 0x0 02761 860 NtClose (612, ... 02754 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0 02761 860 NtClose ... ) == 0x0 02762 484 NtQueryValueKey (624, (624, "CacheLimit", Partial, 144, ... , Partial, 144, ... 02763 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58035, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0(\3\0\0\324\1\0\0" ... ... 
02762 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 02763 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58036, 0} ... {28, 56, reply, 0, 808, 1516, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0(\3\0\0\324\1\0\0" ) ) == 0x0 02764 484 NtQueryValueKey (624, (624, "CacheOptions", Partial, 144, ... , Partial, 144, ... 02765 1516 NtResumeThread (632, ... 02764 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02765 1516 NtResumeThread ... 1, ) == 0x0 02766 484 NtClose (624, ... 02767 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02768 860 NtSecureConnectPort ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1368992, 0x0, 13432900, 188, ... , {12, 2, 1, 1}, 0x0, 1368992, 0x0, 13432900, 188, ... 02769 468 NtTestAlert (... 02766 484 NtClose ... ) == 0x0 02769 468 NtTestAlert ... ) == 0x0 02770 484 NtEnumerateKey (620, 1, Basic, 288, ... 02768 860 NtSecureConnectPort ... 624, 0x0, 0x0, 0x0, 188, ) == 0x0 02771 468 NtContinue (93322544, 1, ... 02770 484 NtEnumerateKey ... {LastWrite={0x3124e1e0,0x1c877f6}, TitleIdx=0, Name= ... {LastWrite={0x3124e1e0,0x1c877f6}, TitleIdx=0, Name="MSHist012008022520080226"}, 64, ) }, 64, ) == 0x0 02772 860 NtOpenThreadToken (-2, 0xc, 1, ... 02773 468 NtRegisterThreadTerminatePort (24, ... 02774 484 NtOpenKey (0xf, {24, 620, 0x40, 0, 0, (0xf, {24, 620, 0x40, 0, 0, "MSHist012008022520080226"}, ... }, ... 02772 860 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02773 468 NtRegisterThreadTerminatePort ... ) == 0x0 02775 860 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02767 1516 NtAllocateVirtualMemory ... 93323264, 1048576, ) == 0x0 02774 484 NtOpenKey ... 612, ) == 0x0 02776 468 NtWaitForSingleObject (212, 0, 0x0, ... 02777 1516 NtAllocateVirtualMemory (-1, 94363648, 0, 8192, 4096, 4, ... 02778 484 NtQueryValueKey (612, (612, "CacheRepair", Partial, 144, ... 
, Partial, 144, ... 02777 1516 NtAllocateVirtualMemory ... 94363648, 8192, ) == 0x0 02778 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02779 1516 NtProtectVirtualMemory (-1, (0x59fe000), 4096, 260, ... 02780 484 NtQueryValueKey (612, (612, "CachePath", Partial, 144, ... , Partial, 144, ... 02779 1516 NtProtectVirtualMemory ... (0x59fe000), 4096, 4, ) == 0x0 02780 484 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 02781 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02782 484 NtQueryValueKey (612, (612, "CachePath", Partial, 160, ... , Partial, 160, ... 02775 860 NtSetInformationThread ... ) == 0x0 02781 1516 NtCreateThread ... 616, {808, 380}, ) == 0x0 02783 860 NtRequestWaitReplyPort (624, {200, 224, new_msg, 0, 1370272, 12, 2, 1310977} (624, {200, 224, new_msg, 0, 1370272, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0O~\265\356\300\234\0`i\10\325/3\23\204\213\12\0\0\0\361s\360\365\330k\255\323\0\0\0\0\250\377\24\0\245+4v\36F\374\273(\0\0\0q\360\00\0\0\24\0\240\366\314\0\254\327\224\0\0\0\0p\31\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\314\0\372\31\221|X\376\314\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 02784 1516 NtQueryInformationThread (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=808,Tid=380,}, 0x0, ) == 0x0 02785 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58036, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0(\3\0\0|\1\0\0" ... {28, 56, reply, 0, 808, 1516, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0(\3\0\0|\1\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58039, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0(\3\0\0|\1\0\0" ... 
{28, 56, reply, 0, 808, 1516, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0(\3\0\0|\1\0\0" ) ) == 0x0 02783 860 NtRequestWaitReplyPort ... {200, 224, reply, 0, 808, 860, 58038, 0} ... {200, 224, reply, 0, 808, 860, 58038, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\2\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0O~\265\356\300\234\0`i\10\325/3\23\204\213\12\0\0\0\361s\360\365\330k\255\323\0\0\0\0\250\377\24\0\245+4v\36F\374\273(\0\0\0q\360\00\0\0\24\0\240\366\314\0\254\327\224\0\0\0\0p\31\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\314\0\372\31\221|X\376\314\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 02782 484 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) }, 160, ) == 0x0 02786 860 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02787 484 NtQueryValueKey (612, (612, "CachePath", Partial, 144, ... , Partial, 144, ... 02786 860 NtSetInformationThread ... ) == 0x0 02787 484 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 02788 1516 NtResumeThread (616, ... 02789 484 NtQueryValueKey (612, (612, "CachePath", Partial, 160, ... , Partial, 160, ... 02788 1516 NtResumeThread ... 1, ) == 0x0 02789 484 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) }, 160, ) == 0x0 02790 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02791 484 NtQueryValueKey (612, (612, "CachePrefix", Partial, 144, ... 
, Partial, 144, ... 02790 1516 NtAllocateVirtualMemory ... 94371840, 1048576, ) == 0x0 02792 860 NtRequestWaitReplyPort (624, {56, 80, new_msg, 0, 44, 3, 20, 0} (624, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0\215\373FC\227[\347p\214Nse\1\0\0\0\0\0\0\0&\0(\0\334\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ... ... 02793 380 NtTestAlert (... 02794 1516 NtAllocateVirtualMemory (-1, 95412224, 0, 8192, 4096, 4, ... 02793 380 NtTestAlert ... ) == 0x0 02794 1516 NtAllocateVirtualMemory ... 95412224, 8192, ) == 0x0 02795 380 NtContinue (94371120, 1, ... 02791 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 02796 380 NtRegisterThreadTerminatePort (24, ... 02797 484 NtQueryValueKey (612, (612, "CachePrefix", Partial, 144, ... , Partial, 144, ... 02796 380 NtRegisterThreadTerminatePort ... ) == 0x0 02797 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 02798 1516 NtProtectVirtualMemory (-1, (0x5afe000), 4096, 260, ... 02799 484 NtQueryValueKey (612, (612, "CacheLimit", Partial, 144, ... , Partial, 144, ... 02798 1516 NtProtectVirtualMemory ... (0x5afe000), 4096, 4, ) == 0x0 02799 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 02800 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02801 484 NtQueryValueKey (612, (612, "CacheOptions", Partial, 144, ... , Partial, 144, ... 02800 1516 NtCreateThread ... 636, {808, 1692}, ) == 0x0 02802 380 NtWaitForSingleObject (212, 0, 0x0, ... 02803 1516 NtQueryInformationThread (636, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=808,Tid=1692,}, 0x0, ) == 0x0 02804 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58039, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0(\3\0\0\234\6\0\0" ... {28, 56, reply, 0, 808, 1516, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0(\3\0\0\234\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58041, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0(\3\0\0\234\6\0\0" ... {28, 56, reply, 0, 808, 1516, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0(\3\0\0\234\6\0\0" ) ) == 0x0 02805 1516 NtResumeThread (636, ... 1, ) == 0x0 02806 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02801 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 02807 1692 NtTestAlert (... 02792 860 NtRequestWaitReplyPort ... {44, 68, reply, 0, 808, 860, 58040, 0} ... {44, 68, reply, 0, 808, 860, 58040, 0} "\4\31\221|\0\0\221|\200\300\227|p\31\221|\0\276\21\0\330\0\0\0\204-|\2\0\220\366\177\2\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02808 484 NtClose (612, ... 02807 1692 NtTestAlert ... ) == 0x0 02809 860 NtRaiseException (13433360, 13432620, 1, ... 02808 484 NtClose ... ) == 0x0 02810 1692 NtContinue (95419696, 1, ... 02811 860 NtQueryVirtualMemory (-1, 0x77e7a298, Basic, 28, ... 02812 484 NtEnumerateKey (620, 2, Basic, 288, ... 02813 1692 NtRegisterThreadTerminatePort (24, ... 02811 860 NtQueryVirtualMemory ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 02812 484 NtEnumerateKey ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name= ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name="UserData"}, 32, ) }, 32, ) == 0x0 02813 1692 NtRegisterThreadTerminatePort ... ) == 0x0 02806 1516 NtAllocateVirtualMemory ... 
95420416, 1048576, ) == 0x0 02814 484 NtOpenKey (0xf, {24, 620, 0x40, 0, 0, (0xf, {24, 620, 0x40, 0, 0, "UserData"}, ... }, ... 02815 860 NtContinue (13431588, 0, ... 02816 1516 NtAllocateVirtualMemory (-1, 96460800, 0, 8192, 4096, 4, ... 02817 1692 NtWaitForSingleObject (212, 0, 0x0, ... 02816 1516 NtAllocateVirtualMemory ... 96460800, 8192, ) == 0x0 02818 1516 NtProtectVirtualMemory (-1, (0x5bfe000), 4096, 260, ... (0x5bfe000), 4096, 4, ) == 0x0 02819 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02820 860 NtDeviceIoControlFile (476, 204, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... {status=0x0, info=0}, "", ) == 0x103 02821 860 NtWaitForSingleObject (204, 1, {-5000000, -1}, ... 02819 1516 NtCreateThread ... 612, {808, 1792}, ) == 0x0 02822 1516 NtQueryInformationThread (612, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=808,Tid=1792,}, 0x0, ) == 0x0 02823 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58041, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0(\3\0\0\0\7\0\0" ... {28, 56, reply, 0, 808, 1516, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0(\3\0\0\0\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58042, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0(\3\0\0\0\7\0\0" ... {28, 56, reply, 0, 808, 1516, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0(\3\0\0\0\7\0\0" ) ) == 0x0 02814 484 NtOpenKey ... 640, ) == 0x0 02824 484 NtQueryValueKey (640, (640, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (640, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02825 484 NtQueryValueKey (640, (640, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02826 484 NtQueryValueKey (640, (640, "CachePath", Partial, 148, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (640, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0 02827 484 NtQueryValueKey (640, (640, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02828 484 NtQueryValueKey (640, (640, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (640, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0 02829 484 NtQueryValueKey (640, (640, "CachePrefix", Partial, 144, ... , Partial, 144, ... 02830 1516 NtResumeThread (612, ... 1, ) == 0x0 02831 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 96468992, 1048576, ) == 0x0 02832 1516 NtAllocateVirtualMemory (-1, 97509376, 0, 8192, 4096, 4, ... 97509376, 8192, ) == 0x0 02833 1516 NtProtectVirtualMemory (-1, (0x5cfe000), 4096, 260, ... (0x5cfe000), 4096, 4, ) == 0x0 02834 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 644, {808, 784}, ) == 0x0 02835 1516 NtQueryInformationThread (644, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=808,Tid=784,}, 0x0, ) == 0x0 02829 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0 02836 1792 NtTestAlert (... 02837 484 NtQueryValueKey (640, (640, "CachePrefix", Partial, 144, ... , Partial, 144, ... 02836 1792 NtTestAlert ... ) == 0x0 02837 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0 02838 1792 NtContinue (96468272, 1, ... 02839 484 NtQueryValueKey (640, (640, "CacheLimit", Partial, 144, ... , Partial, 144, ... 02840 1792 NtRegisterThreadTerminatePort (24, ... 02839 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) }, 16, ) == 0x0 02840 1792 NtRegisterThreadTerminatePort ... ) == 0x0 02841 484 NtQueryValueKey (640, (640, "CacheOptions", Partial, 144, ... , Partial, 144, ... 02842 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58042, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0(\3\0\0\20\3\0\0" ... ... 02843 1792 NtWaitForSingleObject (212, 0, 0x0, ... 02842 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58043, 0} ... {28, 56, reply, 0, 808, 1516, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0(\3\0\0\20\3\0\0" ) ) == 0x0 02844 1516 NtResumeThread (644, ... 1, ) == 0x0 02845 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 97517568, 1048576, ) == 0x0 02846 1516 NtAllocateVirtualMemory (-1, 98557952, 0, 8192, 4096, 4, ... 98557952, 8192, ) == 0x0 02847 1516 NtProtectVirtualMemory (-1, (0x5dfe000), 4096, 260, ... (0x5dfe000), 4096, 4, ) == 0x0 02848 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02841 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) }, 16, ) == 0x0 02849 784 NtTestAlert (... 
02850 484 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 02849 784 NtTestAlert ... ) == 0x0 02850 484 NtAllocateVirtualMemory ... 1392640, 4096, ) == 0x0 02851 784 NtContinue (97516848, 1, ... 02852 484 NtClose (640, ... 02853 784 NtRegisterThreadTerminatePort (24, ... 02852 484 NtClose ... ) == 0x0 02853 784 NtRegisterThreadTerminatePort ... ) == 0x0 02854 484 NtEnumerateKey (620, 3, Basic, 288, ... 02848 1516 NtCreateThread ... 640, {808, 1520}, ) == 0x0 02855 784 NtWaitForSingleObject (212, 0, 0x0, ... 02856 1516 NtQueryInformationThread (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=808,Tid=1520,}, 0x0, ) == 0x0 02857 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58043, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0(\3\0\0\360\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0(\3\0\0\360\5\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58044, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0(\3\0\0\360\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0(\3\0\0\360\5\0\0" ) ) == 0x0 02858 1516 NtResumeThread (640, ... 1, ) == 0x0 02859 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 98566144, 1048576, ) == 0x0 02860 1516 NtAllocateVirtualMemory (-1, 99606528, 0, 8192, 4096, 4, ... 99606528, 8192, ) == 0x0 02854 484 NtEnumerateKey ... ) == STATUS_NO_MORE_ENTRIES 02861 1520 NtTestAlert (... 02862 484 NtReleaseMutant (304, ... 02861 1520 NtTestAlert ... ) == 0x0 02862 484 NtReleaseMutant ... 0x0, ) == 0x0 02863 1520 NtContinue (98565424, 1, ... 02864 484 NtClose (620, ... 02865 1520 NtRegisterThreadTerminatePort (24, ... 02864 484 NtClose ... ) == 0x0 02865 1520 NtRegisterThreadTerminatePort ... ) == 0x0 02866 484 NtWaitForSingleObject (324, 0, 0x0, ... 02867 1516 NtProtectVirtualMemory (-1, (0x5efe000), 4096, 260, ... 
02868 1520 NtWaitForSingleObject (212, 0, 0x0, ... 02867 1516 NtProtectVirtualMemory ... (0x5efe000), 4096, 4, ) == 0x0 02869 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 620, {808, 1696}, ) == 0x0 02870 1516 NtQueryInformationThread (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=808,Tid=1696,}, 0x0, ) == 0x0 02871 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58044, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0(\3\0\0\240\6\0\0" ... {28, 56, reply, 0, 808, 1516, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0(\3\0\0\240\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58045, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0(\3\0\0\240\6\0\0" ... {28, 56, reply, 0, 808, 1516, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0(\3\0\0\240\6\0\0" ) ) == 0x0 02872 1516 NtResumeThread (620, ... 1, ) == 0x0 02873 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02866 484 NtWaitForSingleObject ... ) == 0x0 02874 1696 NtTestAlert (... 02875 484 NtReleaseMutant (324, ... 02874 1696 NtTestAlert ... ) == 0x0 02875 484 NtReleaseMutant ... 0x0, ) == 0x0 02876 1696 NtContinue (99614000, 1, ... 02877 484 NtWaitForSingleObject (324, 0, 0x0, ... 02878 1696 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02879 1696 NtWaitForSingleObject (212, 0, 0x0, ... 02873 1516 NtAllocateVirtualMemory ... 99614720, 1048576, ) == 0x0 02880 1516 NtAllocateVirtualMemory (-1, 100655104, 0, 8192, 4096, 4, ... 100655104, 8192, ) == 0x0 02881 1516 NtProtectVirtualMemory (-1, (0x5ffe000), 4096, 260, ... (0x5ffe000), 4096, 4, ) == 0x0 02882 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02877 484 NtWaitForSingleObject ... ) == 0x0 02883 484 NtReleaseMutant (324, ... 0x0, ) == 0x0 02884 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02885 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02886 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02887 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02888 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 02882 1516 NtCreateThread ... 648, {808, 1744}, ) == 0x0 02889 1516 NtQueryInformationThread (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=808,Tid=1744,}, 0x0, ) == 0x0 02890 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58045, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0(\3\0\0\320\6\0\0" ... {28, 56, reply, 0, 808, 1516, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0(\3\0\0\320\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58046, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0(\3\0\0\320\6\0\0" ... {28, 56, reply, 0, 808, 1516, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0(\3\0\0\320\6\0\0" ) ) == 0x0 02891 1516 NtResumeThread (648, ... 1, ) == 0x0 02892 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 100663296, 1048576, ) == 0x0 02893 1516 NtAllocateVirtualMemory (-1, 101703680, 0, 8192, 4096, 4, ... 101703680, 8192, ) == 0x0 02888 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02894 1744 NtTestAlert (... 
02895 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 02894 1744 NtTestAlert ... ) == 0x0 02895 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02896 1744 NtContinue (100662576, 1, ... 02897 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 02898 1744 NtRegisterThreadTerminatePort (24, ... 02897 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02898 1744 NtRegisterThreadTerminatePort ... ) == 0x0 02899 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 02900 1516 NtProtectVirtualMemory (-1, (0x60fe000), 4096, 260, ... 02901 1744 NtWaitForSingleObject (212, 0, 0x0, ... 02900 1516 NtProtectVirtualMemory ... (0x60fe000), 4096, 4, ) == 0x0 02902 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 652, {808, 1124}, ) == 0x0 02903 1516 NtQueryInformationThread (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=808,Tid=1124,}, 0x0, ) == 0x0 02904 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58046, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0(\3\0\0d\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0(\3\0\0d\4\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58047, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0(\3\0\0d\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0(\3\0\0d\4\0\0" ) ) == 0x0 02905 1516 NtResumeThread (652, ... 1, ) == 0x0 02906 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02899 484 NtOpenKey ... 656, ) == 0x0 02907 1124 NtTestAlert (... 
02908 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 02907 1124 NtTestAlert ... ) == 0x0 02908 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02909 1124 NtContinue (101711152, 1, ... 02910 484 NtOpenKey (0x1, {24, 656, 0x40, 0, 0, (0x1, {24, 656, 0x40, 0, 0, "RETRY_HEADERONLYPOST_ONCONNECTIONRESET"}, ... }, ... 02911 1124 NtRegisterThreadTerminatePort (24, ... 02910 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02911 1124 NtRegisterThreadTerminatePort ... ) == 0x0 02912 484 NtClose (656, ... 02906 1516 NtAllocateVirtualMemory ... 101711872, 1048576, ) == 0x0 02913 1124 NtWaitForSingleObject (212, 0, 0x0, ... 02914 1516 NtAllocateVirtualMemory (-1, 102752256, 0, 8192, 4096, 4, ... 102752256, 8192, ) == 0x0 02915 1516 NtProtectVirtualMemory (-1, (0x61fe000), 4096, 260, ... (0x61fe000), 4096, 4, ) == 0x0 02916 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {808, 1496}, ) == 0x0 02917 1516 NtQueryInformationThread (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=808,Tid=1496,}, 0x0, ) == 0x0 02918 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58047, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0(\3\0\0\330\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0(\3\0\0\330\5\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58048, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0(\3\0\0\330\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0(\3\0\0\330\5\0\0" ) ) == 0x0 02912 484 NtClose ... ) == 0x0 02919 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02920 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02921 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 656, ) }, ... 656, ) == 0x0 02922 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02923 484 NtOpenKey (0x1, {24, 656, 0x40, 0, 0, (0x1, {24, 656, 0x40, 0, 0, "FEATURE_BUFFERBREAKING_818408"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02924 484 NtClose (656, ... 02925 1516 NtResumeThread (660, ... 1, ) == 0x0 02926 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 102760448, 1048576, ) == 0x0 02927 1516 NtAllocateVirtualMemory (-1, 103800832, 0, 8192, 4096, 4, ... 103800832, 8192, ) == 0x0 02928 1516 NtProtectVirtualMemory (-1, (0x62fe000), 4096, 260, ... (0x62fe000), 4096, 4, ) == 0x0 02929 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02924 484 NtClose ... ) == 0x0 02930 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02931 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02932 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 02933 1496 NtTestAlert (... 02929 1516 NtCreateThread ... 656, {808, 168}, ) == 0x0 02933 1496 NtTestAlert ... ) == 0x0 02934 1516 NtQueryInformationThread (656, Basic, 28, ... 02935 1496 NtContinue (102759728, 1, ... 02934 1516 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=808,Tid=168,}, 0x0, ) == 0x0 02936 1496 NtRegisterThreadTerminatePort (24, ... 02937 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58048, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0(\3\0\0\250\0\0\0" ... ... 02936 1496 NtRegisterThreadTerminatePort ... ) == 0x0 02937 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58049, 0} ... {28, 56, reply, 0, 808, 1516, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0(\3\0\0\250\0\0\0" ) ) == 0x0 02932 484 NtOpenKey ... 664, ) == 0x0 02938 1496 NtWaitForSingleObject (212, 0, 0x0, ... 02939 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02940 484 NtOpenKey (0x1, {24, 664, 0x40, 0, 0, (0x1, {24, 664, 0x40, 0, 0, "FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02941 484 NtClose (664, ... ) == 0x0 02942 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02943 484 NtQueryValueKey (96, (96, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02944 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 02945 1516 NtResumeThread (656, ... 1, ) == 0x0 02946 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 103809024, 1048576, ) == 0x0 02947 1516 NtAllocateVirtualMemory (-1, 104849408, 0, 8192, 4096, 4, ... 104849408, 8192, ) == 0x0 02948 1516 NtProtectVirtualMemory (-1, (0x63fe000), 4096, 260, ... (0x63fe000), 4096, 4, ) == 0x0 02949 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
664, {808, 1284}, ) == 0x0 02950 1516 NtQueryInformationThread (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=808,Tid=1284,}, 0x0, ) == 0x0 02944 484 NtOpenKey ... 668, ) == 0x0 02951 168 NtTestAlert (... 02952 484 NtQueryValueKey (668, (668, "DisableWorkerThreadHibernation", Partial, 144, ... , Partial, 144, ... 02951 168 NtTestAlert ... ) == 0x0 02952 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02953 168 NtContinue (103808304, 1, ... 02954 484 NtClose (668, ... 02955 168 NtRegisterThreadTerminatePort (24, ... 02954 484 NtClose ... ) == 0x0 02955 168 NtRegisterThreadTerminatePort ... ) == 0x0 02956 484 NtQueryValueKey (96, (96, "DisableReadRange", Partial, 144, ... , Partial, 144, ... 02957 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58049, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0(\3\0\0\4\5\0\0" ... ... 02958 168 NtWaitForSingleObject (212, 0, 0x0, ... 02957 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58050, 0} ... {28, 56, reply, 0, 808, 1516, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0(\3\0\0\4\5\0\0" ) ) == 0x0 02959 1516 NtResumeThread (664, ... 1, ) == 0x0 02960 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 104857600, 1048576, ) == 0x0 02961 1516 NtAllocateVirtualMemory (-1, 105897984, 0, 8192, 4096, 4, ... 105897984, 8192, ) == 0x0 02962 1516 NtProtectVirtualMemory (-1, (0x64fe000), 4096, 260, ... (0x64fe000), 4096, 4, ) == 0x0 02963 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02956 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02964 1284 NtTestAlert (... 02965 484 NtQueryValueKey (96, (96, "SocketSendBufferLength", Partial, 144, ... , Partial, 144, ... 02964 1284 NtTestAlert ... ) == 0x0 02965 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02966 1284 NtContinue (104856880, 1, ... 02967 484 NtQueryValueKey (96, (96, "SocketReceiveBufferLength", Partial, 144, ... 
, Partial, 144, ... 02968 1284 NtRegisterThreadTerminatePort (24, ... 02967 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02968 1284 NtRegisterThreadTerminatePort ... ) == 0x0 02969 484 NtQueryValueKey (96, (96, "KeepAliveTimeout", Partial, 144, ... , Partial, 144, ... 02963 1516 NtCreateThread ... 668, {808, 1268}, ) == 0x0 02970 1284 NtWaitForSingleObject (212, 0, 0x0, ... 02971 1516 NtQueryInformationThread (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=808,Tid=1268,}, 0x0, ) == 0x0 02972 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58050, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0(\3\0\0\364\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0(\3\0\0\364\4\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58051, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0(\3\0\0\364\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0(\3\0\0\364\4\0\0" ) ) == 0x0 02973 1516 NtResumeThread (668, ... 1, ) == 0x0 02974 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 105906176, 1048576, ) == 0x0 02975 1516 NtAllocateVirtualMemory (-1, 106946560, 0, 8192, 4096, 4, ... 106946560, 8192, ) == 0x0 02969 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02976 1268 NtTestAlert (... 02977 484 NtQueryValueKey (96, (96, "MaxHttpRedirects", Partial, 144, ... , Partial, 144, ... 02976 1268 NtTestAlert ... ) == 0x0 02977 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02978 1268 NtContinue (105905456, 1, ... 02979 484 NtQueryValueKey (96, (96, "MaxConnectionsPerServer", Partial, 144, ... , Partial, 144, ... 02980 1268 NtRegisterThreadTerminatePort (24, ... 02979 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02980 1268 NtRegisterThreadTerminatePort ... 
) == 0x0 02981 484 NtQueryValueKey (96, (96, "MaxConnectionsPer1_0Server", Partial, 144, ... , Partial, 144, ... 02982 1516 NtProtectVirtualMemory (-1, (0x65fe000), 4096, 260, ... 02983 1268 NtWaitForSingleObject (212, 0, 0x0, ... 02982 1516 NtProtectVirtualMemory ... (0x65fe000), 4096, 4, ) == 0x0 02984 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {808, 840}, ) == 0x0 02985 1516 NtQueryInformationThread (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=808,Tid=840,}, 0x0, ) == 0x0 02986 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58051, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0(\3\0\0H\3\0\0" ... {28, 56, reply, 0, 808, 1516, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0(\3\0\0H\3\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58052, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0(\3\0\0H\3\0\0" ... {28, 56, reply, 0, 808, 1516, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0(\3\0\0H\3\0\0" ) ) == 0x0 02987 1516 NtResumeThread (672, ... 1, ) == 0x0 02988 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02981 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02989 840 NtTestAlert (... 02990 484 NtQueryValueKey (96, (96, "ServerInfoTimeout", Partial, 144, ... , Partial, 144, ... 02989 840 NtTestAlert ... ) == 0x0 02990 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02991 840 NtContinue (106954032, 1, ... 02992 484 NtQueryValueKey (96, (96, "ConnectTimeOut", Partial, 144, ... , Partial, 144, ... 02993 840 NtRegisterThreadTerminatePort (24, ... 02992 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02993 840 NtRegisterThreadTerminatePort ... ) == 0x0 02994 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 02988 1516 NtAllocateVirtualMemory ... 
106954752, 1048576, ) == 0x0 02995 840 NtWaitForSingleObject (212, 0, 0x0, ... 02996 1516 NtAllocateVirtualMemory (-1, 107995136, 0, 8192, 4096, 4, ... 107995136, 8192, ) == 0x0 02997 1516 NtProtectVirtualMemory (-1, (0x66fe000), 4096, 260, ... (0x66fe000), 4096, 4, ) == 0x0 02998 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {808, 1336}, ) == 0x0 02999 1516 NtQueryInformationThread (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=808,Tid=1336,}, 0x0, ) == 0x0 03000 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58052, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0(\3\0\08\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0(\3\0\08\5\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58053, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0(\3\0\08\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0(\3\0\08\5\0\0" ) ) == 0x0 02994 484 NtOpenKey ... 680, ) == 0x0 03001 484 NtQueryValueKey (680, (680, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03002 484 NtClose (680, ... ) == 0x0 03003 484 NtQueryValueKey (96, (96, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03004 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 680, ) }, ... 680, ) == 0x0 03005 484 NtQueryValueKey (680, (680, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03006 484 NtClose (680, ... 03007 1516 NtResumeThread (676, ... 1, ) == 0x0 03008 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 108003328, 1048576, ) == 0x0 03009 1516 NtAllocateVirtualMemory (-1, 109043712, 0, 8192, 4096, 4, ... 
109043712, 8192, ) == 0x0 03010 1516 NtProtectVirtualMemory (-1, (0x67fe000), 4096, 260, ... (0x67fe000), 4096, 4, ) == 0x0 03011 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {808, 1200}, ) == 0x0 03012 1516 NtQueryInformationThread (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=808,Tid=1200,}, 0x0, ) == 0x0 03006 484 NtClose ... ) == 0x0 03013 1336 NtTestAlert (... 03014 484 NtQueryValueKey (96, (96, "SendTimeOut", Partial, 144, ... , Partial, 144, ... 03013 1336 NtTestAlert ... ) == 0x0 03014 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03015 1336 NtContinue (108002608, 1, ... 03016 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03017 1336 NtRegisterThreadTerminatePort (24, ... 03016 484 NtOpenKey ... 680, ) == 0x0 03017 1336 NtRegisterThreadTerminatePort ... ) == 0x0 03018 484 NtQueryValueKey (680, (680, "SendTimeOut", Partial, 144, ... , Partial, 144, ... 03019 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58053, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0(\3\0\0\260\4\0\0" ... ... 03020 1336 NtWaitForSingleObject (212, 0, 0x0, ... 03019 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58054, 0} ... {28, 56, reply, 0, 808, 1516, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0(\3\0\0\260\4\0\0" ) ) == 0x0 03021 1516 NtResumeThread (684, ... 1, ) == 0x0 03022 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 109051904, 1048576, ) == 0x0 03023 1516 NtAllocateVirtualMemory (-1, 110092288, 0, 8192, 4096, 4, ... 110092288, 8192, ) == 0x0 03024 1516 NtProtectVirtualMemory (-1, (0x68fe000), 4096, 260, ... (0x68fe000), 4096, 4, ) == 0x0 03025 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03018 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03026 1200 NtTestAlert (... 03027 484 NtClose (680, ... 
03026 1200 NtTestAlert ... ) == 0x0 03027 484 NtClose ... ) == 0x0 03028 1200 NtContinue (109051184, 1, ... 03029 484 NtQueryValueKey (96, (96, "ReceiveTimeOut", Partial, 144, ... , Partial, 144, ... 03030 1200 NtRegisterThreadTerminatePort (24, ... 03029 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03030 1200 NtRegisterThreadTerminatePort ... ) == 0x0 03031 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03025 1516 NtCreateThread ... 680, {808, 1920}, ) == 0x0 03032 1200 NtWaitForSingleObject (212, 0, 0x0, ... 03033 1516 NtQueryInformationThread (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=808,Tid=1920,}, 0x0, ) == 0x0 03034 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58054, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0(\3\0\0\200\7\0\0" ... {28, 56, reply, 0, 808, 1516, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0(\3\0\0\200\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58055, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0(\3\0\0\200\7\0\0" ... {28, 56, reply, 0, 808, 1516, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0(\3\0\0\200\7\0\0" ) ) == 0x0 03035 1516 NtResumeThread (680, ... 1, ) == 0x0 03036 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 110100480, 1048576, ) == 0x0 03037 1516 NtAllocateVirtualMemory (-1, 111140864, 0, 8192, 4096, 4, ... 111140864, 8192, ) == 0x0 03031 484 NtOpenKey ... 688, ) == 0x0 03038 1920 NtTestAlert (... 03039 484 NtQueryValueKey (688, (688, "ReceiveTimeOut", Partial, 144, ... , Partial, 144, ... 03038 1920 NtTestAlert ... ) == 0x0 03039 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03040 1920 NtContinue (110099760, 1, ... 03041 484 NtClose (688, ... 03042 1920 NtRegisterThreadTerminatePort (24, ... 03041 484 NtClose ... 
) == 0x0 03042 1920 NtRegisterThreadTerminatePort ... ) == 0x0 03043 484 NtQueryValueKey (96, (96, "DisableNTLMPreAuth", Partial, 144, ... , Partial, 144, ... 03044 1516 NtProtectVirtualMemory (-1, (0x69fe000), 4096, 260, ... 03045 1920 NtWaitForSingleObject (212, 0, 0x0, ... 03044 1516 NtProtectVirtualMemory ... (0x69fe000), 4096, 4, ) == 0x0 03046 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {808, 896}, ) == 0x0 03047 1516 NtQueryInformationThread (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=808,Tid=896,}, 0x0, ) == 0x0 03048 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58055, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0(\3\0\0\200\3\0\0" ... {28, 56, reply, 0, 808, 1516, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0(\3\0\0\200\3\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58056, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0(\3\0\0\200\3\0\0" ... {28, 56, reply, 0, 808, 1516, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0(\3\0\0\200\3\0\0" ) ) == 0x0 03049 1516 NtResumeThread (688, ... 1, ) == 0x0 03050 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03043 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03051 896 NtTestAlert (... 03052 484 NtQueryValueKey (96, (96, "ScavengeCacheLowerBound", Partial, 144, ... , Partial, 144, ... 03051 896 NtTestAlert ... ) == 0x0 03052 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03053 896 NtContinue (111148336, 1, ... 03054 484 NtQueryValueKey (96, (96, "CertCacheNoValidate", Partial, 144, ... , Partial, 144, ... 03055 896 NtRegisterThreadTerminatePort (24, ... 03054 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03055 896 NtRegisterThreadTerminatePort ... ) == 0x0 03056 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ... 
03050 1516 NtAllocateVirtualMemory ... 111149056, 1048576, ) == 0x0 03057 896 NtWaitForSingleObject (212, 0, 0x0, ... 03058 1516 NtAllocateVirtualMemory (-1, 112189440, 0, 8192, 4096, 4, ... 112189440, 8192, ) == 0x0 03059 1516 NtProtectVirtualMemory (-1, (0x6afe000), 4096, 260, ... (0x6afe000), 4096, 4, ) == 0x0 03060 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {808, 2016}, ) == 0x0 03061 1516 NtQueryInformationThread (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=808,Tid=2016,}, 0x0, ) == 0x0 03062 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58056, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0(\3\0\0\340\7\0\0" ... {28, 56, reply, 0, 808, 1516, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0(\3\0\0\340\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58057, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0(\3\0\0\340\7\0\0" ... {28, 56, reply, 0, 808, 1516, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0(\3\0\0\340\7\0\0" ) ) == 0x0 03056 484 NtOpenKey ... 696, ) == 0x0 03063 484 NtQueryValueKey (696, (696, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03064 484 NtClose (696, ... ) == 0x0 03065 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03066 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03067 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03068 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ... 03069 1516 NtResumeThread (692, ... 1, ) == 0x0 03070 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 112197632, 1048576, ) == 0x0 03071 1516 NtAllocateVirtualMemory (-1, 113238016, 0, 8192, 4096, 4, ... 113238016, 8192, ) == 0x0 03072 1516 NtProtectVirtualMemory (-1, (0x6bfe000), 4096, 260, ... (0x6bfe000), 4096, 4, ) == 0x0 03073 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {808, 2012}, ) == 0x0 03074 1516 NtQueryInformationThread (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=808,Tid=2012,}, 0x0, ) == 0x0 03068 484 NtOpenKey ... 700, ) == 0x0 03075 2016 NtTestAlert (... 03076 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ... 03075 2016 NtTestAlert ... ) == 0x0 03076 484 NtOpenKey ... 704, ) == 0x0 03077 2016 NtContinue (112196912, 1, ... 03078 484 NtQueryValueKey (704, (704, "ScavengeCacheFileLimit", Partial, 144, ... , Partial, 144, ... 03079 2016 NtRegisterThreadTerminatePort (24, ... 03078 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03079 2016 NtRegisterThreadTerminatePort ... ) == 0x0 03080 484 NtQueryValueKey (700, (700, "ScavengeCacheFileLimit", Partial, 144, ... , Partial, 144, ... 03081 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58057, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0(\3\0\0\334\7\0\0" ... ... 03082 2016 NtWaitForSingleObject (212, 0, 0x0, ... 03081 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58058, 0} ... {28, 56, reply, 0, 808, 1516, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0(\3\0\0\334\7\0\0" ) ) == 0x0 03083 1516 NtResumeThread (696, ... 
1, ) == 0x0 03084 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 113246208, 1048576, ) == 0x0 03085 1516 NtAllocateVirtualMemory (-1, 114286592, 0, 8192, 4096, 4, ... 114286592, 8192, ) == 0x0 03086 1516 NtProtectVirtualMemory (-1, (0x6cfe000), 4096, 260, ... (0x6cfe000), 4096, 4, ) == 0x0 03087 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03080 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03088 2012 NtTestAlert (... 03089 484 NtClose (700, ... 03088 2012 NtTestAlert ... ) == 0x0 03089 484 NtClose ... ) == 0x0 03090 2012 NtContinue (113245488, 1, ... 03091 484 NtClose (704, ... 03092 2012 NtRegisterThreadTerminatePort (24, ... 03091 484 NtClose ... ) == 0x0 03092 2012 NtRegisterThreadTerminatePort ... ) == 0x0 03093 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03087 1516 NtCreateThread ... 704, {808, 1604}, ) == 0x0 03094 2012 NtWaitForSingleObject (212, 0, 0x0, ... 03095 1516 NtQueryInformationThread (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=808,Tid=1604,}, 0x0, ) == 0x0 03096 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58058, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0(\3\0\0D\6\0\0" ... {28, 56, reply, 0, 808, 1516, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0(\3\0\0D\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58059, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0(\3\0\0D\6\0\0" ... {28, 56, reply, 0, 808, 1516, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0(\3\0\0D\6\0\0" ) ) == 0x0 03097 1516 NtResumeThread (704, ... 1, ) == 0x0 03098 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 114294784, 1048576, ) == 0x0 03099 1516 NtAllocateVirtualMemory (-1, 115335168, 0, 8192, 4096, 4, ... 115335168, 8192, ) == 0x0 03093 484 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03100 1604 NtTestAlert (... 03101 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03100 1604 NtTestAlert ... ) == 0x0 03101 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03102 1604 NtContinue (114294064, 1, ... 03103 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03104 1604 NtRegisterThreadTerminatePort (24, ... 03103 484 NtOpenKey ... 700, ) == 0x0 03104 1604 NtRegisterThreadTerminatePort ... ) == 0x0 03105 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03106 1516 NtProtectVirtualMemory (-1, (0x6dfe000), 4096, 260, ... 03107 1604 NtWaitForSingleObject (212, 0, 0x0, ... 03106 1516 NtProtectVirtualMemory ... (0x6dfe000), 4096, 4, ) == 0x0 03108 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {808, 1572}, ) == 0x0 03109 1516 NtQueryInformationThread (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=808,Tid=1572,}, 0x0, ) == 0x0 03110 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58059, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0(\3\0\0$\6\0\0" ... {28, 56, reply, 0, 808, 1516, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0(\3\0\0$\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58060, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0(\3\0\0$\6\0\0" ... {28, 56, reply, 0, 808, 1516, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0(\3\0\0$\6\0\0" ) ) == 0x0 03111 1516 NtResumeThread (708, ... 1, ) == 0x0 03112 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03105 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03113 1572 NtTestAlert (... 
03114 484 NtOpenKey (0x1, {24, 700, 0x40, 0, 0, (0x1, {24, 700, 0x40, 0, 0, "FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289"}, ... }, ... 03113 1572 NtTestAlert ... ) == 0x0 03114 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03115 1572 NtContinue (115342640, 1, ... 03116 484 NtClose (700, ... 03117 1572 NtRegisterThreadTerminatePort (24, ... 03116 484 NtClose ... ) == 0x0 03117 1572 NtRegisterThreadTerminatePort ... ) == 0x0 03118 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03112 1516 NtAllocateVirtualMemory ... 115343360, 1048576, ) == 0x0 03119 1572 NtWaitForSingleObject (212, 0, 0x0, ... 03120 1516 NtAllocateVirtualMemory (-1, 116383744, 0, 8192, 4096, 4, ... 116383744, 8192, ) == 0x0 03121 1516 NtProtectVirtualMemory (-1, (0x6efe000), 4096, 260, ... (0x6efe000), 4096, 4, ) == 0x0 03122 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {808, 596}, ) == 0x0 03123 1516 NtQueryInformationThread (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=808,Tid=596,}, 0x0, ) == 0x0 03124 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58060, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0(\3\0\0T\2\0\0" ... {28, 56, reply, 0, 808, 1516, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0(\3\0\0T\2\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58061, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0(\3\0\0T\2\0\0" ... {28, 56, reply, 0, 808, 1516, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0(\3\0\0T\2\0\0" ) ) == 0x0 03118 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03125 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03126 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 712, ) }, ... 712, ) == 0x0 03127 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03128 484 NtOpenKey (0x1, {24, 712, 0x40, 0, 0, (0x1, {24, 712, 0x40, 0, 0, "FEATURE_USE_CNAME_FOR_SPN_KB911149"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03129 484 NtClose (712, ... ) == 0x0 03130 484 NtQueryValueKey (96, (96, "HttpDefaultExpiryTimeSecs", Partial, 144, ... , Partial, 144, ... 03131 1516 NtResumeThread (700, ... 1, ) == 0x0 03132 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 116391936, 1048576, ) == 0x0 03133 1516 NtAllocateVirtualMemory (-1, 117432320, 0, 8192, 4096, 4, ... 117432320, 8192, ) == 0x0 03134 1516 NtProtectVirtualMemory (-1, (0x6ffe000), 4096, 260, ... (0x6ffe000), 4096, 4, ) == 0x0 03135 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {808, 376}, ) == 0x0 03136 1516 NtQueryInformationThread (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=808,Tid=376,}, 0x0, ) == 0x0 03130 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03137 596 NtTestAlert (... 03138 484 NtQueryValueKey (96, (96, "FtpDefaultExpiryTimeSecs", Partial, 144, ... , Partial, 144, ... 03137 596 NtTestAlert ... ) == 0x0 03138 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03139 596 NtContinue (116391216, 1, ... 03140 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03141 596 NtRegisterThreadTerminatePort (24, ... 03140 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03141 596 NtRegisterThreadTerminatePort ... 
) == 0x0 03142 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03143 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58061, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0(\3\0\0x\1\0\0" ... ... 03144 596 NtWaitForSingleObject (212, 0, 0x0, ... 03143 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58062, 0} ... {28, 56, reply, 0, 808, 1516, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0(\3\0\0x\1\0\0" ) ) == 0x0 03145 1516 NtResumeThread (712, ... 1, ) == 0x0 03146 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 117440512, 1048576, ) == 0x0 03147 1516 NtAllocateVirtualMemory (-1, 118480896, 0, 8192, 4096, 4, ... 118480896, 8192, ) == 0x0 03148 1516 NtProtectVirtualMemory (-1, (0x70fe000), 4096, 260, ... (0x70fe000), 4096, 4, ) == 0x0 03149 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03142 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03150 376 NtTestAlert (... 03151 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03150 376 NtTestAlert ... ) == 0x0 03151 484 NtOpenKey ... 716, ) == 0x0 03152 376 NtContinue (117439792, 1, ... 03153 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03154 376 NtRegisterThreadTerminatePort (24, ... 03153 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03154 376 NtRegisterThreadTerminatePort ... ) == 0x0 03155 484 NtOpenKey (0x1, {24, 716, 0x40, 0, 0, (0x1, {24, 716, 0x40, 0, 0, "FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274"}, ... }, ... 03149 1516 NtCreateThread ... 720, {808, 1168}, ) == 0x0 03156 376 NtWaitForSingleObject (212, 0, 0x0, ... 03157 1516 NtQueryInformationThread (720, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=808,Tid=1168,}, 0x0, ) == 0x0 03158 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58062, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0(\3\0\0\220\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0(\3\0\0\220\4\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58063, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0(\3\0\0\220\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0(\3\0\0\220\4\0\0" ) ) == 0x0 03159 1516 NtResumeThread (720, ... 1, ) == 0x0 03160 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 118489088, 1048576, ) == 0x0 03161 1516 NtAllocateVirtualMemory (-1, 119529472, 0, 8192, 4096, 4, ... 119529472, 8192, ) == 0x0 03155 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03162 1168 NtTestAlert (... 03163 484 NtClose (716, ... 03162 1168 NtTestAlert ... ) == 0x0 03163 484 NtClose ... ) == 0x0 03164 1168 NtContinue (118488368, 1, ... 03165 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03166 1168 NtRegisterThreadTerminatePort (24, ... 03165 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03166 1168 NtRegisterThreadTerminatePort ... ) == 0x0 03167 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03168 1516 NtProtectVirtualMemory (-1, (0x71fe000), 4096, 260, ... 03169 1168 NtWaitForSingleObject (212, 0, 0x0, ... 03168 1516 NtProtectVirtualMemory ... (0x71fe000), 4096, 4, ) == 0x0 03170 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {808, 428}, ) == 0x0 03171 1516 NtQueryInformationThread (716, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=808,Tid=428,}, 0x0, ) == 0x0 03172 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58063, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0(\3\0\0\254\1\0\0" ... {28, 56, reply, 0, 808, 1516, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0(\3\0\0\254\1\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58064, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0(\3\0\0\254\1\0\0" ... {28, 56, reply, 0, 808, 1516, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0(\3\0\0\254\1\0\0" ) ) == 0x0 03173 1516 NtResumeThread (716, ... 1, ) == 0x0 03174 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03167 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03175 428 NtTestAlert (... 03176 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03175 428 NtTestAlert ... ) == 0x0 03176 484 NtOpenKey ... 724, ) == 0x0 03177 428 NtContinue (119536944, 1, ... 03178 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03179 428 NtRegisterThreadTerminatePort (24, ... 03178 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03179 428 NtRegisterThreadTerminatePort ... ) == 0x0 03180 484 NtOpenKey (0x1, {24, 724, 0x40, 0, 0, (0x1, {24, 724, 0x40, 0, 0, "FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"}, ... }, ... 03174 1516 NtAllocateVirtualMemory ... 119537664, 1048576, ) == 0x0 03181 428 NtWaitForSingleObject (212, 0, 0x0, ... 03182 1516 NtAllocateVirtualMemory (-1, 120578048, 0, 8192, 4096, 4, ... 120578048, 8192, ) == 0x0 03183 1516 NtProtectVirtualMemory (-1, (0x72fe000), 4096, 260, ... (0x72fe000), 4096, 4, ) == 0x0 03184 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
728, {808, 1344}, ) == 0x0 03185 1516 NtQueryInformationThread (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=808,Tid=1344,}, 0x0, ) == 0x0 03186 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58064, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0(\3\0\0@\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0(\3\0\0@\5\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58065, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0(\3\0\0@\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0(\3\0\0@\5\0\0" ) ) == 0x0 03180 484 NtOpenKey ... 732, ) == 0x0 03187 484 NtQueryValueKey (732, (732, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03188 484 NtQueryValueKey (732, (732, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03189 484 NtClose (732, ... ) == 0x0 03190 484 NtClose (724, ... ) == 0x0 03191 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03192 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03193 1516 NtResumeThread (728, ... 1, ) == 0x0 03194 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 120586240, 1048576, ) == 0x0 03195 1516 NtAllocateVirtualMemory (-1, 121626624, 0, 8192, 4096, 4, ... 121626624, 8192, ) == 0x0 03196 1516 NtProtectVirtualMemory (-1, (0x73fe000), 4096, 260, ... (0x73fe000), 4096, 4, ) == 0x0 03197 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {808, 1300}, ) == 0x0 03198 1516 NtQueryInformationThread (724, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=808,Tid=1300,}, 0x0, ) == 0x0 03192 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03199 1344 NtTestAlert (... 03200 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03199 1344 NtTestAlert ... ) == 0x0 03200 484 NtOpenKey ... 732, ) == 0x0 03201 1344 NtContinue (120585520, 1, ... 03202 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03203 1344 NtRegisterThreadTerminatePort (24, ... 03202 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03203 1344 NtRegisterThreadTerminatePort ... ) == 0x0 03204 484 NtOpenKey (0x1, {24, 732, 0x40, 0, 0, (0x1, {24, 732, 0x40, 0, 0, "FEATURE_DIGEST_NO_EXTRAS_IN_URI"}, ... }, ... 03205 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58065, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0(\3\0\0\24\5\0\0" ... ... 03206 1344 NtWaitForSingleObject (212, 0, 0x0, ... 03205 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58066, 0} ... {28, 56, reply, 0, 808, 1516, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0(\3\0\0\24\5\0\0" ) ) == 0x0 03207 1516 NtResumeThread (724, ... 1, ) == 0x0 03208 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 121634816, 1048576, ) == 0x0 03209 1516 NtAllocateVirtualMemory (-1, 122675200, 0, 8192, 4096, 4, ... 122675200, 8192, ) == 0x0 03210 1516 NtProtectVirtualMemory (-1, (0x74fe000), 4096, 260, ... (0x74fe000), 4096, 4, ) == 0x0 03211 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03204 484 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03212 1300 NtAllocateVirtualMemory (-1, 8814592, 0, 4096, 4096, 4, ... 03213 484 NtClose (732, ... 03212 1300 NtAllocateVirtualMemory ... 8814592, 4096, ) == 0x0 03213 484 NtClose ... ) == 0x0 03214 1300 NtTestAlert (... 
03215 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03214 1300 NtTestAlert ... ) == 0x0 03215 484 NtOpenKey ... 732, ) == 0x0 03216 1300 NtContinue (121634096, 1, ... 03217 484 NtQueryValueKey (732, (732, "DisableCachingOfSSLPages", Partial, 144, ... , Partial, 144, ... 03211 1516 NtCreateThread ... 736, {808, 1096}, ) == 0x0 03218 1300 NtRegisterThreadTerminatePort (24, ... 03219 1516 NtQueryInformationThread (736, Basic, 28, ... 03218 1300 NtRegisterThreadTerminatePort ... ) == 0x0 03219 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=808,Tid=1096,}, 0x0, ) == 0x0 03220 1300 NtWaitForSingleObject (212, 0, 0x0, ... 03221 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58066, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0(\3\0\0H\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0(\3\0\0H\4\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58067, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0(\3\0\0H\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0(\3\0\0H\4\0\0" ) ) == 0x0 03222 1516 NtResumeThread (736, ... 1, ) == 0x0 03223 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 122683392, 1048576, ) == 0x0 03224 1516 NtAllocateVirtualMemory (-1, 123723776, 0, 8192, 4096, 4, ... 123723776, 8192, ) == 0x0 03217 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03225 1096 NtTestAlert (... 03226 484 NtClose (732, ... 03225 1096 NtTestAlert ... ) == 0x0 03226 484 NtClose ... ) == 0x0 03227 1096 NtContinue (122682672, 1, ... 03228 484 NtQueryValueKey (96, (96, "PerUserCookies", Partial, 144, ... , Partial, 144, ... 03229 1096 NtRegisterThreadTerminatePort (24, ... 03228 484 NtQueryValueKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03229 1096 NtRegisterThreadTerminatePort ... ) == 0x0 03230 484 NtQueryValueKey (96, (96, "LeashLegacyCookies", Partial, 144, ... , Partial, 144, ... 03231 1516 NtProtectVirtualMemory (-1, (0x75fe000), 4096, 260, ... 03232 1096 NtWaitForSingleObject (212, 0, 0x0, ... 03231 1516 NtProtectVirtualMemory ... (0x75fe000), 4096, 4, ) == 0x0 03233 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {808, 252}, ) == 0x0 03234 1516 NtQueryInformationThread (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=808,Tid=252,}, 0x0, ) == 0x0 03235 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58067, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0(\3\0\0\374\0\0\0" ... {28, 56, reply, 0, 808, 1516, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0(\3\0\0\374\0\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58068, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0(\3\0\0\374\0\0\0" ... {28, 56, reply, 0, 808, 1516, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0(\3\0\0\374\0\0\0" ) ) == 0x0 03236 1516 NtResumeThread (732, ... 1, ) == 0x0 03237 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03230 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03238 252 NtTestAlert (... 03239 484 NtQueryValueKey (96, (96, "DisableNT4RasCheck", Partial, 144, ... , Partial, 144, ... 03238 252 NtTestAlert ... ) == 0x0 03239 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03240 252 NtContinue (123731248, 1, ... 03241 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03242 252 NtRegisterThreadTerminatePort (24, ... 03241 484 NtOpenKey ... 740, ) == 0x0 03242 252 NtRegisterThreadTerminatePort ... ) == 0x0 03243 484 NtQueryValueKey (740, (740, "DialupUseLanSettings", Partial, 144, ... , Partial, 144, ... 
03237 1516 NtAllocateVirtualMemory ... 123731968, 1048576, ) == 0x0 03244 252 NtWaitForSingleObject (212, 0, 0x0, ... 03245 1516 NtAllocateVirtualMemory (-1, 124772352, 0, 8192, 4096, 4, ... 124772352, 8192, ) == 0x0 03246 1516 NtProtectVirtualMemory (-1, (0x76fe000), 4096, 260, ... (0x76fe000), 4096, 4, ) == 0x0 03247 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {808, 500}, ) == 0x0 03248 1516 NtQueryInformationThread (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=808,Tid=500,}, 0x0, ) == 0x0 03249 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58068, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0(\3\0\0\364\1\0\0" ... {28, 56, reply, 0, 808, 1516, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0(\3\0\0\364\1\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58069, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0(\3\0\0\364\1\0\0" ... {28, 56, reply, 0, 808, 1516, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0(\3\0\0\364\1\0\0" ) ) == 0x0 03243 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03250 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 748, ) }, ... 748, ) == 0x0 03251 484 NtQueryValueKey (748, (748, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03252 484 NtClose (740, ... ) == 0x0 03253 484 NtClose (748, ... ) == 0x0 03254 484 NtQueryValueKey (96, (96, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03255 484 NtQueryValueKey (96, (96, "BypassFtpTimeCheck", Partial, 144, ... , Partial, 144, ... 03256 1516 NtResumeThread (744, ... 1, ) == 0x0 03257 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 124780544, 1048576, ) == 0x0 03258 1516 NtAllocateVirtualMemory (-1, 125820928, 0, 8192, 4096, 4, ... 
125820928, 8192, ) == 0x0 03259 1516 NtProtectVirtualMemory (-1, (0x77fe000), 4096, 260, ... (0x77fe000), 4096, 4, ) == 0x0 03260 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 748, {808, 1132}, ) == 0x0 03261 1516 NtQueryInformationThread (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=808,Tid=1132,}, 0x0, ) == 0x0 03255 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03262 500 NtTestAlert (... 03263 484 NtQueryValueKey (96, (96, "ReleaseSocketDuringAuth", Partial, 144, ... , Partial, 144, ... 03262 500 NtTestAlert ... ) == 0x0 03263 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03264 500 NtContinue (124779824, 1, ... 03265 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03266 500 NtRegisterThreadTerminatePort (24, ... 03265 484 NtOpenKey ... 740, ) == 0x0 03266 500 NtRegisterThreadTerminatePort ... ) == 0x0 03267 484 NtQueryValueKey (740, (740, "ReleaseSocketDuring401Auth", Partial, 144, ... , Partial, 144, ... 03268 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58069, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0(\3\0\0l\4\0\0" ... ... 03269 500 NtWaitForSingleObject (212, 0, 0x0, ... 03268 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58070, 0} ... {28, 56, reply, 0, 808, 1516, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0(\3\0\0l\4\0\0" ) ) == 0x0 03270 1516 NtResumeThread (748, ... 1, ) == 0x0 03271 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 125829120, 1048576, ) == 0x0 03272 1516 NtAllocateVirtualMemory (-1, 126869504, 0, 8192, 4096, 4, ... 126869504, 8192, ) == 0x0 03273 1516 NtProtectVirtualMemory (-1, (0x78fe000), 4096, 260, ... (0x78fe000), 4096, 4, ) == 0x0 03274 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03267 484 NtQueryValueKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03275 1132 NtTestAlert (... 03276 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03275 1132 NtTestAlert ... ) == 0x0 03276 484 NtOpenKey ... 752, ) == 0x0 03277 1132 NtContinue (125828400, 1, ... 03278 484 NtQueryValueKey (752, (752, "ReleaseSocketDuring401Auth", Partial, 144, ... , Partial, 144, ... 03279 1132 NtRegisterThreadTerminatePort (24, ... 03278 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03279 1132 NtRegisterThreadTerminatePort ... ) == 0x0 03280 484 NtClose (740, ... 03274 1516 NtCreateThread ... 756, {808, 1024}, ) == 0x0 03281 1132 NtWaitForSingleObject (212, 0, 0x0, ... 03282 1516 NtQueryInformationThread (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=808,Tid=1024,}, 0x0, ) == 0x0 03283 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58070, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0(\3\0\0\0\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0(\3\0\0\0\4\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58071, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0(\3\0\0\0\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0(\3\0\0\0\4\0\0" ) ) == 0x0 03284 1516 NtResumeThread (756, ... 1, ) == 0x0 03285 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 126877696, 1048576, ) == 0x0 03286 1516 NtAllocateVirtualMemory (-1, 127918080, 0, 8192, 4096, 4, ... 127918080, 8192, ) == 0x0 03280 484 NtClose ... ) == 0x0 03287 1024 NtTestAlert (... 03288 484 NtClose (752, ... 03287 1024 NtTestAlert ... ) == 0x0 03288 484 NtClose ... ) == 0x0 03289 1024 NtContinue (126876976, 1, ... 03290 484 NtQueryValueKey (96, (96, "WpadSearchAllDomains", Partial, 144, ... , Partial, 144, ... 
03291 1024 NtRegisterThreadTerminatePort (24, ... 03290 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03291 1024 NtRegisterThreadTerminatePort ... ) == 0x0 03292 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03293 1516 NtProtectVirtualMemory (-1, (0x79fe000), 4096, 260, ... 03294 1024 NtWaitForSingleObject (212, 0, 0x0, ... 03293 1516 NtProtectVirtualMemory ... (0x79fe000), 4096, 4, ) == 0x0 03295 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {808, 948}, ) == 0x0 03296 1516 NtQueryInformationThread (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=808,Tid=948,}, 0x0, ) == 0x0 03297 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58071, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0(\3\0\0\264\3\0\0" ... {28, 56, reply, 0, 808, 1516, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0(\3\0\0\264\3\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58072, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0(\3\0\0\264\3\0\0" ... {28, 56, reply, 0, 808, 1516, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0(\3\0\0\264\3\0\0" ) ) == 0x0 03298 1516 NtResumeThread (752, ... 1, ) == 0x0 03299 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03292 484 NtOpenKey ... 740, ) == 0x0 03300 948 NtTestAlert (... 03301 484 NtQueryValueKey (740, (740, "DisableLegacyPreAuthAsServer", Partial, 144, ... , Partial, 144, ... 03300 948 NtTestAlert ... ) == 0x0 03301 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03302 948 NtContinue (127925552, 1, ... 03303 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03304 948 NtRegisterThreadTerminatePort (24, ... 03303 484 NtOpenKey ... 760, ) == 0x0 03304 948 NtRegisterThreadTerminatePort ... 
) == 0x0 03305 484 NtQueryValueKey (760, (760, "DisableLegacyPreAuthAsServer", Partial, 144, ... , Partial, 144, ... 03299 1516 NtAllocateVirtualMemory ... 127926272, 1048576, ) == 0x0 03306 948 NtWaitForSingleObject (212, 0, 0x0, ... 03307 1516 NtAllocateVirtualMemory (-1, 128966656, 0, 8192, 4096, 4, ... 128966656, 8192, ) == 0x0 03308 1516 NtProtectVirtualMemory (-1, (0x7afe000), 4096, 260, ... (0x7afe000), 4096, 4, ) == 0x0 03309 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 764, {808, 1388}, ) == 0x0 03310 1516 NtQueryInformationThread (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=808,Tid=1388,}, 0x0, ) == 0x0 03311 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58072, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0(\3\0\0l\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0(\3\0\0l\5\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58073, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0(\3\0\0l\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0(\3\0\0l\5\0\0" ) ) == 0x0 03305 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03312 484 NtClose (740, ... ) == 0x0 03313 484 NtClose (760, ... ) == 0x0 03314 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 760, ) }, ... 760, ) == 0x0 03315 484 NtQueryValueKey (760, (760, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03316 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 740, ) }, ... 740, ) == 0x0 03317 484 NtQueryValueKey (740, (740, "BypassHTTPNoCacheCheck", Partial, 144, ... , Partial, 144, ... 03318 1516 NtResumeThread (764, ... 
1, ) == 0x0 03319 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 128974848, 1048576, ) == 0x0 03320 1516 NtAllocateVirtualMemory (-1, 130015232, 0, 8192, 4096, 4, ... 130015232, 8192, ) == 0x0 03321 1516 NtProtectVirtualMemory (-1, (0x7bfe000), 4096, 260, ... (0x7bfe000), 4096, 4, ) == 0x0 03322 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 768, {808, 520}, ) == 0x0 03323 1516 NtQueryInformationThread (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=808,Tid=520,}, 0x0, ) == 0x0 03317 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03324 1388 NtTestAlert (... 03325 484 NtClose (760, ... 03324 1388 NtTestAlert ... ) == 0x0 03325 484 NtClose ... ) == 0x0 03326 1388 NtContinue (128974128, 1, ... 03327 484 NtClose (740, ... 03328 1388 NtRegisterThreadTerminatePort (24, ... 03327 484 NtClose ... ) == 0x0 03328 1388 NtRegisterThreadTerminatePort ... ) == 0x0 03329 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03330 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58073, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0(\3\0\0\10\2\0\0" ... ... 03331 1388 NtWaitForSingleObject (212, 0, 0x0, ... 03330 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58074, 0} ... {28, 56, reply, 0, 808, 1516, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0(\3\0\0\10\2\0\0" ) ) == 0x0 03332 1516 NtResumeThread (768, ... 1, ) == 0x0 03333 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 130023424, 1048576, ) == 0x0 03334 1516 NtAllocateVirtualMemory (-1, 131063808, 0, 8192, 4096, 4, ... 131063808, 8192, ) == 0x0 03335 1516 NtProtectVirtualMemory (-1, (0x7cfe000), 4096, 260, ... (0x7cfe000), 4096, 4, ) == 0x0 03336 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03329 484 NtOpenKey ... 740, ) == 0x0 03337 520 NtTestAlert (... 
03338 484 NtQueryValueKey (740, (740, "BypassSSLNoCacheCheck", Partial, 144, ... , Partial, 144, ... 03337 520 NtTestAlert ... ) == 0x0 03338 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03339 520 NtContinue (130022704, 1, ... 03340 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03341 520 NtRegisterThreadTerminatePort (24, ... 03340 484 NtOpenKey ... 760, ) == 0x0 03341 520 NtRegisterThreadTerminatePort ... ) == 0x0 03342 484 NtQueryValueKey (760, (760, "BypassSSLNoCacheCheck", Partial, 144, ... , Partial, 144, ... 03336 1516 NtCreateThread ... 772, {808, 276}, ) == 0x0 03343 520 NtWaitForSingleObject (212, 0, 0x0, ... 03344 1516 NtQueryInformationThread (772, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=808,Tid=276,}, 0x0, ) == 0x0 03345 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58074, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0(\3\0\0\24\1\0\0" ... {28, 56, reply, 0, 808, 1516, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0(\3\0\0\24\1\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58075, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0(\3\0\0\24\1\0\0" ... {28, 56, reply, 0, 808, 1516, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0(\3\0\0\24\1\0\0" ) ) == 0x0 03346 1516 NtResumeThread (772, ... 1, ) == 0x0 03347 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 131072000, 1048576, ) == 0x0 03348 1516 NtAllocateVirtualMemory (-1, 132112384, 0, 8192, 4096, 4, ... 132112384, 8192, ) == 0x0 03342 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03349 276 NtTestAlert (... 03350 484 NtClose (740, ... 03349 276 NtTestAlert ... ) == 0x0 03350 484 NtClose ... ) == 0x0 03351 276 NtContinue (131071280, 1, ... 03352 484 NtClose (760, ... 03353 276 NtRegisterThreadTerminatePort (24, ... 03352 484 NtClose ... 
) == 0x0 03353 276 NtRegisterThreadTerminatePort ... ) == 0x0 03354 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03355 1516 NtProtectVirtualMemory (-1, (0x7dfe000), 4096, 260, ... 03356 276 NtWaitForSingleObject (212, 0, 0x0, ... 03355 1516 NtProtectVirtualMemory ... (0x7dfe000), 4096, 4, ) == 0x0 03357 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {808, 996}, ) == 0x0 03358 1516 NtQueryInformationThread (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=808,Tid=996,}, 0x0, ) == 0x0 03359 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58075, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0(\3\0\0\344\3\0\0" ... {28, 56, reply, 0, 808, 1516, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0(\3\0\0\344\3\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58076, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0(\3\0\0\344\3\0\0" ... {28, 56, reply, 0, 808, 1516, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0(\3\0\0\344\3\0\0" ) ) == 0x0 03360 1516 NtResumeThread (760, ... 1, ) == 0x0 03361 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03354 484 NtOpenKey ... 740, ) == 0x0 03362 996 NtTestAlert (... 03363 484 NtQueryValueKey (740, (740, "EnableHttpTrace", Partial, 144, ... , Partial, 144, ... 03362 996 NtTestAlert ... ) == 0x0 03363 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03364 996 NtContinue (132119856, 1, ... 03365 484 NtClose (740, ... 03366 996 NtRegisterThreadTerminatePort (24, ... 03365 484 NtClose ... ) == 0x0 03366 996 NtRegisterThreadTerminatePort ... ) == 0x0 03367 484 NtOpenKey (0x1, {24, 100, 0x40, 0, 0, (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03361 1516 NtAllocateVirtualMemory ... 
132120576, 1048576, ) == 0x0 03368 996 NtWaitForSingleObject (212, 0, 0x0, ... 03369 1516 NtAllocateVirtualMemory (-1, 133160960, 0, 8192, 4096, 4, ... 133160960, 8192, ) == 0x0 03370 1516 NtProtectVirtualMemory (-1, (0x7efe000), 4096, 260, ... (0x7efe000), 4096, 4, ) == 0x0 03371 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {808, 1064}, ) == 0x0 03372 1516 NtQueryInformationThread (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=808,Tid=1064,}, 0x0, ) == 0x0 03373 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58076, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0(\3\0\0(\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0(\3\0\0(\4\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58077, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0(\3\0\0(\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0(\3\0\0(\4\0\0" ) ) == 0x0 03367 484 NtOpenKey ... 776, ) == 0x0 03374 484 NtQueryValueKey (776, (776, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03375 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 780, ) }, ... 780, ) == 0x0 03376 484 NtQueryValueKey (780, (780, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03377 484 NtClose (776, ... ) == 0x0 03378 484 NtClose (780, ... ) == 0x0 03379 484 NtQueryValueKey (96, (96, "DontUseDNSLoadBalancing", Partial, 144, ... , Partial, 144, ... 03380 1516 NtResumeThread (740, ... 1, ) == 0x0 03381 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 133169152, 1048576, ) == 0x0 03382 1516 NtAllocateVirtualMemory (-1, 134209536, 0, 8192, 4096, 4, ... 
134209536, 8192, ) == 0x0 03383 1516 NtProtectVirtualMemory (-1, (0x7ffe000), 4096, 260, ... (0x7ffe000), 4096, 4, ) == 0x0 03384 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 780, {808, 1600}, ) == 0x0 03385 1516 NtQueryInformationThread (780, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=808,Tid=1600,}, 0x0, ) == 0x0 03379 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03386 1064 NtTestAlert (... 03387 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03386 1064 NtTestAlert ... ) == 0x0 03387 484 NtOpenKey ... 776, ) == 0x0 03388 1064 NtContinue (133168432, 1, ... 03389 484 NtQueryValueKey (776, (776, "DontUseDNSLoadBalancing", Partial, 144, ... , Partial, 144, ... 03390 1064 NtRegisterThreadTerminatePort (24, ... 03389 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03390 1064 NtRegisterThreadTerminatePort ... ) == 0x0 03391 484 NtClose (776, ... 03392 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58077, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0(\3\0\0@\6\0\0" ... ... 03393 1064 NtWaitForSingleObject (212, 0, 0x0, ... 03392 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58078, 0} ... {28, 56, reply, 0, 808, 1516, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0(\3\0\0@\6\0\0" ) ) == 0x0 03394 1516 NtResumeThread (780, ... 1, ) == 0x0 03395 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 134217728, 1048576, ) == 0x0 03396 1516 NtAllocateVirtualMemory (-1, 135258112, 0, 8192, 4096, 4, ... 135258112, 8192, ) == 0x0 03397 1516 NtProtectVirtualMemory (-1, (0x80fe000), 4096, 260, ... (0x80fe000), 4096, 4, ) == 0x0 03398 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03391 484 NtClose ... ) == 0x0 03399 1600 NtTestAlert (... 
03400 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03399 1600 NtTestAlert ... ) == 0x0 03400 484 NtOpenKey ... 776, ) == 0x0 03401 1600 NtContinue (134217008, 1, ... 03402 484 NtQueryValueKey (776, (776, "ShareCredsWithWinHttp", Partial, 144, ... , Partial, 144, ... 03403 1600 NtRegisterThreadTerminatePort (24, ... 03402 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03403 1600 NtRegisterThreadTerminatePort ... ) == 0x0 03404 484 NtClose (776, ... 03398 1516 NtCreateThread ... 784, {808, 1372}, ) == 0x0 03405 1600 NtWaitForSingleObject (212, 0, 0x0, ... 03406 1516 NtQueryInformationThread (784, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=808,Tid=1372,}, 0x0, ) == 0x0 03407 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58078, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0(\3\0\0\\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0(\3\0\0\\5\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58079, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0(\3\0\0\\5\0\0" ... {28, 56, reply, 0, 808, 1516, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0(\3\0\0\\5\0\0" ) ) == 0x0 03408 1516 NtResumeThread (784, ... 1, ) == 0x0 03409 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 135266304, 1048576, ) == 0x0 03410 1516 NtAllocateVirtualMemory (-1, 136306688, 0, 8192, 4096, 4, ... 136306688, 8192, ) == 0x0 03404 484 NtClose ... ) == 0x0 03411 1372 NtTestAlert (... 03412 484 NtQueryValueKey (96, (96, "MimeExclusionListForCache", Partial, 144, ... , Partial, 144, ... 03411 1372 NtTestAlert ... ) == 0x0 03412 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 03413 1372 NtContinue (135265584, 1, ... 03414 484 NtQueryValueKey (96, (96, "MimeExclusionListForCache", Partial, 144, ... , Partial, 144, ... 03415 1372 NtRegisterThreadTerminatePort (24, ... 03414 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 03415 1372 NtRegisterThreadTerminatePort ... ) == 0x0 03416 484 NtQueryValueKey (96, (96, "MimeExclusionListForCache", Partial, 144, ... , Partial, 144, ... 03417 1516 NtProtectVirtualMemory (-1, (0x81fe000), 4096, 260, ... 03418 1372 NtWaitForSingleObject (212, 0, 0x0, ... 03417 1516 NtProtectVirtualMemory ... (0x81fe000), 4096, 4, ) == 0x0 03419 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 776, {808, 2040}, ) == 0x0 03420 1516 NtQueryInformationThread (776, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=808,Tid=2040,}, 0x0, ) == 0x0 03421 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58079, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0(\3\0\0\370\7\0\0" ... {28, 56, reply, 0, 808, 1516, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0(\3\0\0\370\7\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58080, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0(\3\0\0\370\7\0\0" ... {28, 56, reply, 0, 808, 1516, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0(\3\0\0\370\7\0\0" ) ) == 0x0 03422 1516 NtResumeThread (776, ... 
1, ) == 0x0 03423 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03416 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 03424 2040 NtTestAlert (... 03425 484 NtQueryValueKey (96, (96, "MimeExclusionListForCache", Partial, 144, ... , Partial, 144, ... 03424 2040 NtTestAlert ... ) == 0x0 03425 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 03426 2040 NtContinue (136314160, 1, ... 03427 484 NtQueryValueKey (96, (96, "HeaderExclusionListForCache", Partial, 144, ... , Partial, 144, ... 03428 2040 NtRegisterThreadTerminatePort (24, ... 03427 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03428 2040 NtRegisterThreadTerminatePort ... ) == 0x0 03429 484 NtQueryValueKey (96, (96, "DnsCacheEnabled", Partial, 144, ... , Partial, 144, ... 03423 1516 NtAllocateVirtualMemory ... 136314880, 1048576, ) == 0x0 03430 2040 NtWaitForSingleObject (212, 0, 0x0, ... 03431 1516 NtAllocateVirtualMemory (-1, 137355264, 0, 8192, 4096, 4, ... 137355264, 8192, ) == 0x0 03432 1516 NtProtectVirtualMemory (-1, (0x82fe000), 4096, 260, ... (0x82fe000), 4096, 4, ) == 0x0 03433 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 788, {808, 216}, ) == 0x0 03434 1516 NtQueryInformationThread (788, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff43000,Pid=808,Tid=216,}, 0x0, ) == 0x0 03435 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58080, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0(\3\0\0\330\0\0\0" ... {28, 56, reply, 0, 808, 1516, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0(\3\0\0\330\0\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58081, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0(\3\0\0\330\0\0\0" ... {28, 56, reply, 0, 808, 1516, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0(\3\0\0\330\0\0\0" ) ) == 0x0 03429 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03436 484 NtQueryValueKey (96, (96, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03437 484 NtQueryValueKey (96, (96, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03438 484 NtQueryValueKey (96, (96, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (96, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03439 484 NtQueryValueKey (96, (96, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03440 484 NtQueryValueKey (96, (96, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03441 484 NtQueryValueKey (96, (96, "WarnOnBadCertSending", Partial, 144, ... , Partial, 144, ... 03442 1516 NtResumeThread (788, ... 1, ) == 0x0 03443 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 137363456, 1048576, ) == 0x0 03444 1516 NtAllocateVirtualMemory (-1, 138403840, 0, 8192, 4096, 4, ... 
138403840, 8192, ) == 0x0 03445 1516 NtProtectVirtualMemory (-1, (0x83fe000), 4096, 260, ... (0x83fe000), 4096, 4, ) == 0x0 03446 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 792, {808, 152}, ) == 0x0 03447 1516 NtQueryInformationThread (792, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff42000,Pid=808,Tid=152,}, 0x0, ) == 0x0 03441 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03448 216 NtTestAlert (... 03449 484 NtQueryValueKey (96, (96, "WarnOnBadCertRecving", Partial, 144, ... , Partial, 144, ... 03448 216 NtTestAlert ... ) == 0x0 03449 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03450 216 NtContinue (137362736, 1, ... 03451 484 NtQueryValueKey (96, (96, "WarnOnPostRedirect", Partial, 144, ... , Partial, 144, ... 03452 216 NtRegisterThreadTerminatePort (24, ... 03451 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03452 216 NtRegisterThreadTerminatePort ... ) == 0x0 03453 484 NtQueryValueKey (96, (96, "AlwaysDrainOnRedirect", Partial, 144, ... , Partial, 144, ... 03454 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58081, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0(\3\0\0\230\0\0\0" ... ... 03455 216 NtWaitForSingleObject (212, 0, 0x0, ... 03454 1516 NtRequestWaitReplyPort ... {28, 56, reply, 0, 808, 1516, 58082, 0} ... {28, 56, reply, 0, 808, 1516, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0(\3\0\0\230\0\0\0" ) ) == 0x0 03456 1516 NtResumeThread (792, ... 1, ) == 0x0 03457 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 138412032, 1048576, ) == 0x0 03458 1516 NtAllocateVirtualMemory (-1, 139452416, 0, 8192, 4096, 4, ... 139452416, 8192, ) == 0x0 03459 1516 NtProtectVirtualMemory (-1, (0x84fe000), 4096, 260, ... (0x84fe000), 4096, 4, ) == 0x0 03460 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03453 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03461 152 NtTestAlert (... 
03462 484 NtQueryValueKey (96, (96, "WarnOnHTTPSToHTTPRedirect", Partial, 144, ... , Partial, 144, ... 03461 152 NtTestAlert ... ) == 0x0 03462 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03463 152 NtContinue (138411312, 1, ... 03464 484 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\WininetStartupMutex"}, ... }, ... 03465 152 NtRegisterThreadTerminatePort (24, ... 03464 484 NtOpenMutant ... 796, ) == 0x0 03465 152 NtRegisterThreadTerminatePort ... ) == 0x0 03466 484 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 03460 1516 NtCreateThread ... 800, {808, 900}, ) == 0x0 03467 152 NtWaitForSingleObject (212, 0, 0x0, ... 03468 1516 NtQueryInformationThread (800, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff41000,Pid=808,Tid=900,}, 0x0, ) == 0x0 03469 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58082, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0(\3\0\0\204\3\0\0" ... {28, 56, reply, 0, 808, 1516, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0(\3\0\0\204\3\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58083, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0(\3\0\0\204\3\0\0" ... {28, 56, reply, 0, 808, 1516, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0(\3\0\0\204\3\0\0" ) ) == 0x0 03470 1516 NtResumeThread (800, ... 1, ) == 0x0 03471 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 139460608, 1048576, ) == 0x0 03472 1516 NtAllocateVirtualMemory (-1, 140500992, 0, 8192, 4096, 4, ... 140500992, 8192, ) == 0x0 03466 484 NtCreateEvent ... 804, ) == 0x0 03473 900 NtTestAlert (... 03474 484 NtQueryValueKey (96, (96, "GlobalUserOffline", Partial, 144, ... , Partial, 144, ... 03473 900 NtTestAlert ... ) == 0x0 03474 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03475 900 NtContinue (139459888, 1, ... 03476 484 NtWaitForSingleObject (324, 0, 0x0, ... 
03477 900 NtRegisterThreadTerminatePort (24, ... 03476 484 NtWaitForSingleObject ... ) == 0x0 03477 900 NtRegisterThreadTerminatePort ... ) == 0x0 03478 1516 NtProtectVirtualMemory (-1, (0x85fe000), 4096, 260, ... 03479 484 NtReleaseMutant (324, ... 03478 1516 NtProtectVirtualMemory ... (0x85fe000), 4096, 4, ) == 0x0 03479 484 NtReleaseMutant ... 0x0, ) == 0x0 03480 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03481 484 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\WininetConnectionMutex"}, ... }, ... 03480 1516 NtCreateThread ... 808, {808, 1272}, ) == 0x0 03481 484 NtOpenMutant ... 812, ) == 0x0 03482 1516 NtQueryInformationThread (808, Basic, 28, ... 03483 484 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\WininetProxyRegistryMutex"}, ... }, ... 03482 1516 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff40000,Pid=808,Tid=1272,}, 0x0, ) == 0x0 03483 484 NtOpenMutant ... 816, ) == 0x0 03484 900 NtWaitForSingleObject (212, 0, 0x0, ... 03485 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58083, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0(\3\0\0\370\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0(\3\0\0\370\4\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58084, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0(\3\0\0\370\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0(\3\0\0\370\4\0\0" ) ) == 0x0 03486 1516 NtResumeThread (808, ... 1, ) == 0x0 03487 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 140509184, 1048576, ) == 0x0 03488 1516 NtAllocateVirtualMemory (-1, 141549568, 0, 8192, 4096, 4, ... 141549568, 8192, ) == 0x0 03489 1516 NtProtectVirtualMemory (-1, (0x86fe000), 4096, 260, ... 
(0x86fe000), 4096, 4, ) == 0x0 03490 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03491 484 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 03492 1272 NtTestAlert (... 03491 484 NtCreateEvent ... 820, ) == 0x0 03492 1272 NtTestAlert ... ) == 0x0 03493 484 NtQueryValueKey (96, (96, "EnableAutodial", Partial, 144, ... , Partial, 144, ... 03494 1272 NtContinue (140508464, 1, ... 03493 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03495 1272 NtRegisterThreadTerminatePort (24, ... 03496 484 NtQueryValueKey (96, (96, "NoNetAutodial", Partial, 144, ... , Partial, 144, ... 03495 1272 NtRegisterThreadTerminatePort ... ) == 0x0 03496 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03490 1516 NtCreateThread ... 824, {808, 1240}, ) == 0x0 03497 1272 NtWaitForSingleObject (212, 0, 0x0, ... 03498 1516 NtQueryInformationThread (824, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3f000,Pid=808,Tid=1240,}, 0x0, ) == 0x0 03499 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58084, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0(\3\0\0\330\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0(\3\0\0\330\4\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58085, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0(\3\0\0\330\4\0\0" ... {28, 56, reply, 0, 808, 1516, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0(\3\0\0\330\4\0\0" ) ) == 0x0 03500 1516 NtResumeThread (824, ... 1, ) == 0x0 03501 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 141557760, 1048576, ) == 0x0 03502 1516 NtAllocateVirtualMemory (-1, 142598144, 0, 8192, 4096, 4, ... 142598144, 8192, ) == 0x0 03503 484 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 03504 1240 NtTestAlert (... 03503 484 NtCreateEvent ... 828, ) == 0x0 03504 1240 NtTestAlert ... 
) == 0x0 03505 484 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03506 1240 NtContinue (141557040, 1, ... 03505 484 NtOpenKey ... 832, ) == 0x0 03507 1240 NtRegisterThreadTerminatePort (24, ... 03508 484 NtQueryValueKey (832, (832, "UrlEncoding", Partial, 144, ... , Partial, 144, ... 03507 1240 NtRegisterThreadTerminatePort ... ) == 0x0 03508 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 03509 1516 NtProtectVirtualMemory (-1, (0x87fe000), 4096, 260, ... 03510 1240 NtWaitForSingleObject (212, 0, 0x0, ... 03509 1516 NtProtectVirtualMemory ... (0x87fe000), 4096, 4, ) == 0x0 03511 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 836, {808, 1776}, ) == 0x0 03512 1516 NtQueryInformationThread (836, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3e000,Pid=808,Tid=1776,}, 0x0, ) == 0x0 03513 1516 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 808, 1516, 58085, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0(\3\0\0\360\6\0\0" ... {28, 56, reply, 0, 808, 1516, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0(\3\0\0\360\6\0\0" ) ... {28, 56, reply, 0, 808, 1516, 58086, 0} (24, {28, 56, new_msg, 0, 808, 1516, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0(\3\0\0\360\6\0\0" ... {28, 56, reply, 0, 808, 1516, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0(\3\0\0\360\6\0\0" ) ) == 0x0 03514 1516 NtResumeThread (836, ... 1, ) == 0x0 03515 1516 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03516 484 NtQueryValueKey (832, (832, "UrlEncoding", Partial, 144, ... , Partial, 144, ... 03517 1776 NtTestAlert (... 03516 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 03517 1776 NtTestAlert ... ) == 0x0 03518 484 NtClose (832, ... 
03519 1776 NtContinue (142605616, 1, ... 03518 484 NtClose ... ) == 0x0 03520 1776 NtRegisterThreadTerminatePort (24, ... 03521 484 NtQueryValueKey (96, (96, "TruncateFileName", Partial, 144, ... , Partial, 144, ... 03520 1776 NtRegisterThreadTerminatePort ... ) == 0x0 03521 484 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03515 1516 NtAllocateVirtualMemory ... 142606336, 1048576, ) == 0x0 03522 1776 NtWaitForSingleObject (212, 0, 0x0, ... 03523 1516 NtAllocateVirtualMemory (-1, 143646720, 0, 8192, 4096, 4, ... 143646720, 8192, ) == 0x0 03524 1516 NtProtectVirtualMemory (-1, (0x88fe000), 4096, 260, ... (0x88fe000), 4096, 4, ) == 0x0 03525 1516 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 832, {808, 1324}, ) == 0x0 03526 1516 NtQueryInformationThread (832, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3d000,Pid=808,Tid=1324,}, 0x0, ) == 0x0 03527 484 NtQueryValueKey (96, (96, "BadProxyExpiresTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03528 484 NtSetEventBoostPriority (212, ... 01252 748 NtWaitForSingleObject ... ) == 0x0 03529 748 NtSetEventBoostPriority (212, ... 01259 1580 NtWaitForSingleObject ... ) == 0x0 03530 1580 NtSetEventBoostPriority (212, ... 01260 1756 NtWaitForSingleObject ... ) == 0x0 03531 1756 NtSetEventBoostPriority (212, ... 01263 1292 NtWaitForSingleObject ... ) == 0x0 03532 1292 NtSetEventBoostPriority (212, ... 01257 1956 NtWaitForSingleObject ... ) == 0x0 03533 1956 NtSetEventBoostPriority (212, ... 01370 1980 NtWaitForSingleObject ... ) == 0x0 03534 1980 NtSetEventBoostPriority (212, ... 01374 1784 NtWaitForSingleObject ... ) == 0x0 03535 1784 NtSetEventBoostPriority (212, ... 01377 1480 NtWaitForSingleObject ... ) == 0x0 03536 1480 NtSetEventBoostPriority (212, ... 01380 1556 NtWaitForSingleObject ... ) == 0x0 03537 1556 NtSetEventBoostPriority (212, ... 01439 1128 NtWaitForSingleObject ... ) == 0x0 03538 1128 NtSetEventBoostPriority (212, ... 
01447 1596 NtWaitForSingleObject ... ) == 0x0 03539 1596 NtSetEventBoostPriority (212, ... 01448 1856 NtWaitForSingleObject ... ) == 0x0 03540 1856 NtSetEventBoostPriority (212, ... 01449 1068 NtWaitForSingleObject ... ) == 0x0 03541 1068 NtSetEventBoostPriority (212, ... 01461 1256 NtWaitForSingleObject ... ) == 0x0 03542 1256 NtSetEventBoostPriority (212, ... 01459 460 NtWaitForSingleObject ... ) == 0x0 03543 460 NtSetEventBoostPriority (212, ... 01477 220 NtWaitForSingleObject ... ) == 0x0 03544 220 NtSetEventBoostPriority (212, ... 01509 1800 NtWaitForSingleObject ... ) == 0x0 03545 1800 NtSetEventBoostPriority (212, ... 01544 1796 NtWaitForSingleObject ... ) == 0x0 03546 1796 NtSetEventBoostPriority (212, ... 02039 1700 NtWaitForSingleObject ... ) == 0x0 03547 1700 NtSetEventBoostPriority (212, ... 02040 1808 NtWaitForSingleObject ... ) == 0x0 03548 1808 NtSetEventBoostPriority (212, ... 02179 164 NtWaitForSingleObject ... ) == 0x0 03549 164 NtSetEventBoostPriority (212, ... 02180 1420 NtWaitForSingleObject ... ) == 0x0 03550 1420 NtSetEventBoostPriority (212, ... 02181 1852 NtWaitForSingleObject ... ) == 0x0 03551 1852 NtSetEventBoostPriority (212, ... 02182 2000 NtWaitForSingleObject ... ) == 0x0 03552 2000 NtSetEventBoostPriority (212, ... 02183 764 NtWaitForSingleObject ... ) == 0x0 03553 764 NtSetEventBoostPriority (212, ... 02184 308 NtWaitForSingleObject ... ) == 0x0 03554 308 NtSetEventBoostPriority (212, ... 02185 968 NtWaitForSingleObject ... ) == 0x0 03555 968 NtSetEventBoostPriority (212, ... 02186 240 NtWaitForSingleObject ... ) == 0x0 03556 240 NtSetEventBoostPriority (212, ... 02187 2044 NtWaitForSingleObject ... ) == 0x0 03557 2044 NtSetEventBoostPriority (212, ... 02188 1944 NtWaitForSingleObject ... ) == 0x0 03558 1944 NtSetEventBoostPriority (212, ... 02189 1524 NtWaitForSingleObject ... ) == 0x0 03559 1524 NtSetEventBoostPriority (212, ... 02190 1896 NtWaitForSingleObject ... ) == 0x0 03560 1896 NtSetEventBoostPriority (212, ... 
02191 1864 NtWaitForSingleObject ... ) == 0x0 03561 1864 NtSetEventBoostPriority (212, ... 02192 1828 NtWaitForSingleObject ... ) == 0x0 03562 1828 NtSetEventBoostPriority (212, ... 02193 148 NtWaitForSingleObject ... ) == 0x0 03563 148 NtSetEventBoostPriority (212, ... 02194 1648 NtWaitForSingleObject ... ) == 0x0 03564 1648 NtSetEventBoostPriority (212, ... 02195 1936 NtWaitForSingleObject ... ) == 0x0 03565 1936 NtSetEventBoostPriority (212, ... 02196 1904 NtWaitForSingleObject ... ) == 0x0 03566 1904 NtSetEventBoostPriority (212, ... 02197 444 NtWaitForSingleObject ... ) == 0x0 03567 444 NtSetEventBoostPriority (212, ... 02198 1536 NtWaitForSingleObject ... ) == 0x0 03568 1536 NtSetEventBoostPriority (212, ... 02200 1356 NtWaitForSingleObject ... ) == 0x0 03569 1356 NtSetEventBoostPriority (212, ... 02202 1728 NtWaitForSingleObject ... ) == 0x0 03570 1728 NtSetEventBoostPriority (212, ... 02203 712 NtWaitForSingleObject ... ) == 0x0 03571 712 NtSetEventBoostPriority (212, ... 02205 1156 NtWaitForSingleObject ... ) == 0x0 03572 1156 NtSetEventBoostPriority (212, ... 02209 1564 NtWaitForSingleObject ... ) == 0x0 03573 1564 NtSetEventBoostPriority (212, ... 02219 1592 NtWaitForSingleObject ... ) == 0x0 03574 1592 NtSetEventBoostPriority (212, ... 02220 2032 NtWaitForSingleObject ... ) == 0x0 03575 2032 NtSetEventBoostPriority (212, ... 02232 1500 NtWaitForSingleObject ... ) == 0x0 03576 1500 NtSetEventBoostPriority (212, ... 02239 932 NtWaitForSingleObject ... ) == 0x0 03577 932 NtSetEventBoostPriority (212, ... 02248 1528 NtWaitForSingleObject ... ) == 0x0 03578 1528 NtSetEventBoostPriority (212, ... 02255 1780 NtWaitForSingleObject ... ) == 0x0 03579 1780 NtSetEventBoostPriority (212, ... 02260 1804 NtWaitForSingleObject ... ) == 0x0 03580 1804 NtSetEventBoostPriority (212, ... 02261 1644 NtWaitForSingleObject ... ) == 0x0 03581 1644 NtSetEventBoostPriority (212, ... 02286 336 NtWaitForSingleObject ... ) == 0x0 03582 336 NtSetEventBoostPriority (212, ... 
02308 800 NtWaitForSingleObject ... ) == 0x0 03583 800 NtSetEventBoostPriority (212, ... 02328 504 NtWaitForSingleObject ... ) == 0x0 03584 504 NtSetEventBoostPriority (212, ... 02359 888 NtWaitForSingleObject ... ) == 0x0 03585 888 NtSetEventBoostPriority (212, ... 02381 1392 NtWaitForSingleObject ... ) == 0x0 03586 1392 NtSetEventBoostPriority (212, ... 02405 2020 NtWaitForSingleObject ... ) == 0x0 03587 2020 NtSetEventBoostPriority (212, ... 02428 1676 NtWaitForSingleObject ... ) == 0x0 03588 1676 NtSetEventBoostPriority (212, ... 02461 496 NtWaitForSingleObject ... ) == 0x0 03589 496 NtSetEventBoostPriority (212, ... 02480 1020 NtWaitForSingleObject ... ) == 0x0 03590 1020 NtSetEventBoostPriority (212, ... 02508 432 NtWaitForSingleObject ... ) == 0x0 03591 432 NtSetEventBoostPriority (212, ... 02532 1332 NtWaitForSingleObject ... ) == 0x0 03592 1332 NtSetEventBoostPriority (212, ... 02563 1328 NtWaitForSingleObject ... ) == 0x0 03593 1328 NtSetEventBoostPriority (212, ... 02584 752 NtWaitForSingleObject ... ) == 0x0 03594 752 NtSetEventBoostPriority (212, ... 02614 120 NtWaitForSingleObject ... ) == 0x0 03595 120 NtSetEventBoostPriority (212, ... 02634 1732 NtWaitForSingleObject ... ) == 0x0 03596 1732 NtSetEventBoostPriority (212, ... 02662 188 NtWaitForSingleObject ... ) == 0x0 03597 188 NtSetEventBoostPriority (212, ... 02682 1636 NtWaitForSingleObject ... ) == 0x0 03598 1636 NtSetEventBoostPriority (212, ... 02717 624 NtWaitForSingleObject ... ) == 0x0 03599 624 NtSetEventBoostPriority (212, ... 02727 1948 NtWaitForSingleObject ... ) == 0x0 03600 1948 NtSetEventBoostPriority (212, ... 02758 988 NtWaitForSingleObject ... ) == 0x0 03601 988 NtSetEventBoostPriority (212, ... 02776 468 NtWaitForSingleObject ... ) == 0x0 03602 468 NtSetEventBoostPriority (212, ... 02802 380 NtWaitForSingleObject ... ) == 0x0 03603 380 NtSetEventBoostPriority (212, ... 02817 1692 NtWaitForSingleObject ... ) == 0x0 03604 1692 NtSetEventBoostPriority (212, ... 
02843 1792 NtWaitForSingleObject ... ) == 0x0 03605 1792 NtSetEventBoostPriority (212, ... 02855 784 NtWaitForSingleObject ... ) == 0x0 03606 784 NtSetEventBoostPriority (212, ... 02868 1520 NtWaitForSingleObject ... ) == 0x0 03607 1520 NtSetEventBoostPriority (212, ... 02879 1696 NtWaitForSingleObject ... ) == 0x0 03608 1696 NtSetEventBoostPriority (212, ... 02901 1744 NtWaitForSingleObject ... ) == 0x0 03609 1744 NtSetEventBoostPriority (212, ... 02913 1124 NtWaitForSingleObject ... ) == 0x0 03610 1124 NtSetEventBoostPriority (212, ... 02938 1496 NtWaitForSingleObject ... ) == 0x0 03611 1496 NtSetEventBoostPriority (212, ... 02958 168 NtWaitForSingleObject ... ) == 0x0 03612 168 NtSetEventBoostPriority (212, ... 02970 1284 NtWaitForSingleObject ... ) == 0x0 03613 1284 NtSetEventBoostPriority (212, ... 02983 1268 NtWaitForSingleObject ... ) == 0x0 03614 1268 NtSetEventBoostPriority (212, ... 02995 840 NtWaitForSingleObject ... ) == 0x0