Summary:


NtAdjustPrivilegesToken(>)  1 
NtOpenDirectoryObject(>)  2 
NtFsControlFile(>)  11 
NtCreateSection(>)  71 

NtCallbackReturn(>)  1 
NtOpenProcessTokenEx(>)  2 
NtQuerySection(>)  11 
NtTestAlert(>)  91 

NtDelayExecution(>)  1 
NtOpenThreadTokenEx(>)  2 
NtSetInformationThread(>)  11 
NtRegisterThreadTerminatePort(>)  94 

NtGdiCreateBitmap(>)  1 
NtQueryDefaultLocale(>)  2 
NtOpenThreadToken(>)  12 
NtOpenKey(>)  96 

NtGdiInit(>)  1 
NtSetInformationObject(>)  2 
NtSetInformationFile(>)  13 
NtMapViewOfSection(>)  98 

NtGdiQueryFontAssocInfo(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQueryDirectoryFile(>)  14 
NtDuplicateObject(>)  101 

NtGdiSelectBitmap(>)  1 
NtOpenProcessToken(>)  3 
NtUserRegisterClassExWOW(>)  14 
NtQuerySystemInformation(>)  116 

NtOpenKeyedEvent(>)  1 
NtSecureConnectPort(>)  3 
NtCreateFile(>)  16 
NtWriteVirtualMemory(>)  116 

NtOpenSymbolicLinkObject(>)  1 
NtFreeVirtualMemory(>)  4 
NtSetValueKey(>)  16 
NtSetEventBoostPriority(>)  178 

NtQueryObject(>)  1 
NtReadFile(>)  4 
NtCreateKey(>)  18 
NtQueryValueKey(>)  221 

NtQuerySymbolicLinkObject(>)  1 
NtWriteFile(>)  4 
NtOpenFile(>)  25 
NtResumeThread(>)  270 

NtQuerySystemTime(>)  1 
NtConnectPort(>)  5 
NtOpenProcess(>)  29 
NtCreateThread(>)  277 

NtSetInformationProcess(>)  1 
NtGdiGetStockObject(>)  5 
NtDeviceIoControlFile(>)  34 
NtQueryInformationThread(>)  277 

NtUserCallNoParam(>)  1 
NtQueryInformationToken(>)  5 
NtFlushInstructionCache(>)  42 
NtRequestWaitReplyPort(>)  305 

NtUserGetThreadDesktop(>)  1 
NtQueryVirtualMemory(>)  5 
NtUnmapViewOfSection(>)  44 
NtClose(>)  354 

NtCreateIoCompletion(>)  2 
NtQueryVolumeInformationFile(>)  5 
NtContinue(>)  50 
NtProtectVirtualMemory(>)  485 

NtCreateMutant(>)  2 
NtQueryInformationProcess(>)  6 
NtOpenSection(>)  50 
NtWaitForSingleObject(>)  520 

NtGdiCreateSolidBrush(>)  2 
NtQueryInformationFile(>)  8 
NtQueryAttributesFile(>)  52 
NtAllocateVirtualMemory(>)  705 

NtNotifyChangeKey(>)  2 
NtUserFindExistingCursorIcon(>)  9 
NtCreateEvent(>)  61 

Trace:
 00001   896   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147482756, {status=0x0, info=1}, ) }, 0, 32, ... -2147482756, {status=0x0, info=1}, ) == 0x0
 00002   896   NtQueryInformationFile  (-2147482756, -142414796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00003   896   NtReadFile  (-2147482756, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474},  (-2147482756, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0
 00004   896   NtClose  (-2147482756, ... ) == 0x0
 00005   896   NtCreateFile  (0x100080, {24, 0, 0x240, 0, 0,  (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482756, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482756, {status=0x0, info=0}, ) == 0x0
 00006   896   NtQueryVolumeInformationFile  (-2147482756, -142414840, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00007   896   NtClose  (-2147482756, ... ) == 0x0
 00008   896   NtCreateFile  (0x100180, {24, 0, 0x240, 0, 0,  (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ...
 00009   896   NtContinue  (-142419640, 0, ...
 00008   896   NtCreateFile  ... -2147482756, {status=0x0, info=1}, ) == 0x0
 00010   896   NtQueryVolumeInformationFile  (-2147482756, -142414852, 24, Volume, ... {status=0x0, info=18}, ) == 0x0
 00011   896   NtFsControlFile  (-2147482756, 0, 0x0, 0x0, 0x90120,  (-2147482756, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00012   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00013   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0
 00014   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00015   896   NtClose  (-2147482764, ... ) == 0x0
 00016   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00017   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0
 00018   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00019   896   NtClose  (-2147482764, ... ) == 0x0
 00020   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00021   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0
 00022   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0
 00023   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0
 00024   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0
 00025   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0
 00026   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00027   896   NtClose  (-2147482764, ... ) == 0x0
 00028   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00029   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0
 00030   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00031   896   NtClose  (-2147482764, ... ) == 0x0
 00032   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00033   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0
 00034   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00035   896   NtClose  (-2147482764, ... ) == 0x0
 00036   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0
 00037   896   NtClose  (-2147482688, ... ) == 0x0
 00038   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482660, ) == 0x0
 00039   896   NtClose  (-2147482660, ... ) == 0x0
 00040   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0
 00041   896   NtClose  (-2147482656, ... ) == 0x0
 00042   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0
 00043   896   NtClose  (-2147482652, ... ) == 0x0
 00044   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0
 00045   896   NtClose  (-2147482724, ... ) == 0x0
 00046   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0
 00047   896   NtClose  (-2147481452, ... ) == 0x0
 00048   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0
 00049   896   NtClose  (-2147482684, ... ) == 0x0
 00050   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0
 00051   896   NtClose  (-2147482680, ... ) == 0x0
 00052   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147482760, ) == 0x0
 00053   896   NtClose  (-2147482760, ... ) == 0x0
 00054   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147481628, ) == 0x0
 00055   896   NtClose  (-2147481628, ... ) == 0x0
 00056   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147481484, ) == 0x0
 00057   896   NtClose  (-2147481484, ... ) == 0x0
 00058   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147482104, ) == 0x0
 00059   896   NtClose  (-2147482104, ... ) == 0x0
 00060   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482104, ... -2147482592, ) == 0x0
 00061   896   NtClose  (-2147482592, ... ) == 0x0
 00062   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482592, ... -2147481624, ) == 0x0
 00063   896   NtClose  (-2147481624, ... ) == 0x0
 00064   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481624, ... -2147482676, ) == 0x0
 00065   896   NtClose  (-2147482676, ... ) == 0x0
 00066   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0
 00067   896   NtClose  (-2147482672, ... ) == 0x0
 00068   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0
 00069   896   NtClose  (-2147482668, ... ) == 0x0
 00070   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0
 00071   896   NtClose  (-2147482664, ... ) == 0x0
 00072   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0
 00073   896   NtClose  (-2147481588, ... ) == 0x0
 00074   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0
 00075   896   NtClose  (-2147481584, ... ) == 0x0
 00076   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0
 00077   896   NtClose  (-2147482692, ... ) == 0x0
 00078   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0
 00079   896   NtClose  (-2147481512, ... ) == 0x0
 00080   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0
 00081   896   NtClose  (-2147481580, ... ) == 0x0
 00082   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0
 00083   896   NtClose  (-2147481552, ... ) == 0x0
 00084   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0
 00085   896   NtClose  (-2147481592, ... ) == 0x0
 00086   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0
 00087   896   NtClose  (-2147481596, ... ) == 0x0
 00088   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0
 00089   896   NtClose  (-2147482108, ... ) == 0x0
 00090   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0
 00091   896   NtClose  (-2147482732, ... ) == 0x0
 00092   896   NtClose  (-2147482764, ... ) == 0x0
 00093   896   NtClose  (-2147482688, ... ) == 0x0
 00094   896   NtClose  (-2147482660, ... ) == 0x0
 00095   896   NtClose  (-2147482656, ... ) == 0x0
 00096   896   NtClose  (-2147482652, ... ) == 0x0
 00097   896   NtClose  (-2147482724, ... ) == 0x0
 00098   896   NtClose  (-2147481452, ... ) == 0x0
 00099   896   NtClose  (-2147482684, ... ) == 0x0
 00100   896   NtClose  (-2147482680, ... ) == 0x0
 00101   896   NtClose  (-2147482760, ... ) == 0x0
 00102   896   NtClose  (-2147481628, ... ) == 0x0
 00103   896   NtClose  (-2147481484, ... ) == 0x0
 00104   896   NtClose  (-2147482104, ... ) == 0x0
 00105   896   NtClose  (-2147482592, ... ) == 0x0
 00106   896   NtClose  (-2147481624, ... ) == 0x0
 00107   896   NtClose  (-2147482676, ... ) == 0x0
 00108   896   NtClose  (-2147482672, ... ) == 0x0
 00109   896   NtClose  (-2147482668, ... ) == 0x0
 00110   896   NtClose  (-2147482664, ... ) == 0x0
 00111   896   NtClose  (-2147481588, ... ) == 0x0
 00112   896   NtClose  (-2147481584, ... ) == 0x0
 00113   896   NtClose  (-2147482692, ... ) == 0x0
 00114   896   NtClose  (-2147481512, ... ) == 0x0
 00115   896   NtClose  (-2147481580, ... ) == 0x0
 00116   896   NtClose  (-2147481552, ... ) == 0x0
 00117   896   NtClose  (-2147481592, ... ) == 0x0
 00118   896   NtClose  (-2147481596, ... ) == 0x0
 00119   896   NtClose  (-2147482108, ... ) == 0x0
 00120   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0
 00121   896   NtClose  (-2147481596, ... ) == 0x0
 00122   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0
 00123   896   NtClose  (-2147481592, ... ) == 0x0
 00124   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0
 00125   896   NtClose  (-2147481552, ... ) == 0x0
 00126   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0
 00127   896   NtClose  (-2147481580, ... ) == 0x0
 00128   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0
 00129   896   NtClose  (-2147481512, ... ) == 0x0
 00130   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0
 00131   896   NtClose  (-2147482692, ... ) == 0x0
 00132   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... -2147481584, ) == 0x0
 00133   896   NtClose  (-2147481584, ... ) == 0x0
 00134   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0
 00135   896   NtClose  (-2147481588, ... ) == 0x0
 00136   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0
 00137   896   NtClose  (-2147482664, ... ) == 0x0
 00138   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0
 00139   896   NtClose  (-2147482668, ... ) == 0x0
 00140   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0
 00141   896   NtClose  (-2147482672, ... ) == 0x0
 00142   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0
 00143   896   NtClose  (-2147482676, ... ) == 0x0
 00144   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147481624, ) == 0x0
 00145   896   NtClose  (-2147481624, ... ) == 0x0
 00146   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481624, ... -2147482592, ) == 0x0
 00147   896   NtClose  (-2147482592, ... ) == 0x0
 00148   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482592, ... -2147482104, ) == 0x0
 00149   896   NtClose  (-2147482104, ... ) == 0x0
 00150   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482104, ... -2147481484, ) == 0x0
 00151   896   NtClose  (-2147481484, ... ) == 0x0
 00152   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481484, ... -2147481628, ) == 0x0
 00153   896   NtClose  (-2147481628, ... ) == 0x0
 00154   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482760, ) == 0x0
 00155   896   NtClose  (-2147482760, ... ) == 0x0
 00156   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... -2147482680, ) == 0x0
 00157   896   NtClose  (-2147482680, ... ) == 0x0
 00158   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0
 00159   896   NtClose  (-2147482684, ... ) == 0x0
 00160   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0
 00161   896   NtClose  (-2147481452, ... ) == 0x0
 00162   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0
 00163   896   NtClose  (-2147482724, ... ) == 0x0
 00164   896   NtClose  (-2147482108, ... ) == 0x0
 00165   896   NtClose  (-2147481596, ... ) == 0x0
 00166   896   NtClose  (-2147481592, ... ) == 0x0
 00167   896   NtClose  (-2147481552, ... ) == 0x0
 00168   896   NtClose  (-2147481580, ... ) == 0x0
 00169   896   NtClose  (-2147481512, ... ) == 0x0
 00170   896   NtClose  (-2147482692, ... ) == 0x0
 00171   896   NtClose  (-2147481584, ... ) == 0x0
 00172   896   NtClose  (-2147481588, ... ) == 0x0
 00173   896   NtClose  (-2147482664, ... ) == 0x0
 00174   896   NtClose  (-2147482668, ... ) == 0x0
 00175   896   NtClose  (-2147482672, ... ) == 0x0
 00176   896   NtClose  (-2147482676, ... ) == 0x0
 00177   896   NtClose  (-2147481624, ... ) == 0x0
 00178   896   NtClose  (-2147482592, ... ) == 0x0
 00179   896   NtClose  (-2147482104, ... ) == 0x0
 00180   896   NtClose  (-2147481484, ... ) == 0x0
 00181   896   NtClose  (-2147481628, ... ) == 0x0
 00182   896   NtClose  (-2147482760, ... ) == 0x0
 00183   896   NtClose  (-2147482680, ... ) == 0x0
 00184   896   NtClose  (-2147482684, ... ) == 0x0
 00185   896   NtClose  (-2147481452, ... ) == 0x0
 00186   896   NtClose  (-2147482756, ... ) == 0x0
 00187   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   896   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00189   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00191   896   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00192   896   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00193   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00195   896   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00196   896   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00197   896   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00198   896   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00199   896   NtClose  (12, ... ) == 0x0
 00200   896   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00201   896   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00202   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00204   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00205   896   NtClose  (16, ... ) == 0x0
 00206   896   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00207   896   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00208   896   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00209   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00210   896   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00211   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212   896   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00213   896   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0
 00214   896   NtClose  (16, ... ) == 0x0
 00215   896   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00216   896   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00217   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218   896   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00219   896   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00220   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81831, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ) == 0x0
 00221   896   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00222   896   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00223   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00224   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225   896   NtClose  (16, ... ) == 0x0
 00226   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00227   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00228   896   NtClose  (16, ... ) == 0x0
 00229   896   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00230   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00231   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00232   896   NtClose  (16, ... ) == 0x0
 00233   896   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00234   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00235   896   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00236   896   NtClose  (16, ... ) == 0x0
 00237   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00238   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00239   896   NtClose  (16, ... ) == 0x0
 00240   896   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00241   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   896   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00244   896   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ... {24, 52, reply, 0, 1252, 896, 81832, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ) == 0x0
 00245   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81833, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ) == 0x0
 00246   896   NtProtectVirtualMemory  (-1, (0x409000), 94224, 4, ... (0x409000), 98304, 128, ) == 0x0
 00247   896   NtProtectVirtualMemory  (-1, (0x409000), 98304, 128, ... (0x409000), 98304, 4, ) == 0x0
 00248   896   NtFlushInstructionCache  (-1, 4231168, 94224, ... ) == 0x0
 00249   896   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00250   896   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00251   896   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00252   896   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00253   896   NtClose  (16, ... ) == 0x0
 00254   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00255   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00256   896   NtClose  (16, ... ) == 0x0
 00257   896   NtTestAlert  (... ) == 0x0
 00258   896   NtContinue  (1244464, 1, ...
 00259   896   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40283e,}, 4, ... ) == 0x0
 00260   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00261   896   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   896   NtClose  (16, ... ) == 0x0
 00263   896   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00264   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, ".dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00265   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00266   896   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00267   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00268   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00269   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00270   896   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, ".dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00271   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00272   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00273   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\drvfast\scripts\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00274   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\site\bin\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00275   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\bin\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00276   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00277   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00278   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kktools\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00280   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00282   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\VC98\bin\.dll"}, 1242980, ... ) }, 1242980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284   896   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 16, ) }, ... 16, ) == 0x0
 00285   896   NtCreateEvent  (0x1f0003, {24, 16, 0x80, 1245092, 0,  (0x1f0003, {24, 16, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 28, ) }, 1, 0, ... 28, ) == 0x0
 00286   896   NtCreateSection  (0xe, {24, 0, 0x40, 1245092, 0,  (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\W32_Virtu"}, {27086, 0}, 64, 134217728, 0, ... 32, ) }, {27086, 0}, 64, 134217728, 0, ... 32, ) == 0x0
 00287   896   NtMapViewOfSection  (32, -1, (0x0), 0, 27086, 0x0, 27086, 2, 0, 64, ... (0x320000), 0x0, 28672, ) == 0x0
 00288   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00289   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00290   896   NtClose  (36, ... ) == 0x0
 00291   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00292   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00293   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00294   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 36, ) }, ... 36, ) == 0x0
 00295   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00296   896   NtClose  (36, ... ) == 0x0
 00297   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00298   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00299   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00300   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00301   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00302   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00303   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00304   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00305   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00306   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00307   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00308   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00309   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00310   896   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00311   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 36, ) }, ... 36, ) == 0x0
 00313   896   NtQueryValueKey  (36,  (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00314   896   NtQueryValueKey  (36,  (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00315   896   NtClose  (36, ... ) == 0x0
 00316   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 36, ) }, ... 36, ) == 0x0
 00317   896   NtQueryValueKey  (36,  (36, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00318   896   NtClose  (36, ... ) == 0x0
 00319   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 36, ) }, ... 36, ) == 0x0
 00320   896   NtSetInformationObject  (36, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00321   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00322   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00323   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00324   896   NtOpenProcessToken  (-1, 0x20, ... 40, ) == 0x0
 00325   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00326   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00327   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 44, ) }, ... 44, ) == 0x0
 00328   896   NtQueryValueKey  (44,  (44, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00329   896   NtClose  (44, ... ) == 0x0
 00330   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00331   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 44, ) == 0x0
 00332   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0
 00333   896   NtQuerySystemTime  (... {1412579164, 29929616}, ) == 0x0
 00334   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00335   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00336   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00337   896   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00338   896   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00339   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00340   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 60, ) == 0x0
 00341   896   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00342   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 64, ) }, ... 64, ) == 0x0
 00343   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "ActiveComputerName"}, ... 68, ) }, ... 68, ) == 0x0
 00344   896   NtQueryValueKey  (68,  (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00345   896   NtClose  (68, ... ) == 0x0
 00346   896   NtClose  (64, ... ) == 0x0
 00347   896   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 64, ) == 0x0
 00348   896   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 68, ) == 0x0
 00349   896   NtDuplicateObject  (-1, 64, -1, 0x0, 0, 2, ... 72, ) == 0x0
 00350   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00351   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0
 00352   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00353   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00354   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243252,  (0xc0100080, {24, 0, 0x40, 0, 1243252, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0
 00355   896   NtSetInformationFile  (80, 1243308, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00356   896   NtSetInformationFile  (80, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00357   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00358   896   NtWriteFile  (80, 57, 0, 0,  (80, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00359   896   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00360   896   NtReadFile  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00361   896   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00362   896   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0PD\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \0PD\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0PD\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) == 0x103
 00363   896   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00364   896   NtClose  (76, ... ) == 0x0
 00365   896   NtClose  (80, ... ) == 0x0
 00366   896   NtAdjustPrivilegesToken  (40, 0, 1245096, 0, 0, 0, ... ) == 0x0
 00367   896   NtClose  (40, ... ) == 0x0
 00368   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 3342336, 65536, ) == 0x0
 00369   896   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00370   896   NtCreateSection  (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 40, ) == 0x0
 00371   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00372   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00373   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00374   896   NtFreeVirtualMemory  (-1, (0x330000), 0, 32768, ... (0x330000), 65536, ) == 0x0
 00375   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00376   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00377   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00378   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00379   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00380   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00381   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00382   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00383   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00384   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00385   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00386   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 80, ) == 0x0
 00387   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 76, ) }, ... 76, ) == 0x0
 00388   896   NtMapViewOfSection  (76, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00389   896   NtClose  (76, ... ) == 0x0
 00390   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00391   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00392   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00393   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00394   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00395   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00396   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00397   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00398   896   NtAllocateVirtualMemory  (80, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0
 00399   896   NtAllocateVirtualMemory  (80, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0
 00400   896   NtProtectVirtualMemory  (80, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0
 00401   896   NtCreateThread  (0x1f03ff, 0x0, 80, 1243840, 1243784, 1, ... 76, {580, 2016}, ) == 0x0
 00402   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81834, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\340\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81834, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81834, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\340\7\0\0" )  ) == 0x0
 00403   896   NtResumeThread  (76, ... 1, ) == 0x0
 00404   896   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00405   896   NtClose  (80, ... ) == 0x0
 00406   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00407   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00408   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {640, 0}, ... 80, ) == 0x0
 00409   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00410   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00411   896   NtClose  (84, ... ) == 0x0
 00412   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00413   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00414   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00415   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00416   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00417   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00418   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00419   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00420   896   NtClose  (80, ... ) == 0x0
 00421   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00422   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00423   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {652, 0}, ... 80, ) == 0x0
 00424   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00425   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00426   896   NtClose  (84, ... ) == 0x0
 00427   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00428   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00429   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00430   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00431   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00432   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00433   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00434   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00435   896   NtClose  (80, ... ) == 0x0
 00436   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00437   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00438   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {816, 0}, ... 80, ) == 0x0
 00439   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00440   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00441   896   NtClose  (84, ... ) == 0x0
 00442   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00443   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00444   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00445   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00446   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00447   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00448   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00449   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00450   896   NtClose  (80, ... ) == 0x0
 00451   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00452   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00453   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {904, 0}, ... 80, ) == 0x0
 00454   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00455   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00456   896   NtClose  (84, ... ) == 0x0
 00457   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00458   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00459   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00460   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00461   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00462   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00463   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00464   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00465   896   NtClose  (80, ... ) == 0x0
 00466   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00467   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00468   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1000, 0}, ... 80, ) == 0x0
 00469   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00470   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff50000), 0x0, 28672, ) == 0x0
 00471   896   NtClose  (84, ... ) == 0x0
 00472   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00473   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Md\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00474   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00475   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00476   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00477   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00478   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00479   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00480   896   NtClose  (80, ... ) == 0x0
 00481   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00482   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00483   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 80, ) == 0x0
 00484   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00485   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00486   896   NtClose  (84, ... ) == 0x0
 00487   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00488   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00489   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00490   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00491   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00492   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00493   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00494   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00495   896   NtClose  (80, ... ) == 0x0
 00496   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00497   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00498   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1196, 0}, ... 80, ) == 0x0
 00499   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00500   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00501   896   NtClose  (84, ... ) == 0x0
 00502   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00503   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00504   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00505   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00506   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00507   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00508   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00509   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00510   896   NtClose  (80, ... ) == 0x0
 00511   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00512   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00513   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1468, 0}, ... 80, ) == 0x0
 00514   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00515   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00516   896   NtClose  (84, ... ) == 0x0
 00517   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00518   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00519   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00520   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00521   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00522   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00523   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00524   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00525   896   NtClose  (80, ... ) == 0x0
 00526   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00527   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00528   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 80, ) == 0x0
 00529   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00530   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00531   896   NtClose  (84, ... ) == 0x0
 00532   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00533   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00534   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00535   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00536   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00537   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00538   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00539   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00540   896   NtClose  (80, ... ) == 0x0
 00541   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00542   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00543   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 80, ) == 0x0
 00544   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00545   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00546   896   NtClose  (84, ... ) == 0x0
 00547   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00548   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00549   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00550   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00551   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00552   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00553   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00554   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00555   896   NtClose  (80, ... ) == 0x0
 00556   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00557   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00558   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 80, ) == 0x0
 00559   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00560   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00561   896   NtClose  (84, ... ) == 0x0
 00562   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00563   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00564   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00565   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00566   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00567   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00568   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00569   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00570   896   NtClose  (80, ... ) == 0x0
 00571   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00572   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00573   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 80, ) == 0x0
 00574   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00575   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00576   896   NtClose  (84, ... ) == 0x0
 00577   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00578   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00579   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00580   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00581   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00582   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00583   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00584   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00585   896   NtClose  (80, ... ) == 0x0
 00586   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00587   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00588   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 80, ) == 0x0
 00589   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00590   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00591   896   NtClose  (84, ... ) == 0x0
 00592   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00593   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00594   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00595   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00596   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00597   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00598   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00599   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00600   896   NtClose  (80, ... ) == 0x0
 00601   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00602   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00603   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 80, ) == 0x0
 00604   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00605   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00606   896   NtClose  (84, ... ) == 0x0
 00607   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00608   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00609   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00610   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00611   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00612   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00613   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00614   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00615   896   NtClose  (80, ... ) == 0x0
 00616   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00617   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00618   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 80, ) == 0x0
 00619   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00620   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00621   896   NtClose  (84, ... ) == 0x0
 00622   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00623   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00624   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00625   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00626   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00627   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00628   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00629   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00630   896   NtClose  (80, ... ) == 0x0
 00631   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00632   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00633   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 80, ) == 0x0
 00634   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00635   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00636   896   NtClose  (84, ... ) == 0x0
 00637   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00638   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00639   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00640   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00641   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00642   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00643   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00644   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00645   896   NtClose  (80, ... ) == 0x0
 00646   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00647   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00648   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1408, 0}, ... 80, ) == 0x0
 00649   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00650   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00651   896   NtClose  (84, ... ) == 0x0
 00652   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00653   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00654   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00655   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00656   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00657   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00658   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00659   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00660   896   NtClose  (80, ... ) == 0x0
 00661   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00662   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00663   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 80, ) == 0x0
 00664   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00665   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00666   896   NtClose  (84, ... ) == 0x0
 00667   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00668   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00669   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00670   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00671   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00672   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00673   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00674   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00675   896   NtClose  (80, ... ) == 0x0
 00676   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00677   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00678   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 80, ) == 0x0
 00679   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00680   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00681   896   NtClose  (84, ... ) == 0x0
 00682   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00683   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00684   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00685   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00686   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00687   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00688   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00689   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00690   896   NtClose  (80, ... ) == 0x0
 00691   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00692   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00693   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1452, 0}, ... 80, ) == 0x0
 00694   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00695   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00696   896   NtClose  (84, ... ) == 0x0
 00697   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00698   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00699   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00700   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00701   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00702   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00703   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00704   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00705   896   NtClose  (80, ... ) == 0x0
 00706   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00707   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00708   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {784, 0}, ... 80, ) == 0x0
 00709   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00710   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00711   896   NtClose  (84, ... ) == 0x0
 00712   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00713   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00714   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00715   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00716   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00717   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00718   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00719   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00720   896   NtClose  (80, ... ) == 0x0
 00721   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00722   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00723   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {488, 0}, ... 80, ) == 0x0
 00724   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00725   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00726   896   NtClose  (84, ... ) == 0x0
 00727   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00728   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00729   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00730   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00731   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00732   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00733   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00734   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00735   896   NtClose  (80, ... ) == 0x0
 00736   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00737   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00738   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1208, 0}, ... 80, ) == 0x0
 00739   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00740   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00741   896   NtClose  (84, ... ) == 0x0
 00742   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00743   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00744   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00745   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00746   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00747   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00748   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00749   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00750   896   NtClose  (80, ... ) == 0x0
 00751   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00752   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00753   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {168, 0}, ... 80, ) == 0x0
 00754   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00755   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00756   896   NtClose  (84, ... ) == 0x0
 00757   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00758   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00759   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00760   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00761   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00762   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00763   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00764   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00765   896   NtClose  (80, ... ) == 0x0
 00766   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00767   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00768   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {764, 0}, ... 80, ) == 0x0
 00769   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00770   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00771   896   NtClose  (84, ... ) == 0x0
 00772   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00773   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00774   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00775   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00776   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00777   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00778   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00779   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00780   896   NtClose  (80, ... ) == 0x0
 00781   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00782   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00783   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {868, 0}, ... 80, ) == 0x0
 00784   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00785   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00786   896   NtClose  (84, ... ) == 0x0
 00787   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00788   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00789   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00790   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00791   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00792   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00793   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00794   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00795   896   NtClose  (80, ... ) == 0x0
 00796   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00797   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00798   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {808, 0}, ... 80, ) == 0x0
 00799   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00800   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00801   896   NtClose  (84, ... ) == 0x0
 00802   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00803   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00804   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00805   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00806   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00807   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00808   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00809   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00810   896   NtClose  (80, ... ) == 0x0
 00811   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00812   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00813   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1252, 0}, ... 80, ) == 0x0
 00814   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00815   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00816   896   NtClose  (84, ... ) == 0x0
 00817   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00818   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00819   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00820   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00821   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00822   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00823   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00824   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00825   896   NtClose  (80, ... ) == 0x0
 00826   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00827   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00828   896   NtClose  (40, ... ) == 0x0
 00829   896   NtClose  (28, ... ) == 0x0
 00830   896   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x4000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00831   896   NtContinue  (1244400, 0, ...
 00832   896   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3342336, 4096, ) == 0x0
 00833   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00834   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00835   896   NtClose  (28, ... ) == 0x0
 00836   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00837   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00838   896   NtClose  (28, ... ) == 0x0
 00839   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00840   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00841   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00842   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00843   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00844   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00845   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00846   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00847   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00848   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00849   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00850   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00851   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00852   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00853   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00854   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00855   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00856   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00857   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00858   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00859   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00860   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81881, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81881, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81881, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ) == 0x0
 00861   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00862   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00863   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 40, ) == 0x0
 00864   896   NtClose  (28, ... ) == 0x0
 00865   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00866   896   NtClose  (40, ... ) == 0x0
 00867   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00868   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00869   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00870   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 40, ... 28, ) == 0x0
 00871   896   NtClose  (40, ... ) == 0x0
 00872   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00873   896   NtClose  (28, ... ) == 0x0
 00874   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00875   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00876   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00877   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 40, ) == 0x0
 00878   896   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00879   896   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00880   896   NtQueryInformationToken  (80, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00881   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00882   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 84, ) }, ... 84, ) == 0x0
 00883   896   NtQueryValueKey  (84,  (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00884   896   NtClose  (84, ... ) == 0x0
 00885   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00886   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00887   896   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00888   896   NtClose  (84, ... ) == 0x0
 00889   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00890   896   NtClose  (80, ... ) == 0x0
 00891   896   NtClose  (28, ... ) == 0x0
 00892   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00893   896   NtClose  (40, ... ) == 0x0
 00894   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00895   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00896   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00897   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00898   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00899   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00900   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00901   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00902   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00903   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00905   896   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00906   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00907   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00908   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00909   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 40, ) }, ... 40, ) == 0x0
 00910   896   NtQueryValueKey  (40,  (40, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00911   896   NtClose  (40, ... ) == 0x0
 00912   896   NtMapViewOfSection  (-2147482756, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0
 00913   896   NtClose  (-2147482756, ... ) == 0x0
 00914   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0
 00915   896   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00916   896   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482756, ) == 0x0
 00917   896   NtQueryInformationToken  (-2147482756, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00918   896   NtQueryInformationToken  (-2147482756, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00919   896   NtClose  (-2147482756, ... ) == 0x0
 00920   896   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00921   896   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00922   896   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 84, ) == 0x0
 00923   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00924   896   NtQueryValueKey  (-2147482756,  (-2147482756, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00925   896   NtClose  (-2147482756, ... ) == 0x0
 00926   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00927   896   NtQueryValueKey  (-2147482756,  (-2147482756, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00928   896   NtClose  (-2147482756, ... ) == 0x0
 00929   896   NtQueryDefaultLocale  (0, -142628532, ... ) == 0x0
 00930   896   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00931   896   NtUserCallNoParam  (24, ... ) == 0x0
 00932   896   NtGdiCreateCompatibleDC  (0, ...
 00933   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00932   896   NtGdiCreateCompatibleDC  ... ) == 0x860107ab
 00934   896   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00935   896   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00936   896   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x870506a2
 00937   896   NtGdiCreateSolidBrush  (0, 0, ...
 00938   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00937   896   NtGdiCreateSolidBrush  ... ) == 0x1100680
 00939   896   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00940   896   NtGdiCreateCompatibleDC  (0, ... ) == 0xf6010687
 00941   896   NtGdiSelectBitmap  (-167704953, -2029713758, ... ) == 0x185000f
 00942   896   NtUserGetThreadDesktop  (896, 0, ... ) == 0x50
 00943   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 88, ) }, ... 88, ) == 0x0
 00944   896   NtQueryValueKey  (88,  (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00945   896   NtClose  (88, ... ) == 0x0
 00946   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00947   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8177c017
 00948   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00949   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8177c01c
 00950   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00951   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8177c01e
 00952   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00953   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81778002
 00954   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00955   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8177c018
 00956   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00957   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8177c01a
 00958   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00959   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8177c01d
 00960   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00961   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8177c026
 00962   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00963   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8177c019
 00964   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c020
 00965   896   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c022
 00966   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c023
 00967   896   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c024
 00968   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c025
 00969   896   NtCallbackReturn  (0, 0, 0, ...
 00970   896   NtGdiInit  (... ) == 0x1
 00971   896   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00972   896   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00973   896   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 3538944, 28672, ) == 0x0
 00974   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00976   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00977   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00978   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0
 00979   896   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00980   896   NtClose  (88, ... ) == 0x0
 00981   896   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00982   896   NtClose  (92, ... ) == 0x0
 00983   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00984   896   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00985   896   NtClose  (92, ... ) == 0x0
 00986   896   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00987   896   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00988   896   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00989   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00990   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00991   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00992   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00993   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00994   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00995   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00996   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 00997   896   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00998   896   NtClose  (92, ... ) == 0x0
 00999   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 01000   896   NtClose  (88, ... ) == 0x0
 01001   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 01002   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 01003   896   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 01004   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 01005   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 01006   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 01007   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01008   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01009   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 01010   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0
 01011   896   NtAllocateVirtualMemory  (-1, 3608576, 0, 8192, 4096, 4, ... 3608576, 8192, ) == 0x0
 01012   896   NtAllocateVirtualMemory  (-1, 3616768, 0, 4096, 4096, 4, ... 3616768, 4096, ) == 0x0
 01013   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 88, ) }, ... 88, ) == 0x0
 01014   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x380000), 0x0, 12288, ) == 0x0
 01015   896   NtClose  (88, ... ) == 0x0
 01016   896   NtAllocateVirtualMemory  (-1, 3620864, 0, 4096, 4096, 4, ... 3620864, 4096, ) == 0x0
 01017   896   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01018   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01019   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01020   896   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 01021   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01022   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01023   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01024   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01025   896   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 28672, ) == 0x0
 01026   896   NtFreeVirtualMemory  (-1, (0x330144), 0, 32768, ... (0x330000), 4096, ) == 0x0
 01027   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01028   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3342336, 65536, ) == 0x0
 01029   896   NtAllocateVirtualMemory  (-1, 3342336, 0, 4096, 4096, 4, ... 3342336, 4096, ) == 0x0
 01030   896   NtAllocateVirtualMemory  (-1, 3346432, 0, 20480, 4096, 4, ... 3346432, 20480, ) == 0x0
 01031   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9502720, 1048576, ) == 0x0
 01032   896   NtAllocateVirtualMemory  (-1, 9502720, 0, 32768, 4096, 4, ... 9502720, 32768, ) == 0x0
 01033   896   NtCreateMutant  (0x1f0001, {24, 16, 0x80, 0, 0,  (0x1f0001, {24, 16, 0x80, 0, 0, "Jobaka3"}, 0, ... 88, ) }, 0, ... 88, ) == 0x0
 01034   896   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 01035   896   NtQueryValueKey  (92,  (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01036   896   NtQueryValueKey  (92,  (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01037   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 96, ) == 0x0
 01038   896   NtOpenKey  (0x2000000, {24, 92, 0x40, 0, 0,  (0x2000000, {24, 92, 0x40, 0, 0, "Protocol_Catalog9"}, ... 100, ) }, ... 100, ) == 0x0
 01039   896   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 01040   896   NtNotifyChangeKey  (100, 96, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 01041   896   NtQueryValueKey  (100,  (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 01042   896   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01043   896   NtQueryValueKey  (100,  (100, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 01044   896   NtQueryValueKey  (100,  (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 01045   896   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Catalog_Entries"}, ... 104, ) }, ... 104, ) == 0x0
 01046   896   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 01047   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000001"}, ... 108, ) }, ... 108, ) == 0x0
 01048   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01049   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01050   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\33\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\33\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\34\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\35\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\35\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\33\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\33\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\34\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\35\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\35\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\35\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\33\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\33\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\34\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\35\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\35\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01051   896   NtClose  (108, ... ) == 0x0
 01052   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000002"}, ... 108, ) }, ... 108, ) == 0x0
 01053   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01054   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01055   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0 \4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0 \4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0!\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0"\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0 \4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0 \4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0!\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0"\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0 \4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0 \4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0!\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0"\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0 \4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0 \4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0!\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0"\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01056   896   NtClose  (108, ... ) == 0x0
 01057   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000003"}, ... 108, ) }, ... 108, ) == 0x0
 01058   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01059   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01060   896   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 01061   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0&\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0&\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0'\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0(\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0(\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0&\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0&\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0'\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0(\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0(\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0(\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0&\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0&\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0'\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0(\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0(\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01062   896   NtClose  (108, ... ) == 0x0
 01063   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000004"}, ... 108, ) }, ... 108, ) == 0x0
 01064   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01065   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01066   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0+\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0+\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0,\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0,\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0-\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0-\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0.\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0+\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0+\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0,\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0,\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0-\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0-\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0.\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0-\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0.\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0+\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0+\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0,\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0,\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0-\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0-\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0.\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01067   896   NtClose  (108, ... ) == 0x0
 01068   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000005"}, ... 108, ) }, ... 108, ) == 0x0
 01069   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01070   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01071   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\00\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\00\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\01\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\02\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\00\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\00\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\01\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\02\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\00\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\00\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\01\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\02\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01072   896   NtClose  (108, ... ) == 0x0
 01073   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000006"}, ... 108, ) }, ... 108, ) == 0x0
 01074   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01075   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01076   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\05\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\05\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\06\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\07\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\05\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\05\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\06\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\07\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\05\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\05\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\06\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\07\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01077   896   NtClose  (108, ... ) == 0x0
 01078   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000007"}, ... 108, ) }, ... 108, ) == 0x0
 01079   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01080   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01081   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0:\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0:\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0;\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0<\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0:\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0:\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0;\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0<\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0:\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0:\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0;\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0<\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01082   896   NtClose  (108, ... ) == 0x0
 01083   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000008"}, ... 108, ) }, ... 108, ) == 0x0
 01084   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01085   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01086   896   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 01087   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0@\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0@\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0A\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0A\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0B\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0B\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0C\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0@\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0@\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0A\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0A\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0B\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0B\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0C\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0B\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0C\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0@\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0@\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0A\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0A\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0B\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0B\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0C\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01088   896   NtClose  (108, ... ) == 0x0
 01089   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000009"}, ... 108, ) }, ... 108, ) == 0x0
 01090   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01091   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01092   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0E\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0E\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0F\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0G\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0G\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0E\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0E\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0F\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0G\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0G\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0G\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0E\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0E\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0F\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0G\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0G\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01093   896   NtClose  (108, ... ) == 0x0
 01094   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000010"}, ... 108, ) }, ... 108, ) == 0x0
 01095   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01096   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01097   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0J\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0J\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0K\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0L\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0J\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0J\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0K\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0L\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0J\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0J\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0K\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0L\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01098   896   NtClose  (108, ... ) == 0x0
 01099   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000011"}, ... 108, ) }, ... 108, ) == 0x0
 01100   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01101   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01102   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0O\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0O\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0P\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0Q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0O\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0O\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0P\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0Q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0O\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0O\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0P\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0Q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01103   896   NtClose  (108, ... ) == 0x0
 01104   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000012"}, ... 108, ) }, ... 108, ) == 0x0
 01105   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01106   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01107   896   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 01108   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0U\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0U\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0V\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0V\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0W\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0W\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0X\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0U\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0U\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0V\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0V\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0W\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0W\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0X\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0W\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0X\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0U\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0U\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0V\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0V\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0W\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0W\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0X\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01109   896   NtClose  (108, ... ) == 0x0
 01110   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000013"}, ... 108, ) }, ... 108, ) == 0x0
 01111   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01112   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01113   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0Z\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0Z\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0[\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0[\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0Z\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0Z\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0[\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0[\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0Z\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0Z\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0[\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0[\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01114   896   NtClose  (108, ... ) == 0x0
 01115   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000014"}, ... 108, ) }, ... 108, ) == 0x0
 01116   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01117   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01118   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0_\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0_\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0`\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0a\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0_\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0_\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0`\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0a\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0_\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0_\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0`\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0a\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01119   896   NtClose  (108, ... ) == 0x0
 01120   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000015"}, ... 108, ) }, ... 108, ) == 0x0
 01121   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01122   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01123   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0d\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0d\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0e\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0f\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0d\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0d\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0e\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0f\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0d\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0d\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0e\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0f\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01124   896   NtClose  (108, ... ) == 0x0
 01125   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000016"}, ... 108, ) }, ... 108, ) == 0x0
 01126   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01127   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01128   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0i\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0i\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0j\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0k\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0i\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0i\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0j\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0k\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0i\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0i\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0j\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0k\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01129   896   NtClose  (108, ... ) == 0x0
 01130   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000017"}, ... 108, ) }, ... 108, ) == 0x0
 01131   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01132   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01133   896   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01134   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0o\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0o\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0p\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0o\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0o\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0p\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0o\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0o\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0p\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01135   896   NtClose  (108, ... ) == 0x0
 01136   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000018"}, ... 108, ) }, ... 108, ) == 0x0
 01137   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01138   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01139   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0t\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0t\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0u\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0v\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0t\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0t\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0u\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0v\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0t\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0t\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0u\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0v\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01140   896   NtClose  (108, ... ) == 0x0
 01141   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000019"}, ... 108, ) }, ... 108, ) == 0x0
 01142   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01143   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01144   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0y\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0y\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0z\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0{\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0y\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0y\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0z\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0{\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0y\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0y\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0z\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0{\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01145   896   NtClose  (108, ... ) == 0x0
 01146   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000020"}, ... 108, ) }, ... 108, ) == 0x0
 01147   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01148   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01149   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0~\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0~\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\177\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\200\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0~\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0~\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\177\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\200\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0~\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0~\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\177\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\200\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01150   896   NtClose  (108, ... ) == 0x0
 01151   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000021"}, ... 108, ) }, ... 108, ) == 0x0
 01152   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01153   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01154   896   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 01155   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\204\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\204\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\205\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\205\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\206\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\204\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\204\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\205\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\205\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\206\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0 (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\204\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\204\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\205\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0h\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230n\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\205\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0\206\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\4\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0l\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01156   896   NtClose  (108, ... ) == 0x0
 01157   896   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "000000000022"}, ... 108, ) }, ... 108, ) == 0x0
 01158   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01159   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01160   896   NtQueryValueKey  (108,  (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\211\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\211\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\212\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\213\4\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\213\4\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\214\4\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\214\4\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\215\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PD\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (108, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\211\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\211\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\212\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\213\4\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\213\4\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\214\4\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\214\4\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\215\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PD\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\211\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\0\211\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\212\4\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\213\4\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\213\4\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\214\4\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\214\4\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\215\4\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0PD\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 01161   896   NtClose  (108, ... ) == 0x0
 01162   896   NtClose  (104, ... ) == 0x0
 01163   896   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 01164   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0
 01165   896   NtOpenKey  (0x2000000, {24, 92, 0x40, 0, 0,  (0x2000000, {24, 92, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 108, ) }, ... 108, ) == 0x0
 01166   896   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 01167   896   NtNotifyChangeKey  (108, 104, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 01168   896   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 01169   896   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01170   896   NtQueryValueKey  (108,  (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01171   896   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "Catalog_Entries"}, ... 112, ) }, ... 112, ) == 0x0
 01172   896   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0
 01173   896   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01174   896   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01175   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01176   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01177   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01178   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01179   896   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 01180   896   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01181   896   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 01182   896   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01183   896   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01184   896   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01185   896   NtClose  (116, ... ) == 0x0
 01186   896   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0
 01187   896   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01188   896   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01189   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01190   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01191   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01192   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01193   896   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01194   896   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01195   896   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01196   896   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01197   896   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01198   896   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01199   896   NtClose  (116, ... ) == 0x0
 01200   896   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 116, ) == 0x0
 01201   896   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01202   896   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01203   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01204   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01205   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01206   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01207   896   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01208   896   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01209   896   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01210   896   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01211   896   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01212   896   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01213   896   NtClose  (116, ... ) == 0x0
 01214   896   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000004"}, ... 116, ) }, ... 116, ) == 0x0
 01215   896   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01216   896   NtQueryValueKey  (116,  (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01217   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01218   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01219   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01220   896   NtQueryValueKey  (116,  (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01221   896   NtQueryValueKey  (116,  (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 01222   896   NtQueryValueKey  (116,  (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01223   896   NtQueryValueKey  (116,  (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01224   896   NtQueryValueKey  (116,  (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01225   896   NtQueryValueKey  (116,  (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01226   896   NtQueryValueKey  (116,  (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01227   896   NtClose  (116, ... ) == 0x0
 01228   896   NtClose  (112, ... ) == 0x0
 01229   896   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 01230   896   NtClose  (92, ... ) == 0x0
 01231   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01232   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01233   896   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 01234   896   NtQueryValueKey  (92,  (92, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235   896   NtClose  (92, ... ) == 0x0
 01236   896   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01237   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 92, ) == 0x0
 01238   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241400, ... ) }, 1241400, ... ) == 0x0
 01239   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 112, {status=0x0, info=1}, ) }, 7, 2113568, ... 112, {status=0x0, info=1}, ) == 0x0
 01240   896   NtSetInformationFile  (112, 1241376, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01241   896   NtClose  (112, ... ) == 0x0
 01242   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241648,  (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01243   896   NtQueryInformationFile  (112, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01244   896   NtQueryInformationFile  (112, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01245   896   NtQueryInformationFile  (112, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01246   896   NtAllocateVirtualMemory  (-1, 1368064, 0, 8192, 4096, 4, ... 1368064, 8192, ) == 0x0
 01247   896   NtQueryInformationFile  (112, 1365056, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01248   896   NtQueryInformationFile  (112, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01249   896   NtQueryInformationFile  (112, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01250   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\AVSERVE2.EXE"}, 1239736, ... ) }, 1239736, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01251   896   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240416,  (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01252   896   NtClose  (-2147482756, ... ) == 0x0
 01251   896   NtCreateFile  ... 116, {status=0x0, info=2}, ) == 0x0
 01253   896   NtQueryVolumeInformationFile  (116, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01254   896   NtQueryInformationFile  (116, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01255   896   NtQueryVolumeInformationFile  (112, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01256   896   NtSetInformationFile  (116, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01257   896   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 112, ... 120, ) == 0x0
 01258   896   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x360000), {0, 0}, 28672, ) == 0x0
 01259   896   NtClose  (120, ... ) == 0x0
 01260   896   NtWriteFile  (116, 0, 0, 0,  (116, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0a\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) \0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) == 0x0
 01261   896   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 01262   896   NtSetInformationFile  (116, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01263   896   NtClose  (112, ... ) == 0x0
 01264   896   NtClose  (116, ... ) == 0x0
 01265   896   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 116, ) }, ... 116, ) == 0x0
 01266   896   NtSetValueKey  (116,  (116, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (116, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 01267   896   NtSetInformationFile  (-2147482448, -142629072, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01268   896   NtSetInformationFile  (-2147482448, -142629164, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01269   896   NtSetInformationFile  (-2147482448, -142629472, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01270   896   NtSetInformationFile  (-2147482448, -142629568, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01266   896   NtSetValueKey  ... ) == 0x0
 01271   896   NtClose  (116, ... ) == 0x0
 01272   896   NtCreateMutant  (0x1f0001, {24, 16, 0x80, 0, 0,  (0x1f0001, {24, 16, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 116, ) }, 0, ... 116, ) == 0x0
 01273   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10551296, 1048576, ) == 0x0
 01274   896   NtAllocateVirtualMemory  (-1, 11591680, 0, 8192, 4096, 4, ... 11591680, 8192, ) == 0x0
 01275   896   NtProtectVirtualMemory  (-1, (0xb0e000), 4096, 260, ... (0xb0e000), 4096, 4, ) == 0x0
 01276   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 112, {1252, 1296}, ) == 0x0
 01277   896   NtQueryInformationThread  (112, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1252,Tid=1296,}, 0x0, ) == 0x0
 01278   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\344\4\0\0\20\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\344\4\0\0\20\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81883, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\344\4\0\0\20\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\344\4\0\0\20\5\0\0" )  ) == 0x0
 01279   896   NtResumeThread  (112, ... 1, ) == 0x0
 01280   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11599872, 1048576, ) == 0x0
 01281   896   NtAllocateVirtualMemory  (-1, 12640256, 0, 8192, 4096, 4, ...
 01282  1296   NtTestAlert  (... ) == 0x0
 01283  1296   NtContinue  (11599152, 1, ...
 01284  1296   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01285  1296   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 120, ) == 0x0
 01286  1296   NtWaitForSingleObject  (96, 0, {0, 0}, ... ) == 0x102
 01287  1296   NtAllocateVirtualMemory  (-1, 11587584, 0, 4096, 4096, 260, ...
 01281   896   NtAllocateVirtualMemory  ... 12640256, 8192, ) == 0x0
 01288   896   NtProtectVirtualMemory  (-1, (0xc0e000), 4096, 260, ... (0xc0e000), 4096, 4, ) == 0x0
 01289   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 124, {1252, 1588}, ) == 0x0
 01290   896   NtQueryInformationThread  (124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1252,Tid=1588,}, 0x0, ) == 0x0
 01291   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81883, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\344\4\0\04\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\344\4\0\04\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81884, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\344\4\0\04\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\0\0\0\344\4\0\04\6\0\0" )  ) == 0x0
 01292   896   NtResumeThread  (124, ... 1, ) == 0x0
 01287  1296   NtAllocateVirtualMemory  ... 11587584, 4096, ) == 0x0
 01293  1588   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01294  1296   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11596276, ... }, 11596276, ...
 01293  1588   NtCreateEvent  ... 128, ) == 0x0
 01294  1296   NtQueryAttributesFile  ... ) == 0x0
 01295  1588   NtWaitForSingleObject  (128, 0, 0x0, ...
 01296  1296   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01297  1296   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 132, ... 136, ) == 0x0
 01298  1296   NtClose  (132, ... ) == 0x0
 01299  1296   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 245760, ) == 0x0
 01300  1296   NtClose  (136, ...
 01301   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12648448, 1048576, ) == 0x0
 01302   896   NtAllocateVirtualMemory  (-1, 13688832, 0, 8192, 4096, 4, ... 13688832, 8192, ) == 0x0
 01303   896   NtProtectVirtualMemory  (-1, (0xd0e000), 4096, 260, ... (0xd0e000), 4096, 4, ) == 0x0
 01304   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 132, {1252, 2044}, ) == 0x0
 01305   896   NtQueryInformationThread  (132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1252,Tid=2044,}, 0x0, ) == 0x0
 01306   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81884, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\344\4\0\0\374\7\0\0" ...  ...
 01300  1296   NtClose  ... ) == 0x0
 01307  1296   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01308  1296   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11596584, ... ) }, 11596584, ... ) == 0x0
 01309  1296   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... }, 5, 96, ...
 01306   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81885, 0}  ... {28, 56, reply, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\344\4\0\0\374\7\0\0" )  ) == 0x0
 01310   896   NtResumeThread  (132, ... 1, ) == 0x0
 01311   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13697024, 1048576, ) == 0x0
 01312   896   NtAllocateVirtualMemory  (-1, 14737408, 0, 8192, 4096, 4, ... 14737408, 8192, ) == 0x0
 01313   896   NtProtectVirtualMemory  (-1, (0xe0e000), 4096, 260, ... (0xe0e000), 4096, 4, ) == 0x0
 01314   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 136, {1252, 1652}, ) == 0x0
 01315   896   NtQueryInformationThread  (136, Basic, 28, ...
 01309  1296   NtOpenFile  ... 140, {status=0x0, info=1}, ) == 0x0
 01316  2044   NtWaitForSingleObject  (128, 0, 0x0, ...
 01317  1296   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 140, ... 144, ) == 0x0
 01318  1296   NtQuerySection  (144, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01319  1296   NtClose  (140, ... ) == 0x0
 01320  1296   NtMapViewOfSection  (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 01321  1296   NtClose  (144, ... ) == 0x0
 01322  1296   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 01315   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1252,Tid=1652,}, 0x0, ) == 0x0
 01323   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\4\0\0t\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\4\0\0t\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81886, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\4\0\0t\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\4\0\0t\6\0\0" )  ) == 0x0
 01324   896   NtResumeThread  (136, ... 1, ) == 0x0
 01325   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14745600, 1048576, ) == 0x0
 01326   896   NtAllocateVirtualMemory  (-1, 15785984, 0, 8192, 4096, 4, ... 15785984, 8192, ) == 0x0
 01327   896   NtProtectVirtualMemory  (-1, (0xf0e000), 4096, 260, ... (0xf0e000), 4096, 4, ) == 0x0
 01322  1296   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 01328  1652   NtWaitForSingleObject  (128, 0, 0x0, ...
 01329  1296   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01330  1296   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01331  1296   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01332  1296   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01333  1296   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01334  1296   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 01335   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1252, 1436}, ) == 0x0
 01336   896   NtQueryInformationThread  (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1252,Tid=1436,}, 0x0, ) == 0x0
 01337   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81886, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\234\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\234\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81887, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\234\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\234\5\0\0" )  ) == 0x0
 01338   896   NtResumeThread  (144, ... 1, ) == 0x0
 01339   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15794176, 1048576, ) == 0x0
 01340   896   NtAllocateVirtualMemory  (-1, 16834560, 0, 8192, 4096, 4, ...
 01334  1296   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 01341  1436   NtWaitForSingleObject  (128, 0, 0x0, ...
 01342  1296   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01343  1296   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01344  1296   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01345  1296   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01346  1296   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01347  1296   NtSetEventBoostPriority  (128, ...
 01340   896   NtAllocateVirtualMemory  ... 16834560, 8192, ) == 0x0
 01348   896   NtProtectVirtualMemory  (-1, (0x100e000), 4096, 260, ... (0x100e000), 4096, 4, ) == 0x0
 01349   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 140, {1252, 1368}, ) == 0x0
 01350   896   NtQueryInformationThread  (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1252,Tid=1368,}, 0x0, ) == 0x0
 01351   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\4\0\0X\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\4\0\0X\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81888, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\4\0\0X\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\4\0\0X\5\0\0" )  ) == 0x0
 01352   896   NtResumeThread  (140, ... 1, ) == 0x0
 01295  1588   NtWaitForSingleObject  ... ) == 0x0
 01347  1296   NtSetEventBoostPriority  ... ) == 0x0
 01353  1368   NtWaitForSingleObject  (128, 0, 0x0, ...
 01354  1588   NtSetEventBoostPriority  (128, ...
 01355  1296   NtWaitForSingleObject  (128, 0, 0x0, ...
 01316  2044   NtWaitForSingleObject  ... ) == 0x0
 01354  1588   NtSetEventBoostPriority  ... ) == 0x0
 01356  2044   NtSetEventBoostPriority  (128, ...
 01357   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01328  1652   NtWaitForSingleObject  ... ) == 0x0
 01356  2044   NtSetEventBoostPriority  ... ) == 0x0
 01358  1652   NtSetEventBoostPriority  (128, ...
 01357   896   NtAllocateVirtualMemory  ... 16842752, 1048576, ) == 0x0
 01359  1588   NtTestAlert  (...
 01341  1436   NtWaitForSingleObject  ... ) == 0x0
 01358  1652   NtSetEventBoostPriority  ... ) == 0x0
 01360   896   NtAllocateVirtualMemory  (-1, 17883136, 0, 8192, 4096, 4, ...
 01361  1436   NtSetEventBoostPriority  (128, ...
 01359  1588   NtTestAlert  ... ) == 0x0
 01362  2044   NtTestAlert  (...
 01353  1368   NtWaitForSingleObject  ... ) == 0x0
 01361  1436   NtSetEventBoostPriority  ... ) == 0x0
 01360   896   NtAllocateVirtualMemory  ... 17883136, 8192, ) == 0x0
 01363  1588   NtContinue  (12647728, 1, ...
 01364  1368   NtSetEventBoostPriority  (128, ...
 01362  2044   NtTestAlert  ... ) == 0x0
 01365  1652   NtTestAlert  (...
 01366   896   NtProtectVirtualMemory  (-1, (0x110e000), 4096, 260, ...
 01355  1296   NtWaitForSingleObject  ... ) == 0x0
 01364  1368   NtSetEventBoostPriority  ... ) == 0x0
 01367  1588   NtRegisterThreadTerminatePort  (24, ...
 01368  2044   NtContinue  (13696304, 1, ...
 01365  1652   NtTestAlert  ... ) == 0x0
 01369  1296   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01366   896   NtProtectVirtualMemory  ... (0x110e000), 4096, 4, ) == 0x0
 01370  1436   NtTestAlert  (...
 01367  1588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01371  2044   NtRegisterThreadTerminatePort  (24, ...
 01369  1296   NtCreateEvent  ... 148, ) == 0x0
 01372  1652   NtContinue  (14744880, 1, ...
 01373  1368   NtTestAlert  (...
 01370  1436   NtTestAlert  ... ) == 0x0
 01374  1588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01371  2044   NtRegisterThreadTerminatePort  ... ) == 0x0
 01375   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01376  1652   NtRegisterThreadTerminatePort  (24, ...
 01373  1368   NtTestAlert  ... ) == 0x0
 01377  1436   NtContinue  (15793456, 1, ...
 01378  1296   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 01379  2044   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01375   896   NtCreateThread  ... 152, {1252, 1328}, ) == 0x0
 01376  1652   NtRegisterThreadTerminatePort  ... ) == 0x0
 01380  1368   NtContinue  (16842032, 1, ...
 01381  1436   NtRegisterThreadTerminatePort  (24, ...
 01378  1296   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01374  1588   NtDuplicateObject  ... 156, ) == 0x0
 01382   896   NtQueryInformationThread  (152, Basic, 28, ...
 01383  1652   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01384  1368   NtRegisterThreadTerminatePort  (24, ...
 01381  1436   NtRegisterThreadTerminatePort  ... ) == 0x0
 01385  1296   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11596196, ... }, 11596196, ...
 01386  1588   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01382   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1252,Tid=1328,}, 0x0, ) == 0x0
 01379  2044   NtDuplicateObject  ... 160, ) == 0x0
 01384  1368   NtRegisterThreadTerminatePort  ... ) == 0x0
 01387  1436   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01386  1588   NtWaitForSingleObject  ... ) == 0x102
 01388   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81888, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\344\4\0\00\5\0\0" ...  ...
 01389  2044   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01390  1368   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01383  1652   NtDuplicateObject  ... 164, ) == 0x0
 01391  1588   NtAllocateVirtualMemory  (-1, 12636160, 0, 4096, 4096, 260, ...
 01389  2044   NtWaitForSingleObject  ... ) == 0x102
 01387  1436   NtDuplicateObject  ... 168, ) == 0x0
 01388   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81889, 0}  ... {28, 56, reply, 0, 1252, 896, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\344\4\0\00\5\0\0" )  ) == 0x0
 01392  1652   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01391  1588   NtAllocateVirtualMemory  ... 12636160, 4096, ) == 0x0
 01393  2044   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01394  1436   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01395   896   NtResumeThread  (152, ...
 01392  1652   NtWaitForSingleObject  ... ) == 0x102
 01390  1368   NtDuplicateObject  ... 172, ) == 0x0
 01393  2044   NtCreateEvent  ... 176, ) == 0x0
 01394  1436   NtWaitForSingleObject  ... ) == 0x102
 01395   896   NtResumeThread  ... 1, ) == 0x0
 01396  1652   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01397  1368   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01398  1588   NtWaitForSingleObject  (128, 0, 0x0, ...
 01399  1328   NtWaitForSingleObject  (128, 0, 0x0, ...
 01400  1436   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01401   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01396  1652   NtCreateEvent  ... 180, ) == 0x0
 01397  1368   NtWaitForSingleObject  ... ) == 0x102
 01400  1436   NtCreateEvent  ... 184, ) == 0x0
 01401   896   NtAllocateVirtualMemory  ... 17891328, 1048576, ) == 0x0
 01402  2044   NtWaitForSingleObject  (176, 0, 0x0, ...
 01385  1296   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01403  1368   NtWaitForSingleObject  (176, 0, 0x0, ...
 01404  1652   NtClose  (180, ...
 01405   896   NtAllocateVirtualMemory  (-1, 18931712, 0, 8192, 4096, 4, ...
 01406  1296   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11596196, ... }, 11596196, ...
 01404  1652   NtClose  ... ) == 0x0
 01407  1436   NtClose  (184, ...
 01406  1296   NtQueryAttributesFile  ... ) == 0x0
 01408  1652   NtWaitForSingleObject  (176, 0, 0x0, ...
 01407  1436   NtClose  ... ) == 0x0
 01409  1296   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ...
 01410  1436   NtWaitForSingleObject  (176, 0, 0x0, ...
 01409  1296   NtOpenFile  ... 184, {status=0x0, info=1}, ) == 0x0
 01411  1296   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0
 01412  1296   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01413  1296   NtClose  (184, ... ) == 0x0
 01414  1296   NtMapViewOfSection  (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01405   896   NtAllocateVirtualMemory  ... 18931712, 8192, ) == 0x0
 01415   896   NtProtectVirtualMemory  (-1, (0x120e000), 4096, 260, ... (0x120e000), 4096, 4, ) == 0x0
 01416   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 184, {1252, 1152}, ) == 0x0
 01417   896   NtQueryInformationThread  (184, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1252,Tid=1152,}, 0x0, ) == 0x0
 01418   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81889, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\344\4\0\0\200\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\344\4\0\0\200\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81890, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\344\4\0\0\200\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\344\4\0\0\200\4\0\0" )  ) == 0x0
 01419   896   NtResumeThread  (184, ... 1, ) == 0x0
 01414  1296   NtMapViewOfSection  ... (0x662b0000), 0x0, 360448, ) == 0x0
 01420  1152   NtWaitForSingleObject  (128, 0, 0x0, ...
 01421  1296   NtClose  (180, ... ) == 0x0
 01422  1296   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01423  1296   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01424  1296   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01425  1296   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01426  1296   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 01427   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18939904, 1048576, ) == 0x0
 01428   896   NtAllocateVirtualMemory  (-1, 19980288, 0, 8192, 4096, 4, ... 19980288, 8192, ) == 0x0
 01429   896   NtProtectVirtualMemory  (-1, (0x130e000), 4096, 260, ... (0x130e000), 4096, 4, ) == 0x0
 01430   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 180, {1252, 792}, ) == 0x0
 01431   896   NtQueryInformationThread  (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1252,Tid=792,}, 0x0, ) == 0x0
 01432   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81890, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\344\4\0\0\30\3\0\0" ...  ...
 01426  1296   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 01433  1296   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01434  1296   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01435  1296   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 01432   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81891, 0}  ... {28, 56, reply, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\344\4\0\0\30\3\0\0" )  ) == 0x0
 01436   896   NtResumeThread  (180, ... 1, ) == 0x0
 01437   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19988480, 1048576, ) == 0x0
 01438   896   NtAllocateVirtualMemory  (-1, 21028864, 0, 8192, 4096, 4, ... 21028864, 8192, ) == 0x0
 01439   896   NtProtectVirtualMemory  (-1, (0x140e000), 4096, 260, ... (0x140e000), 4096, 4, ) == 0x0
 01440   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 188, {1252, 1484}, ) == 0x0
 01441   896   NtQueryInformationThread  (188, Basic, 28, ...
 01435  1296   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 01442   792   NtWaitForSingleObject  (128, 0, 0x0, ...
 01443  1296   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01444  1296   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01445  1296   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01446  1296   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01447  1296   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01448  1296   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 01441   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1252,Tid=1484,}, 0x0, ) == 0x0
 01449   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81891, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\344\4\0\0\314\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\344\4\0\0\314\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81892, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\344\4\0\0\314\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\344\4\0\0\314\5\0\0" )  ) == 0x0
 01450   896   NtResumeThread  (188, ... 1, ) == 0x0
 01451   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21037056, 1048576, ) == 0x0
 01452   896   NtAllocateVirtualMemory  (-1, 22077440, 0, 8192, 4096, 4, ... 22077440, 8192, ) == 0x0
 01453   896   NtProtectVirtualMemory  (-1, (0x150e000), 4096, 260, ... (0x150e000), 4096, 4, ) == 0x0
 01448  1296   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 01454  1484   NtWaitForSingleObject  (128, 0, 0x0, ...
 01455  1296   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01456  1296   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01457  1296   NtSetEventBoostPriority  (128, ...
 01398  1588   NtWaitForSingleObject  ... ) == 0x0
 01458  1588   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12643280, ... ) }, 12643280, ... ) == 0x0
 01459  1588   NtSetEventBoostPriority  (128, ...
 01399  1328   NtWaitForSingleObject  ... ) == 0x0
 01460  1328   NtSetEventBoostPriority  (128, ...
 01420  1152   NtWaitForSingleObject  ... ) == 0x0
 01461  1152   NtSetEventBoostPriority  (128, ...
 01442   792   NtWaitForSingleObject  ... ) == 0x0
 01462   792   NtSetEventBoostPriority  (128, ...
 01454  1484   NtWaitForSingleObject  ... ) == 0x0
 01463  1484   NtTestAlert  (... ) == 0x0
 01462   792   NtSetEventBoostPriority  ... ) == 0x0
 01461  1152   NtSetEventBoostPriority  ... ) == 0x0
 01460  1328   NtSetEventBoostPriority  ... ) == 0x0
 01459  1588   NtSetEventBoostPriority  ... ) == 0x0
 01457  1296   NtSetEventBoostPriority  ... ) == 0x0
 01464   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01465  1484   NtContinue  (21036336, 1, ...
 01466   792   NtTestAlert  (...
 01467  1152   NtTestAlert  (...
 01468  1588   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01469  1296   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01464   896   NtCreateThread  ... 192, {1252, 840}, ) == 0x0
 01470  1484   NtRegisterThreadTerminatePort  (24, ...
 01466   792   NtTestAlert  ... ) == 0x0
 01467  1152   NtTestAlert  ... ) == 0x0
 01468  1588   NtCreateEvent  ... 196, ) == 0x0
 01469  1296   NtCreateEvent  ... 200, ) == 0x0
 01471   896   NtQueryInformationThread  (192, Basic, 28, ...
 01470  1484   NtRegisterThreadTerminatePort  ... ) == 0x0
 01472   792   NtContinue  (19987760, 1, ...
 01473  1152   NtContinue  (18939184, 1, ...
 01474  1588   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 01475  1296   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01471   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1252,Tid=840,}, 0x0, ) == 0x0
 01476  1484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01477   792   NtRegisterThreadTerminatePort  (24, ...
 01478  1152   NtRegisterThreadTerminatePort  (24, ...
 01474  1588   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01475  1296   NtDuplicateObject  ... 204, ) == 0x0
 01479   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81892, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\344\4\0\0H\3\0\0" ...  ...
 01476  1484   NtDuplicateObject  ... 208, ) == 0x0
 01477   792   NtRegisterThreadTerminatePort  ... ) == 0x0
 01478  1152   NtRegisterThreadTerminatePort  ... ) == 0x0
 01480  1588   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 12643384, ... }, 12643384, ...
 01481  1296   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 01482  1484   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01483   792   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01484  1152   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01485  1328   NtTestAlert  (...
 01479   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81893, 0}  ... {28, 56, reply, 0, 1252, 896, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\344\4\0\0H\3\0\0" )  ) == 0x0
 01481  1296   NtOpenKey  ... 212, ) == 0x0
 01482  1484   NtWaitForSingleObject  ... ) == 0x102
 01483   792   NtDuplicateObject  ... 216, ) == 0x0
 01485  1328   NtTestAlert  ... ) == 0x0
 01486   896   NtResumeThread  (192, ...
 01487  1296   NtQueryValueKey  (212,  (212, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 01488  1484   NtWaitForSingleObject  (176, 0, 0x0, ...
 01489   792   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01490  1328   NtContinue  (17890608, 1, ...
 01486   896   NtResumeThread  ... 1, ) == 0x0
 01487  1296   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01489   792   NtWaitForSingleObject  ... ) == 0x102
 01491  1328   NtRegisterThreadTerminatePort  (24, ...
 01484  1152   NtDuplicateObject  ... 220, ) == 0x0
 01492   840   NtWaitForSingleObject  (128, 0, 0x0, ...
 01493  1296   NtClose  (212, ...
 01494   792   NtWaitForSingleObject  (176, 0, 0x0, ...
 01491  1328   NtRegisterThreadTerminatePort  ... ) == 0x0
 01495  1152   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01493  1296   NtClose  ... ) == 0x0
 01496  1328   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01495  1152   NtWaitForSingleObject  ... ) == 0x102
 01497  1296   NtOpenThreadToken  (-2, 0xc, 1, ...
 01498   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01480  1588   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01499  1152   NtWaitForSingleObject  (176, 0, 0x0, ...
 01496  1328   NtDuplicateObject  ... 212, ) == 0x0
 01498   896   NtAllocateVirtualMemory  ... 22085632, 1048576, ) == 0x0
 01500  1588   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 12643384, ... }, 12643384, ...
 01501  1328   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01502   896   NtAllocateVirtualMemory  (-1, 23126016, 0, 8192, 4096, 4, ...
 01500  1588   NtQueryAttributesFile  ... ) == 0x0
 01501  1328   NtWaitForSingleObject  ... ) == 0x102
 01502   896   NtAllocateVirtualMemory  ... 23126016, 8192, ) == 0x0
 01497  1296   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01503  1328   NtWaitForSingleObject  (176, 0, 0x0, ...
 01504   896   NtProtectVirtualMemory  (-1, (0x160e000), 4096, 260, ...
 01505  1296   NtOpenThreadToken  (-2, 0x20008, 1, ...
 01504   896   NtProtectVirtualMemory  ... (0x160e000), 4096, 4, ) == 0x0
 01505  1296   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01506  1588   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ...
 01507  1296   NtWaitForSingleObject  (128, 0, 0x0, ...
 01506  1588   NtOpenFile  ... 224, {status=0x0, info=1}, ) == 0x0
 01508  1588   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 224, ... 228, ) == 0x0
 01509  1588   NtQuerySection  (228, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01510  1588   NtClose  (224, ... ) == 0x0
 01511  1588   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 01512  1588   NtClose  (228, ... ) == 0x0
 01513   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1252, 860}, ) == 0x0
 01514   896   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1252,Tid=860,}, 0x0, ) == 0x0
 01515   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81893, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81894, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\\3\0\0" )  ) == 0x0
 01516   896   NtResumeThread  (228, ... 1, ) == 0x0
 01517   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23134208, 1048576, ) == 0x0
 01518   896   NtAllocateVirtualMemory  (-1, 24174592, 0, 8192, 4096, 4, ...
 01519  1588   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01520   860   NtWaitForSingleObject  (128, 0, 0x0, ...
 01519  1588   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01521  1588   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01522  1588   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01523  1588   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01524  1588   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01525  1588   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01518   896   NtAllocateVirtualMemory  ... 24174592, 8192, ) == 0x0
 01526   896   NtProtectVirtualMemory  (-1, (0x170e000), 4096, 260, ... (0x170e000), 4096, 4, ) == 0x0
 01527   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {1252, 780}, ) == 0x0
 01528   896   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1252,Tid=780,}, 0x0, ) == 0x0
 01529   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81894, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0\14\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81895, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0\14\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81895, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0\14\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81895, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0\14\3\0\0" )  ) == 0x0
 01530   896   NtResumeThread  (224, ... 1, ) == 0x0
 01531  1588   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01532   780   NtWaitForSingleObject  (128, 0, 0x0, ...
 01531  1588   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01533  1588   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01534  1588   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01535  1588   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01536  1588   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01537  1588   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01538   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24182784, 1048576, ) == 0x0
 01539   896   NtAllocateVirtualMemory  (-1, 25223168, 0, 8192, 4096, 4, ... 25223168, 8192, ) == 0x0
 01540   896   NtProtectVirtualMemory  (-1, (0x180e000), 4096, 260, ... (0x180e000), 4096, 4, ) == 0x0
 01541   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1252, 940}, ) == 0x0
 01542   896   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1252,Tid=940,}, 0x0, ) == 0x0
 01543   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81895, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81895, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\254\3\0\0" ...  ...
 01544  1588   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01545  1588   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01546  1588   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01543   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81896, 0}  ... {28, 56, reply, 0, 1252, 896, 81896, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\254\3\0\0" )  ) == 0x0
 01547   896   NtResumeThread  (232, ... 1, ) == 0x0
 01548   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25231360, 1048576, ) == 0x0
 01549   896   NtAllocateVirtualMemory  (-1, 26271744, 0, 8192, 4096, 4, ... 26271744, 8192, ) == 0x0
 01550   896   NtProtectVirtualMemory  (-1, (0x190e000), 4096, 260, ... (0x190e000), 4096, 4, ) == 0x0
 01551   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1252, 644}, ) == 0x0
 01552   896   NtQueryInformationThread  (236, Basic, 28, ...
 01553  1588   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01554   940   NtWaitForSingleObject  (128, 0, 0x0, ...
 01553  1588   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01555  1588   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01556  1588   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01557  1588   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01558  1588   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 240, 2, ) }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 240, 2, ) , 0, ... 240, 2, ) == 0x0
 01559  1588   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 244, ) }, ... 244, ) == 0x0
 01552   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1252,Tid=644,}, 0x0, ) == 0x0
 01560   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81896, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81896, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\204\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\204\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81897, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81896, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\204\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\204\2\0\0" )  ) == 0x0
 01561   896   NtResumeThread  (236, ... 1, ) == 0x0
 01562   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 26279936, 1048576, ) == 0x0
 01563   896   NtAllocateVirtualMemory  (-1, 27320320, 0, 8192, 4096, 4, ... 27320320, 8192, ) == 0x0
 01564   896   NtProtectVirtualMemory  (-1, (0x1a0e000), 4096, 260, ... (0x1a0e000), 4096, 4, ) == 0x0
 01565  1588   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01566   644   NtWaitForSingleObject  (128, 0, 0x0, ...
 01565  1588   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01567  1588   NtQueryValueKey  (244,  (244, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01568  1588   NtQueryValueKey  (240,  (240, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01569  1588   NtQueryValueKey  (244,  (244, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01570  1588   NtQueryValueKey  (240,  (240, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01571  1588   NtQueryValueKey  (244,  (244, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1252, 1736}, ) == 0x0
 01573   896   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1252,Tid=1736,}, 0x0, ) == 0x0
 01574   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81897, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\310\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\310\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81898, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\310\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\310\6\0\0" )  ) == 0x0
 01575   896   NtResumeThread  (248, ... 1, ) == 0x0
 01576   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27328512, 1048576, ) == 0x0
 01577   896   NtAllocateVirtualMemory  (-1, 28368896, 0, 8192, 4096, 4, ...
 01578  1588   NtQueryValueKey  (240,  (240, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ...
 01579  1736   NtWaitForSingleObject  (128, 0, 0x0, ...
 01578  1588   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01580  1588   NtQueryValueKey  (244,  (244, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581  1588   NtQueryValueKey  (240,  (240, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01582  1588   NtQueryValueKey  (244,  (244, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01583  1588   NtQueryValueKey  (244,  (244, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01584  1588   NtQueryValueKey  (244,  (244, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01577   896   NtAllocateVirtualMemory  ... 28368896, 8192, ) == 0x0
 01585   896   NtProtectVirtualMemory  (-1, (0x1b0e000), 4096, 260, ... (0x1b0e000), 4096, 4, ) == 0x0
 01586   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 252, {1252, 320}, ) == 0x0
 01587   896   NtQueryInformationThread  (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1252,Tid=320,}, 0x0, ) == 0x0
 01588   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81898, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\4\0\0@\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81899, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\4\0\0@\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81899, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\4\0\0@\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81899, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\4\0\0@\1\0\0" )  ) == 0x0
 01589   896   NtResumeThread  (252, ... 1, ) == 0x0
 01590  1588   NtQueryValueKey  (244,  (244, "FilterClusterIp", Partial, 144, ... , Partial, 144, ...
 01591   320   NtWaitForSingleObject  (128, 0, 0x0, ...
 01590  1588   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01592  1588   NtQueryValueKey  (244,  (244, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593  1588   NtQueryValueKey  (244,  (244, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01594  1588   NtQueryValueKey  (244,  (244, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01595  1588   NtQueryValueKey  (244,  (244, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01596  1588   NtQueryValueKey  (244,  (244, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01597   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28377088, 1048576, ) == 0x0
 01598   896   NtAllocateVirtualMemory  (-1, 29417472, 0, 8192, 4096, 4, ... 29417472, 8192, ) == 0x0
 01599   896   NtProtectVirtualMemory  (-1, (0x1c0e000), 4096, 260, ... (0x1c0e000), 4096, 4, ) == 0x0
 01600   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 256, {1252, 1332}, ) == 0x0
 01601   896   NtQueryInformationThread  (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1252,Tid=1332,}, 0x0, ) == 0x0
 01602   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81899, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81899, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\344\4\0\04\5\0\0" ...  ...
 01603  1588   NtQueryValueKey  (240,  (240, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01604  1588   NtQueryValueKey  (244,  (244, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01605  1588   NtQueryValueKey  (244,  (244, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01602   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81900, 0}  ... {28, 56, reply, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\344\4\0\04\5\0\0" )  ) == 0x0
 01606   896   NtResumeThread  (256, ... 1, ) == 0x0
 01607   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29425664, 1048576, ) == 0x0
 01608   896   NtAllocateVirtualMemory  (-1, 30466048, 0, 8192, 4096, 4, ... 30466048, 8192, ) == 0x0
 01609   896   NtProtectVirtualMemory  (-1, (0x1d0e000), 4096, 260, ... (0x1d0e000), 4096, 4, ) == 0x0
 01610   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 260, {1252, 1336}, ) == 0x0
 01611   896   NtQueryInformationThread  (260, Basic, 28, ...
 01612  1588   NtQueryValueKey  (240,  (240, "EnableAdapterDomainNameRegistration", Partial, 144, ... , Partial, 144, ...
 01613  1332   NtWaitForSingleObject  (128, 0, 0x0, ...
 01612  1588   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01614  1588   NtQueryValueKey  (244,  (244, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01615  1588   NtQueryValueKey  (240,  (240, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01616  1588   NtQueryValueKey  (244,  (244, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01617  1588   NtQueryValueKey  (240,  (240, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01618  1588   NtQueryValueKey  (244,  (244, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01611   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1252,Tid=1336,}, 0x0, ) == 0x0
 01619   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81900, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\344\4\0\08\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\344\4\0\08\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81901, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\344\4\0\08\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\344\4\0\08\5\0\0" )  ) == 0x0
 01620   896   NtResumeThread  (260, ... 1, ) == 0x0
 01621   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30474240, 1048576, ) == 0x0
 01622   896   NtAllocateVirtualMemory  (-1, 31514624, 0, 8192, 4096, 4, ... 31514624, 8192, ) == 0x0
 01623   896   NtProtectVirtualMemory  (-1, (0x1e0e000), 4096, 260, ... (0x1e0e000), 4096, 4, ) == 0x0
 01624  1588   NtQueryValueKey  (240,  (240, "DefaultRegistrationTTL", Partial, 144, ... , Partial, 144, ...
 01625  1336   NtWaitForSingleObject  (128, 0, 0x0, ...
 01624  1588   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01626  1588   NtQueryValueKey  (244,  (244, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01627  1588   NtQueryValueKey  (240,  (240, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01628  1588   NtQueryValueKey  (244,  (244, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01629  1588   NtQueryValueKey  (240,  (240, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01630  1588   NtQueryValueKey  (244,  (244, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01631   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 264, {1252, 468}, ) == 0x0
 01632   896   NtQueryInformationThread  (264, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1252,Tid=468,}, 0x0, ) == 0x0
 01633   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81901, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\344\4\0\0\324\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\344\4\0\0\324\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81902, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\344\4\0\0\324\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\344\4\0\0\324\1\0\0" )  ) == 0x0
 01634   896   NtResumeThread  (264, ... 1, ) == 0x0
 01635   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31522816, 1048576, ) == 0x0
 01636   896   NtAllocateVirtualMemory  (-1, 32563200, 0, 8192, 4096, 4, ...
 01637  1588   NtQueryValueKey  (240,  (240, "UpdateSecurityLevel", Partial, 144, ... , Partial, 144, ...
 01638   468   NtWaitForSingleObject  (128, 0, 0x0, ...
 01637  1588   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01639  1588   NtQueryValueKey  (244,  (244, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01640  1588   NtQueryValueKey  (244,  (244, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01641  1588   NtQueryValueKey  (244,  (244, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01642  1588   NtQueryValueKey  (244,  (244, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01643  1588   NtQueryValueKey  (244,  (244, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01636   896   NtAllocateVirtualMemory  ... 32563200, 8192, ) == 0x0
 01644   896   NtProtectVirtualMemory  (-1, (0x1f0e000), 4096, 260, ... (0x1f0e000), 4096, 4, ) == 0x0
 01645   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 268, {1252, 752}, ) == 0x0
 01646   896   NtQueryInformationThread  (268, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1252,Tid=752,}, 0x0, ) == 0x0
 01647   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81902, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\344\4\0\0\360\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81903, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\344\4\0\0\360\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81903, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\344\4\0\0\360\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81903, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\344\4\0\0\360\2\0\0" )  ) == 0x0
 01648   896   NtResumeThread  (268, ... 1, ) == 0x0
 01649  1588   NtQueryValueKey  (244,  (244, "MaxNegativeCacheTtl", Partial, 144, ... , Partial, 144, ...
 01650   752   NtWaitForSingleObject  (128, 0, 0x0, ...
 01649  1588   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01651  1588   NtQueryValueKey  (244,  (244, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01652  1588   NtQueryValueKey  (244,  (244, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01653  1588   NtQueryValueKey  (244,  (244, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01654  1588   NtQueryValueKey  (244,  (244, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01655  1588   NtQueryValueKey  (244,  (244, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01656   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32571392, 1048576, ) == 0x0
 01657   896   NtAllocateVirtualMemory  (-1, 33611776, 0, 8192, 4096, 4, ... 33611776, 8192, ) == 0x0
 01658   896   NtProtectVirtualMemory  (-1, (0x200e000), 4096, 260, ... (0x200e000), 4096, 4, ) == 0x0
 01659   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 272, {1252, 1512}, ) == 0x0
 01660   896   NtQueryInformationThread  (272, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1252,Tid=1512,}, 0x0, ) == 0x0
 01661   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81903, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81903, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\344\4\0\0\350\5\0\0" ...  ...
 01662  1588   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\Setup"}, ... 276, ) }, ... 276, ) == 0x0
 01663  1588   NtQueryValueKey  (276,  (276, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (276, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01664  1588   NtClose  (276, ... ) == 0x0
 01661   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81904, 0}  ... {28, 56, reply, 0, 1252, 896, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\344\4\0\0\350\5\0\0" )  ) == 0x0
 01665   896   NtResumeThread  (272, ... 1, ) == 0x0
 01666   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33619968, 1048576, ) == 0x0
 01667   896   NtAllocateVirtualMemory  (-1, 34660352, 0, 8192, 4096, 4, ... 34660352, 8192, ) == 0x0
 01668   896   NtProtectVirtualMemory  (-1, (0x210e000), 4096, 260, ... (0x210e000), 4096, 4, ) == 0x0
 01669   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 276, {1252, 1380}, ) == 0x0
 01670   896   NtQueryInformationThread  (276, Basic, 28, ...
 01671  1588   NtClose  (240, ...
 01672  1512   NtWaitForSingleObject  (128, 0, 0x0, ...
 01671  1588   NtClose  ... ) == 0x0
 01673  1588   NtClose  (244, ... ) == 0x0
 01674  1588   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 244, ) }, ... 244, ) == 0x0
 01675  1588   NtQueryValueKey  (244,  (244, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01676  1588   NtQueryValueKey  (244,  (244, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01677  1588   NtQueryValueKey  (244,  (244, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01670   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1252,Tid=1380,}, 0x0, ) == 0x0
 01678   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81904, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\344\4\0\0d\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81905, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\344\4\0\0d\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81905, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\344\4\0\0d\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81905, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\344\4\0\0d\5\0\0" )  ) == 0x0
 01679   896   NtResumeThread  (276, ... 1, ) == 0x0
 01680   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34668544, 1048576, ) == 0x0
 01681   896   NtAllocateVirtualMemory  (-1, 35708928, 0, 8192, 4096, 4, ... 35708928, 8192, ) == 0x0
 01682   896   NtProtectVirtualMemory  (-1, (0x220e000), 4096, 260, ... (0x220e000), 4096, 4, ) == 0x0
 01683  1588   NtClose  (244, ...
 01684  1380   NtWaitForSingleObject  (128, 0, 0x0, ...
 01683  1588   NtClose  ... ) == 0x0
 01685  1588   NtSetEventBoostPriority  (128, ...
 01492   840   NtWaitForSingleObject  ... ) == 0x0
 01686   840   NtSetEventBoostPriority  (128, ...
 01507  1296   NtWaitForSingleObject  ... ) == 0x0
 01687  1296   NtSetEventBoostPriority  (128, ...
 01520   860   NtWaitForSingleObject  ... ) == 0x0
 01688   860   NtSetEventBoostPriority  (128, ...
 01532   780   NtWaitForSingleObject  ... ) == 0x0
 01689   780   NtSetEventBoostPriority  (128, ...
 01554   940   NtWaitForSingleObject  ... ) == 0x0
 01690   940   NtSetEventBoostPriority  (128, ...
 01566   644   NtWaitForSingleObject  ... ) == 0x0
 01691   644   NtSetEventBoostPriority  (128, ...
 01579  1736   NtWaitForSingleObject  ... ) == 0x0
 01692  1736   NtSetEventBoostPriority  (128, ...
 01591   320   NtWaitForSingleObject  ... ) == 0x0
 01693   320   NtSetEventBoostPriority  (128, ...
 01613  1332   NtWaitForSingleObject  ... ) == 0x0
 01694  1332   NtSetEventBoostPriority  (128, ...
 01625  1336   NtWaitForSingleObject  ... ) == 0x0
 01695  1336   NtSetEventBoostPriority  (128, ...
 01638   468   NtWaitForSingleObject  ... ) == 0x0
 01696   468   NtSetEventBoostPriority  (128, ...
 01650   752   NtWaitForSingleObject  ... ) == 0x0
 01697   752   NtSetEventBoostPriority  (128, ...
 01672  1512   NtWaitForSingleObject  ... ) == 0x0
 01698  1512   NtSetEventBoostPriority  (128, ...
 01684  1380   NtWaitForSingleObject  ... ) == 0x0
 01699  1380   NtTestAlert  (... ) == 0x0
 01698  1512   NtSetEventBoostPriority  ... ) == 0x0
 01697   752   NtSetEventBoostPriority  ... ) == 0x0
 01696   468   NtSetEventBoostPriority  ... ) == 0x0
 01695  1336   NtSetEventBoostPriority  ... ) == 0x0
 01694  1332   NtSetEventBoostPriority  ... ) == 0x0
 01693   320   NtSetEventBoostPriority  ... ) == 0x0
 01692  1736   NtSetEventBoostPriority  ... ) == 0x0
 01691   644   NtSetEventBoostPriority  ... ) == 0x0
 01690   940   NtSetEventBoostPriority  ... ) == 0x0
 01689   780   NtSetEventBoostPriority  ... ) == 0x0
 01688   860   NtSetEventBoostPriority  ... ) == 0x0
 01687  1296   NtSetEventBoostPriority  ... ) == 0x0
 01686   840   NtSetEventBoostPriority  ... ) == 0x0
 01685  1588   NtSetEventBoostPriority  ... ) == 0x0
 01700   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01701  1380   NtContinue  (34667824, 1, ...
 01702  1512   NtTestAlert  (...
 01703   752   NtTestAlert  (...
 01704   468   NtTestAlert  (...
 01705  1336   NtTestAlert  (...
 01706  1332   NtTestAlert  (...
 01707   320   NtTestAlert  (...
 01708  1736   NtTestAlert  (...
 01709   644   NtTestAlert  (...
 01710   940   NtTestAlert  (...
 01711   780   NtTestAlert  (...
 01712   860   NtTestAlert  (...
 01713  1296   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11595888, ... }, 11595888, ...
 01714  1588   NtWaitForSingleObject  (128, 0, 0x0, ...
 01700   896   NtCreateThread  ... 244, {1252, 312}, ) == 0x0
 01715  1380   NtRegisterThreadTerminatePort  (24, ...
 01702  1512   NtTestAlert  ... ) == 0x0
 01703   752   NtTestAlert  ... ) == 0x0
 01704   468   NtTestAlert  ... ) == 0x0
 01705  1336   NtTestAlert  ... ) == 0x0
 01706  1332   NtTestAlert  ... ) == 0x0
 01707   320   NtTestAlert  ... ) == 0x0
 01708  1736   NtTestAlert  ... ) == 0x0
 01709   644   NtTestAlert  ... ) == 0x0
 01710   940   NtTestAlert  ... ) == 0x0
 01711   780   NtTestAlert  ... ) == 0x0
 01712   860   NtTestAlert  ... ) == 0x0
 01713  1296   NtQueryAttributesFile  ... ) == 0x0
 01716   896   NtQueryInformationThread  (244, Basic, 28, ...
 01715  1380   NtRegisterThreadTerminatePort  ... ) == 0x0
 01717  1512   NtContinue  (33619248, 1, ...
 01718   752   NtContinue  (32570672, 1, ...
 01719   468   NtContinue  (31522096, 1, ...
 01720  1336   NtContinue  (30473520, 1, ...
 01721  1332   NtContinue  (29424944, 1, ...
 01722   320   NtContinue  (28376368, 1, ...
 01723  1736   NtContinue  (27327792, 1, ...
 01724   644   NtContinue  (26279216, 1, ...
 01725   940   NtContinue  (25230640, 1, ...
 01726   780   NtContinue  (24182064, 1, ...
 01727   860   NtContinue  (23133488, 1, ...
 01728  1296   NtSetEventBoostPriority  (128, ...
 01716   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1252,Tid=312,}, 0x0, ) == 0x0
 01729  1380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01730  1512   NtRegisterThreadTerminatePort  (24, ...
 01731   752   NtRegisterThreadTerminatePort  (24, ...
 01732   468   NtRegisterThreadTerminatePort  (24, ...
 01733  1336   NtRegisterThreadTerminatePort  (24, ...
 01734  1332   NtRegisterThreadTerminatePort  (24, ...
 01735   320   NtRegisterThreadTerminatePort  (24, ...
 01736  1736   NtRegisterThreadTerminatePort  (24, ...
 01737   644   NtRegisterThreadTerminatePort  (24, ...
 01738   940   NtRegisterThreadTerminatePort  (24, ...
 01739   780   NtRegisterThreadTerminatePort  (24, ...
 01740   860   NtRegisterThreadTerminatePort  (24, ...
 01714  1588   NtWaitForSingleObject  ... ) == 0x0
 01728  1296   NtSetEventBoostPriority  ... ) == 0x0
 01741   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81905, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81905, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\08\1\0\0" ...  ...
 01729  1380   NtDuplicateObject  ... 240, ) == 0x0
 01730  1512   NtRegisterThreadTerminatePort  ... ) == 0x0
 01731   752   NtRegisterThreadTerminatePort  ... ) == 0x0
 01732   468   NtRegisterThreadTerminatePort  ... ) == 0x0
 01733  1336   NtRegisterThreadTerminatePort  ... ) == 0x0
 01734  1332   NtRegisterThreadTerminatePort  ... ) == 0x0
 01735   320   NtRegisterThreadTerminatePort  ... ) == 0x0
 01736  1736   NtRegisterThreadTerminatePort  ... ) == 0x0
 01737   644   NtRegisterThreadTerminatePort  ... ) == 0x0
 01738   940   NtRegisterThreadTerminatePort  ... ) == 0x0
 01739   780   NtRegisterThreadTerminatePort  ... ) == 0x0
 01742  1588   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01740   860   NtRegisterThreadTerminatePort  ... ) == 0x0
 01743  1296   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01744  1380   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01745  1512   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01746   752   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01747   468   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01748  1336   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01749  1332   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01750   320   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01751  1736   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01752   644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01753   940   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01742  1588   NtCreateEvent  ... 280, ) == 0x0
 01754   780   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01755   860   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01743  1296   NtOpenKey  ... 284, ) == 0x0
 01756   840   NtTestAlert  (...
 01741   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81906, 0}  ... {28, 56, reply, 0, 1252, 896, 81906, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\08\1\0\0" )  ) == 0x0
 01744  1380   NtWaitForSingleObject  ... ) == 0x102
 01745  1512   NtDuplicateObject  ... 288, ) == 0x0
 01746   752   NtDuplicateObject  ... 292, ) == 0x0
 01747   468   NtDuplicateObject  ... 296, ) == 0x0
 01748  1336   NtDuplicateObject  ... 300, ) == 0x0
 01749  1332   NtDuplicateObject  ... 304, ) == 0x0
 01750   320   NtDuplicateObject  ... 308, ) == 0x0
 01751  1736   NtDuplicateObject  ... 312, ) == 0x0
 01752   644   NtDuplicateObject  ... 316, ) == 0x0
 01753   940   NtDuplicateObject  ... 320, ) == 0x0
 01757  1588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01754   780   NtDuplicateObject  ... 324, ) == 0x0
 01755   860   NtDuplicateObject  ... 328, ) == 0x0
 01756   840   NtTestAlert  ... ) == 0x0
 01758   896   NtResumeThread  (244, ...
 01759  1380   NtWaitForSingleObject  (176, 0, 0x0, ...
 01760  1512   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01761   752   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01762   468   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01763  1336   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01764  1332   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01765   320   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01766  1736   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01767   644   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01768   940   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01757  1588   NtDuplicateObject  ... 332, ) == 0x0
 01769   780   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01770   860   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01771   840   NtContinue  (22084912, 1, ...
 01758   896   NtResumeThread  ... 1, ) == 0x0
 01760  1512   NtWaitForSingleObject  ... ) == 0x102
 01761   752   NtWaitForSingleObject  ... ) == 0x102
 01762   468   NtWaitForSingleObject  ... ) == 0x102
 01763  1336   NtWaitForSingleObject  ... ) == 0x102
 01764  1332   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01765   320   NtCreateEvent  ... 336, ) == 0x0
 01766  1736   NtCreateEvent  ... 340, ) == 0x0
 01767   644   NtCreateEvent  ... 344, ) == 0x0
 01768   940   NtCreateEvent  ... 348, ) == 0x0
 01772  1588   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01769   780   NtCreateEvent  ... 352, ) == 0x0
 01770   860   NtCreateEvent  ... 356, ) == 0x0
 01773   840   NtRegisterThreadTerminatePort  (24, ...
 01774   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01775  1512   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01776   752   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01777   468   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01778  1336   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01779  1332   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01780   320   NtWaitForSingleObject  (336, 0, 0x0, ...
 01781  1736   NtClose  (340, ...
 01782   644   NtClose  (344, ...
 01783   940   NtClose  (348, ...
 01772  1588   NtCreateEvent  ... 360, ) == 0x0
 01784   780   NtClose  (352, ...
 01785   860   NtClose  (356, ...
 01773   840   NtRegisterThreadTerminatePort  ... ) == 0x0
 01774   896   NtAllocateVirtualMemory  ... 35717120, 1048576, ) == 0x0
 01775  1512   NtCreateEvent  ... 364, ) == 0x0
 01776   752   NtCreateEvent  ... 368, ) == 0x0
 01777   468   NtCreateEvent  ... 372, ) == 0x0
 01778  1336   NtCreateEvent  ... 376, ) == 0x0
 01779  1332   NtCreateEvent  ... 380, ) == 0x0
 01781  1736   NtClose  ... ) == 0x0
 01782   644   NtClose  ... ) == 0x0
 01783   940   NtClose  ... ) == 0x0
 01786  1588   NtClose  (360, ...
 01784   780   NtClose  ... ) == 0x0
 01785   860   NtClose  ... ) == 0x0
 01787   840   NtWaitForSingleObject  (336, 0, 0x0, ...
 01788   896   NtAllocateVirtualMemory  (-1, 36757504, 0, 8192, 4096, 4, ...
 01789  1296   NtQueryValueKey  (284,  (284, "Transports", Partial, 144, ... , Partial, 144, ...
 01790   312   NtTestAlert  (...
 01791  1512   NtClose  (364, ...
 01792   752   NtClose  (368, ...
 01793   468   NtClose  (372, ...
 01794  1332   NtClose  (380, ...
 01795  1736   NtWaitForSingleObject  (336, 0, 0x0, ...
 01796   644   NtWaitForSingleObject  (336, 0, 0x0, ...
 01797   940   NtWaitForSingleObject  (336, 0, 0x0, ...
 01786  1588   NtClose  ... ) == 0x0
 01798   780   NtWaitForSingleObject  (336, 0, 0x0, ...
 01799   860   NtWaitForSingleObject  (336, 0, 0x0, ...
 01800  1336   NtClose  (376, ...
 01789  1296   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01790   312   NtTestAlert  ... ) == 0x0
 01791  1512   NtClose  ... ) == 0x0
 01792   752   NtClose  ... ) == 0x0
 01793   468   NtClose  ... ) == 0x0
 01788   896   NtAllocateVirtualMemory  ... 36757504, 8192, ) == 0x0
 01794  1332   NtClose  ... ) == 0x0
 01801  1588   NtWaitForSingleObject  (336, 0, 0x0, ...
 01800  1336   NtClose  ... ) == 0x0
 01802  1296   NtQueryValueKey  (284,  (284, "Transports", Partial, 144, ... , Partial, 144, ...
 01803   312   NtContinue  (35716400, 1, ...
 01804  1512   NtWaitForSingleObject  (336, 0, 0x0, ...
 01805   752   NtWaitForSingleObject  (336, 0, 0x0, ...
 01806   468   NtWaitForSingleObject  (336, 0, 0x0, ...
 01807   896   NtProtectVirtualMemory  (-1, (0x230e000), 4096, 260, ...
 01808  1332   NtSetEventBoostPriority  (336, ...
 01809  1336   NtWaitForSingleObject  (336, 0, 0x0, ...
 01802  1296   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01810   312   NtRegisterThreadTerminatePort  (24, ...
 01807   896   NtProtectVirtualMemory  ... (0x230e000), 4096, 4, ) == 0x0
 01780   320   NtWaitForSingleObject  ... ) == 0x0
 01808  1332   NtSetEventBoostPriority  ... ) == 0x0
 01811  1296   NtClose  (284, ...
 01810   312   NtRegisterThreadTerminatePort  ... ) == 0x0
 01812   320   NtSetEventBoostPriority  (336, ...
 01813   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01814  1332   NtWaitForSingleObject  (336, 0, 0x0, ...
 01811  1296   NtClose  ... ) == 0x0
 01787   840   NtWaitForSingleObject  ... ) == 0x0
 01812   320   NtSetEventBoostPriority  ... ) == 0x0
 01813   896   NtCreateThread  ... 284, {1252, 1440}, ) == 0x0
 01815   312   NtWaitForSingleObject  (336, 0, 0x0, ...
 01816   840   NtSetEventBoostPriority  (336, ...
 01817  1296   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01818   896   NtQueryInformationThread  (284, Basic, 28, ...
 01795  1736   NtWaitForSingleObject  ... ) == 0x0
 01817  1296   NtOpenKey  ... 376, ) == 0x0
 01816   840   NtSetEventBoostPriority  ... ) == 0x0
 01819   320   NtWaitForSingleObject  (336, 0, 0x0, ...
 01820  1736   NtSetEventBoostPriority  (336, ...
 01821  1296   NtQueryValueKey  (376,  (376, "Mapping", Partial, 144, ... , Partial, 144, ...
 01822   840   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01796   644   NtWaitForSingleObject  ... ) == 0x0
 01821  1296   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01822   840   NtDuplicateObject  ... 380, ) == 0x0
 01823   644   NtSetEventBoostPriority  (336, ...
 01824  1296   NtWaitForSingleObject  (336, 0, 0x0, ...
 01820  1736   NtSetEventBoostPriority  ... ) == 0x0
 01818   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1252,Tid=1440,}, 0x0, ) == 0x0
 01797   940   NtWaitForSingleObject  ... ) == 0x0
 01825  1736   NtWaitForSingleObject  (336, 0, 0x0, ...
 01826   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81906, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81906, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\344\4\0\0\240\5\0\0" ...  ...
 01827   940   NtSetEventBoostPriority  (336, ...
 01826   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81907, 0}  ... {28, 56, reply, 0, 1252, 896, 81907, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\344\4\0\0\240\5\0\0" )  ) == 0x0
 01798   780   NtWaitForSingleObject  ... ) == 0x0
 01828   896   NtResumeThread  (284, ...
 01829   780   NtSetEventBoostPriority  (336, ...
 01828   896   NtResumeThread  ... 1, ) == 0x0
 01801  1588   NtWaitForSingleObject  ... ) == 0x0
 01829   780   NtSetEventBoostPriority  ... ) == 0x0
 01827   940   NtSetEventBoostPriority  ... ) == 0x0
 01823   644   NtSetEventBoostPriority  ... ) == 0x0
 01830   840   NtWaitForSingleObject  (336, 0, 0x0, ...
 01831  1440   NtAllocateVirtualMemory  (-1, 3624960, 0, 4096, 4096, 4, ...
 01832  1588   NtSetEventBoostPriority  (336, ...
 01833   780   NtWaitForSingleObject  (336, 0, 0x0, ...
 01834   940   NtWaitForSingleObject  (336, 0, 0x0, ...
 01835   644   NtWaitForSingleObject  (336, 0, 0x0, ...
 01831  1440   NtAllocateVirtualMemory  ... 3624960, 4096, ) == 0x0
 01804  1512   NtWaitForSingleObject  ... ) == 0x0
 01832  1588   NtSetEventBoostPriority  ... ) == 0x0
 01836  1512   NtSetEventBoostPriority  (336, ...
 01837  1440   NtTestAlert  (...
 01805   752   NtWaitForSingleObject  ... ) == 0x0
 01836  1512   NtSetEventBoostPriority  ... ) == 0x0
 01838  1588   NtWaitForSingleObject  (336, 0, 0x0, ...
 01839   752   NtSetEventBoostPriority  (336, ...
 01837  1440   NtTestAlert  ... ) == 0x0
 01840   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01841  1512   NtWaitForSingleObject  (176, 0, 0x0, ...
 01806   468   NtWaitForSingleObject  ... ) == 0x0
 01839   752   NtSetEventBoostPriority  ... ) == 0x0
 01842  1440   NtContinue  (36764976, 1, ...
 01840   896   NtAllocateVirtualMemory  ... 36765696, 1048576, ) == 0x0
 01843   468   NtSetEventBoostPriority  (336, ...
 01844   752   NtWaitForSingleObject  (176, 0, 0x0, ...
 01809  1336   NtWaitForSingleObject  ... ) == 0x0
 01843   468   NtSetEventBoostPriority  ... ) == 0x0
 01845   896   NtAllocateVirtualMemory  (-1, 37806080, 0, 8192, 4096, 4, ...
 01846  1336   NtSetEventBoostPriority  (336, ...
 01847  1440   NtRegisterThreadTerminatePort  (24, ...
 01799   860   NtWaitForSingleObject  ... ) == 0x0
 01846  1336   NtSetEventBoostPriority  ... ) == 0x0
 01845   896   NtAllocateVirtualMemory  ... 37806080, 8192, ) == 0x0
 01848   860   NtSetEventBoostPriority  (336, ...
 01847  1440   NtRegisterThreadTerminatePort  ... ) == 0x0
 01849   468   NtWaitForSingleObject  (176, 0, 0x0, ...
 01814  1332   NtWaitForSingleObject  ... ) == 0x0
 01850   896   NtProtectVirtualMemory  (-1, (0x240e000), 4096, 260, ...
 01851  1440   NtWaitForSingleObject  (336, 0, 0x0, ...
 01852  1332   NtSetEventBoostPriority  (336, ...
 01850   896   NtProtectVirtualMemory  ... (0x240e000), 4096, 4, ) == 0x0
 01815   312   NtWaitForSingleObject  ... ) == 0x0
 01852  1332   NtSetEventBoostPriority  ... ) == 0x0
 01848   860   NtSetEventBoostPriority  ... ) == 0x0
 01853  1336   NtWaitForSingleObject  (176, 0, 0x0, ...
 01854   312   NtSetEventBoostPriority  (336, ...
 01855   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01856   860   NtWaitForSingleObject  (336, 0, 0x0, ...
 01819   320   NtWaitForSingleObject  ... ) == 0x0
 01854   312   NtSetEventBoostPriority  ... ) == 0x0
 01855   896   NtCreateThread  ... 372, {1252, 1972}, ) == 0x0
 01857   320   NtSetEventBoostPriority  (336, ...
 01858   312   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01824  1296   NtWaitForSingleObject  ... ) == 0x0
 01857   320   NtSetEventBoostPriority  ... ) == 0x0
 01859   896   NtQueryInformationThread  (372, Basic, 28, ...
 01860  1332   NtWaitForSingleObject  (336, 0, 0x0, ...
 01861  1296   NtSetEventBoostPriority  (336, ...
 01862   320   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01859   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1252,Tid=1972,}, 0x0, ) == 0x0
 01825  1736   NtWaitForSingleObject  ... ) == 0x0
 01861  1296   NtSetEventBoostPriority  ... ) == 0x0
 01858   312   NtDuplicateObject  ... 368, ) == 0x0
 01863  1736   NtSetEventBoostPriority  (336, ...
 01864   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81907, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81907, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\344\4\0\0\264\7\0\0" ...  ...
 01862   320   NtCreateEvent  ... 364, ) == 0x0
 01830   840   NtWaitForSingleObject  ... ) == 0x0
 01863  1736   NtSetEventBoostPriority  ... ) == 0x0
 01865   312   NtWaitForSingleObject  (336, 0, 0x0, ...
 01866   840   NtSetEventBoostPriority  (336, ...
 01867   320   NtWaitForSingleObject  (364, 0, 0x0, ...
 01868  1296   NtQueryValueKey  (376,  (376, "Mapping", Partial, 144, ... , Partial, 144, ...
 01864   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81908, 0}  ... {28, 56, reply, 0, 1252, 896, 81908, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\344\4\0\0\264\7\0\0" )  ) == 0x0
 01833   780   NtWaitForSingleObject  ... ) == 0x0
 01866   840   NtSetEventBoostPriority  ... ) == 0x0
 01868  1296   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01869   780   NtSetEventBoostPriority  (336, ...
 01870   896   NtResumeThread  (372, ...
 01871   840   NtWaitForSingleObject  (336, 0, 0x0, ...
 01834   940   NtWaitForSingleObject  ... ) == 0x0
 01869   780   NtSetEventBoostPriority  ... ) == 0x0
 01872  1296   NtWaitForSingleObject  (336, 0, 0x0, ...
 01870   896   NtResumeThread  ... 1, ) == 0x0
 01873  1736   NtWaitForSingleObject  (364, 0, 0x0, ...
 01874   940   NtSetEventBoostPriority  (336, ...
 01875  1972   NtTestAlert  (...
 01876   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01835   644   NtWaitForSingleObject  ... ) == 0x0
 01874   940   NtSetEventBoostPriority  ... ) == 0x0
 01875  1972   NtTestAlert  ... ) == 0x0
 01877   644   NtSetEventBoostPriority  (336, ...
 01876   896   NtAllocateVirtualMemory  ... 37814272, 1048576, ) == 0x0
 01878   780   NtWaitForSingleObject  (364, 0, 0x0, ...
 01838  1588   NtWaitForSingleObject  ... ) == 0x0
 01877   644   NtSetEventBoostPriority  ... ) == 0x0
 01879  1972   NtContinue  (37813552, 1, ...
 01880   896   NtAllocateVirtualMemory  (-1, 38854656, 0, 8192, 4096, 4, ...
 01881  1588   NtSetEventBoostPriority  (336, ...
 01882   940   NtWaitForSingleObject  (364, 0, 0x0, ...
 01883  1972   NtRegisterThreadTerminatePort  (24, ...
 01884   644   NtWaitForSingleObject  (364, 0, 0x0, ...
 01851  1440   NtWaitForSingleObject  ... ) == 0x0
 01883  1972   NtRegisterThreadTerminatePort  ... ) == 0x0
 01885  1440   NtSetEventBoostPriority  (336, ...
 01881  1588   NtSetEventBoostPriority  ... ) == 0x0
 01880   896   NtAllocateVirtualMemory  ... 38854656, 8192, ) == 0x0
 01856   860   NtWaitForSingleObject  ... ) == 0x0
 01885  1440   NtSetEventBoostPriority  ... ) == 0x0
 01886  1588   NtWaitForSingleObject  (336, 0, 0x0, ...
 01887   860   NtSetEventBoostPriority  (336, ...
 01888   896   NtProtectVirtualMemory  (-1, (0x250e000), 4096, 260, ...
 01889  1972   NtWaitForSingleObject  (336, 0, 0x0, ...
 01860  1332   NtWaitForSingleObject  ... ) == 0x0
 01887   860   NtSetEventBoostPriority  ... ) == 0x0
 01888   896   NtProtectVirtualMemory  ... (0x250e000), 4096, 4, ) == 0x0
 01890  1332   NtSetEventBoostPriority  (336, ...
 01891  1440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01865   312   NtWaitForSingleObject  ... ) == 0x0
 01890  1332   NtSetEventBoostPriority  ... ) == 0x0
 01892   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01893   312   NtSetEventBoostPriority  (336, ...
 01891  1440   NtDuplicateObject  ... 360, ) == 0x0
 01894  1332   NtSetEventBoostPriority  (364, ...
 01871   840   NtWaitForSingleObject  ... ) == 0x0
 01893   312   NtSetEventBoostPriority  ... ) == 0x0
 01892   896   NtCreateThread  ... 356, {1252, 1036}, ) == 0x0
 01895  1440   NtWaitForSingleObject  (336, 0, 0x0, ...
 01896   860   NtWaitForSingleObject  (364, 0, 0x0, ...
 01897   840   NtSetEventBoostPriority  (336, ...
 01867   320   NtWaitForSingleObject  ... ) == 0x0
 01894  1332   NtSetEventBoostPriority  ... ) == 0x0
 01898   896   NtQueryInformationThread  (356, Basic, 28, ...
 01872  1296   NtWaitForSingleObject  ... ) == 0x0
 01899   320   NtWaitForSingleObject  (336, 0, 0x0, ...
 01900  1332   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01897   840   NtSetEventBoostPriority  ... ) == 0x0
 01901   312   NtWaitForSingleObject  (336, 0, 0x0, ...
 01902  1296   NtSetEventBoostPriority  (336, ...
 01900  1332   NtWaitForSingleObject  ... ) == 0x102
 01903   840   NtWaitForSingleObject  (336, 0, 0x0, ...
 01886  1588   NtWaitForSingleObject  ... ) == 0x0
 01902  1296   NtSetEventBoostPriority  ... ) == 0x0
 01904  1332   NtWaitForSingleObject  (176, 0, 0x0, ...
 01905  1588   NtSetEventBoostPriority  (336, ...
 01898   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1252,Tid=1036,}, 0x0, ) == 0x0
 01889  1972   NtWaitForSingleObject  ... ) == 0x0
 01905  1588   NtSetEventBoostPriority  ... ) == 0x0
 01906  1972   NtSetEventBoostPriority  (336, ...
 01907   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81908, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81908, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\0\14\4\0\0" ...  ...
 01908  1296   NtQueryValueKey  (376,  (376, "Mapping", Partial, 152, ... , Partial, 152, ...
 01895  1440   NtWaitForSingleObject  ... ) == 0x0
 01906  1972   NtSetEventBoostPriority  ... ) == 0x0
 01907   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81909, 0}  ... {28, 56, reply, 0, 1252, 896, 81909, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\0\14\4\0\0" )  ) == 0x0
 01909  1440   NtSetEventBoostPriority  (336, ...
 01908  1296   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01910  1972   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01899   320   NtWaitForSingleObject  ... ) == 0x0
 01909  1440   NtSetEventBoostPriority  ... ) == 0x0
 01911   896   NtResumeThread  (356, ...
 01912  1296   NtClose  (376, ...
 01913  1588   NtWaitForSingleObject  (336, 0, 0x0, ...
 01914   320   NtSetEventBoostPriority  (336, ...
 01910  1972   NtDuplicateObject  ... 352, ) == 0x0
 01911   896   NtResumeThread  ... 1, ) == 0x0
 01912  1296   NtClose  ... ) == 0x0
 01901   312   NtWaitForSingleObject  ... ) == 0x0
 01914   320   NtSetEventBoostPriority  ... ) == 0x0
 01915  1972   NtWaitForSingleObject  (336, 0, 0x0, ...
 01916  1440   NtWaitForSingleObject  (336, 0, 0x0, ...
 01917  1036   NtTestAlert  (...
 01918   312   NtSetEventBoostPriority  (336, ...
 01919  1296   NtWaitForSingleObject  (336, 0, 0x0, ...
 01920   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01903   840   NtWaitForSingleObject  ... ) == 0x0
 01918   312   NtSetEventBoostPriority  ... ) == 0x0
 01917  1036   NtTestAlert  ... ) == 0x0
 01921   840   NtSetEventBoostPriority  (336, ...
 01920   896   NtAllocateVirtualMemory  ... 38862848, 1048576, ) == 0x0
 01922   312   NtWaitForSingleObject  (336, 0, 0x0, ...
 01913  1588   NtWaitForSingleObject  ... ) == 0x0
 01921   840   NtSetEventBoostPriority  ... ) == 0x0
 01923  1036   NtContinue  (38862128, 1, ...
 01924   896   NtAllocateVirtualMemory  (-1, 39903232, 0, 8192, 4096, 4, ...
 01925   320   NtSetEventBoostPriority  (364, ...
 01926  1588   NtSetEventBoostPriority  (336, ...
 01927  1036   NtRegisterThreadTerminatePort  (24, ...
 01924   896   NtAllocateVirtualMemory  ... 39903232, 8192, ) == 0x0
 01915  1972   NtWaitForSingleObject  ... ) == 0x0
 01926  1588   NtSetEventBoostPriority  ... ) == 0x0
 01873  1736   NtWaitForSingleObject  ... ) == 0x0
 01925   320   NtSetEventBoostPriority  ... ) == 0x0
 01927  1036   NtRegisterThreadTerminatePort  ... ) == 0x0
 01928  1972   NtSetEventBoostPriority  (336, ...
 01929   896   NtProtectVirtualMemory  (-1, (0x260e000), 4096, 260, ...
 01930  1736   NtWaitForSingleObject  (336, 0, 0x0, ...
 01931  1588   NtWaitForSingleObject  (364, 0, 0x0, ...
 01932   320   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01933   840   NtWaitForSingleObject  (364, 0, 0x0, ...
 01916  1440   NtWaitForSingleObject  ... ) == 0x0
 01928  1972   NtSetEventBoostPriority  ... ) == 0x0
 01929   896   NtProtectVirtualMemory  ... (0x260e000), 4096, 4, ) == 0x0
 01934  1036   NtWaitForSingleObject  (336, 0, 0x0, ...
 01932   320   NtWaitForSingleObject  ... ) == 0x102
 01935  1440   NtSetEventBoostPriority  (336, ...
 01936  1972   NtWaitForSingleObject  (336, 0, 0x0, ...
 01919  1296   NtWaitForSingleObject  ... ) == 0x0
 01935  1440   NtSetEventBoostPriority  ... ) == 0x0
 01937   320   NtWaitForSingleObject  (336, 0, 0x0, ...
 01938  1296   NtSetEventBoostPriority  (336, ...
 01939  1440   NtWaitForSingleObject  (336, 0, 0x0, ...
 01940   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01922   312   NtWaitForSingleObject  ... ) == 0x0
 01938  1296   NtSetEventBoostPriority  ... ) == 0x0
 01941   312   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01940   896   NtCreateThread  ... 376, {1252, 1248}, ) == 0x0
 01941   312   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01942   312   NtSetEventBoostPriority  (336, ...
 01930  1736   NtWaitForSingleObject  ... ) == 0x0
 01943  1736   NtSetEventBoostPriority  (336, ...
 01934  1036   NtWaitForSingleObject  ... ) == 0x0
 01944  1036   NtSetEventBoostPriority  (336, ...
 01936  1972   NtWaitForSingleObject  ... ) == 0x0
 01945  1972   NtSetEventBoostPriority  (336, ...
 01937   320   NtWaitForSingleObject  ... ) == 0x0
 01946   320   NtSetEventBoostPriority  (336, ...
 01939  1440   NtWaitForSingleObject  ... ) == 0x0
 01947  1440   NtWaitForSingleObject  (364, 0, 0x0, ...
 01945  1972   NtSetEventBoostPriority  ... ) == 0x0
 01948  1972   NtWaitForSingleObject  (364, 0, 0x0, ...
 01944  1036   NtSetEventBoostPriority  ... ) == 0x0
 01943  1736   NtSetEventBoostPriority  ... ) == 0x0
 01949   896   NtQueryInformationThread  (376, Basic, 28, ...
 01946   320   NtSetEventBoostPriority  ... ) == 0x0
 01942   312   NtSetEventBoostPriority  ... ) == 0x0
 01950  1296   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01951  1036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01949   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1252,Tid=1248,}, 0x0, ) == 0x0
 01952   320   NtWaitForSingleObject  (176, 0, 0x0, ...
 01953  1736   NtSetEventBoostPriority  (364, ...
 01950  1296   NtOpenKey  ... 348, ) == 0x0
 01954   312   NtWaitForSingleObject  (364, 0, 0x0, ...
 01955   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81909, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81909, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\4\0\0\340\4\0\0" ...  ...
 01878   780   NtWaitForSingleObject  ... ) == 0x0
 01953  1736   NtSetEventBoostPriority  ... ) == 0x0
 01956  1296   NtQueryValueKey  (348,  (348, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01957   780   NtSetEventBoostPriority  (364, ...
 01958  1736   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01882   940   NtWaitForSingleObject  ... ) == 0x0
 01957   780   NtSetEventBoostPriority  ... ) == 0x0
 01956  1296   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01959   940   NtSetEventBoostPriority  (364, ...
 01958  1736   NtWaitForSingleObject  ... ) == 0x102
 01960   780   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01884   644   NtWaitForSingleObject  ... ) == 0x0
 01959   940   NtSetEventBoostPriority  ... ) == 0x0
 01961  1296   NtQueryValueKey  (348,  (348, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01962  1736   NtWaitForSingleObject  (176, 0, 0x0, ...
 01951  1036   NtDuplicateObject  ... 344, ) == 0x0
 01955   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81910, 0}  ... {28, 56, reply, 0, 1252, 896, 81910, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\4\0\0\340\4\0\0" )  ) == 0x0
 01963   644   NtSetEventBoostPriority  (364, ...
 01964   940   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01961  1296   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01960   780   NtWaitForSingleObject  ... ) == 0x102
 01965  1036   NtWaitForSingleObject  (364, 0, 0x0, ...
 01896   860   NtWaitForSingleObject  ... ) == 0x0
 01963   644   NtSetEventBoostPriority  ... ) == 0x0
 01966   896   NtResumeThread  (376, ...
 01964   940   NtWaitForSingleObject  ... ) == 0x102
 01967   780   NtWaitForSingleObject  (176, 0, 0x0, ...
 01968   860   NtSetEventBoostPriority  (364, ...
 01969   644   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01966   896   NtResumeThread  ... 1, ) == 0x0
 01970   940   NtWaitForSingleObject  (176, 0, 0x0, ...
 01933   840   NtWaitForSingleObject  ... ) == 0x0
 01968   860   NtSetEventBoostPriority  ... ) == 0x0
 01971  1296   NtQueryValueKey  (348,  (348, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ...
 01972  1248   NtTestAlert  (...
 01973   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01974   840   NtSetEventBoostPriority  (364, ...
 01975   860   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01971  1296   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01972  1248   NtTestAlert  ... ) == 0x0
 01931  1588   NtWaitForSingleObject  ... ) == 0x0
 01974   840   NtSetEventBoostPriority  ... ) == 0x0
 01973   896   NtAllocateVirtualMemory  ... 39911424, 1048576, ) == 0x0
 01969   644   NtWaitForSingleObject  ... ) == 0x102
 01976  1296   NtQueryValueKey  (348,  (348, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 01977  1588   NtSetEventBoostPriority  (364, ...
 01978  1248   NtContinue  (39910704, 1, ...
 01979   840   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01980   896   NtAllocateVirtualMemory  (-1, 40951808, 0, 8192, 4096, 4, ...
 01981   644   NtWaitForSingleObject  (176, 0, 0x0, ...
 01947  1440   NtWaitForSingleObject  ... ) == 0x0
 01976  1296   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01982  1248   NtRegisterThreadTerminatePort  (24, ...
 01977  1588   NtSetEventBoostPriority  ... ) == 0x0
 01975   860   NtWaitForSingleObject  ... ) == 0x102
 01979   840   NtWaitForSingleObject  ... ) == 0x102
 01983  1440   NtSetEventBoostPriority  (364, ...
 01984  1296   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11596844, ... }, 11596844, ...
 01982  1248   NtRegisterThreadTerminatePort  ... ) == 0x0
 01985  1588   NtWaitForSingleObject  (364, 0, 0x0, ...
 01986   860   NtWaitForSingleObject  (176, 0, 0x0, ...
 01987   840   NtWaitForSingleObject  (176, 0, 0x0, ...
 01948  1972   NtWaitForSingleObject  ... ) == 0x0
 01984  1296   NtQueryAttributesFile  ... ) == 0x0
 01983  1440   NtSetEventBoostPriority  ... ) == 0x0
 01980   896   NtAllocateVirtualMemory  ... 40951808, 8192, ) == 0x0
 01988  1972   NtSetEventBoostPriority  (364, ...
 01989  1248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01990  1296   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01991   896   NtProtectVirtualMemory  (-1, (0x270e000), 4096, 260, ...
 01954   312   NtWaitForSingleObject  ... ) == 0x0
 01989  1248   NtDuplicateObject  ... 340, ) == 0x0
 01990  1296   NtOpenFile  ... 384, {status=0x0, info=1}, ) == 0x0
 01991   896   NtProtectVirtualMemory  ... (0x270e000), 4096, 4, ) == 0x0
 01992   312   NtSetEventBoostPriority  (364, ...
 01993  1248   NtWaitForSingleObject  (364, 0, 0x0, ...
 01994  1296   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 384, ...
 01995   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01965  1036   NtWaitForSingleObject  ... ) == 0x0
 01992   312   NtSetEventBoostPriority  ... ) == 0x0
 01994  1296   NtCreateSection  ... 388, ) == 0x0
 01996  1036   NtSetEventBoostPriority  (364, ...
 01995   896   NtCreateThread  ... 392, {1252, 1656}, ) == 0x0
 01997   312   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01985  1588   NtWaitForSingleObject  ... ) == 0x0
 01996  1036   NtSetEventBoostPriority  ... ) == 0x0
 01998  1296   NtClose  (384, ...
 01999   896   NtQueryInformationThread  (392, Basic, 28, ...
 01988  1972   NtSetEventBoostPriority  ... ) == 0x0
 02000  1440   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02001  1588   NtSetEventBoostPriority  (364, ...
 01997   312   NtWaitForSingleObject  ... ) == 0x102
 01998  1296   NtClose  ... ) == 0x0
 02002  1036   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02003  1972   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 01993  1248   NtWaitForSingleObject  ... ) == 0x0
 02001  1588   NtSetEventBoostPriority  ... ) == 0x0
 02000  1440   NtWaitForSingleObject  ... ) == 0x102
 02004   312   NtWaitForSingleObject  (176, 0, 0x0, ...
 01999   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1252,Tid=1656,}, 0x0, ) == 0x0
 02002  1036   NtWaitForSingleObject  ... ) == 0x102
 02005  1248   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02003  1972   NtWaitForSingleObject  ... ) == 0x102
 02006  1296   NtMapViewOfSection  (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02007  1440   NtWaitForSingleObject  (176, 0, 0x0, ...
 02008   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81910, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81910, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\344\4\0\0x\6\0\0" ...  ...
 02009  1036   NtWaitForSingleObject  (176, 0, 0x0, ...
 02010  1972   NtWaitForSingleObject  (176, 0, 0x0, ...
 02006  1296   NtMapViewOfSection  ... (0x360000), 0x0, 20480, ) == 0x0
 02008   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81911, 0}  ... {28, 56, reply, 0, 1252, 896, 81911, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\344\4\0\0x\6\0\0" )  ) == 0x0
 02011  1296   NtClose  (388, ...
 02012   896   NtResumeThread  (392, ...
 02011  1296   NtClose  ... ) == 0x0
 02012   896   NtResumeThread  ... 1, ) == 0x0
 02013  1588   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 02014  1296   NtUnmapViewOfSection  (-1, 0x360000, ...
 02005  1248   NtWaitForSingleObject  ... ) == 0x102
 02015  1656   NtWaitForSingleObject  (128, 0, 0x0, ...
 02013  1588   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 02014  1296   NtUnmapViewOfSection  ... ) == 0x0
 02016  1248   NtWaitForSingleObject  (336, 0, 0x0, ...
 02017  1588   NtSetEventBoostPriority  (336, ...
 02018  1296   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11597152, ... }, 11597152, ...
 02016  1248   NtWaitForSingleObject  ... ) == 0x0
 02017  1588   NtSetEventBoostPriority  ... ) == 0x0
 02019  1248   NtWaitForSingleObject  (176, 0, 0x0, ...
 02018  1296   NtQueryAttributesFile  ... ) == 0x0
 02020  1588   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 02021  1296   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 02020  1588   NtOpenFile  ... 388, {status=0x0, info=0}, ) == 0x0
 02021  1296   NtOpenFile  ... 384, {status=0x0, info=1}, ) == 0x0
 02022   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02023  1588   NtDeviceIoControlFile  (388, 0, 0x0, 0x0, 0x390008,  (388, 0, 0x0, 0x0, 0x390008, ",Me\245\330\254\243k\270\16\227\337\246\355\235\35\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02022   896   NtAllocateVirtualMemory  ... 40960000, 1048576, ) == 0x0
 02024  1588   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02025   896   NtAllocateVirtualMemory  (-1, 42000384, 0, 8192, 4096, 4, ...
 02024  1588   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02025   896   NtAllocateVirtualMemory  ... 42000384, 8192, ) == 0x0
 02026  1588   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02027   896   NtProtectVirtualMemory  (-1, (0x280e000), 4096, 260, ...
 02026  1588   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02027   896   NtProtectVirtualMemory  ... (0x280e000), 4096, 4, ) == 0x0
 02028  1588   NtQuerySystemInformation  (Performance, 312, ...
 02029  1296   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 384, ...
 02030   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02029  1296   NtCreateSection  ... 396, ) == 0x0
 02030   896   NtCreateThread  ... 400, {1252, 484}, ) == 0x0
 02031  1296   NtQuerySection  (396, Image, 48, ...
 02032   896   NtQueryInformationThread  (400, Basic, 28, ...
 02031  1296   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02032   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1252,Tid=484,}, 0x0, ) == 0x0
 02033  1296   NtClose  (384, ...
 02034   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81911, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81911, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\4\0\0\344\1\0\0" ...  ...
 02033  1296   NtClose  ... ) == 0x0
 02034   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81912, 0}  ... {28, 56, reply, 0, 1252, 896, 81912, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\4\0\0\344\1\0\0" )  ) == 0x0
 02028  1588   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02035   896   NtResumeThread  (400, ...
 02036  1588   NtQuerySystemInformation  (Exception, 16, ...
 02035   896   NtResumeThread  ... 1, ) == 0x0
 02036  1588   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02037   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02038  1588   NtQuerySystemInformation  (Lookaside, 32, ...
 02037   896   NtAllocateVirtualMemory  ... 42008576, 1048576, ) == 0x0
 02038  1588   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02039   896   NtAllocateVirtualMemory  (-1, 43048960, 0, 8192, 4096, 4, ...
 02040  1588   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02041  1296   NtMapViewOfSection  (396, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02042   484   NtWaitForSingleObject  (128, 0, 0x0, ...
 02039   896   NtAllocateVirtualMemory  ... 43048960, 8192, ) == 0x0
 02041  1296   NtMapViewOfSection  ... (0x71a90000), 0x0, 32768, ) == 0x0
 02043   896   NtProtectVirtualMemory  (-1, (0x290e000), 4096, 260, ...
 02044  1296   NtClose  (396, ...
 02043   896   NtProtectVirtualMemory  ... (0x290e000), 4096, 4, ) == 0x0
 02044  1296   NtClose  ... ) == 0x0
 02045   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02046  1296   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ...
 02045   896   NtCreateThread  ... 396, {1252, 1756}, ) == 0x0
 02046  1296   NtProtectVirtualMemory  ... (0x71a91000), 4096, 32, ) == 0x0
 02047   896   NtQueryInformationThread  (396, Basic, 28, ...
 02040  1588   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02048  1296   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ...
 02049  1588   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02048  1296   NtProtectVirtualMemory  ... (0x71a91000), 4096, 4, ) == 0x0
 02049  1588   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02050  1296   NtFlushInstructionCache  (-1, 1906905088, 128, ... ) == 0x0
 02051  1296   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02052  1296   NtSetEventBoostPriority  (128, ...
 02015  1656   NtWaitForSingleObject  ... ) == 0x0
 02053  1656   NtSetEventBoostPriority  (128, ...
 02042   484   NtWaitForSingleObject  ... ) == 0x0
 02054   484   NtTestAlert  (... ) == 0x0
 02053  1656   NtSetEventBoostPriority  ... ) == 0x0
 02052  1296   NtSetEventBoostPriority  ... ) == 0x0
 02047   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1252,Tid=1756,}, 0x0, ) == 0x0
 02055  1588   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02056   484   NtContinue  (42007856, 1, ...
 02057  1656   NtTestAlert  (...
 02058   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81912, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81912, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0\334\6\0\0" ...  ...
 02055  1588   NtCreateKey  ... -2147482756, 2, ) == 0x0
 02059   484   NtRegisterThreadTerminatePort  (24, ...
 02057  1656   NtTestAlert  ... ) == 0x0
 02058   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81913, 0}  ... {28, 56, reply, 0, 1252, 896, 81913, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0\334\6\0\0" )  ) == 0x0
 02060  1588   NtSetValueKey  (-2147482756,  (-2147482756, "Seed", 0, 3, "\35\6\27\24\336k\317\13e\246\353<\277\225\10\330\266\220\1777C\337F\213\236\271J\256j\202\17TY\327\3633"ju\3\312\261t\1\327\205\15\210G\\362\215\216\22\345\334?_p\217\305\312\32\231\210\346\305\320"\241I\11\211\312.Wv\305\312K", 80, ... , 0, 3,  (-2147482756, "Seed", 0, 3, "\35\6\27\24\336k\317\13e\246\353<\277\225\10\330\266\220\1777C\337F\213\236\271J\256j\202\17TY\327\3633"ju\3\312\261t\1\327\205\15\210G\\362\215\216\22\345\334?_p\217\305\312\32\231\210\346\305\320"\241I\11\211\312.Wv\305\312K", 80, ... ju\3\312\261t\1\327\205\15\210G\\362\215\216\22\345\334?_p\217\305\312\32\231\210\346\305\320 (-2147482756, "Seed", 0, 3, "\35\6\27\24\336k\317\13e\246\353<\277\225\10\330\266\220\1777C\337F\213\236\271J\256j\202\17TY\327\3633"ju\3\312\261t\1\327\205\15\210G\\362\215\216\22\345\334?_p\217\305\312\32\231\210\346\305\320"\241I\11\211\312.Wv\305\312K", 80, ... , 80, ...
 02059   484   NtRegisterThreadTerminatePort  ... ) == 0x0
 02061  1656   NtContinue  (40959280, 1, ...
 02062   896   NtResumeThread  (396, ...
 02060  1588   NtSetValueKey  ... ) == 0x0
 02063   484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02064  1656   NtRegisterThreadTerminatePort  (24, ...
 02062   896   NtResumeThread  ... 1, ) == 0x0
 02065  1588   NtClose  (-2147482756, ...
 02063   484   NtDuplicateObject  ... 384, ) == 0x0
 02064  1656   NtRegisterThreadTerminatePort  ... ) == 0x0
 02066  1296   NtClose  (348, ...
 02067  1756   NtTestAlert  (...
 02065  1588   NtClose  ... ) == 0x0
 02068   484   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02069  1656   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02066  1296   NtClose  ... ) == 0x0
 02067  1756   NtTestAlert  ... ) == 0x0
 02070   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02023  1588   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\32\316Da-4zp\231t\220\3260]t\22\6\347\376(\2622\365\347\343\216\351\21\371\221\207\230u\320\254\13\5\252S(\355\365\212KDd\211\240\230\2620Q\201\351X\2753N\347D\277\347\217\331\207\242\260;(C\11\240\262\321\324\35\213\3019m\276d\327>\26\357\253\213^Q2\243M}\324\325\304\25O\224\3034\21\21\362\307\33\21\350rl}e\37;\34\2503\265\37d\217\223U[\202L\365\16\266EG\250\366\16\360Z`\224\366\3778m\300\32\3114\251\300\345\360\271\22\271"HY{b\343U\224\260R\35*\271\377\27\375,\266\15\261\357!\347\245\364\347\10\262\361\223r]\257S\220\353\310R\322"\213\263\21\320\242\271>\242\375\375T\317\325\245\275\265\21a?V/89dY\244\353`\354w\320\302\10\241\370", ) HY{b\343U\224\260R\35*\271\377\27\375,\266\15\261\357!\347\245\364\347\10\262\361\223r]\257S\220\353\310R\322 ... {status=0x0, info=256}, "\32\316Da-4zp\231t\220\3260]t\22\6\347\376(\2622\365\347\343\216\351\21\371\221\207\230u\320\254\13\5\252S(\355\365\212KDd\211\240\230\2620Q\201\351X\2753N\347D\277\347\217\331\207\242\260;(C\11\240\262\321\324\35\213\3019m\276d\327>\26\357\253\213^Q2\243M}\324\325\304\25O\224\3034\21\21\362\307\33\21\350rl}e\37;\34\2503\265\37d\217\223U[\202L\365\16\266EG\250\366\16\360Z`\224\366\3778m\300\32\3114\251\300\345\360\271\22\271"HY{b\343U\224\260R\35*\271\377\27\375,\266\15\261\357!\347\245\364\347\10\262\361\223r]\257S\220\353\310R\322"\213\263\21\320\242\271>\242\375\375T\317\325\245\275\265\21a?V/89dY\244\353`\354w\320\302\10\241\370", ) , ) == 0x0
 02068   484   NtWaitForSingleObject  ... ) == 0x102
 02071  1296   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11599488, 67, ... }, 0x0, 0, 3, 3, 0, 11599488, 67, ...
 02072  1756   NtContinue  (43056432, 1, ...
 02070   896   NtAllocateVirtualMemory  ... 43057152, 1048576, ) == 0x0
 02073  1588   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02074   484   NtWaitForSingleObject  (176, 0, 0x0, ...
 02071  1296   NtCreateFile  ... 348, {status=0x0, info=0}, ) == 0x0
 02075  1756   NtRegisterThreadTerminatePort  (24, ...
 02076   896   NtAllocateVirtualMemory  (-1, 44097536, 0, 8192, 4096, 4, ...
 02073  1588   NtCreateEvent  ... 404, ) == 0x0
 02077  1296   NtDeviceIoControlFile  (348, 148, 0x0, 0x0, 0x1207b,  (348, 148, 0x0, 0x0, 0x1207b, "\7\0\0\0\250q\250q%\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 02075  1756   NtRegisterThreadTerminatePort  ... ) == 0x0
 02076   896   NtAllocateVirtualMemory  ... 44097536, 8192, ) == 0x0
 02078  1588   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12643844, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12643844, 188, ...
 02077  1296   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\200=\242\201", ) , ) == 0x0
 02069  1656   NtDuplicateObject  ... 408, ) == 0x0
 02079   896   NtProtectVirtualMemory  (-1, (0x2a0e000), 4096, 260, ...
 02080  1756   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02081  1656   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02079   896   NtProtectVirtualMemory  ... (0x2a0e000), 4096, 4, ) == 0x0
 02080  1756   NtDuplicateObject  ... 412, ) == 0x0
 02081  1656   NtWaitForSingleObject  ... ) == 0x102
 02082  1296   NtDeviceIoControlFile  (348, 148, 0x0, 0x0, 0x1207b,  (348, 148, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\200=\242\201", 16, 16, ... , 16, 16, ...
 02078  1588   NtConnectPort  ... 416, 0x0, 0x0, 0x0, 188, ) == 0x0
 02083  1756   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02084  1656   NtWaitForSingleObject  (176, 0, 0x0, ...
 02082  1296   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\200=\242\201", ) , ) == 0x0
 02085   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02083  1756   NtWaitForSingleObject  ... ) == 0x102
 02086  1296   NtDeviceIoControlFile  (348, 148, 0x0, 0x0, 0x12047,  (348, 148, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\224\375\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 02085   896   NtCreateThread  ... 420, {1252, 540}, ) == 0x0
 02087  1756   NtWaitForSingleObject  (176, 0, 0x0, ...
 02086  1296   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 02088   896   NtQueryInformationThread  (420, Basic, 28, ...
 02089  1588   NtRequestWaitReplyPort  (416, {200, 224, new_msg, 0, 1330592, 12, 2, 1}  (416, {200, 224, new_msg, 0, 1330592, 12, 2, 1} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0x*\25\0\4\0\0\0\320+\25\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\233\263>Z\302\3768\5\370+\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\320+\25\0D"a\244x\1\24\0\360+\25\0h\1\24\0\0\0\0\0\0\0\0\0\360+\25\0P\0\0\0\370+\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\300\0\372\31\221|\30\364\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... a\244x\1\24\0\360+\25\0h\1\24\0\0\0\0\0\0\0\0\0\360+\25\0P\0\0\0\370+\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\300\0\372\31\221|\30\364\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...
 02090  1296   NtWaitForSingleObject  (96, 0, {0, 0}, ...
 02088   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1252,Tid=540,}, 0x0, ) == 0x0
 02091   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81913, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81913, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\344\4\0\0\34\2\0\0" ...  ...
 02089  1588   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 1588, 81915, 0}  ... {200, 224, reply, 0, 1252, 1588, 81915, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\320+\25\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\233\263>Z\302\3768\5\370+\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\320+\25\0D"a\244x\1\24\0\360+\25\0h\1\24\0\0\0\0\0\0\0\0\0\360+\25\0P\0\0\0\370+\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\300\0\372\31\221|\30\364\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) a\244x\1\24\0\360+\25\0h\1\24\0\0\0\0\0\0\0\0\0\360+\25\0P\0\0\0\370+\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\300\0\372\31\221|\30\364\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) == 0x0
 02092  1588   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 02093  1588   NtRequestWaitReplyPort  (416, {64, 88, new_msg, 0, 0, 0, 0, 0}  (416, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 1252, 1588, 81917, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ... {52, 76, reply, 0, 1252, 1588, 81917, 0}  (416, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 1252, 1588, 81917, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 02094  1588   NtClose  (404, ... ) == 0x0
 02095  1588   NtClose  (416, ... ) == 0x0
 02090  1296   NtWaitForSingleObject  ... ) == 0x102
 02091   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81916, 0}  ... {28, 56, reply, 0, 1252, 896, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\344\4\0\0\34\2\0\0" )  ) == 0x0
 02096  1296   NtDeviceIoControlFile  (348, 148, 0x0, 0x0, 0x12003,  (348, 148, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 02097   896   NtResumeThread  (420, ...
 02096  1296   NtDeviceIoControlFile  ... {status=0x0, info=416},  ... {status=0x0, info=416}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02097   896   NtResumeThread  ... 1, ) == 0x0
 02098  1296   NtDeviceIoControlFile  (348, 148, 0x0, 0x0, 0x12047,  (348, 148, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 02099   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02098  1296   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02099   896   NtAllocateVirtualMemory  ... 44105728, 1048576, ) == 0x0
 02100  1588   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 02101   540   NtTestAlert  (...
 02102   896   NtAllocateVirtualMemory  (-1, 45146112, 0, 8192, 4096, 4, ...
 02100  1588   NtCreateKey  ... 404, 2, ) == 0x0
 02101   540   NtTestAlert  ... ) == 0x0
 02103  1296   NtDeviceIoControlFile  (348, 148, 0x0, 0x0, 0x12037,  (348, 148, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 02104  1588   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02105   540   NtContinue  (44105008, 1, ...
 02103  1296   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02104  1588   NtOpenKey  ... 424, ) == 0x0
 02106   540   NtRegisterThreadTerminatePort  (24, ...
 02107  1296   NtDeviceIoControlFile  (348, 148, 0x0, 0x0, 0x1200b,  (348, 148, 0x0, 0x0, 0x1200b, "\0\376\260\0\5\0\0\0\0\320\24\0", 12, 0, ... , 12, 0, ...
 02108  1588   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02106   540   NtRegisterThreadTerminatePort  ... ) == 0x0
 02107  1296   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02108  1588   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02102   896   NtAllocateVirtualMemory  ... 45146112, 8192, ) == 0x0
 02109  1296   NtDeviceIoControlFile  (348, 148, 0x0, 0x0, 0x12047,  (348, 148, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\260\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 02110   540   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02111   896   NtProtectVirtualMemory  (-1, (0x2b0e000), 4096, 260, ...
 02109  1296   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02110   540   NtDuplicateObject  ... 428, ) == 0x0
 02111   896   NtProtectVirtualMemory  ... (0x2b0e000), 4096, 4, ) == 0x0
 02112  1588   NtQueryValueKey  (404,  (404, "Hostname", Partial, 144, ... , Partial, 144, ...
 02113   540   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02114   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02112  1588   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02113   540   NtWaitForSingleObject  ... ) == 0x102
 02114   896   NtCreateThread  ... 432, {1252, 1556}, ) == 0x0
 02115  1588   NtQueryValueKey  (404,  (404, "Hostname", Partial, 144, ... , Partial, 144, ...
 02116   540   NtWaitForSingleObject  (176, 0, 0x0, ...
 02117   896   NtQueryInformationThread  (432, Basic, 28, ...
 02115  1588   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02118  1296   NtDeviceIoControlFile  (348, 148, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ...
 02119  1588   NtClose  (404, ...
 02118  1296   NtDeviceIoControlFile  ... {status=0x0, info=26},  ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02119  1588   NtClose  ... ) == 0x0
 02120  1296   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ...
 02117   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1252,Tid=1556,}, 0x0, ) == 0x0
 02120  1296   NtAllocateVirtualMemory  ... 1392640, 4096, ) == 0x0
 02121   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81916, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\24\6\0\0" ...  ...
 02122  1296   NtDeviceIoControlFile  (388, 0, 0x0, 0x0, 0x390008,  (388, 0, 0x0, 0x0, 0x390008, ",Me\245\330\254\243\302lA\360\372\247A\350\17\350U@\344V\311s\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02121   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81919, 0}  ... {28, 56, reply, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\24\6\0\0" )  ) == 0x0
 02123  1296   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02124   896   NtResumeThread  (432, ...
 02125  1588   NtClose  (424, ...
 02124   896   NtResumeThread  ... 1, ) == 0x0
 02125  1588   NtClose  ... ) == 0x0
 02123  1296   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02126  1556   NtTestAlert  (...
 02127  1588   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 02128  1296   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02126  1556   NtTestAlert  ... ) == 0x0
 02127  1588   NtCreateEvent  ... 424, ) == 0x0
 02128  1296   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02129  1556   NtContinue  (45153584, 1, ...
 02130  1588   NtWaitForSingleObject  (424, 0, 0x0, ...
 02131  1296   NtQuerySystemInformation  (Performance, 312, ...
 02132  1556   NtRegisterThreadTerminatePort  (24, ...
 02131  1296   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02132  1556   NtRegisterThreadTerminatePort  ... ) == 0x0
 02133  1296   NtQuerySystemInformation  (Exception, 16, ...
 02134   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02135  1556   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02134   896   NtAllocateVirtualMemory  ... 45154304, 1048576, ) == 0x0
 02135  1556   NtDuplicateObject  ... 404, ) == 0x0
 02136   896   NtAllocateVirtualMemory  (-1, 46194688, 0, 8192, 4096, 4, ...
 02137  1556   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02136   896   NtAllocateVirtualMemory  ... 46194688, 8192, ) == 0x0
 02137  1556   NtWaitForSingleObject  ... ) == 0x102
 02138   896   NtProtectVirtualMemory  (-1, (0x2c0e000), 4096, 260, ...
 02139  1556   NtWaitForSingleObject  (176, 0, 0x0, ...
 02138   896   NtProtectVirtualMemory  ... (0x2c0e000), 4096, 4, ) == 0x0
 02133  1296   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02140  1296   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02141  1296   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02142  1296   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02143  1296   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481484, 2, ) }, 0, 0x0, 0, ... -2147481484, 2, ) == 0x0
 02144  1296   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\351h\360\260\5gP\\323\215\345s`\30\310P\332\235\35u\211O\237\237\255\365\15\221\310\327JKN}\343Z\262Qr\215W\3536\313p\273\363\250[5\332\353]|R\14=:\305\206X\3466\24\203\275\\5\364\200i\304+s,V\336\342"\377", 80, ... ) , 0, 3,  (-2147481484, "Seed", 0, 3, "\351h\360\260\5gP\\323\215\345s`\30\310P\332\235\35u\211O\237\237\255\365\15\221\310\327JKN}\343Z\262Qr\215W\3536\313p\273\363\250[5\332\353]|R\14=:\305\206X\3466\24\203\275\\5\364\200i\304+s,V\336\342"\377", 80, ... ) \377", 80, ... ) == 0x0
 02145  1296   NtClose  (-2147481484, ...
 02146   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 436, {1252, 460}, ) == 0x0
 02147   896   NtQueryInformationThread  (436, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1252,Tid=460,}, 0x0, ) == 0x0
 02148   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81919, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\314\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\314\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81920, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\314\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\314\1\0\0" )  ) == 0x0
 02149   896   NtResumeThread  (436, ... 1, ) == 0x0
 02150   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 46202880, 1048576, ) == 0x0
 02151   896   NtAllocateVirtualMemory  (-1, 47243264, 0, 8192, 4096, 4, ...
 02145  1296   NtClose  ... ) == 0x0
 02152   460   NtTestAlert  (...
 02122  1296   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\27\373\2\3666\261s'\210\301\214u\302\207@\3158\345$\7\177_\356\3149\371\307\3379\23;\341\365Y\21,\370\253\354I\226b\4\2670\35k\22[\374td\374ut%\315\7\3f\232\300\251?\2557\233\1\33T \275?\331\251)\302b \25\324Z\354%\212w\247cq\3127:v\311D\177M]/PL\364e\365N\241\217\270\212\256\32_\245\375\360[\340\230\372k\33q\3\303>\232j\325FY#\2070\336\226\203\17\207\247\315'S$\22\232%\320\267\270\20\304\325Q\16\37RL\237\221\267\257\241\357\354yO\245\314\234\235\305\305\204\253\21\337\222\2521Y\253\344\363&PR\366\301g\235|\301R5\354\1\1\231\210\350\365\356\302P\220\344\35\210J\363E<5P#\31p\322\343Ls\322cB\220\325K\362\372\355\26]o\20&\2064h\16\316\246\321=\264m\0\227\375:c\246\322\365\373\362\211", ) , ) == 0x0
 02152   460   NtTestAlert  ... ) == 0x0
 02153  1296   NtDeviceIoControlFile  (388, 0, 0x0, 0x0, 0x390008,  (388, 0, 0x0, 0x0, 0x390008, ",Me\245\330\254\243\302lA\360\372\247AA\333\2472e\345\372\274a\350U@\344V\311s\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02154   460   NtContinue  (46202160, 1, ...
 02155  1296   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02156   460   NtRegisterThreadTerminatePort  (24, ...
 02155  1296   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02156   460   NtRegisterThreadTerminatePort  ... ) == 0x0
 02157  1296   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02151   896   NtAllocateVirtualMemory  ... 47243264, 8192, ) == 0x0
 02158   460   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02159   896   NtProtectVirtualMemory  (-1, (0x2d0e000), 4096, 260, ...
 02158   460   NtDuplicateObject  ... 440, ) == 0x0
 02159   896   NtProtectVirtualMemory  ... (0x2d0e000), 4096, 4, ) == 0x0
 02160   460   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02161   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02160   460   NtWaitForSingleObject  ... ) == 0x102
 02161   896   NtCreateThread  ... 444, {1252, 1856}, ) == 0x0
 02162   460   NtWaitForSingleObject  (176, 0, 0x0, ...
 02163   896   NtQueryInformationThread  (444, Basic, 28, ...
 02157  1296   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02164  1296   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02165  1296   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02166  1296   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02167  1296   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02168  1296   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02169  1296   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02163   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1252,Tid=1856,}, 0x0, ) == 0x0
 02170   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81920, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0@\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0@\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81921, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0@\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0@\7\0\0" )  ) == 0x0
 02171   896   NtResumeThread  (444, ... 1, ) == 0x0
 02172   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 47251456, 1048576, ) == 0x0
 02173   896   NtAllocateVirtualMemory  (-1, 48291840, 0, 8192, 4096, 4, ... 48291840, 8192, ) == 0x0
 02174   896   NtProtectVirtualMemory  (-1, (0x2e0e000), 4096, 260, ... (0x2e0e000), 4096, 4, ) == 0x0
 02169  1296   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02175  1856   NtTestAlert  (...
 02176  1296   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\2609\231\375\262\353i\255+/\301\331\255\256\231H(_\303E\37\26381\333G?\300\266\305\313s\2772\3176`6\31\2770\24\343e\373\14\272GyX\334gOQ\247p\0\231\361z0\305O\17\313\374\244\254\4\354\212\0\331\257\3j\205bPp", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "\2609\231\375\262\353i\255+/\301\331\255\256\231H(_\303E\37\26381\333G?\300\266\305\313s\2772\3176`6\31\2770\24\343e\373\14\272GyX\334gOQ\247p\0\231\361z0\305O\17\313\374\244\254\4\354\212\0\331\257\3j\205bPp", 80, ... , 80, ...
 02175  1856   NtTestAlert  ... ) == 0x0
 02176  1296   NtSetValueKey  ... ) == 0x0
 02177  1856   NtContinue  (47250736, 1, ...
 02178  1296   NtClose  (-2147481484, ...
 02179  1856   NtRegisterThreadTerminatePort  (24, ...
 02178  1296   NtClose  ... ) == 0x0
 02179  1856   NtRegisterThreadTerminatePort  ... ) == 0x0
 02153  1296   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "$*oB|\201\315\364(\205\16\361\25N\350\350am\214\3441{}\200\376i\225\252\354\11\244\26I\215\33X\315,\255\335y2#\0=y\22\302\351U\6\34\365$\200{k\277\205\360\225v\326\255\237", ) , ) == 0x0
 02180   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02181  1856   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02180   896   NtCreateThread  ... 448, {1252, 1596}, ) == 0x0
 02181  1856   NtDuplicateObject  ... 452, ) == 0x0
 02182   896   NtQueryInformationThread  (448, Basic, 28, ...
 02183  1856   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02182   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1252,Tid=1596,}, 0x0, ) == 0x0
 02183  1856   NtWaitForSingleObject  ... ) == 0x102
 02184   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81921, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0<\6\0\0" ...  ...
 02185  1856   NtWaitForSingleObject  (176, 0, 0x0, ...
 02184   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81922, 0}  ... {28, 56, reply, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0<\6\0\0" )  ) == 0x0
 02186  1296   NtDeviceIoControlFile  (388, 0, 0x0, 0x0, 0x390008,  (388, 0, 0x0, 0x0, 0x390008, ",Me\245\330\254\243\302lA\360\372\247AA\333\2472e\345\372\25\265\2472e\345\372\274a\350U@\344V\311s\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02187   896   NtResumeThread  (448, ...
 02188  1296   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02187   896   NtResumeThread  ... 1, ) == 0x0
 02188  1296   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02189   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02190  1296   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02189   896   NtAllocateVirtualMemory  ... 48300032, 1048576, ) == 0x0
 02190  1296   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02191   896   NtAllocateVirtualMemory  (-1, 49340416, 0, 8192, 4096, 4, ...
 02192  1296   NtQuerySystemInformation  (Performance, 312, ...
 02193  1596   NtTestAlert  (...
 02191   896   NtAllocateVirtualMemory  ... 49340416, 8192, ) == 0x0
 02193  1596   NtTestAlert  ... ) == 0x0
 02194   896   NtProtectVirtualMemory  (-1, (0x2f0e000), 4096, 260, ...
 02195  1596   NtContinue  (48299312, 1, ...
 02194   896   NtProtectVirtualMemory  ... (0x2f0e000), 4096, 4, ) == 0x0
 02196  1596   NtRegisterThreadTerminatePort  (24, ...
 02197   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02196  1596   NtRegisterThreadTerminatePort  ... ) == 0x0
 02197   896   NtCreateThread  ... 456, {1252, 1132}, ) == 0x0
 02192  1296   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02198   896   NtQueryInformationThread  (456, Basic, 28, ...
 02199  1296   NtQuerySystemInformation  (Exception, 16, ...
 02200  1596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02199  1296   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02200  1596   NtDuplicateObject  ... 460, ) == 0x0
 02201  1296   NtQuerySystemInformation  (Lookaside, 32, ...
 02202  1596   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02201  1296   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02202  1596   NtWaitForSingleObject  ... ) == 0x102
 02203  1296   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02204  1596   NtWaitForSingleObject  (176, 0, 0x0, ...
 02198   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1252,Tid=1132,}, 0x0, ) == 0x0
 02203  1296   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02205   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0l\4\0\0" ...  ...
 02206  1296   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02205   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81923, 0}  ... {28, 56, reply, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0l\4\0\0" )  ) == 0x0
 02206  1296   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02207   896   NtResumeThread  (456, ...
 02208  1296   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02207   896   NtResumeThread  ... 1, ) == 0x0
 02208  1296   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02209  1132   NtTestAlert  (...
 02210  1296   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\240\20\0\312V\263\265Z\355,p\321CSI\244\226\342\13yX9\371\370\355\201\6\0t\200\17^\343\322\200\332\17\305\2036\\2571\367\312x\302[\312\326apS>\350C\22\260N\203!_@3r\236\222b\366\5\364\251\3600\377\256\337\2\205\372", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "\240\20\0\312V\263\265Z\355,p\321CSI\244\226\342\13yX9\371\370\355\201\6\0t\200\17^\343\322\200\332\17\305\2036\\2571\367\312x\302[\312\326apS>\350C\22\260N\203!_@3r\236\222b\366\5\364\251\3600\377\256\337\2\205\372", 80, ... , 80, ...
 02209  1132   NtTestAlert  ... ) == 0x0
 02211   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02212  1132   NtContinue  (49347888, 1, ...
 02211   896   NtAllocateVirtualMemory  ... 49348608, 1048576, ) == 0x0
 02213  1132   NtRegisterThreadTerminatePort  (24, ...
 02214   896   NtAllocateVirtualMemory  (-1, 50388992, 0, 8192, 4096, 4, ...
 02213  1132   NtRegisterThreadTerminatePort  ... ) == 0x0
 02214   896   NtAllocateVirtualMemory  ... 50388992, 8192, ) == 0x0
 02210  1296   NtSetValueKey  ... ) == 0x0
 02215   896   NtProtectVirtualMemory  (-1, (0x300e000), 4096, 260, ...
 02216  1296   NtClose  (-2147481484, ...
 02215   896   NtProtectVirtualMemory  ... (0x300e000), 4096, 4, ) == 0x0
 02216  1296   NtClose  ... ) == 0x0
 02217  1132   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02186  1296   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\222K\302)\4II\261\372\215\377\215\24 4\357\250\357>qSck\364\345\224\300B\327O\206\352\30\21\270.\217\354(\305\234Df"k\245\224\217tP9\333\302r\356\35\375\254\2314\337\320\6B9\367\356\200\207\362-\324\330\211\373\236\366n\205M$\226^\240\25f\233\256\311\224`\226e8\370\31\354.\340\367b\342\265o\232\324%O{m\340\362\4_\350\373\26\374\310C\326\275f\212\316\367\247\\2,\375\207\366\234]\0\265\343\274N\310\340*yW\210\374\217\277{\303\240y\26\271\264x\321\233\37\264\363\177\217\313\204\223x\3458J~\5\340\355Q\25\353\365\204/_\314\214/\306,\255\246\355P9L)\260\2343\361\315\271\250\370\265\310.$\315p\377\4\220\20\6}(\325\370T5t\343\31\250f\232q\277j\16>\337Q\15/5\224\3660\257\362\34\341t\3338S\336\5\272\215\1GDN\314\372", ) k\245\224\217tP9\333\302r\356\35\375\254\2314\337\320\6B9\367\356\200\207\362-\324\330\211\373\236\366n\205M$\226^\240\25f\233\256\311\224`\226e8\370\31\354.\340\367b\342\265o\232\324%O{m\340\362\4_\350\373\26\374\310C\326\275f\212\316\367\247\\2,\375\207\366\234]\0\265\343\274N\310\340*yW\210\374\217\277{\303\240y\26\271\264x\321\233\37\264\363\177\217\313\204\223x\3458J~\5\340\355Q\25\353\365\204/_\314\214/\306,\255\246\355P9L)\260\2343\361\315\271\250\370\265\310.$\315p\377\4\220\20\6}(\325\370T5t\343\31\250f\232q\277j\16>\337Q\15/5\224\3660\257\362\34\341t\3338S\336\5\272\215\1GDN\314\372", ) == 0x0
 02217  1132   NtDuplicateObject  ... 464, ) == 0x0
 02218  1296   NtDeviceIoControlFile  (388, 0, 0x0, 0x0, 0x390008,  (388, 0, 0x0, 0x0, 0x390008, ",Me\245\330\254\243\302lA\360\372\247AA\333\2472e\345\372\25\265\2472e\345\372\25\265\2472e\345\372\274a\350U@\344V\311s\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02219  1132   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ...
 02220  1296   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02219  1132   NtAllocateVirtualMemory  ... 1396736, 4096, ) == 0x0
 02221   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02222  1132   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02221   896   NtCreateThread  ... 468, {1252, 184}, ) == 0x0
 02223   896   NtQueryInformationThread  (468, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1252,Tid=184,}, 0x0, ) == 0x0
 02224   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81923, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0\270\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0\270\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81924, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0\270\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0\270\0\0\0" )  ) == 0x0
 02225   896   NtResumeThread  (468, ... 1, ) == 0x0
 02226   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 50397184, 1048576, ) == 0x0
 02227   896   NtAllocateVirtualMemory  (-1, 51437568, 0, 8192, 4096, 4, ...
 02220  1296   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02228   184   NtTestAlert  (...
 02222  1132   NtWaitForSingleObject  ... ) == 0x102
 02229  1296   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02228   184   NtTestAlert  ... ) == 0x0
 02230  1132   NtWaitForSingleObject  (176, 0, 0x0, ...
 02229  1296   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02231   184   NtContinue  (50396464, 1, ...
 02232  1296   NtQuerySystemInformation  (Performance, 312, ...
 02233   184   NtRegisterThreadTerminatePort  (24, ...
 02232  1296   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02233   184   NtRegisterThreadTerminatePort  ... ) == 0x0
 02234  1296   NtQuerySystemInformation  (Exception, 16, ...
 02227   896   NtAllocateVirtualMemory  ... 51437568, 8192, ) == 0x0
 02235   184   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02236   896   NtProtectVirtualMemory  (-1, (0x310e000), 4096, 260, ...
 02235   184   NtDuplicateObject  ... 472, ) == 0x0
 02236   896   NtProtectVirtualMemory  ... (0x310e000), 4096, 4, ) == 0x0
 02237   184   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02238   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02237   184   NtWaitForSingleObject  ... ) == 0x102
 02238   896   NtCreateThread  ... 476, {1252, 188}, ) == 0x0
 02239   184   NtWaitForSingleObject  (176, 0, 0x0, ...
 02240   896   NtQueryInformationThread  (476, Basic, 28, ...
 02234  1296   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02241  1296   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02242  1296   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02243  1296   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02244  1296   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481484, 2, ) }, 0, 0x0, 0, ... -2147481484, 2, ) == 0x0
 02245  1296   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "M\366ZB\211~\273;\324\13}\257\234\215| \206=\215\245\1\243E\353;\376\321\12\250\365M\244\226\351v\211\253\227\357\317\341xY\152\306P\256\313$\341\200\210c\325 !\217$Rm\361\326FP\323LW\314D\237\225\277`\347\272J\373\243", 80, ... ) , 0, 3,  (-2147481484, "Seed", 0, 3, "M\366ZB\211~\273;\324\13}\257\234\215| \206=\215\245\1\243E\353;\376\321\12\250\365M\244\226\351v\211\253\227\357\317\341xY\152\306P\256\313$\341\200\210c\325 !\217$Rm\361\326FP\323LW\314D\237\225\277`\347\272J\373\243", 80, ... ) , 80, ... ) == 0x0
 02246  1296   NtClose  (-2147481484, ...
 02240   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1252,Tid=188,}, 0x0, ) == 0x0
 02247   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81924, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0\274\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0\274\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81925, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0\274\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0\274\0\0\0" )  ) == 0x0
 02248   896   NtResumeThread  (476, ... 1, ) == 0x0
 02249   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 51445760, 1048576, ) == 0x0
 02250   896   NtAllocateVirtualMemory  (-1, 52486144, 0, 8192, 4096, 4, ... 52486144, 8192, ) == 0x0
 02251   896   NtProtectVirtualMemory  (-1, (0x320e000), 4096, 260, ... (0x320e000), 4096, 4, ) == 0x0
 02246  1296   NtClose  ... ) == 0x0
 02252   188   NtTestAlert  (...
 02218  1296   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\216z\240+\22\24\351\14\24\16\263%8\24\256\255\355\275\250f\231\1\0O\225\307\306\273\332\31D;\363\205\313$86P\222\266\243\331X\344W\352 \201\221V\2129\363\323}\322~:u$8\30\327\257\355;q\307,\356jXX\354>a\331\320\321\323F\255\240\225__\210\13r\34\311\7\31Y)&\256\2257\3\36;]\210`\257\31>\235\236\12\4Z^\371\17r\207\325iI\253\342\107$|\363#(\24\326,oy\374\364\223\332\336\303\326\211\23\37\263\1\327mo"\345\327\246\21\262t\21\222!\251\336\347+\324\216\212\7+\336\14\312\312\336\317m\372J\276q\7W\15\215T]\304\342\26\324nQ\32\365\265\241\203R\264m\275U\251\303\23\244\3436\255iOn'\360\354\\273\362ED\234~\204\35>v?\374\3048%e\221\363bYcDb.VY\3\276\264\240\23\334\367;\207-\340\25a", ) \345\327\246\21\262t\21\222!\251\336\347+\324\216\212\7+\336\14\312\312\336\317m\372J\276q\7W\15\215T]\304\342\26\324nQ\32\365\265\241\203R\264m\275U\251\303\23\244\3436\255iOn'\360\354\\273\362ED\234~\204\35>v?\374\3048%e\221\363bYcDb.VY\3\276\264\240\23\334\367;\207-\340\25a", ) == 0x0
 02252   188   NtTestAlert  ... ) == 0x0
 02253  1296   NtDeviceIoControlFile  (388, 0, 0x0, 0x0, 0x390008,  (388, 0, 0x0, 0x0, 0x390008, ",Me\245\330\254\243\302lA\360\372\247AA\333\2472e\345\372\25\265\2472e\345\372\25\265\2472e\345\372\25\265\2472e\345\372\274a\350U@\344V\311s\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02254   188   NtContinue  (51445040, 1, ...
 02255  1296   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02256   188   NtRegisterThreadTerminatePort  (24, ...
 02255  1296   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02256   188   NtRegisterThreadTerminatePort  ... ) == 0x0
 02257  1296   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02258   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02259   188   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02258   896   NtCreateThread  ... 480, {1252, 1240}, ) == 0x0
 02259   188   NtDuplicateObject  ... 484, ) == 0x0
 02260   896   NtQueryInformationThread  (480, Basic, 28, ...
 02261   188   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02260   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1252,Tid=1240,}, 0x0, ) == 0x0
 02261   188   NtWaitForSingleObject  ... ) == 0x102
 02262   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81925, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0\330\4\0\0" ...  ...
 02263   188   NtWaitForSingleObject  (176, 0, 0x0, ...
 02262   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81926, 0}  ... {28, 56, reply, 0, 1252, 896, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0\330\4\0\0" )  ) == 0x0
 02257  1296   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02264   896   NtResumeThread  (480, ...
 02265  1296   NtQuerySystemInformation  (Performance, 312, ...
 02264   896   NtResumeThread  ... 1, ) == 0x0
 02265  1296   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02266   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02267  1296   NtQuerySystemInformation  (Exception, 16, ...
 02266   896   NtAllocateVirtualMemory  ... 52494336, 1048576, ) == 0x0
 02267  1296   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02268   896   NtAllocateVirtualMemory  (-1, 53534720, 0, 8192, 4096, 4, ...
 02269  1296   NtQuerySystemInformation  (Lookaside, 32, ...
 02270  1240   NtTestAlert  (...
 02268   896   NtAllocateVirtualMemory  ... 53534720, 8192, ) == 0x0
 02270  1240   NtTestAlert  ... ) == 0x0
 02271   896   NtProtectVirtualMemory  (-1, (0x330e000), 4096, 260, ...
 02272  1240   NtContinue  (52493616, 1, ...
 02271   896   NtProtectVirtualMemory  ... (0x330e000), 4096, 4, ) == 0x0
 02273  1240   NtRegisterThreadTerminatePort  (24, ...
 02274   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02273  1240   NtRegisterThreadTerminatePort  ... ) == 0x0
 02274   896   NtCreateThread  ... 488, {1252, 296}, ) == 0x0
 02269  1296   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02275   896   NtQueryInformationThread  (488, Basic, 28, ...
 02276  1296   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02277  1240   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02276  1296   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02277  1240   NtDuplicateObject  ... 492, ) == 0x0
 02278  1296   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02279  1240   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02278  1296   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02279  1240   NtWaitForSingleObject  ... ) == 0x102
 02280  1296   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02281  1240   NtWaitForSingleObject  (176, 0, 0x0, ...
 02275   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1252,Tid=296,}, 0x0, ) == 0x0
 02280  1296   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02282   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81926, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0(\1\0\0" ...  ...
 02283  1296   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "a\307*\264\241V\306\263\204\352,]F-\20\266R"\11k;Wf\260O\324\14\27\274WV\2163\306O\332E\7\271\303\327S\231S\372\302\324\345\2362\370\304\305}\255\334D\302\247h\7\367\24\226\314\305\5'\264\2044dc\267\26\251O\251\262\232", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "a\307*\264\241V\306\263\204\352,]F-\20\266R"\11k;Wf\260O\324\14\27\274WV\2163\306O\332E\7\271\303\327S\231S\372\302\324\345\2362\370\304\305}\255\334D\302\247h\7\367\24\226\314\305\5'\264\2044dc\267\26\251O\251\262\232", 80, ... \11k;Wf\260O\324\14\27\274WV\2163\306O\332E\7\271\303\327S\231S\372\302\324\345\2362\370\304\305}\255\334D\302\247h\7\367\24\226\314\305\5'\264\2044dc\267\26\251O\251\262\232", 80, ...
 02282   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81927, 0}  ... {28, 56, reply, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0(\1\0\0" )  ) == 0x0
 02283  1296   NtSetValueKey  ... ) == 0x0
 02284   896   NtResumeThread  (488, ...
 02285  1296   NtClose  (-2147481484, ...
 02284   896   NtResumeThread  ... 1, ) == 0x0
 02285  1296   NtClose  ... ) == 0x0
 02286   296   NtTestAlert  (...
 02253  1296   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "g\346\202s9\214\366\336M\337\247\340@\246\366M\331\256S\317E\23\2619\262\355\2534\326\213z\267\5O\224\0L\234\14u\267\201\377\233\343\320\21\254\203w\1?\227\306\225\13\26\16pl\206\10\361d\13H$\2\214\233v\244P\242;\201\373"\213\325\263BJ\36*\3\371\370x90\361\311\207n;\0\322\250\371\326X\10\332\251.\243k[l\27\375%\250\350\252\324\336\326l\275\366~\256\213\177\10l'9\267\362\34v\14E\365"\36\356_{\345\223]\300h\372\244\373\327\2306\211\361\222\0q\17q\300\351\221\342\340\213O5#f\205\230\324\361w\354\255\21\351;&\327k\312\13K+cB#\244\235\200\32d\352\340\331\271\356B`\17\15\222\35<\5\305\334\346\205\302m\236i\357\266\277\25)\225\201\351\262\335\7\271\240\37'\350\302\203t\224#\267\322\375\342]\260\255\261\353^\24\245\251\341\320s", ) \213\325\263BJ\36*\3\371\370x90\361\311\207n;\0\322\250\371\326X\10\332\251.\243k[l\27\375%\250\350\252\324\336\326l\275\366~\256\213\177\10l'9\267\362\34v\14E\365 ... {status=0x0, info=256}, "g\346\202s9\214\366\336M\337\247\340@\246\366M\331\256S\317E\23\2619\262\355\2534\326\213z\267\5O\224\0L\234\14u\267\201\377\233\343\320\21\254\203w\1?\227\306\225\13\26\16pl\206\10\361d\13H$\2\214\233v\244P\242;\201\373"\213\325\263BJ\36*\3\371\370x90\361\311\207n;\0\322\250\371\326X\10\332\251.\243k[l\27\375%\250\350\252\324\336\326l\275\366~\256\213\177\10l'9\267\362\34v\14E\365"\36\356_{\345\223]\300h\372\244\373\327\2306\211\361\222\0q\17q\300\351\221\342\340\213O5#f\205\230\324\361w\354\255\21\351;&\327k\312\13K+cB#\244\235\200\32d\352\340\331\271\356B`\17\15\222\35<\5\305\334\346\205\302m\236i\357\266\277\25)\225\201\351\262\335\7\271\240\37'\350\302\203t\224#\267\322\375\342]\260\255\261\353^\24\245\251\341\320s", ) , ) == 0x0
 02286   296   NtTestAlert  ... ) == 0x0
 02287   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02288   296   NtContinue  (53542192, 1, ...
 02287   896   NtAllocateVirtualMemory  ... 53542912, 1048576, ) == 0x0
 02289   296   NtRegisterThreadTerminatePort  (24, ...
 02290   896   NtAllocateVirtualMemory  (-1, 54583296, 0, 8192, 4096, 4, ...
 02289   296   NtRegisterThreadTerminatePort  ... ) == 0x0
 02290   896   NtAllocateVirtualMemory  ... 54583296, 8192, ) == 0x0
 02291  1296   NtDeviceIoControlFile  (388, 0, 0x0, 0x0, 0x390008,  (388, 0, 0x0, 0x0, 0x390008, ",Me\245\330\254\243\302lA\360\372\247AA\333\2472e\345\372\25\265\2472e\345\372\25\265\2472e\345\372\25\265\2472e\345\372\25\265\2472e\345\372\274a\350U@\344V\311s\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02292   896   NtProtectVirtualMemory  (-1, (0x340e000), 4096, 260, ...
 02293  1296   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02292   896   NtProtectVirtualMemory  ... (0x340e000), 4096, 4, ) == 0x0
 02293  1296   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02294   296   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02295  1296   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02294   296   NtDuplicateObject  ... 496, ) == 0x0
 02295  1296   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02296   296   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02297  1296   NtQuerySystemInformation  (Performance, 312, ...
 02296   296   NtWaitForSingleObject  ... ) == 0x102
 02298   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02299   296   NtWaitForSingleObject  (176, 0, 0x0, ...
 02298   896   NtCreateThread  ... 500, {1252, 1356}, ) == 0x0
 02297  1296   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02300   896   NtQueryInformationThread  (500, Basic, 28, ...
 02301  1296   NtQuerySystemInformation  (Exception, 16, ...
 02300   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1252,Tid=1356,}, 0x0, ) == 0x0
 02301  1296   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02302   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\344\4\0\0L\5\0\0" ...  ...
 02303  1296   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02304  1296   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02305  1296   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02306  1296   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481484, 2, ) }, 0, 0x0, 0, ... -2147481484, 2, ) == 0x0
 02307  1296   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\225\2776$\1\276+\315\350\273jn\305\33\322\334E\316\331Jo\373\335;\24\341Ue>\366\4r\332\24\245\230]")\266\3016\372/\303\324?\335B\265-\336\32\225\342\275\370F\2337d\206l}:"\221MW\4\313\361"&\272\241\217\321s\361", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "\225\2776$\1\276+\315\350\273jn\305\33\322\334E\316\331Jo\373\335;\24\341Ue>\366\4r\332\24\245\230]")\266\3016\372/\303\324?\335B\265-\336\32\225\342\275\370F\2337d\206l}:"\221MW\4\313\361"&\272\241\217\321s\361", 80, ... )\266\3016\372/\303\324?\335B\265-\336\32\225\342\275\370F\2337d\206l}: (-2147481484, "Seed", 0, 3, "\225\2776$\1\276+\315\350\273jn\305\33\322\334E\316\331Jo\373\335;\24\341Ue>\366\4r\332\24\245\230]")\266\3016\372/\303\324?\335B\265-\336\32\225\342\275\370F\2337d\206l}:"\221MW\4\313\361"&\272\241\217\321s\361", 80, ... &\272\241\217\321s\361", 80, ...
 02302   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81928, 0}  ... {28, 56, reply, 0, 1252, 896, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\344\4\0\0L\5\0\0" )  ) == 0x0
 02308   896   NtResumeThread  (500, ... 1, ) == 0x0
 02309   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 54591488, 1048576, ) == 0x0
 02310   896   NtAllocateVirtualMemory  (-1, 55631872, 0, 8192, 4096, 4, ... 55631872, 8192, ) == 0x0
 02311   896   NtProtectVirtualMemory  (-1, (0x350e000), 4096, 260, ... (0x350e000), 4096, 4, ) == 0x0
 02312   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 504, {1252, 1796}, ) == 0x0
 02313   896   NtQueryInformationThread  (504, Basic, 28, ...
 02307  1296   NtSetValueKey  ... ) == 0x0
 02314  1356   NtTestAlert  (...
 02315  1296   NtClose  (-2147481484, ...
 02314  1356   NtTestAlert  ... ) == 0x0
 02315  1296   NtClose  ... ) == 0x0
 02316  1356   NtContinue  (54590768, 1, ...
 02291  1296   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, ")\M\306\4e\361nL\217\310$\315\20v\367Q\3176\235\303-\201\374x%\275\11ECl\201S!\305\226\321\362\2x\30Gz#\316>8\362\362\303\200\31\347\244\242\361\261\215\235\225\262s4\352\2507\32!T\20Z\371\2650\3229\275\311\204\304U\332>\344r\276\20s\247\340'\350\241\351~Q\27210\355\371\377\247\270-G$\300N\256{\365U\341.\373\366\244\366\341\245\15\343E\3\274A\27\307{\10\23\321\310\34054Q\334\3\245G\215\304\231BK[\213V\20AS\263IX\301\335\213\310/y&X\317rs4\32\245\307\26\21G\333\352\337\213u\360\312\312tc\222\300$\220\23m\274\207*\245\11e\217\366\214g\333\246H+\322\227j\2\202\12 \10\10\330\241\2440\273}\243*w#sP\27\377\376\252Bl\202yk\354m\5\331C\263SW\236\362\793B\254C\360\365\320w\204A", ) , ) == 0x0
 02317  1356   NtRegisterThreadTerminatePort  (24, ...
 02318  1296   NtDeviceIoControlFile  (388, 0, 0x0, 0x0, 0x390008,  (388, 0, 0x0, 0x0, 0x390008, ",Me\245\330\254\243\302lA\360\372\247AA\333\2472e\345\372\25\265\2472e\345\372\25\265\2472e\345\372\25\265\2472e\345\372\25\265\2472e\345\372\25\265\2472e\345\372\274a\350U@\344V\311s\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02317  1356   NtRegisterThreadTerminatePort  ... ) == 0x0
 02319  1296   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02313   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1252,Tid=1796,}, 0x0, ) == 0x0
 02320  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02321   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81928, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0\4\7\0\0" ...  ...
 02320  1356   NtDuplicateObject  ... 508, ) == 0x0
 02321   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81929, 0}  ... {28, 56, reply, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0\4\7\0\0" )  ) == 0x0
 02322  1356   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02323   896   NtResumeThread  (504, ...
 02322  1356   NtWaitForSingleObject  ... ) == 0x102
 02323   896   NtResumeThread  ... 1, ) == 0x0
 02324  1356   NtWaitForSingleObject  (176, 0, 0x0, ...
 02319  1296   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02325  1796   NtTestAlert  (...
 02326   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02327  1296   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02325  1796   NtTestAlert  ... ) == 0x0
 02326   896   NtAllocateVirtualMemory  ... 55640064, 1048576, ) == 0x0
 02327  1296   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02328  1796   NtContinue  (55639344, 1, ...
 02329   896   NtAllocateVirtualMemory  (-1, 56680448, 0, 8192, 4096, 4, ...
 02330  1296   NtQuerySystemInformation  (Performance, 312, ...
 02331  1796   NtRegisterThreadTerminatePort  (24, ...
 02329   896   NtAllocateVirtualMemory  ... 56680448, 8192, ) == 0x0
 02330  1296   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02331  1796   NtRegisterThreadTerminatePort  ... ) == 0x0
 02332   896   NtProtectVirtualMemory  (-1, (0x360e000), 4096, 260, ...
 02333  1296   NtQuerySystemInformation  (Exception, 16, ...
 02332   896   NtProtectVirtualMemory  ... (0x360e000), 4096, 4, ) == 0x0
 02334  1796   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02333  1296   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02334  1796   NtDuplicateObject  ... 512, ) == 0x0
 02335  1296   NtQuerySystemInformation  (Lookaside, 32, ...
 02336  1796   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02335  1296   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02336  1796   NtWaitForSingleObject  ... ) == 0x102
 02337  1296   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02338  1796   NtWaitForSingleObject  (176, 0, 0x0, ...
 02337  1296   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02339   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02340  1296   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02339   896   NtCreateThread  ... 516, {1252, 712}, ) == 0x0
 02341   896   NtQueryInformationThread  (516, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1252,Tid=712,}, 0x0, ) == 0x0
 02342   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\310\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\310\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81930, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\310\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\310\2\0\0" )  ) == 0x0
 02343   896   NtResumeThread  (516, ... 1, ) == 0x0
 02344   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 56688640, 1048576, ) == 0x0
 02345   896   NtAllocateVirtualMemory  (-1, 57729024, 0, 8192, 4096, 4, ...
 02340  1296   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02346   712   NtTestAlert  (...
 02347  1296   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02346   712   NtTestAlert  ... ) == 0x0
 02347  1296   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02348   712   NtContinue  (56687920, 1, ...
 02349  1296   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "R$#\250\266:\240d\305\311\362x\306h\313]\224<\234\365\177\34\22O8(\240\363=\346(\364\267n\244\217\330\302\5\211\1\274\24\317\360\330qw\205B\6;\1778\263\306\352\372;N!\17\10]\224\245]\321\36\203\10\274\352\6cx\271aIm", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "R$#\250\266:\240d\305\311\362x\306h\313]\224<\234\365\177\34\22O8(\240\363=\346(\364\267n\244\217\330\302\5\211\1\274\24\317\360\330qw\205B\6;\1778\263\306\352\372;N!\17\10]\224\245]\321\36\203\10\274\352\6cx\271aIm", 80, ... , 80, ...
 02350   712   NtRegisterThreadTerminatePort  (24, ...
 02349  1296   NtSetValueKey  ... ) == 0x0
 02350   712   NtRegisterThreadTerminatePort  ... ) == 0x0
 02351  1296   NtClose  (-2147481484, ...
 02345   896   NtAllocateVirtualMemory  ... 57729024, 8192, ) == 0x0
 02352   712   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02353   896   NtProtectVirtualMemory  (-1, (0x370e000), 4096, 260, ...
 02352   712   NtDuplicateObject  ... 520, ) == 0x0
 02353   896   NtProtectVirtualMemory  ... (0x370e000), 4096, 4, ) == 0x0
 02354   712   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02355   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02354   712   NtWaitForSingleObject  ... ) == 0x102
 02356   712   NtWaitForSingleObject  (176, 0, 0x0, ...
 02351  1296   NtClose  ... ) == 0x0
 02318  1296   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "Z\201*_3\236\320G\4\373xe\330pm\13n\1\226\222\1294\372%\37\24\275\241`&XF\326\325\375\3646\20\253iky\313G\370x0\270}\351Y\331\311c\276\265&\3142\26\240\32\330w\325\321\%\46\225\311\265\356)R\3218\204l\13\261\317\303\215\207\200w\314O\241\216\265\340\244\232N\265\33\2iJ\337\212\222\317~\355ax4\340\374\3010\3\345\279L^\240Q\273\26\332,\233\17\302_K\242\210\336\345\366TP\223OX\14\260\313\235Gn\204D\262]\363\273O|\324\32\322^`#`\306\331\257\16\251\324\205\375\13\246\367\274\211"GA\337/\211\361\13\231~\352\321t\25[\227\220\322\371\310S)\265S\356kh\333\316\33Q\241g\354\270UNW\227M\200\35}\325G6\370\256V\16I^:\263R\277E\345\304\360\360\201Z\257\374\235\250\11\340\360\234\330\241x\374\251\247+\14", ) GA\337/\211\361\13\231~\352\321t\25[\227\220\322\371\310S)\265S\356kh\333\316\33Q\241g\354\270UNW\227M\200\35}\325G6\370\256V\16I^:\263R\277E\345\304\360\360\201Z\257\374\235\250\11\340\360\234\330\241x\374\251\247+\14", ) == 0x0
 02357  1296   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 524, ) == 0x0
 02358  1296   NtSetEventBoostPriority  (424, ...
 02130  1588   NtWaitForSingleObject  ... ) == 0x0
 02359  1588   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 528, ) == 0x0
 02360  1588   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12643692, 188, ... 532, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 12643692, 188, ... 532, 0x0, 0x0, 0x0, 188, ) == 0x0
 02361  1588   NtRequestWaitReplyPort  (532, {200, 224, new_msg, 0, 1330592, 12, 2, 1}  (532, {200, 224, new_msg, 0, 1330592, 12, 2, 1} "\0\2\24\0\274\0\0\0\244>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\2\24\0\4\0\0\0\3\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0|9\265\304)1b\231P_\25\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\2\0(\0\0\0X_\25\0)Vb\0(\2\24\0x_\25\0\\1\24\0\0\0\0\0\0\0\0\0x_\25\0P\0\0\0\200_\25\0\360\6\221|\0\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\300\0\372\31\221|\200\363\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 1588, 81932, 0} "\7\2\24\0\274\0\0\0\244>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0|9\265\304)1b\231P_\25\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\2\0(\0\0\0X_\25\0)Vb\0(\2\24\0x_\25\0\\1\24\0\0\0\0\0\0\0\0\0x_\25\0P\0\0\0\200_\25\0\360\6\221|\0\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\300\0\372\31\221|\200\363\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 1252, 1588, 81932, 0}  (532, {200, 224, new_msg, 0, 1330592, 12, 2, 1} "\0\2\24\0\274\0\0\0\244>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\2\24\0\4\0\0\0\3\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0|9\265\304)1b\231P_\25\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\2\0(\0\0\0X_\25\0)Vb\0(\2\24\0x_\25\0\\1\24\0\0\0\0\0\0\0\0\0x_\25\0P\0\0\0\200_\25\0\360\6\221|\0\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\300\0\372\31\221|\200\363\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 1588, 81932, 0} "\7\2\24\0\274\0\0\0\244>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0|9\265\304)1b\231P_\25\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\2\0(\0\0\0X_\25\0)Vb\0(\2\24\0x_\25\0\\1\24\0\0\0\0\0\0\0\0\0x_\25\0P\0\0\0\200_\25\0\360\6\221|\0\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\300\0\372\31\221|\200\363\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02358  1296   NtSetEventBoostPriority  ... ) == 0x0
 02355   896   NtCreateThread  ... 536, {1252, 1728}, ) == 0x0
 02362  1588   NtRequestWaitReplyPort  (532, {44, 68, new_msg, 0, 1252, 1588, 81917, 0}  (532, {44, 68, new_msg, 0, 1252, 1588, 81917, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ...  ...
 02363   896   NtQueryInformationThread  (536, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1252,Tid=1728,}, 0x0, ) == 0x0
 02364   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\300\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\300\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81934, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\300\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\300\6\0\0" )  ) == 0x0
 02362  1588   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 1588, 81933, 0}  ... {40, 64, reply, 0, 1252, 1588, 81933, 0} "\2\356Q\200\4\0\0\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300lkt\367X\353Q\200\320\1\0\0X-\12\0" )  ) == 0x0
 02365  1296   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ...
 02366  1588   NtWaitForSingleObject  (336, 0, 0x0, ...
 02365  1296   NtAllocateVirtualMemory  ... 1400832, 4096, ) == 0x0
 02367  1296   NtSetEventBoostPriority  (336, ...
 02366  1588   NtWaitForSingleObject  ... ) == 0x0
 02368  1588   NtRequestWaitReplyPort  (532, {64, 88, new_msg, 56, 1393936, 12644204, 12644304, 0}  (532, {64, 88, new_msg, 56, 1393936, 12644204, 12644304, 0} "\10\357\300\0@\0\25\0\346\277\347w\320\357\300\0l\357\300\0\20\0\0\0\250.\362v\204E\25\0\1\0\0\0 `\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\250\365\24\0" ...  ...
 02367  1296   NtSetEventBoostPriority  ... ) == 0x0
 02369  1296   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11596408, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11596408, 188, ...
 02370   896   NtResumeThread  (536, ... 1, ) == 0x0
 02371   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 57737216, 1048576, ) == 0x0
 02372   896   NtAllocateVirtualMemory  (-1, 58777600, 0, 8192, 4096, 4, ... 58777600, 8192, ) == 0x0
 02368  1588   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 1588, 81935, 0}  ... {64, 88, reply, 56, 1252, 1588, 81935, 0} "\10\357\300\0@\0\25\0\346\277\347w\320\357\300\0l\357\300\0\20\0\0\0\250.\362v\204E\25\0\1\0\0\0 `\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\250\365\24\0" )  ) == 0x0
 02369  1296   NtConnectPort  ... 540, 0x0, 0x0, 0x0, 188, ) == 0x0
 02373  1728   NtTestAlert  (...
 02374  1588   NtClose  (528, ...
 02375  1296   NtRequestWaitReplyPort  (540, {200, 224, new_msg, 0, 2883626, 1364448, 12, 2}  (540, {200, 224, new_msg, 0, 2883626, 1364448, 12, 2} "\0\1\24\0\0\5\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\3\0\4\0\0\0\0;\24\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\314b\315\352\22\310\345\354x\1\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\200\\25\0\274p\325\274\0\5\24\0\310_\25\0h\1\24\0\0\0\0\0\0\0\0\0\310_\25\0P\0\0\0\320_\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\260\0\372\31\221|\214\370\260\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...  ...
 02373  1728   NtTestAlert  ... ) == 0x0
 02374  1588   NtClose  ... ) == 0x0
 02376  1728   NtContinue  (57736496, 1, ...
 02377  1588   NtClose  (532, ...
 02375  1296   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 1296, 81937, 0}  ... {200, 224, reply, 0, 1252, 1296, 81937, 0} "\7\1\24\0\0\5\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0;\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\314b\315\352\22\310\345\354x\1\24\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\200\\25\0\274p\325\274\0\5\24\0\310_\25\0h\1\24\0\0\0\0\0\0\0\0\0\310_\25\0P\0\0\0\320_\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\260\0\372\31\221|\214\370\260\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 02378  1728   NtRegisterThreadTerminatePort  (24, ...
 02377  1588   NtClose  ... ) == 0x0
 02378  1728   NtRegisterThreadTerminatePort  ... ) == 0x0
 02379  1588   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 02380   896   NtProtectVirtualMemory  (-1, (0x380e000), 4096, 260, ...
 02381  1296   NtRequestWaitReplyPort  (540, {44, 68, new_msg, 56, 0, 0, 0, 0}  (540, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\360d\25\0\322\0\0\0" ...  ...
 02382  1728   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02380   896   NtProtectVirtualMemory  ... (0x380e000), 4096, 4, ) == 0x0
 02382  1728   NtDuplicateObject  ... 532, ) == 0x0
 02383   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02381  1296   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 1296, 81939, 0}  ... {40, 64, reply, 0, 1252, 1296, 81939, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\323\1\0\0\350\370\14\0" )  ) == 0x0
 02384  1728   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02383   896   NtCreateThread  ... 528, {1252, 212}, ) == 0x0
 02385  1296   NtRequestWaitReplyPort  (540, {64, 88, new_msg, 56, 1310720, 11596276, 1402088, 0}  (540, {64, 88, new_msg, 56, 1310720, 11596276, 1402088, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0hg\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02384  1728   NtWaitForSingleObject  ... ) == 0x102
 02386   896   NtQueryInformationThread  (528, Basic, 28, ...
 02387  1728   NtWaitForSingleObject  (176, 0, 0x0, ...
 02386   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1252,Tid=212,}, 0x0, ) == 0x0
 02385  1296   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 1296, 81940, 0}  ... {64, 88, reply, 56, 1252, 1296, 81940, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0hg\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02379  1588   NtCreateKey  ... 544, 2, ) == 0x0
 02388   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\324\0\0\0" ...  ...
 02389  1588   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02388   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81941, 0}  ... {28, 56, reply, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\324\0\0\0" )  ) == 0x0
 02389  1588   NtOpenKey  ... 548, ) == 0x0
 02390   896   NtResumeThread  (528, ...
 02391  1588   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02390   896   NtResumeThread  ... 1, ) == 0x0
 02391  1588   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02392   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02393  1588   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ...
 02394  1296   NtRequestWaitReplyPort  (540, {44, 68, new_msg, 56, 1252, 1296, 81939, 0}  (540, {44, 68, new_msg, 56, 1252, 1296, 81939, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\360d\25\0\322\0\0\0" ...  ...
 02395   212   NtTestAlert  (...
 02392   896   NtAllocateVirtualMemory  ... 58785792, 1048576, ) == 0x0
 02395   212   NtTestAlert  ... ) == 0x0
 02396   896   NtAllocateVirtualMemory  (-1, 59826176, 0, 8192, 4096, 4, ...
 02394  1296   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 1296, 81942, 0}  ... {40, 64, reply, 0, 1252, 1296, 81942, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" )  ) == 0x0
 02397   212   NtContinue  (58785072, 1, ...
 02396   896   NtAllocateVirtualMemory  ... 59826176, 8192, ) == 0x0
 02398  1296   NtRequestWaitReplyPort  (540, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0}  (540, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0(k\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02399   212   NtRegisterThreadTerminatePort  (24, ...
 02400   896   NtProtectVirtualMemory  (-1, (0x390e000), 4096, 260, ...
 02399   212   NtRegisterThreadTerminatePort  ... ) == 0x0
 02400   896   NtProtectVirtualMemory  ... (0x390e000), 4096, 4, ) == 0x0
 02398  1296   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 1296, 81943, 0}  ... {64, 88, reply, 56, 1252, 1296, 81943, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0(k\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02393  1588   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02401   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02402   212   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02403  1588   NtQueryValueKey  (544,  (544, "Domain", Partial, 144, ... , Partial, 144, ...
 02404  1296   NtRequestWaitReplyPort  (540, {44, 68, new_msg, 56, 1252, 1296, 81942, 0}  (540, {44, 68, new_msg, 56, 1252, 1296, 81942, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\360d\25\0\322\0\0\0" ...  ...
 02402   212   NtDuplicateObject  ... 552, ) == 0x0
 02403  1588   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02405   212   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02406  1588   NtQueryValueKey  (544,  (544, "Domain", Partial, 144, ... , Partial, 144, ...
 02404  1296   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 1296, 81944, 0}  ... {40, 64, reply, 0, 1252, 1296, 81944, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" )  ) == 0x0
 02405   212   NtWaitForSingleObject  ... ) == 0x102
 02406  1588   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02407  1296   NtRequestWaitReplyPort  (540, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0}  (540, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\00n\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02408   212   NtWaitForSingleObject  (176, 0, 0x0, ...
 02409  1588   NtClose  (544, ...
 02407  1296   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 1296, 81945, 0}  ... {64, 88, reply, 56, 1252, 1296, 81945, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\00n\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02401   896   NtCreateThread  ... 556, {1252, 180}, ) == 0x0
 02409  1588   NtClose  ... ) == 0x0
 02410   896   NtQueryInformationThread  (556, Basic, 28, ...
 02411  1588   NtClose  (548, ...
 02410   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1252,Tid=180,}, 0x0, ) == 0x0
 02411  1588   NtClose  ... ) == 0x0
 02412   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81941, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\344\4\0\0\264\0\0\0" ...  ...
 02413  1588   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 02412   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81946, 0}  ... {28, 56, reply, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\344\4\0\0\264\0\0\0" )  ) == 0x0
 02413  1588   NtOpenKey  ... 548, ) == 0x0
 02414  1296   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ...
 02415  1588   NtQueryValueKey  (548,  (548, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 02414  1296   NtAllocateVirtualMemory  ... 1404928, 4096, ) == 0x0
 02416   896   NtResumeThread  (556, ...
 02417  1296   NtClose  (524, ...
 02416   896   NtResumeThread  ... 1, ) == 0x0
 02417  1296   NtClose  ... ) == 0x0
 02418   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02419  1296   NtClose  (540, ...
 02418   896   NtAllocateVirtualMemory  ... 59834368, 1048576, ) == 0x0
 02419  1296   NtClose  ... ) == 0x0
 02420   896   NtAllocateVirtualMemory  (-1, 60874752, 0, 8192, 4096, 4, ...
 02415  1588   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02421   180   NtTestAlert  (...
 02420   896   NtAllocateVirtualMemory  ... 60874752, 8192, ) == 0x0
 02422  1588   NtClose  (548, ...
 02421   180   NtTestAlert  ... ) == 0x0
 02423  1296   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02422  1588   NtClose  ... ) == 0x0
 02424   180   NtContinue  (59833648, 1, ...
 02423  1296   NtCreateEvent  ... 548, ) == 0x0
 02425  1588   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12643280, ... }, 12643280, ...
 02426   180   NtRegisterThreadTerminatePort  (24, ...
 02427  1296   NtOpenThreadToken  (-2, 0xc, 1, ...
 02425  1588   NtQueryAttributesFile  ... ) == 0x0
 02426   180   NtRegisterThreadTerminatePort  ... ) == 0x0
 02427  1296   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02428  1588   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02429   896   NtProtectVirtualMemory  (-1, (0x3a0e000), 4096, 260, ...
 02430  1296   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02431   180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02429   896   NtProtectVirtualMemory  ... (0x3a0e000), 4096, 4, ) == 0x0
 02430  1296   NtCreateEvent  ... 540, ) == 0x0
 02431   180   NtDuplicateObject  ... 524, ) == 0x0
 02432   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02428  1588   NtOpenFile  ... 544, {status=0x0, info=1}, ) == 0x0
 02433   180   NtWaitForSingleObject  (104, 0, {0, 0}, ...
 02432   896   NtCreateThread  ... 560, {1252, 464}, ) == 0x0
 02434  1588   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 544, ...
 02433   180   NtWaitForSingleObject  ... ) == 0x102
 02435   896   NtQueryInformationThread  (560, Basic, 28, ...
 02434  1588   NtCreateSection  ... 564, ) == 0x0
 02436   180   NtWaitForSingleObject  (176, 0, 0x0, ...
 02435   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1252,Tid=464,}, 0x0, ) == 0x0
 02437  1588   NtClose  (544, ...
 02438  1296   NtOpenThreadToken  (-2, 0xc, 1, ...
 02437  1588   NtClose  ... ) == 0x0
 02438  1296   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02439  1588   NtMapViewOfSection  (564, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02440  1296   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02441   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0\320\1\0\0" ...  ...
 02440  1296   NtSetInformationThread  ... ) == 0x0
 02441   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81948, 0}  ... {28, 56, reply, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0\320\1\0\0" )  ) == 0x0
 02442  1296   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11595968,  (0xc0100080, {24, 0, 0x40, 0, 11595968, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ...
 02443   896   NtResumeThread  (560, ... 1, ) == 0x0
 02444   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 60882944, 1048576, ) == 0x0
 02445   896   NtAllocateVirtualMemory  (-1, 61923328, 0, 8192, 4096, 4, ... 61923328, 8192, ) == 0x0
 02446   896   NtProtectVirtualMemory  (-1, (0x3b0e000), 4096, 260, ... (0x3b0e000), 4096, 4, ) == 0x0
 02447   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02439  1588   NtMapViewOfSection  ... (0x360000), 0x0, 20480, ) == 0x0
 02442  1296   NtCreateFile  ... 544, {status=0x0, info=1}, ) == 0x0
 02448   464   NtWaitForSingleObject  (128, 0, 0x0, ...
 02449  1588   NtClose  (564, ...
 02450  1296   NtSetInformationFile  (544, 11596024, 8, Pipe, ...
 02449  1588   NtClose  ... ) == 0x0
 02450  1296   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02451  1588   NtUnmapViewOfSection  (-1, 0x360000, ...
 02452  1296   NtSetInformationFile  (544, 11596012, 8, Completion, ...
 02451  1588   NtUnmapViewOfSection  ... ) == 0x0
 02452  1296   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02453  1588   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12643588, ... }, 12643588, ...
 02454  1296   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02447   896   NtCreateThread  ... 564, {1252, 444}, ) == 0x0
 02453  1588   NtQueryAttributesFile  ... ) == 0x0
 02455   896   NtQueryInformationThread  (564, Basic, 28, ...
 02456  1588   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02455   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1252,Tid=444,}, 0x0, ) == 0x0
 02456  1588   NtOpenFile  ... 568, {status=0x0, info=1}, ) == 0x0
 02457   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\4\0\0\274\1\0\0" ...  ...
 02458  1588   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 568, ...
 02457   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81949, 0}  ... {28, 56, reply, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\4\0\0\274\1\0\0" )  ) == 0x0
 02458  1588   NtCreateSection  ... 572, ) == 0x0
 02454  1296   NtSetInformationThread  ... ) == 0x0
 02459  1588   NtQuerySection  (572, Image, 48, ...
 02460  1296   NtWriteFile  (544, 201, 0, 0,  (544, 201, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 02461   896   NtResumeThread  (564, ...
 02460  1296   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 02461   896   NtResumeThread  ... 1, ) == 0x0
 02462  1296   NtReadFile  (544, 201, 0, 0, 1024, {0, 0}, 0, ...
 02463   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02462  1296   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20m+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02463   896   NtAllocateVirtualMemory  ... 61931520, 1048576, ) == 0x0
 02464  1296   NtFsControlFile  (544, 201, 0x0, 0x0, 0x11c017,  (544, 201, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\260\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ...
 02465   896   NtAllocateVirtualMemory  (-1, 62971904, 0, 8192, 4096, 4, ...
 02459  1588   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02466   444   NtWaitForSingleObject  (128, 0, 0x0, ...
 02465   896   NtAllocateVirtualMemory  ... 62971904, 8192, ) == 0x0
 02467  1588   NtClose  (568, ...
 02464  1296   NtFsControlFile  ... {status=0x103, info=68},  ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20m+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02467  1588   NtClose  ... ) == 0x0
 02468  1296   NtFsControlFile  (544, 201, 0x0, 0x0, 0x11c017,  (544, 201, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\1xH\376\32\235JO\235\342d\324\312\304\340\351\1\0\0\0\1\0\0\0&\0(\0Pp\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ...
 02469  1588   NtMapViewOfSection  (572, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02468  1296   NtFsControlFile  ... {status=0x103, info=48},  ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\1xH\376\32\235JO\235\342d\324\312\304\340\351\0\0\0\0", ) , ) == 0x103
 02469  1588   NtMapViewOfSection  ... (0x76fb0000), 0x0, 32768, ) == 0x0
 02470  1296   NtFsControlFile  (544, 201, 0x0, 0x0, 0x11c017,  (544, 201, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\1xH\376\32\235JO\235\342d\324\312\304\340\351", 44, 1024, ... , 44, 1024, ...
 02471  1588   NtClose  (572, ...
 02470  1296   NtFsControlFile  ... {status=0x103, info=156},  ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\200j\25\0\1\0\0\0\214j\25\0 \0\0\0\1\0\0\0\30\0\32\0\230j\25\0\264j\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\340w\25\0\1\0\0\0\5\0i\0\360w\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02472   896   NtProtectVirtualMemory  (-1, (0x3c0e000), 4096, 260, ...
 02473  1296   NtClose  (540, ...
 02472   896   NtProtectVirtualMemory  ... (0x3c0e000), 4096, 4, ) == 0x0
 02471  1588   NtClose  ... ) == 0x0
 02474   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02475  1588   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02474   896   NtCreateThread  ... 572, {1252, 276}, ) == 0x0
 02475  1588   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02476   896   NtQueryInformationThread  (572, Basic, 28, ...
 02477  1588   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02476   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1252,Tid=276,}, 0x0, ) == 0x0
 02477  1588   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02473  1296   NtClose  ... ) == 0x0
 02478  1588   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02479  1296   NtClose  (544, ...
 02480   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\344\4\0\0\24\1\0\0" ...  ...
 02479  1296   NtClose  ... ) == 0x0
 02480   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81950, 0}  ... {28, 56, reply, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\344\4\0\0\24\1\0\0" )  ) == 0x0
 02481  1296   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1330592, 0x0, 11597892, 188, ... , {12, 2, 1, 1}, 0x0, 1330592, 0x0, 11597892, 188, ...
 02482   896   NtResumeThread  (572, ...
 02481  1296   NtSecureConnectPort  ... 544, 0x0, 0x0, 0x0, 188, ) == 0x0
 02482   896   NtResumeThread  ... 1, ) == 0x0
 02478  1588   NtFlushInstructionCache  ... ) == 0x0
 02483   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02484  1588   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02485  1296   NtOpenThreadToken  (-2, 0xc, 1, ...
 02486   276   NtWaitForSingleObject  (128, 0, 0x0, ...
 02484  1588   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02485  1296   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02487  1588   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02488  1296   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02487  1588   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02488  1296   NtSetInformationThread  ... ) == 0x0
 02489  1588   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02490  1296   NtRequestWaitReplyPort  (544, {200, 224, new_msg, 0, 1364448, 12, 2, 1310977}  (544, {200, 224, new_msg, 0, 1364448, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0O{\37;~c\357=$C\27\207\16\377\325\333\12\0\0\0\211\21R!AV#\242\0\0\0\0\330]\25\0\235\316\347\274\264^\252\34(\0\0\0\250\207\0\35\0\0\24\0\240\366\260\0\3732\344\6\0\0\0\0\320_\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02483   896   NtAllocateVirtualMemory  ... 62980096, 1048576, ) == 0x0
 02491   896   NtAllocateVirtualMemory  (-1, 64020480, 0, 8192, 4096, 4, ... 64020480, 8192, ) == 0x0
 02492   896   NtProtectVirtualMemory  (-1, (0x3d0e000), 4096, 260, ... (0x3d0e000), 4096, 4, ) == 0x0
 02493   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02489  1588   NtFlushInstructionCache  ... ) == 0x0
 02494  1588   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 540, ) }, ... 540, ) == 0x0
 02495  1588   NtMapViewOfSection  (540, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 02496  1588   NtClose  (540, ... ) == 0x0
 02497  1588   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02493   896   NtCreateThread  ... 540, {1252, 1688}, ) == 0x0
 02498   896   NtQueryInformationThread  (540, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1252,Tid=1688,}, 0x0, ) == 0x0
 02499   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0\230\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0\230\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81953, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0\230\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0\230\6\0\0" )  ) == 0x0
 02490  1296   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 1296, 81952, 0}  ... {200, 224, reply, 0, 1252, 1296, 81952, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0O{\37;~c\357=$C\27\207\16\377\325\333\12\0\0\0\211\21R!AV#\242\0\0\0\0\330]\25\0\235\316\347\274\264^\252\34(\0\0\0\250\207\0\35\0\0\24\0\240\366\260\0\3732\344\6\0\0\0\0\320_\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02500  1588   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ...
 02501  1296   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02502   896   NtResumeThread  (540, ...
 02501  1296   NtSetInformationThread  ... ) == 0x0
 02502   896   NtResumeThread  ... 1, ) == 0x0
 02503  1296   NtRequestWaitReplyPort  (544, {56, 80, new_msg, 0, 44, 3, 20, 0}  (544, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0\32\235JO\235\342d\324\312\304\340\351\1\0\0\0\0\0\0\0&\0(\0\\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 02504   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 64028672, 1048576, ) == 0x0
 02505   896   NtAllocateVirtualMemory  (-1, 65069056, 0, 8192, 4096, 4, ... 65069056, 8192, ) == 0x0
 02500  1588   NtProtectVirtualMemory  ... (0x76f61000), 4096, 4, ) == 0x0
 02506  1688   NtWaitForSingleObject  (128, 0, 0x0, ...
 02507  1588   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02508  1588   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02509  1588   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 02510  1588   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02511  1588   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 02512  1588   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02513   896   NtProtectVirtualMemory  (-1, (0x3e0e000), 4096, 260, ... (0x3e0e000), 4096, 4, ) == 0x0
 02514   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 568, {1252, 1584}, ) == 0x0
 02515   896   NtQueryInformationThread  (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1252,Tid=1584,}, 0x0, ) == 0x0
 02516   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\00\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\00\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81955, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\00\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\00\6\0\0" )  ) == 0x0
 02517   896   NtResumeThread  (568, ... 1, ) == 0x0
 02518   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02512  1588   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02519  1584   NtWaitForSingleObject  (128, 0, 0x0, ...
 02520  1588   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02518   896   NtAllocateVirtualMemory  ... 65077248, 1048576, ) == 0x0
 02521   896   NtAllocateVirtualMemory  (-1, 66117632, 0, 8192, 4096, 4, ... 66117632, 8192, ) == 0x0
 02522   896   NtProtectVirtualMemory  (-1, (0x3f0e000), 4096, 260, ... (0x3f0e000), 4096, 4, ) == 0x0
 02523   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 576, {1252, 1496}, ) == 0x0
 02524   896   NtQueryInformationThread  (576, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1252,Tid=1496,}, 0x0, ) == 0x0
 02525   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81955, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\330\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\330\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81956, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\330\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\330\5\0\0" )  ) == 0x0
 02526   896   NtResumeThread  (576, ... 1, ) == 0x0
 02527   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 66125824, 1048576, ) == 0x0
 02528   896   NtAllocateVirtualMemory  (-1, 67166208, 0, 8192, 4096, 4, ... 67166208, 8192, ) == 0x0
 02529  1496   NtWaitForSingleObject  (128, 0, 0x0, ...
 02530   896   NtProtectVirtualMemory  (-1, (0x400e000), 4096, 260, ... (0x400e000), 4096, 4, ) == 0x0
 02531   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 580, {1252, 1944}, ) == 0x0
 02532   896   NtQueryInformationThread  (580, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1252,Tid=1944,}, 0x0, ) == 0x0
 02533   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81956, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\4\0\0\230\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\4\0\0\230\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81957, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\4\0\0\230\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\4\0\0\230\7\0\0" )  ) == 0x0
 02534   896   NtResumeThread  (580, ... 1, ) == 0x0
 02535   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02536  1944   NtWaitForSingleObject  (128, 0, 0x0, ...
 02535   896   NtAllocateVirtualMemory  ... 67174400, 1048576, ) == 0x0
 02537   896   NtAllocateVirtualMemory  (-1, 68214784, 0, 8192, 4096, 4, ... 68214784, 8192, ) == 0x0
 02538   896   NtProtectVirtualMemory  (-1, (0x410e000), 4096, 260, ... (0x410e000), 4096, 4, ) == 0x0
 02539   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 584, {1252, 1896}, ) == 0x0
 02540   896   NtQueryInformationThread  (584, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1252,Tid=1896,}, 0x0, ) == 0x0
 02541   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81957, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0h\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0h\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81958, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0h\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0h\7\0\0" )  ) == 0x0
 02542   896   NtResumeThread  (584, ... 1, ) == 0x0
 02543   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 68222976, 1048576, ) == 0x0
 02544   896   NtAllocateVirtualMemory  (-1, 69263360, 0, 8192, 4096, 4, ... 69263360, 8192, ) == 0x0
 02545  1896   NtWaitForSingleObject  (128, 0, 0x0, ...
 02546   896   NtProtectVirtualMemory  (-1, (0x420e000), 4096, 260, ... (0x420e000), 4096, 4, ) == 0x0
 02547   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 588, {1252, 148}, ) == 0x0
 02548   896   NtQueryInformationThread  (588, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1252,Tid=148,}, 0x0, ) == 0x0
 02549   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\4\0\0\224\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\4\0\0\224\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81959, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\4\0\0\224\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\4\0\0\224\0\0\0" )  ) == 0x0
 02550   896   NtResumeThread  (588, ... 1, ) == 0x0
 02551   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02552   148   NtWaitForSingleObject  (128, 0, 0x0, ...
 02551   896   NtAllocateVirtualMemory  ... 69271552, 1048576, ) == 0x0
 02553   896   NtAllocateVirtualMemory  (-1, 70311936, 0, 8192, 4096, 4, ... 70311936, 8192, ) == 0x0
 02554   896   NtProtectVirtualMemory  (-1, (0x430e000), 4096, 260, ... (0x430e000), 4096, 4, ) == 0x0
 02555   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 592, {1252, 1500}, ) == 0x0
 02556   896   NtQueryInformationThread  (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1252,Tid=1500,}, 0x0, ) == 0x0
 02557   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\334\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\334\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81960, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\334\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\334\5\0\0" )  ) == 0x0
 02558   896   NtResumeThread  (592, ... 1, ) == 0x0
 02559   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 70320128, 1048576, ) == 0x0
 02560   896   NtAllocateVirtualMemory  (-1, 71360512, 0, 8192, 4096, 4, ... 71360512, 8192, ) == 0x0
 02561  1500   NtWaitForSingleObject  (128, 0, 0x0, ...
 02562   896   NtProtectVirtualMemory  (-1, (0x440e000), 4096, 260, ... (0x440e000), 4096, 4, ) == 0x0
 02563   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 596, {1252, 240}, ) == 0x0
 02564   896   NtQueryInformationThread  (596, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1252,Tid=240,}, 0x0, ) == 0x0
 02565   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0\360\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0\360\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81961, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0\360\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0\360\0\0\0" )  ) == 0x0
 02566   896   NtResumeThread  (596, ... 1, ) == 0x0
 02567   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02568   240   NtWaitForSingleObject  (128, 0, 0x0, ...
 02567   896   NtAllocateVirtualMemory  ... 71368704, 1048576, ) == 0x0
 02569   896   NtAllocateVirtualMemory  (-1, 72409088, 0, 8192, 4096, 4, ... 72409088, 8192, ) == 0x0
 02570   896   NtProtectVirtualMemory  (-1, (0x450e000), 4096, 260, ... (0x450e000), 4096, 4, ) == 0x0
 02571   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 600, {1252, 2032}, ) == 0x0
 02572   896   NtQueryInformationThread  (600, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1252,Tid=2032,}, 0x0, ) == 0x0
 02573   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\360\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\360\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81962, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\360\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\360\7\0\0" )  ) == 0x0
 02574   896   NtResumeThread  (600, ... 1, ) == 0x0
 02575   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 72417280, 1048576, ) == 0x0
 02576   896   NtAllocateVirtualMemory  (-1, 73457664, 0, 8192, 4096, 4, ... 73457664, 8192, ) == 0x0
 02577  2032   NtWaitForSingleObject  (128, 0, 0x0, ...
 02578   896   NtProtectVirtualMemory  (-1, (0x460e000), 4096, 260, ... (0x460e000), 4096, 4, ) == 0x0
 02579   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {1252, 1592}, ) == 0x0
 02580   896   NtQueryInformationThread  (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1252,Tid=1592,}, 0x0, ) == 0x0
 02581   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\08\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\08\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81963, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\08\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\08\6\0\0" )  ) == 0x0
 02582   896   NtResumeThread  (604, ... 1, ) == 0x0
 02583   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02584  1592   NtWaitForSingleObject  (128, 0, 0x0, ...
 02583   896   NtAllocateVirtualMemory  ... 73465856, 1048576, ) == 0x0
 02585   896   NtAllocateVirtualMemory  (-1, 74506240, 0, 8192, 4096, 4, ... 74506240, 8192, ) == 0x0
 02586   896   NtProtectVirtualMemory  (-1, (0x470e000), 4096, 260, ... (0x470e000), 4096, 4, ) == 0x0
 02587   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 608, {1252, 496}, ) == 0x0
 02588   896   NtQueryInformationThread  (608, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1252,Tid=496,}, 0x0, ) == 0x0
 02589   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\0\360\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\0\360\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81964, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\0\360\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\0\360\1\0\0" )  ) == 0x0
 02590   896   NtResumeThread  (608, ... 1, ) == 0x0
 02591   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 74514432, 1048576, ) == 0x0
 02592   896   NtAllocateVirtualMemory  (-1, 75554816, 0, 8192, 4096, 4, ... 75554816, 8192, ) == 0x0
 02593   496   NtWaitForSingleObject  (128, 0, 0x0, ...
 02594   896   NtProtectVirtualMemory  (-1, (0x480e000), 4096, 260, ... (0x480e000), 4096, 4, ) == 0x0
 02595   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 612, {1252, 476}, ) == 0x0
 02596   896   NtQueryInformationThread  (612, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1252,Tid=476,}, 0x0, ) == 0x0
 02597   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81964, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0\334\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0\334\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81965, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0\334\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0\334\1\0\0" )  ) == 0x0
 02598   896   NtResumeThread  (612, ... 1, ) == 0x0
 02599   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02600   476   NtWaitForSingleObject  (128, 0, 0x0, ...
 02599   896   NtAllocateVirtualMemory  ... 75563008, 1048576, ) == 0x0
 02601   896   NtAllocateVirtualMemory  (-1, 76603392, 0, 8192, 4096, 4, ... 76603392, 8192, ) == 0x0
 02602   896   NtProtectVirtualMemory  (-1, (0x490e000), 4096, 260, ... (0x490e000), 4096, 4, ) == 0x0
 02603   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {1252, 1404}, ) == 0x0
 02604   896   NtQueryInformationThread  (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1252,Tid=1404,}, 0x0, ) == 0x0
 02605   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81965, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0|\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0|\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81966, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0|\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0|\5\0\0" )  ) == 0x0
 02606   896   NtResumeThread  (616, ... 1, ) == 0x0
 02607   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 76611584, 1048576, ) == 0x0
 02608   896   NtAllocateVirtualMemory  (-1, 77651968, 0, 8192, 4096, 4, ... 77651968, 8192, ) == 0x0
 02609  1404   NtWaitForSingleObject  (128, 0, 0x0, ...
 02610   896   NtProtectVirtualMemory  (-1, (0x4a0e000), 4096, 260, ... (0x4a0e000), 4096, 4, ) == 0x0
 02611   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 620, {1252, 1744}, ) == 0x0
 02612   896   NtQueryInformationThread  (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1252,Tid=1744,}, 0x0, ) == 0x0
 02613   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81966, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0\320\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0\320\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81967, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0\320\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0\320\6\0\0" )  ) == 0x0
 02614   896   NtResumeThread  (620, ... 1, ) == 0x0
 02615   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02616  1744   NtWaitForSingleObject  (128, 0, 0x0, ...
 02615   896   NtAllocateVirtualMemory  ... 77660160, 1048576, ) == 0x0
 02617   896   NtAllocateVirtualMemory  (-1, 78700544, 0, 8192, 4096, 4, ... 78700544, 8192, ) == 0x0
 02618   896   NtProtectVirtualMemory  (-1, (0x4b0e000), 4096, 260, ... (0x4b0e000), 4096, 4, ) == 0x0
 02619   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 624, {1252, 336}, ) == 0x0
 02620   896   NtQueryInformationThread  (624, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1252,Tid=336,}, 0x0, ) == 0x0
 02621   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81967, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0P\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0P\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81968, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0P\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0P\1\0\0" )  ) == 0x0
 02622   896   NtResumeThread  (624, ... 1, ) == 0x0
 02623   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 78708736, 1048576, ) == 0x0
 02624   896   NtAllocateVirtualMemory  (-1, 79749120, 0, 8192, 4096, 4, ... 79749120, 8192, ) == 0x0
 02625   336   NtWaitForSingleObject  (128, 0, 0x0, ...
 02626   896   NtProtectVirtualMemory  (-1, (0x4c0e000), 4096, 260, ... (0x4c0e000), 4096, 4, ) == 0x0
 02627   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {1252, 1128}, ) == 0x0
 02628   896   NtQueryInformationThread  (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1252,Tid=1128,}, 0x0, ) == 0x0
 02629   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81968, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\4\0\0h\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\4\0\0h\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81969, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\4\0\0h\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\4\0\0h\4\0\0" )  ) == 0x0
 02630   896   NtResumeThread  (628, ... 1, ) == 0x0
 02631   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02632  1128   NtWaitForSingleObject  (128, 0, 0x0, ...
 02631   896   NtAllocateVirtualMemory  ... 79757312, 1048576, ) == 0x0
 02633   896   NtAllocateVirtualMemory  (-1, 80797696, 0, 8192, 4096, 4, ... 80797696, 8192, ) == 0x0
 02634   896   NtProtectVirtualMemory  (-1, (0x4d0e000), 4096, 260, ... (0x4d0e000), 4096, 4, ) == 0x0
 02635   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 632, {1252, 1924}, ) == 0x0
 02636   896   NtQueryInformationThread  (632, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1252,Tid=1924,}, 0x0, ) == 0x0
 02637   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81969, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\204\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\204\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81970, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\204\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\204\7\0\0" )  ) == 0x0
 02638   896   NtResumeThread  (632, ... 1, ) == 0x0
 02639   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 80805888, 1048576, ) == 0x0
 02640   896   NtAllocateVirtualMemory  (-1, 81846272, 0, 8192, 4096, 4, ... 81846272, 8192, ) == 0x0
 02641  1924   NtWaitForSingleObject  (128, 0, 0x0, ...
 02642   896   NtProtectVirtualMemory  (-1, (0x4e0e000), 4096, 260, ... (0x4e0e000), 4096, 4, ) == 0x0
 02643   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 636, {1252, 768}, ) == 0x0
 02644   896   NtQueryInformationThread  (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1252,Tid=768,}, 0x0, ) == 0x0
 02645   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81970, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\4\0\0\0\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\4\0\0\0\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81971, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\4\0\0\0\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\4\0\0\0\3\0\0" )  ) == 0x0
 02646   896   NtResumeThread  (636, ... 1, ) == 0x0
 02647   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02648   768   NtWaitForSingleObject  (128, 0, 0x0, ...
 02647   896   NtAllocateVirtualMemory  ... 81854464, 1048576, ) == 0x0
 02649   896   NtAllocateVirtualMemory  (-1, 82894848, 0, 8192, 4096, 4, ... 82894848, 8192, ) == 0x0
 02650   896   NtProtectVirtualMemory  (-1, (0x4f0e000), 4096, 260, ... (0x4f0e000), 4096, 4, ) == 0x0
 02651   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 640, {1252, 2040}, ) == 0x0
 02652   896   NtQueryInformationThread  (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1252,Tid=2040,}, 0x0, ) == 0x0
 02653   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81971, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\370\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\370\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81972, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\370\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\370\7\0\0" )  ) == 0x0
 02654   896   NtResumeThread  (640, ... 1, ) == 0x0
 02655   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 82903040, 1048576, ) == 0x0
 02656   896   NtAllocateVirtualMemory  (-1, 83943424, 0, 8192, 4096, 4, ... 83943424, 8192, ) == 0x0
 02657  2040   NtWaitForSingleObject  (128, 0, 0x0, ...
 02658   896   NtProtectVirtualMemory  (-1, (0x500e000), 4096, 260, ... (0x500e000), 4096, 4, ) == 0x0
 02659   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 644, {1252, 216}, ) == 0x0
 02660   896   NtQueryInformationThread  (644, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1252,Tid=216,}, 0x0, ) == 0x0
 02661   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81972, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0\330\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0\330\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81973, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0\330\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0\330\0\0\0" )  ) == 0x0
 02662   896   NtResumeThread  (644, ... 1, ) == 0x0
 02663   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02664   216   NtWaitForSingleObject  (128, 0, 0x0, ...
 02663   896   NtAllocateVirtualMemory  ... 83951616, 1048576, ) == 0x0
 02665   896   NtAllocateVirtualMemory  (-1, 84992000, 0, 8192, 4096, 4, ... 84992000, 8192, ) == 0x0
 02666   896   NtProtectVirtualMemory  (-1, (0x510e000), 4096, 260, ... (0x510e000), 4096, 4, ) == 0x0
 02667   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {1252, 1524}, ) == 0x0
 02668   896   NtQueryInformationThread  (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1252,Tid=1524,}, 0x0, ) == 0x0
 02669   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81973, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\0\364\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\0\364\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81974, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\0\364\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\0\364\5\0\0" )  ) == 0x0
 02670   896   NtResumeThread  (648, ... 1, ) == 0x0
 02671   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 85000192, 1048576, ) == 0x0
 02672   896   NtAllocateVirtualMemory  (-1, 86040576, 0, 8192, 4096, 4, ... 86040576, 8192, ) == 0x0
 02673  1524   NtWaitForSingleObject  (128, 0, 0x0, ...
 02674   896   NtProtectVirtualMemory  (-1, (0x520e000), 4096, 260, ... (0x520e000), 4096, 4, ) == 0x0
 02675   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 652, {1252, 1864}, ) == 0x0
 02676   896   NtQueryInformationThread  (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1252,Tid=1864,}, 0x0, ) == 0x0
 02677   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81974, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0H\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0H\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81975, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0H\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0H\7\0\0" )  ) == 0x0
 02678   896   NtResumeThread  (652, ... 1, ) == 0x0
 02679   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02680  1864   NtWaitForSingleObject  (128, 0, 0x0, ...
 02679   896   NtAllocateVirtualMemory  ... 86048768, 1048576, ) == 0x0
 02681   896   NtAllocateVirtualMemory  (-1, 87089152, 0, 8192, 4096, 4, ... 87089152, 8192, ) == 0x0
 02682   896   NtProtectVirtualMemory  (-1, (0x530e000), 4096, 260, ... (0x530e000), 4096, 4, ) == 0x0
 02683   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {1252, 1020}, ) == 0x0
 02684   896   NtQueryInformationThread  (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1252,Tid=1020,}, 0x0, ) == 0x0
 02685   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81975, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\374\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\374\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81976, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\374\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\374\3\0\0" )  ) == 0x0
 02686   896   NtResumeThread  (656, ... 1, ) == 0x0
 02687   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 87097344, 1048576, ) == 0x0
 02688   896   NtAllocateVirtualMemory  (-1, 88137728, 0, 8192, 4096, 4, ... 88137728, 8192, ) == 0x0
 02689  1020   NtWaitForSingleObject  (128, 0, 0x0, ...
 02690   896   NtProtectVirtualMemory  (-1, (0x540e000), 4096, 260, ... (0x540e000), 4096, 4, ) == 0x0
 02691   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {1252, 1804}, ) == 0x0
 02692   896   NtQueryInformationThread  (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1252,Tid=1804,}, 0x0, ) == 0x0
 02693   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81976, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0\14\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0\14\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81977, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0\14\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0\14\7\0\0" )  ) == 0x0
 02694   896   NtResumeThread  (660, ... 1, ) == 0x0
 02695   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02696  1804   NtWaitForSingleObject  (128, 0, 0x0, ...
 02695   896   NtAllocateVirtualMemory  ... 88145920, 1048576, ) == 0x0
 02697   896   NtAllocateVirtualMemory  (-1, 89186304, 0, 8192, 4096, 4, ... 89186304, 8192, ) == 0x0
 02698   896   NtProtectVirtualMemory  (-1, (0x550e000), 4096, 260, ... (0x550e000), 4096, 4, ) == 0x0
 02699   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {1252, 1644}, ) == 0x0
 02700   896   NtQueryInformationThread  (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1252,Tid=1644,}, 0x0, ) == 0x0
 02701   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81977, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0l\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0l\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81978, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0l\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0l\6\0\0" )  ) == 0x0
 02702   896   NtResumeThread  (664, ... 1, ) == 0x0
 02703   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 89194496, 1048576, ) == 0x0
 02704   896   NtAllocateVirtualMemory  (-1, 90234880, 0, 8192, 4096, 4, ... 90234880, 8192, ) == 0x0
 02705  1644   NtWaitForSingleObject  (128, 0, 0x0, ...
 02706   896   NtProtectVirtualMemory  (-1, (0x560e000), 4096, 260, ... (0x560e000), 4096, 4, ) == 0x0
 02707   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1252, 1124}, ) == 0x0
 02708   896   NtQueryInformationThread  (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1252,Tid=1124,}, 0x0, ) == 0x0
 02709   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81978, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\0d\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\0d\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81979, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\0d\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\0d\4\0\0" )  ) == 0x0
 02710   896   NtResumeThread  (668, ... 1, ) == 0x0
 02711   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02712  1124   NtWaitForSingleObject  (128, 0, 0x0, ...
 02711   896   NtAllocateVirtualMemory  ... 90243072, 1048576, ) == 0x0
 02713   896   NtAllocateVirtualMemory  (-1, 91283456, 0, 8192, 4096, 4, ... 91283456, 8192, ) == 0x0
 02714   896   NtProtectVirtualMemory  (-1, (0x570e000), 4096, 260, ... (0x570e000), 4096, 4, ) == 0x0
 02715   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1252, 776}, ) == 0x0
 02716   896   NtQueryInformationThread  (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1252,Tid=776,}, 0x0, ) == 0x0
 02717   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81979, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0\10\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0\10\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81980, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0\10\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0\10\3\0\0" )  ) == 0x0
 02718   896   NtResumeThread  (672, ... 1, ) == 0x0
 02719   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 91291648, 1048576, ) == 0x0
 02720   896   NtAllocateVirtualMemory  (-1, 92332032, 0, 8192, 4096, 4, ... 92332032, 8192, ) == 0x0
 02721   776   NtWaitForSingleObject  (128, 0, 0x0, ...
 02722   896   NtProtectVirtualMemory  (-1, (0x580e000), 4096, 260, ... (0x580e000), 4096, 4, ) == 0x0
 02723   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1252, 1696}, ) == 0x0
 02724   896   NtQueryInformationThread  (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1252,Tid=1696,}, 0x0, ) == 0x0
 02725   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81980, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0\240\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0\240\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81981, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0\240\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0\240\6\0\0" )  ) == 0x0
 02726   896   NtResumeThread  (676, ... 1, ) == 0x0
 02727   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02728  1696   NtWaitForSingleObject  (128, 0, 0x0, ...
 02727   896   NtAllocateVirtualMemory  ... 92340224, 1048576, ) == 0x0
 02729   896   NtAllocateVirtualMemory  (-1, 93380608, 0, 8192, 4096, 4, ... 93380608, 8192, ) == 0x0
 02730   896   NtProtectVirtualMemory  (-1, (0x590e000), 4096, 260, ... (0x590e000), 4096, 4, ) == 0x0
 02731   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1252, 1920}, ) == 0x0
 02732   896   NtQueryInformationThread  (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1252,Tid=1920,}, 0x0, ) == 0x0
 02733   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81981, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\200\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\200\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81982, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\200\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\200\7\0\0" )  ) == 0x0
 02734   896   NtResumeThread  (680, ... 1, ) == 0x0
 02735   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 93388800, 1048576, ) == 0x0
 02736   896   NtAllocateVirtualMemory  (-1, 94429184, 0, 8192, 4096, 4, ... 94429184, 8192, ) == 0x0
 02737  1920   NtWaitForSingleObject  (128, 0, 0x0, ...
 02738   896   NtProtectVirtualMemory  (-1, (0x5a0e000), 4096, 260, ... (0x5a0e000), 4096, 4, ) == 0x0
 02739   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1252, 1200}, ) == 0x0
 02740   896   NtQueryInformationThread  (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1252,Tid=1200,}, 0x0, ) == 0x0
 02741   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81982, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0\260\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0\260\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81983, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0\260\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0\260\4\0\0" )  ) == 0x0
 02742   896   NtResumeThread  (684, ... 1, ) == 0x0
 02743   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02744  1200   NtWaitForSingleObject  (128, 0, 0x0, ...
 02743   896   NtAllocateVirtualMemory  ... 94437376, 1048576, ) == 0x0
 02745   896   NtAllocateVirtualMemory  (-1, 95477760, 0, 8192, 4096, 4, ... 95477760, 8192, ) == 0x0
 02746   896   NtProtectVirtualMemory  (-1, (0x5b0e000), 4096, 260, ... (0x5b0e000), 4096, 4, ) == 0x0
 02747   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1252, 1396}, ) == 0x0
 02748   896   NtQueryInformationThread  (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1252,Tid=1396,}, 0x0, ) == 0x0
 02749   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81983, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0t\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0t\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81984, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0t\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0t\5\0\0" )  ) == 0x0
 02750   896   NtResumeThread  (688, ... 1, ) == 0x0
 02751   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 95485952, 1048576, ) == 0x0
 02752   896   NtAllocateVirtualMemory  (-1, 96526336, 0, 8192, 4096, 4, ... 96526336, 8192, ) == 0x0
 02753  1396   NtWaitForSingleObject  (128, 0, 0x0, ...
 02754   896   NtProtectVirtualMemory  (-1, (0x5c0e000), 4096, 260, ... (0x5c0e000), 4096, 4, ) == 0x0
 02755   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1252, 1692}, ) == 0x0
 02756   896   NtQueryInformationThread  (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1252,Tid=1692,}, 0x0, ) == 0x0
 02757   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81984, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\234\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\234\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81985, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\234\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\234\6\0\0" )  ) == 0x0
 02758   896   NtResumeThread  (692, ... 1, ) == 0x0
 02759   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02760  1692   NtWaitForSingleObject  (128, 0, 0x0, ...
 02759   896   NtAllocateVirtualMemory  ... 96534528, 1048576, ) == 0x0
 02761   896   NtAllocateVirtualMemory  (-1, 97574912, 0, 8192, 4096, 4, ... 97574912, 8192, ) == 0x0
 02762   896   NtProtectVirtualMemory  (-1, (0x5d0e000), 4096, 260, ... (0x5d0e000), 4096, 4, ) == 0x0
 02763   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {1252, 1392}, ) == 0x0
 02764   896   NtQueryInformationThread  (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1252,Tid=1392,}, 0x0, ) == 0x0
 02765   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81985, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0p\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0p\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81986, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0p\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0p\5\0\0" )  ) == 0x0
 02766   896   NtResumeThread  (696, ... 1, ) == 0x0
 02767   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 97583104, 1048576, ) == 0x0
 02768   896   NtAllocateVirtualMemory  (-1, 98623488, 0, 8192, 4096, 4, ... 98623488, 8192, ) == 0x0
 02769  1392   NtWaitForSingleObject  (128, 0, 0x0, ...
 02770   896   NtProtectVirtualMemory  (-1, (0x5e0e000), 4096, 260, ... (0x5e0e000), 4096, 4, ) == 0x0
 02771   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {1252, 1852}, ) == 0x0
 02772   896   NtQueryInformationThread  (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1252,Tid=1852,}, 0x0, ) == 0x0
 02773   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81986, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0<\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0<\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81987, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0<\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0<\7\0\0" )  ) == 0x0
 02774   896   NtResumeThread  (700, ... 1, ) == 0x0
 02775   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02776  1852   NtWaitForSingleObject  (128, 0, 0x0, ...
 02775   896   NtAllocateVirtualMemory  ... 98631680, 1048576, ) == 0x0
 02777   896   NtAllocateVirtualMemory  (-1, 99672064, 0, 8192, 4096, 4, ... 99672064, 8192, ) == 0x0
 02778   896   NtProtectVirtualMemory  (-1, (0x5f0e000), 4096, 260, ... (0x5f0e000), 4096, 4, ) == 0x0
 02779   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1252, 504}, ) == 0x0
 02780   896   NtQueryInformationThread  (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1252,Tid=504,}, 0x0, ) == 0x0
 02781   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81987, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0\370\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0\370\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81988, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0\370\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0\370\1\0\0" )  ) == 0x0
 02782   896   NtResumeThread  (704, ... 1, ) == 0x0
 02783   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 99680256, 1048576, ) == 0x0
 02784   896   NtAllocateVirtualMemory  (-1, 100720640, 0, 8192, 4096, 4, ... 100720640, 8192, ) == 0x0
 02785   504   NtWaitForSingleObject  (128, 0, 0x0, ...
 02786   896   NtProtectVirtualMemory  (-1, (0x600e000), 4096, 260, ... (0x600e000), 4096, 4, ) == 0x0
 02787   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1252, 800}, ) == 0x0
 02788   896   NtQueryInformationThread  (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1252,Tid=800,}, 0x0, ) == 0x0
 02789   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81988, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0 \3\0\0" ... {28, 56, reply, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0 \3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81989, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0 \3\0\0" ... {28, 56, reply, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0 \3\0\0" )  ) == 0x0
 02790   896   NtResumeThread  (708, ... 1, ) == 0x0
 02791   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02792   800   NtWaitForSingleObject  (128, 0, 0x0, ...
 02791   896   NtAllocateVirtualMemory  ... 100728832, 1048576, ) == 0x0
 02793   896   NtAllocateVirtualMemory  (-1, 101769216, 0, 8192, 4096, 4, ... 101769216, 8192, ) == 0x0
 02794   896   NtProtectVirtualMemory  (-1, (0x610e000), 4096, 260, ... (0x610e000), 4096, 4, ) == 0x0
 02795   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1252, 1176}, ) == 0x0
 02796   896   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1252,Tid=1176,}, 0x0, ) == 0x0
 02797   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81989, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\230\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\230\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81990, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\230\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\230\4\0\0" )  ) == 0x0
 02798   896   NtResumeThread  (712, ... 1, ) == 0x0
 02799   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 101777408, 1048576, ) == 0x0
 02800   896   NtAllocateVirtualMemory  (-1, 102817792, 0, 8192, 4096, 4, ... 102817792, 8192, ) == 0x0
 02801  1176   NtWaitForSingleObject  (128, 0, 0x0, ...
 02802   896   NtProtectVirtualMemory  (-1, (0x620e000), 4096, 260, ... (0x620e000), 4096, 4, ) == 0x0
 02803   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1252, 1828}, ) == 0x0
 02804   896   NtQueryInformationThread  (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1252,Tid=1828,}, 0x0, ) == 0x0
 02805   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81990, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0$\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0$\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81991, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0$\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0$\7\0\0" )  ) == 0x0
 02806   896   NtResumeThread  (716, ... 1, ) == 0x0
 02807   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02808  1828   NtWaitForSingleObject  (128, 0, 0x0, ...
 02807   896   NtAllocateVirtualMemory  ... 102825984, 1048576, ) == 0x0
 02809   896   NtAllocateVirtualMemory  (-1, 103866368, 0, 8192, 4096, 4, ... 103866368, 8192, ) == 0x0
 02810   896   NtProtectVirtualMemory  (-1, (0x630e000), 4096, 260, ... (0x630e000), 4096, 4, ) == 0x0
 02811   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1252, 1028}, ) == 0x0
 02812   896   NtQueryInformationThread  (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1252,Tid=1028,}, 0x0, ) == 0x0
 02813   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81991, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\4\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\4\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81992, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\4\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\4\4\0\0" )  ) == 0x0
 02814   896   NtResumeThread  (720, ... 1, ) == 0x0
 02815   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 103874560, 1048576, ) == 0x0
 02816   896   NtAllocateVirtualMemory  (-1, 104914944, 0, 8192, 4096, 4, ... 104914944, 8192, ) == 0x0
 02817  1028   NtWaitForSingleObject  (128, 0, 0x0, ...
 02818   896   NtProtectVirtualMemory  (-1, (0x640e000), 4096, 260, ... (0x640e000), 4096, 4, ) == 0x0
 02819   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1252, 2012}, ) == 0x0
 02820   896   NtQueryInformationThread  (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1252,Tid=2012,}, 0x0, ) == 0x0
 02821   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81992, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0\334\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0\334\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81993, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0\334\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0\334\7\0\0" )  ) == 0x0
 02822   896   NtResumeThread  (724, ... 1, ) == 0x0
 02823   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02824  2012   NtWaitForSingleObject  (128, 0, 0x0, ...
 02823   896   NtAllocateVirtualMemory  ... 104923136, 1048576, ) == 0x0
 02825   896   NtAllocateVirtualMemory  (-1, 105963520, 0, 8192, 4096, 4, ... 105963520, 8192, ) == 0x0
 02826   896   NtProtectVirtualMemory  (-1, (0x650e000), 4096, 260, ... (0x650e000), 4096, 4, ) == 0x0
 02827   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {1252, 1168}, ) == 0x0
 02828   896   NtQueryInformationThread  (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=1252,Tid=1168,}, 0x0, ) == 0x0
 02829   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81993, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\220\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81994, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\220\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\220\4\0\0" )  ) == 0x0
 02830   896   NtResumeThread  (728, ... 1, ) == 0x0
 02831   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 105971712, 1048576, ) == 0x0
 02832   896   NtAllocateVirtualMemory  (-1, 107012096, 0, 8192, 4096, 4, ... 107012096, 8192, ) == 0x0
 02833  1168   NtWaitForSingleObject  (128, 0, 0x0, ...
 02834   896   NtProtectVirtualMemory  (-1, (0x660e000), 4096, 260, ... (0x660e000), 4096, 4, ) == 0x0
 02835   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {1252, 1528}, ) == 0x0
 02836   896   NtQueryInformationThread  (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=1252,Tid=1528,}, 0x0, ) == 0x0
 02837   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81994, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0\370\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0\370\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81995, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0\370\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0\370\5\0\0" )  ) == 0x0
 02838   896   NtResumeThread  (732, ... 1, ) == 0x0
 02839   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02840  1528   NtWaitForSingleObject  (128, 0, 0x0, ...
 02839   896   NtAllocateVirtualMemory  ... 107020288, 1048576, ) == 0x0
 02841   896   NtAllocateVirtualMemory  (-1, 108060672, 0, 8192, 4096, 4, ... 108060672, 8192, ) == 0x0
 02842   896   NtProtectVirtualMemory  (-1, (0x670e000), 4096, 260, ... (0x670e000), 4096, 4, ) == 0x0
 02843   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 736, {1252, 928}, ) == 0x0
 02844   896   NtQueryInformationThread  (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=1252,Tid=928,}, 0x0, ) == 0x0
 02845   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81995, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\0\240\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\0\240\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81996, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\0\240\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\0\240\3\0\0" )  ) == 0x0
 02846   896   NtResumeThread  (736, ... 1, ) == 0x0
 02847   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 108068864, 1048576, ) == 0x0
 02848   896   NtAllocateVirtualMemory  (-1, 109109248, 0, 8192, 4096, 4, ... 109109248, 8192, ) == 0x0
 02849   928   NtWaitForSingleObject  (128, 0, 0x0, ...
 02850   896   NtProtectVirtualMemory  (-1, (0x680e000), 4096, 260, ... (0x680e000), 4096, 4, ) == 0x0
 02851   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {1252, 428}, ) == 0x0
 02852   896   NtQueryInformationThread  (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=1252,Tid=428,}, 0x0, ) == 0x0
 02853   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81996, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0\254\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0\254\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81997, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0\254\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0\254\1\0\0" )  ) == 0x0
 02854   896   NtResumeThread  (740, ... 1, ) == 0x0
 02855   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02856   428   NtWaitForSingleObject  (128, 0, 0x0, ...
 02855   896   NtAllocateVirtualMemory  ... 109117440, 1048576, ) == 0x0
 02857   896   NtAllocateVirtualMemory  (-1, 110157824, 0, 8192, 4096, 4, ... 110157824, 8192, ) == 0x0
 02858   896   NtProtectVirtualMemory  (-1, (0x690e000), 4096, 260, ... (0x690e000), 4096, 4, ) == 0x0
 02859   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {1252, 1732}, ) == 0x0
 02860   896   NtQueryInformationThread  (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=1252,Tid=1732,}, 0x0, ) == 0x0
 02861   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81997, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\304\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\304\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81998, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\304\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\304\6\0\0" )  ) == 0x0
 02862   896   NtResumeThread  (744, ... 1, ) == 0x0
 02863   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 110166016, 1048576, ) == 0x0
 02864   896   NtAllocateVirtualMemory  (-1, 111206400, 0, 8192, 4096, 4, ... 111206400, 8192, ) == 0x0
 02865  1732   NtWaitForSingleObject  (128, 0, 0x0, ...
 02866   896   NtProtectVirtualMemory  (-1, (0x6a0e000), 4096, 260, ... (0x6a0e000), 4096, 4, ) == 0x0
 02867   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 748, {1252, 748}, ) == 0x0
 02868   896   NtQueryInformationThread  (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=1252,Tid=748,}, 0x0, ) == 0x0
 02869   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81998, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\354\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\354\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81999, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\354\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\354\2\0\0" )  ) == 0x0
 02870   896   NtResumeThread  (748, ... 1, ) == 0x0
 02871   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02872   748   NtWaitForSingleObject  (128, 0, 0x0, ...
 02871   896   NtAllocateVirtualMemory  ... 111214592, 1048576, ) == 0x0
 02873   896   NtAllocateVirtualMemory  (-1, 112254976, 0, 8192, 4096, 4, ... 112254976, 8192, ) == 0x0
 02874   896   NtProtectVirtualMemory  (-1, (0x6b0e000), 4096, 260, ... (0x6b0e000), 4096, 4, ) == 0x0
 02875   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {1252, 900}, ) == 0x0
 02876   896   NtQueryInformationThread  (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=1252,Tid=900,}, 0x0, ) == 0x0
 02877   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81999, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\204\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\204\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82000, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\204\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\204\3\0\0" )  ) == 0x0
 02878   896   NtResumeThread  (752, ... 1, ) == 0x0
 02879   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 112263168, 1048576, ) == 0x0
 02880   896   NtAllocateVirtualMemory  (-1, 113303552, 0, 8192, 4096, 4, ... 113303552, 8192, ) == 0x0
 02881   900   NtWaitForSingleObject  (128, 0, 0x0, ...
 02882   896   NtProtectVirtualMemory  (-1, (0x6c0e000), 4096, 260, ... (0x6c0e000), 4096, 4, ) == 0x0
 02883   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {1252, 1388}, ) == 0x0
 02884   896   NtQueryInformationThread  (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=1252,Tid=1388,}, 0x0, ) == 0x0
 02885   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82000, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0l\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82001, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0l\5\0\0" )  ) == 0x0
 02886   896   NtResumeThread  (756, ... 1, ) == 0x0
 02887   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02888  1388   NtWaitForSingleObject  (128, 0, 0x0, ...
 02887   896   NtAllocateVirtualMemory  ... 113311744, 1048576, ) == 0x0
 02889   896   NtAllocateVirtualMemory  (-1, 114352128, 0, 8192, 4096, 4, ... 114352128, 8192, ) == 0x0
 02890   896   NtProtectVirtualMemory  (-1, (0x6d0e000), 4096, 260, ... (0x6d0e000), 4096, 4, ) == 0x0
 02891   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {1252, 2036}, ) == 0x0
 02892   896   NtQueryInformationThread  (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=1252,Tid=2036,}, 0x0, ) == 0x0
 02893   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82001, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\364\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\364\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82002, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\364\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\364\7\0\0" )  ) == 0x0
 02894   896   NtResumeThread  (760, ... 1, ) == 0x0
 02895   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 114360320, 1048576, ) == 0x0
 02896   896   NtAllocateVirtualMemory  (-1, 115400704, 0, 8192, 4096, 4, ... 115400704, 8192, ) == 0x0
 02897  2036   NtWaitForSingleObject  (128, 0, 0x0, ...
 02898   896   NtProtectVirtualMemory  (-1, (0x6e0e000), 4096, 260, ... (0x6e0e000), 4096, 4, ) == 0x0
 02899   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 764, {1252, 1372}, ) == 0x0
 02900   896   NtQueryInformationThread  (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=1252,Tid=1372,}, 0x0, ) == 0x0
 02901   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82002, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\344\4\0\0\\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\344\4\0\0\\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82003, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\344\4\0\0\\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\344\4\0\0\\5\0\0" )  ) == 0x0
 02902   896   NtResumeThread  (764, ... 1, ) == 0x0
 02903   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02904  1372   NtWaitForSingleObject  (128, 0, 0x0, ...
 02903   896   NtAllocateVirtualMemory  ... 115408896, 1048576, ) == 0x0
 02905   896   NtAllocateVirtualMemory  (-1, 116449280, 0, 8192, 4096, 4, ... 116449280, 8192, ) == 0x0
 02906   896   NtProtectVirtualMemory  (-1, (0x6f0e000), 4096, 260, ... (0x6f0e000), 4096, 4, ) == 0x0
 02907   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 768, {1252, 1600}, ) == 0x0
 02908   896   NtQueryInformationThread  (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=1252,Tid=1600,}, 0x0, ) == 0x0
 02909   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82003, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0@\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0@\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82004, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0@\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0@\6\0\0" )  ) == 0x0
 02910   896   NtResumeThread  (768, ... 1, ) == 0x0
 02911   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 116457472, 1048576, ) == 0x0
 02912   896   NtAllocateVirtualMemory  (-1, 117497856, 0, 8192, 4096, 4, ... 117497856, 8192, ) == 0x0
 02913  1600   NtWaitForSingleObject  (128, 0, 0x0, ...
 02914   896   NtProtectVirtualMemory  (-1, (0x700e000), 4096, 260, ... (0x700e000), 4096, 4, ) == 0x0
 02915   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 772, {1252, 1948}, ) == 0x0
 02916   896   NtQueryInformationThread  (772, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=1252,Tid=1948,}, 0x0, ) == 0x0
 02917   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82004, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\344\4\0\0\234\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\344\4\0\0\234\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82005, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\344\4\0\0\234\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\344\4\0\0\234\7\0\0" )  ) == 0x0
 02918   896   NtResumeThread  (772, ... 1, ) == 0x0
 02919   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02920  1948   NtWaitForSingleObject  (128, 0, 0x0, ...
 02919   896   NtAllocateVirtualMemory  ... 117506048, 1048576, ) == 0x0
 02921   896   NtAllocateVirtualMemory  (-1, 118546432, 0, 8192, 4096, 4, ... 118546432, 8192, ) == 0x0
 02922   896   NtProtectVirtualMemory  (-1, (0x710e000), 4096, 260, ... (0x710e000), 4096, 4, ) == 0x0
 02923   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 776, {1252, 252}, ) == 0x0
 02924   896   NtQueryInformationThread  (776, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=1252,Tid=252,}, 0x0, ) == 0x0
 02925   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82005, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\344\4\0\0\374\0\0\0" ... {28, 56, reply, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\344\4\0\0\374\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82006, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\344\4\0\0\374\0\0\0" ... {28, 56, reply, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\344\4\0\0\374\0\0\0" )  ) == 0x0
 02926   896   NtResumeThread  (776, ... 1, ) == 0x0
 02927   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 118554624, 1048576, ) == 0x0
 02928   896   NtAllocateVirtualMemory  (-1, 119595008, 0, 8192, 4096, 4, ... 119595008, 8192, ) == 0x0
 02929   252   NtWaitForSingleObject  (128, 0, 0x0, ...
 02930   896   NtProtectVirtualMemory  (-1, (0x720e000), 4096, 260, ... (0x720e000), 4096, 4, ) == 0x0
 02931   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 780, {1252, 1300}, ) == 0x0
 02932   896   NtQueryInformationThread  (780, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=1252,Tid=1300,}, 0x0, ) == 0x0
 02933   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82006, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\344\4\0\0\24\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\344\4\0\0\24\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82007, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\344\4\0\0\24\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\344\4\0\0\24\5\0\0" )  ) == 0x0
 02934   896   NtResumeThread  (780, ... 1, ) == 0x0
 02935   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02936  1300   NtWaitForSingleObject  (128, 0, 0x0, ...
 02935   896   NtAllocateVirtualMemory  ... 119603200, 1048576, ) == 0x0
 02937   896   NtAllocateVirtualMemory  (-1, 120643584, 0, 8192, 4096, 4, ... 120643584, 8192, ) == 0x0
 02938   896   NtProtectVirtualMemory  (-1, (0x730e000), 4096, 260, ... (0x730e000), 4096, 4, ) == 0x0
 02939   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 784, {1252, 1096}, ) == 0x0
 02940   896   NtQueryInformationThread  (784, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=1252,Tid=1096,}, 0x0, ) == 0x0
 02941   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82007, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\344\4\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82008, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\344\4\0\0H\4\0\0" )  ) == 0x0
 02942   896   NtResumeThread  (784, ... 1, ) == 0x0
 02943   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 120651776, 1048576, ) == 0x0
 02944   896   NtAllocateVirtualMemory  (-1, 121692160, 0, 8192, 4096, 4, ... 121692160, 8192, ) == 0x0
 02945  1096   NtWaitForSingleObject  (128, 0, 0x0, ...
 02946   896   NtProtectVirtualMemory  (-1, (0x740e000), 4096, 260, ... (0x740e000), 4096, 4, ) == 0x0
 02947   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 788, {1252, 1708}, ) == 0x0
 02948   896   NtQueryInformationThread  (788, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=1252,Tid=1708,}, 0x0, ) == 0x0
 02949   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82008, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\344\4\0\0\254\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\344\4\0\0\254\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82009, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\344\4\0\0\254\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\344\4\0\0\254\6\0\0" )  ) == 0x0
 02950   896   NtResumeThread  (788, ... 1, ) == 0x0
 02951   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02952  1708   NtWaitForSingleObject  (128, 0, 0x0, ...
 02951   896   NtAllocateVirtualMemory  ... 121700352, 1048576, ) == 0x0
 02953   896   NtAllocateVirtualMemory  (-1, 122740736, 0, 8192, 4096, 4, ... 122740736, 8192, ) == 0x0
 02954   896   NtProtectVirtualMemory  (-1, (0x750e000), 4096, 260, ... (0x750e000), 4096, 4, ) == 0x0
 02955   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 792, {1252, 1024}, ) == 0x0
 02956   896   NtQueryInformationThread  (792, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=1252,Tid=1024,}, 0x0, ) == 0x0
 02957   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82009, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\344\4\0\0\0\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\344\4\0\0\0\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82010, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\344\4\0\0\0\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\344\4\0\0\0\4\0\0" )  ) == 0x0
 02958   896   NtResumeThread  (792, ... 1, ) == 0x0
 02959   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 122748928, 1048576, ) == 0x0
 02960   896   NtAllocateVirtualMemory  (-1, 123789312, 0, 8192, 4096, 4, ... 123789312, 8192, ) == 0x0
 02961  1024   NtWaitForSingleObject  (128, 0, 0x0, ...
 02962   896   NtProtectVirtualMemory  (-1, (0x760e000), 4096, 260, ... (0x760e000), 4096, 4, ) == 0x0
 02963   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 796, {1252, 500}, ) == 0x0
 02964   896   NtQueryInformationThread  (796, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=1252,Tid=500,}, 0x0, ) == 0x0
 02965   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82010, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\344\4\0\0\364\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\344\4\0\0\364\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82011, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\344\4\0\0\364\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\344\4\0\0\364\1\0\0" )  ) == 0x0
 02966   896   NtResumeThread  (796, ... 1, ) == 0x0
 02967   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02968   500   NtWaitForSingleObject  (128, 0, 0x0, ...
 02967   896   NtAllocateVirtualMemory  ... 123797504, 1048576, ) == 0x0
 02969   896   NtAllocateVirtualMemory  (-1, 124837888, 0, 8192, 4096, 4, ... 124837888, 8192, ) == 0x0
 02970   896   NtProtectVirtualMemory  (-1, (0x770e000), 4096, 260, ... (0x770e000), 4096, 4, ) == 0x0
 02971   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 800, {1252, 1776}, ) == 0x0
 02972   896   NtQueryInformationThread  (800, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=1252,Tid=1776,}, 0x0, ) == 0x0
 02973   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82011, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0\344\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0\344\4\0\0\360\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82012, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0\344\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0\344\4\0\0\360\6\0\0" )  ) == 0x0
 02974   896   NtResumeThread  (800, ... 1, ) == 0x0
 02975   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 124846080, 1048576, ) == 0x0
 02976   896   NtAllocateVirtualMemory  (-1, 125886464, 0, 8192, 4096, 4, ... 125886464, 8192, ) == 0x0
 02977  1776   NtWaitForSingleObject  (128, 0, 0x0, ...
 02978   896   NtProtectVirtualMemory  (-1, (0x780e000), 4096, 260, ... (0x780e000), 4096, 4, ) == 0x0
 02979   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 804, {1252, 1324}, ) == 0x0
 02980   896   NtQueryInformationThread  (804, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=1252,Tid=1324,}, 0x0, ) == 0x0
 02981   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82012, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\3\0\0\344\4\0\0,\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\3\0\0\344\4\0\0,\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82013, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\3\0\0\344\4\0\0,\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\3\0\0\344\4\0\0,\5\0\0" )  ) == 0x0
 02982   896   NtResumeThread  (804, ... 1, ) == 0x0
 02983   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02984  1324   NtWaitForSingleObject  (128, 0, 0x0, ...
 02983   896   NtAllocateVirtualMemory  ... 125894656, 1048576, ) == 0x0
 02985   896   NtAllocateVirtualMemory  (-1, 126935040, 0, 8192, 4096, 4, ... 126935040, 8192, ) == 0x0
 02986   896   NtProtectVirtualMemory  (-1, (0x790e000), 4096, 260, ... (0x790e000), 4096, 4, ) == 0x0
 02987   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 808, {1252, 248}, ) == 0x0
 02988   896   NtQueryInformationThread  (808, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=1252,Tid=248,}, 0x0, ) == 0x0
 02989   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82013, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\344\4\0\0\370\0\0\0" ... {28, 56, reply, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\344\4\0\0\370\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82014, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\344\4\0\0\370\0\0\0" ... {28, 56, reply, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\344\4\0\0\370\0\0\0" )  ) == 0x0
 02990   896   NtResumeThread  (808, ... 1, ) == 0x0
 02991   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 126943232, 1048576, ) == 0x0
 02992   896   NtAllocateVirtualMemory  (-1, 127983616, 0, 8192, 4096, 4, ... 127983616, 8192, ) == 0x0
 02993   248   NtWaitForSingleObject  (128, 0, 0x0, ...
 02994   896   NtProtectVirtualMemory  (-1, (0x7a0e000), 4096, 260, ... (0x7a0e000), 4096, 4, ) == 0x0
 02995   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 812, {1252, 1884}, ) == 0x0
 02996   896   NtQueryInformationThread  (812, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff43000,Pid=1252,Tid=1884,}, 0x0, ) == 0x0
 02997   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82014, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\3\0\0\344\4\0\0\\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\3\0\0\344\4\0\0\\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82015, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\3\0\0\344\4\0\0\\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\3\0\0\344\4\0\0\\7\0\0" )  ) == 0x0
 02998   896   NtResumeThread  (812, ... 1, ) == 0x0
 02999   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03000  1884   NtWaitForSingleObject  (128, 0, 0x0, ...
 02999   896   NtAllocateVirtualMemory  ... 127991808, 1048576, ) == 0x0
 03001   896   NtAllocateVirtualMemory  (-1, 129032192, 0, 8192, 4096, 4, ... 129032192, 8192, ) == 0x0
 03002   896   NtProtectVirtualMemory  (-1, (0x7b0e000), 4096, 260, ... (0x7b0e000), 4096, 4, ) == 0x0
 03003   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 816, {1252, 1308}, ) == 0x0
 03004   896   NtQueryInformationThread  (816, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff42000,Pid=1252,Tid=1308,}, 0x0, ) == 0x0
 03005   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82015, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\344\4\0\0\34\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\344\4\0\0\34\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82016, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\344\4\0\0\34\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\344\4\0\0\34\5\0\0" )  ) == 0x0
 03006   896   NtResumeThread  (816, ... 1, ) == 0x0
 03007   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 129040384, 1048576, ) == 0x0
 03008   896   NtAllocateVirtualMemory  (-1, 130080768, 0, 8192, 4096, 4, ... 130080768, 8192, ) == 0x0
 03009  1308   NtWaitForSingleObject  (128, 0, 0x0, ...
 03010   896   NtProtectVirtualMemory  (-1, (0x7c0e000), 4096, 260, ... (0x7c0e000), 4096, 4, ) == 0x0
 03011   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 820, {1252, 1676}, ) == 0x0
 03012   896   NtQueryInformationThread  (820, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff41000,Pid=1252,Tid=1676,}, 0x0, ) == 0x0
 03013   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82016, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\344\4\0\0\214\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\344\4\0\0\214\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82017, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\344\4\0\0\214\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\344\4\0\0\214\6\0\0" )  ) == 0x0
 03014   896   NtResumeThread  (820, ... 1, ) == 0x0
 03015   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 130088960, 1048576, ) == 0x0
 03016   896   NtAllocateVirtualMemory  (-1, 131129344, 0, 8192, 4096, 4, ... 131129344, 8192, ) == 0x0
 03017  1676   NtWaitForSingleObject  (128, 0, 0x0, ...
 03018   896   NtProtectVirtualMemory  (-1, (0x7d0e000), 4096, 260, ... (0x7d0e000), 4096, 4, ) == 0x0
 03019   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 824, {1252, 1620}, ) == 0x0
 03020   896   NtQueryInformationThread  (824, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff40000,Pid=1252,Tid=1620,}, 0x0, ) == 0x0
 03021   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82017, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\344\4\0\0T\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\344\4\0\0T\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82018, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\344\4\0\0T\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\344\4\0\0T\6\0\0" )  ) == 0x0
 03022   896   NtResumeThread  (824, ... 1, ) == 0x0
 03023   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03024  1620   NtWaitForSingleObject  (128, 0, 0x0, ...
 03023   896   NtAllocateVirtualMemory  ... 131137536, 1048576, ) == 0x0
 03025   896   NtAllocateVirtualMemory  (-1, 132177920, 0, 8192, 4096, 4, ... 132177920, 8192, ) == 0x0
 03026   896   NtProtectVirtualMemory  (-1, (0x7e0e000), 4096, 260, ... (0x7e0e000), 4096, 4, ) == 0x0
 03027   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 828, {1252, 440}, ) == 0x0
 03028   896   NtQueryInformationThread  (828, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3f000,Pid=1252,Tid=440,}, 0x0, ) == 0x0
 03029   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82018, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0\344\4\0\0\270\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0\344\4\0\0\270\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82019, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0\344\4\0\0\270\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0\344\4\0\0\270\1\0\0" )  ) == 0x0
 03030   896   NtResumeThread  (828, ... 1, ) == 0x0
 03031   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 132186112, 1048576, ) == 0x0
 03032   896   NtAllocateVirtualMemory  (-1, 133226496, 0, 8192, 4096, 4, ... 133226496, 8192, ) == 0x0
 03033   440   NtWaitForSingleObject  (128, 0, 0x0, ...
 03034   896   NtProtectVirtualMemory  (-1, (0x7f0e000), 4096, 260, ... (0x7f0e000), 4096, 4, ) == 0x0
 03035   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 832, {1252, 588}, ) == 0x0
 03036   896   NtQueryInformationThread  (832, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3e000,Pid=1252,Tid=588,}, 0x0, ) == 0x0
 03037   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82019, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\344\4\0\0L\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\344\4\0\0L\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82020, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\344\4\0\0L\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\344\4\0\0L\2\0\0" )  ) == 0x0
 03038   896   NtResumeThread  (832, ... 1, ) == 0x0
 03039   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03040   588   NtWaitForSingleObject  (128, 0, 0x0, ...
 03039   896   NtAllocateVirtualMemory  ... 133234688, 1048576, ) == 0x0
 03041   896   NtAllocateVirtualMemory  (-1, 134275072, 0, 8192, 4096, 4, ... 134275072, 8192, ) == 0x0
 03042   896   NtProtectVirtualMemory  (-1, (0x800e000), 4096, 260, ... (0x800e000), 4096, 4, ) == 0x0
 03043   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 836, {1252, 1376}, ) == 0x0
 03044   896   NtQueryInformationThread  (836, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3d000,Pid=1252,Tid=1376,}, 0x0, ) == 0x0
 03045   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82020, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0\344\4\0\0`\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0\344\4\0\0`\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82021, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0\344\4\0\0`\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0\344\4\0\0`\5\0\0" )  ) == 0x0
 03046   896   NtResumeThread  (836, ... 1, ) == 0x0
 03047   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 134283264, 1048576, ) == 0x0
 03048   896   NtAllocateVirtualMemory  (-1, 135323648, 0, 8192, 4096, 4, ... 135323648, 8192, ) == 0x0
 03049  1376   NtWaitForSingleObject  (128, 0, 0x0, ...
 03050   896   NtProtectVirtualMemory  (-1, (0x810e000), 4096, 260, ... (0x810e000), 4096, 4, ) == 0x0
 03051   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 840, {1252, 724}, ) == 0x0
 03052   896   NtQueryInformationThread  (840, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3c000,Pid=1252,Tid=724,}, 0x0, ) == 0x0
 03053   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82021, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\344\4\0\0\324\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\344\4\0\0\324\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82022, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\344\4\0\0\324\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\344\4\0\0\324\2\0\0" )  ) == 0x0
 03054   896   NtResumeThread  (840, ... 1, ) == 0x0
 03055   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03056   724   NtWaitForSingleObject  (128, 0, 0x0, ...
 03055   896   NtAllocateVirtualMemory  ... 135331840, 1048576, ) == 0x0
 03057   896   NtAllocateVirtualMemory  (-1, 136372224, 0, 8192, 4096, 4, ... 136372224, 8192, ) == 0x0
 03058   896   NtProtectVirtualMemory  (-1, (0x820e000), 4096, 260, ... (0x820e000), 4096, 4, ) == 0x0
 03059   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 844, {1252, 1276}, ) == 0x0
 03060   896   NtQueryInformationThread  (844, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3b000,Pid=1252,Tid=1276,}, 0x0, ) == 0x0
 03061   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82022, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\3\0\0\344\4\0\0\374\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\3\0\0\344\4\0\0\374\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82023, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\3\0\0\344\4\0\0\374\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\3\0\0\344\4\0\0\374\4\0\0" )  ) == 0x0
 03062   896   NtResumeThread  (844, ... 1, ) == 0x0
 03063   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 136380416, 1048576, ) == 0x0
 03064   896   NtAllocateVirtualMemory  (-1, 137420800, 0, 8192, 4096, 4, ... 137420800, 8192, ) == 0x0
 03065  1276   NtWaitForSingleObject  (128, 0, 0x0, ...
 03066   896   NtProtectVirtualMemory  (-1, (0x830e000), 4096, 260, ... (0x830e000), 4096, 4, ) == 0x0
 03067   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 848, {1252, 220}, ) == 0x0
 03068   896   NtQueryInformationThread  (848, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3a000,Pid=1252,Tid=220,}, 0x0, ) == 0x0
 03069   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82023, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\344\4\0\0\334\0\0\0" ... {28, 56, reply, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\344\4\0\0\334\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82024, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\344\4\0\0\334\0\0\0" ... {28, 56, reply, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\344\4\0\0\334\0\0\0" )  ) == 0x0
 03070   896   NtResumeThread  (848, ... 1, ) == 0x0
 03071   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03072   220   NtWaitForSingleObject  (128, 0, 0x0, ...
 03071   896   NtAllocateVirtualMemory  ... 137428992, 1048576, ) == 0x0
 03073   896   NtAllocateVirtualMemory  (-1, 138469376, 0, 8192, 4096, 4, ... 138469376, 8192, ) == 0x0
 03074   896   NtProtectVirtualMemory  (-1, (0x840e000), 4096, 260, ... (0x840e000), 4096, 4, ) == 0x0
 03075   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 852, {1252, 1636}, ) == 0x0
 03076   896   NtQueryInformationThread  (852, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff39000,Pid=1252,Tid=1636,}, 0x0, ) == 0x0
 03077   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82024, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\344\4\0\0d\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\344\4\0\0d\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82025, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\344\4\0\0d\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\344\4\0\0d\6\0\0" )  ) == 0x0
 03078   896   NtResumeThread  (852, ... 1, ) == 0x0
 03079   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 138477568, 1048576, ) == 0x0
 03080   896   NtAllocateVirtualMemory  (-1, 139517952, 0, 8192, 4096, 4, ... 139517952, 8192, ) == 0x0
 03081  1636   NtWaitForSingleObject  (128, 0, 0x0, ...
 03082   896   NtProtectVirtualMemory  (-1, (0x850e000), 4096, 260, ... (0x850e000), 4096, 4, ) == 0x0
 03083   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 856, {1252, 704}, ) == 0x0
 03084   896   NtQueryInformationThread  (856, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff38000,Pid=1252,Tid=704,}, 0x0, ) == 0x0
 03085   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82025, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\344\4\0\0\300\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\344\4\0\0\300\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82026, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\344\4\0\0\300\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\344\4\0\0\300\2\0\0" )  ) == 0x0
 03086   896   NtResumeThread  (856, ... 1, ) == 0x0
 03087   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03088   704   NtWaitForSingleObject  (128, 0, 0x0, ...
 03087   896   NtAllocateVirtualMemory  ... 139526144, 1048576, ) == 0x0
 03089   896   NtAllocateVirtualMemory  (-1, 140566528, 0, 8192, 4096, 4, ... 140566528, 8192, ) == 0x0
 03090   896   NtProtectVirtualMemory  (-1, (0x860e000), 4096, 260, ... (0x860e000), 4096, 4, ) == 0x0
 03091   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 860, {1252, 1228}, ) == 0x0
 03092   896   NtQueryInformationThread  (860, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff37000,Pid=1252,Tid=1228,}, 0x0, ) == 0x0
 03093   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82026, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\344\4\0\0\314\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\344\4\0\0\314\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82027, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\344\4\0\0\314\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\344\4\0\0\314\4\0\0" )  ) == 0x0
 03094   896   NtResumeThread  (860, ... 1, ) == 0x0
 03095   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 140574720, 1048576, ) == 0x0
 03096   896   NtAllocateVirtualMemory  (-1, 141615104, 0, 8192, 4096, 4, ... 141615104, 8192, ) == 0x0
 03097  1228   NtWaitForSingleObject  (128, 0, 0x0, ...
 03098   896   NtProtectVirtualMemory  (-1, (0x870e000), 4096, 260, ... (0x870e000), 4096, 4, ) == 0x0
 03099   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 864, {1252, 888}, ) == 0x0
 03100   896   NtQueryInformationThread  (864, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff36000,Pid=1252,Tid=888,}, 0x0, ) == 0x0
 03101   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82027, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\344\4\0\0x\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\344\4\0\0x\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82028, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\344\4\0\0x\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\344\4\0\0x\3\0\0" )  ) == 0x0
 03102   896   NtResumeThread  (864, ... 1, ) == 0x0
 03103   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03104   888   NtWaitForSingleObject  (128, 0, 0x0, ...
 03103   896   NtAllocateVirtualMemory  ... 141623296, 1048576, ) == 0x0
 03105   896   NtAllocateVirtualMemory  (-1, 142663680, 0, 8192, 4096, 4, ... 142663680, 8192, ) == 0x0
 03106   896   NtProtectVirtualMemory  (-1, (0x880e000), 4096, 260, ... (0x880e000), 4096, 4, ) == 0x0
 03107   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 868, {1252, 1120}, ) == 0x0
 03108   896   NtQueryInformationThread  (868, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff35000,Pid=1252,Tid=1120,}, 0x0, ) == 0x0
 03109   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82028, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\344\4\0\0`\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\344\4\0\0`\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82029, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\344\4\0\0`\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\344\4\0\0`\4\0\0" )  ) == 0x0
 03110   896   NtResumeThread  (868, ... 1, ) == 0x0
 03111   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 142671872, 1048576, ) == 0x0
 03112   896   NtAllocateVirtualMemory  (-1, 143712256, 0, 8192, 4096, 4, ... 143712256, 8192, ) == 0x0
 03113  1120   NtWaitForSingleObject  (128, 0, 0x0, ...
 03114   896   NtProtectVirtualMemory  (-1, (0x890e000), 4096, 260, ... (0x890e000), 4096, 4, ) == 0x0
 03115   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 872, {1252, 876}, ) == 0x0
 03116   896   NtQueryInformationThread  (872, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff34000,Pid=1252,Tid=876,}, 0x0, ) == 0x0
 03117   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82029, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\344\4\0\0l\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\344\4\0\0l\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82030, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\344\4\0\0l\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\344\4\0\0l\3\0\0" )  ) == 0x0
 03118   896   NtResumeThread  (872, ... 1, ) == 0x0
 03119   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03120   876   NtWaitForSingleObject  (128, 0, 0x0, ...
 03119   896   NtAllocateVirtualMemory  ... 143720448, 1048576, ) == 0x0
 03121   896   NtAllocateVirtualMemory  (-1, 144760832, 0, 8192, 4096, 4, ... 144760832, 8192, ) == 0x0
 03122   896   NtProtectVirtualMemory  (-1, (0x8a0e000), 4096, 260, ... (0x8a0e000), 4096, 4, ) == 0x0
 03123   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 876, {1252, 1104}, ) == 0x0
 03124   896   NtQueryInformationThread  (876, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff33000,Pid=1252,Tid=1104,}, 0x0, ) == 0x0
 03125   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82030, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\344\4\0\0P\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\344\4\0\0P\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82031, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\344\4\0\0P\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\344\4\0\0P\4\0\0" )  ) == 0x0
 03126   896   NtResumeThread  (876, ... 1, ) == 0x0
 03127   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 144769024, 1048576, ) == 0x0
 03128   896   NtAllocateVirtualMemory  (-1, 145809408, 0, 8192, 4096, 4, ... 145809408, 8192, ) == 0x0
 03129  1104   NtWaitForSingleObject  (128, 0, 0x0, ...
 03130   896   NtProtectVirtualMemory  (-1, (0x8b0e000), 4096, 260, ... (0x8b0e000), 4096, 4, ) == 0x0
 03131   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 880, {1252, 1516}, ) == 0x0
 03132   896   NtQueryInformationThread  (880, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff32000,Pid=1252,Tid=1516,}, 0x0, ) == 0x0
 03133   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82031, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\344\4\0\0\354\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\344\4\0\0\354\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82032, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\344\4\0\0\354\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\344\4\0\0\354\5\0\0" )  ) == 0x0
 03134   896   NtResumeThread  (880, ... 1, ) == 0x0
 03135   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03136  1516   NtWaitForSingleObject  (128, 0, 0x0, ...
 03135   896   NtAllocateVirtualMemory  ... 145817600, 1048576, ) == 0x0
 03137   896   NtAllocateVirtualMemory  (-1, 146857984, 0, 8192, 4096, 4, ... 146857984, 8192, ) == 0x0
 03138   896   NtProtectVirtualMemory  (-1, (0x8c0e000), 4096, 260, ... (0x8c0e000), 4096, 4, ) == 0x0
 03139   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 884, {1252, 1268}, ) == 0x0
 03140   896   NtQueryInformationThread  (884, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff31000,Pid=1252,Tid=1268,}, 0x0, ) == 0x0
 03141   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82032, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\344\4\0\0\364\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\344\4\0\0\364\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82033, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\344\4\0\0\364\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\344\4\0\0\364\4\0\0" )  ) == 0x0
 03142   896   NtResumeThread  (884, ... 1, ) == 0x0
 03143   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 146866176, 1048576, ) == 0x0
 03144   896   NtAllocateVirtualMemory  (-1, 147906560, 0, 8192, 4096, 4, ... 147906560, 8192, ) == 0x0
 03145  1268   NtWaitForSingleObject  (128, 0, 0x0, ...
 03146   896   NtProtectVirtualMemory  (-1, (0x8d0e000), 4096, 260, ... (0x8d0e000), 4096, 4, ) == 0x0
 03147   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 888, {1252, 380}, ) == 0x0
 03148   896   NtQueryInformationThread  (888, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff30000,Pid=1252,Tid=380,}, 0x0, ) == 0x0
 03149   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82033, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\344\4\0\0|\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\344\4\0\0|\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82034, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\344\4\0\0|\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\344\4\0\0|\1\0\0" )  ) == 0x0
 03150   896   NtResumeThread  (888, ... 1, ) == 0x0
 03151   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03152   380   NtWaitForSingleObject  (128, 0, 0x0, ...
 03151   896   NtAllocateVirtualMemory  ... 147914752, 1048576, ) == 0x0
 03153   896   NtAllocateVirtualMemory  (-1, 148955136, 0, 8192, 4096, 4, ... 148955136, 8192, ) == 0x0
 03154   896   NtProtectVirtualMemory  (-1, (0x8e0e000), 4096, 260, ... (0x8e0e000), 4096, 4, ) == 0x0
 03155   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 892, {1252, 1564}, ) == 0x0
 03156   896   NtQueryInformationThread  (892, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2f000,Pid=1252,Tid=1564,}, 0x0, ) == 0x0
 03157   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82034, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\344\4\0\0\34\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\344\4\0\0\34\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82035, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\344\4\0\0\34\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\344\4\0\0\34\6\0\0" )  ) == 0x0
 03158   896   NtResumeThread  (892, ... 1, ) == 0x0
 03159   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 148963328, 1048576, ) == 0x0
 03160   896   NtAllocateVirtualMemory  (-1, 150003712, 0, 8192, 4096, 4, ... 150003712, 8192, ) == 0x0
 03161  1564   NtWaitForSingleObject  (128, 0, 0x0, ...
 03162   896   NtProtectVirtualMemory  (-1, (0x8f0e000), 4096, 260, ... (0x8f0e000), 4096, 4, ) == 0x0
 03163   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 896, {1252, 1964}, ) == 0x0
 03164   896   NtQueryInformationThread  (896, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2e000,Pid=1252,Tid=1964,}, 0x0, ) == 0x0
 03165   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82035, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\344\4\0\0\254\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\344\4\0\0\254\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82036, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\344\4\0\0\254\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\344\4\0\0\254\7\0\0" )  ) == 0x0
 03166   896   NtResumeThread  (896, ... 1, ) == 0x0
 03167   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03168  1964   NtWaitForSingleObject  (128, 0, 0x0, ...
 03167   896   NtAllocateVirtualMemory  ... 150011904, 1048576, ) == 0x0
 03169   896   NtAllocateVirtualMemory  (-1, 151052288, 0, 8192, 4096, 4, ... 151052288, 8192, ) == 0x0
 03170   896   NtProtectVirtualMemory  (-1, (0x900e000), 4096, 260, ... (0x900e000), 4096, 4, ) == 0x0
 03171   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 900, {1252, 1568}, ) == 0x0
 03172   896   NtQueryInformationThread  (900, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2d000,Pid=1252,Tid=1568,}, 0x0, ) == 0x0
 03173   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82036, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\344\4\0\0 \6\0\0" ... {28, 56, reply, 0, 1252, 896, 82037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\344\4\0\0 \6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82037, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\344\4\0\0 \6\0\0" ... {28, 56, reply, 0, 1252, 896, 82037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\344\4\0\0 \6\0\0" )  ) == 0x0
 03174   896   NtResumeThread  (900, ... 1, ) == 0x0
 03175   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 151060480, 1048576, ) == 0x0
 03176   896   NtAllocateVirtualMemory  (-1, 152100864, 0, 8192, 4096, 4, ... 152100864, 8192, ) == 0x0
 03177  1568   NtWaitForSingleObject  (128, 0, 0x0, ...
 03178   896   NtProtectVirtualMemory  (-1, (0x910e000), 4096, 260, ... (0x910e000), 4096, 4, ) == 0x0
 03179   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 904, {1252, 1624}, ) == 0x0
 03180   896   NtQueryInformationThread  (904, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2c000,Pid=1252,Tid=1624,}, 0x0, ) == 0x0
 03181   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82037, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\344\4\0\0X\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\344\4\0\0X\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82038, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\344\4\0\0X\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\344\4\0\0X\6\0\0" )  ) == 0x0
 03182   896   NtResumeThread  (904, ... 1, ) == 0x0
 03183   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03184  1624   NtWaitForSingleObject  (128, 0, 0x0, ...
 03183   896   NtAllocateVirtualMemory  ... 152109056, 1048576, ) == 0x0
 03185   896   NtAllocateVirtualMemory  (-1, 153149440, 0, 8192, 4096, 4, ... 153149440, 8192, ) == 0x0
 03186   896   NtProtectVirtualMemory  (-1, (0x920e000), 4096, 260, ... (0x920e000), 4096, 4, ) == 0x0
 03187   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 908, {1252, 1716}, ) == 0x0
 03188   896   NtQueryInformationThread  (908, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2b000,Pid=1252,Tid=1716,}, 0x0, ) == 0x0
 03189   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82038, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\344\4\0\0\264\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\344\4\0\0\264\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82039, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\344\4\0\0\264\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\344\4\0\0\264\6\0\0" )  ) == 0x0
 03190   896   NtResumeThread  (908, ... 1, ) == 0x0
 03191   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 153157632, 1048576, ) == 0x0
 03192   896   NtAllocateVirtualMemory  (-1, 154198016, 0, 8192, 4096, 4, ... 154198016, 8192, ) == 0x0
 03193  1716   NtWaitForSingleObject  (128, 0, 0x0, ...
 03194   896   NtProtectVirtualMemory  (-1, (0x930e000), 4096, 260, ... (0x930e000), 4096, 4, ) == 0x0
 03195   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 912, {1252, 1664}, ) == 0x0
 03196   896   NtQueryInformationThread  (912, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2a000,Pid=1252,Tid=1664,}, 0x0, ) == 0x0
 03197   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82039, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\344\4\0\0\200\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\344\4\0\0\200\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82040, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\344\4\0\0\200\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\344\4\0\0\200\6\0\0" )  ) == 0x0
 03198   896   NtResumeThread  (912, ... 1, ) == 0x0
 03199   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03200  1664   NtWaitForSingleObject  (128, 0, 0x0, ...
 03199   896   NtAllocateVirtualMemory  ... 154206208, 1048576, ) == 0x0
 03201   896   NtAllocateVirtualMemory  (-1, 155246592, 0, 8192, 4096, 4, ... 155246592, 8192, ) == 0x0
 03202   896   NtProtectVirtualMemory  (-1, (0x940e000), 4096, 260, ... (0x940e000), 4096, 4, ) == 0x0
 03203   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 916, {1252, 760}, ) == 0x0
 03204   896   NtQueryInformationThread  (916, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff29000,Pid=1252,Tid=760,}, 0x0, ) == 0x0
 03205   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82040, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\344\4\0\0\370\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\344\4\0\0\370\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82041, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\344\4\0\0\370\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\344\4\0\0\370\2\0\0" )  ) == 0x0
 03206   896   NtResumeThread  (916, ... 1, ) == 0x0
 03207   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 155254784, 1048576, ) == 0x0
 03208   896   NtAllocateVirtualMemory  (-1, 156295168, 0, 8192, 4096, 4, ... 156295168, 8192, ) == 0x0
 03209   760   NtWaitForSingleObject  (128, 0, 0x0, ...
 03210   896   NtProtectVirtualMemory  (-1, (0x950e000), 4096, 260, ... (0x950e000), 4096, 4, ) == 0x0
 03211   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 920, {1252, 1580}, ) == 0x0
 03212   896   NtQueryInformationThread  (920, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff28000,Pid=1252,Tid=1580,}, 0x0, ) == 0x0
 03213   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82041, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\344\4\0\0,\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\344\4\0\0,\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82042, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\344\4\0\0,\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\344\4\0\0,\6\0\0" )  ) == 0x0
 03214   896   NtResumeThread  (920, ... 1, ) == 0x0
 03215   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03216  1580   NtWaitForSingleObject  (128, 0, 0x0, ...
 03215   896   NtAllocateVirtualMemory  ... 156303360, 1048576, ) == 0x0
 03217   896   NtAllocateVirtualMemory  (-1, 157343744, 0, 8192, 4096, 4, ... 157343744, 8192, ) == 0x0
 03218   896   NtProtectVirtualMemory  (-1, (0x960e000), 4096, 260, ... (0x960e000), 4096, 4, ) == 0x0
 03219   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 924, {1252, 2052}, ) == 0x0
 03220   896   NtQueryInformationThread  (924, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff27000,Pid=1252,Tid=2052,}, 0x0, ) == 0x0
 03221   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82042, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0\344\4\0\0\4\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0\344\4\0\0\4\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82043, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0\344\4\0\0\4\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0\344\4\0\0\4\10\0\0" )  ) == 0x0
 03222   896   NtResumeThread  (924, ... 1, ) == 0x0
 03223   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03224  2052   NtWaitForSingleObject  (128, 0, 0x0, ...
 03223   896   NtAllocateVirtualMemory  ... 157351936, 1048576, ) == 0x0
 03225   896   NtAllocateVirtualMemory  (-1, 158392320, 0, 8192, 4096, 4, ... 158392320, 8192, ) == 0x0
 03226   896   NtProtectVirtualMemory  (-1, (0x970e000), 4096, 260, ... (0x970e000), 4096, 4, ) == 0x0
 03227   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 928, {1252, 2056}, ) == 0x0
 03228   896   NtQueryInformationThread  (928, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff26000,Pid=1252,Tid=2056,}, 0x0, ) == 0x0
 03229   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82043, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\344\4\0\0\10\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\344\4\0\0\10\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82044, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\344\4\0\0\10\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\344\4\0\0\10\10\0\0" )  ) == 0x0
 03230   896   NtResumeThread  (928, ... 1, ) == 0x0
 03231   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 158400512, 1048576, ) == 0x0
 03232   896   NtAllocateVirtualMemory  (-1, 159440896, 0, 8192, 4096, 4, ... 159440896, 8192, ) == 0x0
 03233  2056   NtWaitForSingleObject  (128, 0, 0x0, ...
 03234   896   NtProtectVirtualMemory  (-1, (0x980e000), 4096, 260, ... (0x980e000), 4096, 4, ) == 0x0
 03235   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 932, {1252, 2060}, ) == 0x0
 03236   896   NtQueryInformationThread  (932, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff25000,Pid=1252,Tid=2060,}, 0x0, ) == 0x0
 03237   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82044, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\344\4\0\0\14\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\344\4\0\0\14\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82045, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\344\4\0\0\14\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\344\4\0\0\14\10\0\0" )  ) == 0x0
 03238   896   NtResumeThread  (932, ... 1, ) == 0x0
 03239   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03240  2060   NtWaitForSingleObject  (128, 0, 0x0, ...
 03239   896   NtAllocateVirtualMemory  ... 159449088, 1048576, ) == 0x0
 03241   896   NtAllocateVirtualMemory  (-1, 160489472, 0, 8192, 4096, 4, ... 160489472, 8192, ) == 0x0
 03242   896   NtProtectVirtualMemory  (-1, (0x990e000), 4096, 260, ... (0x990e000), 4096, 4, ) == 0x0
 03243   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 936, {1252, 2064}, ) == 0x0
 03244   896   NtQueryInformationThread  (936, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff24000,Pid=1252,Tid=2064,}, 0x0, ) == 0x0
 03245   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82045, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\344\4\0\0\20\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\344\4\0\0\20\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82046, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\344\4\0\0\20\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\344\4\0\0\20\10\0\0" )  ) == 0x0
 03246   896   NtResumeThread  (936, ... 1, ) == 0x0
 03247   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 160497664, 1048576, ) == 0x0
 03248   896   NtAllocateVirtualMemory  (-1, 161538048, 0, 8192, 4096, 4, ... 161538048, 8192, ) == 0x0
 03249  2064   NtWaitForSingleObject  (128, 0, 0x0, ...
 03250   896   NtProtectVirtualMemory  (-1, (0x9a0e000), 4096, 260, ... (0x9a0e000), 4096, 4, ) == 0x0
 03251   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 940, {1252, 2068}, ) == 0x0
 03252   896   NtQueryInformationThread  (940, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff23000,Pid=1252,Tid=2068,}, 0x0, ) == 0x0
 03253   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82046, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0\344\4\0\0\24\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0\344\4\0\0\24\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82047, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0\344\4\0\0\24\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0\344\4\0\0\24\10\0\0" )  ) == 0x0
 03254   896   NtResumeThread  (940, ... 1, ) == 0x0
 03255   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03256  2068   NtWaitForSingleObject  (128, 0, 0x0, ...
 03255   896   NtAllocateVirtualMemory  ... 161546240, 1048576, ) == 0x0
 03257   896   NtAllocateVirtualMemory  (-1, 162586624, 0, 8192, 4096, 4, ... 162586624, 8192, ) == 0x0
 03258   896   NtProtectVirtualMemory  (-1, (0x9b0e000), 4096, 260, ... (0x9b0e000), 4096, 4, ) == 0x0
 03259   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 944, {1252, 2072}, ) == 0x0
 03260   896   NtQueryInformationThread  (944, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff22000,Pid=1252,Tid=2072,}, 0x0, ) == 0x0
 03261   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82047, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\344\4\0\0\30\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\344\4\0\0\30\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82048, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\344\4\0\0\30\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\344\4\0\0\30\10\0\0" )  ) == 0x0
 03262   896   NtResumeThread  (944, ... 1, ) == 0x0
 03263   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 162594816, 1048576, ) == 0x0
 03264   896   NtAllocateVirtualMemory  (-1, 163635200, 0, 8192, 4096, 4, ... 163635200, 8192, ) == 0x0
 03265  2072   NtWaitForSingleObject  (128, 0, 0x0, ...
 03266   896   NtProtectVirtualMemory  (-1, (0x9c0e000), 4096, 260, ... (0x9c0e000), 4096, 4, ) == 0x0
 03267   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 948, {1252, 2076}, ) == 0x0
 03268   896   NtQueryInformationThread  (948, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff21000,Pid=1252,Tid=2076,}, 0x0, ) == 0x0
 03269   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82048, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\344\4\0\0\34\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\344\4\0\0\34\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82049, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\344\4\0\0\34\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\344\4\0\0\34\10\0\0" )  ) == 0x0
 03270   896   NtResumeThread  (948, ... 1, ) == 0x0
 03271   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03272  2076   NtWaitForSingleObject  (128, 0, 0x0, ...
 03271   896   NtAllocateVirtualMemory  ... 163643392, 1048576, ) == 0x0
 03273   896   NtAllocateVirtualMemory  (-1, 164683776, 0, 8192, 4096, 4, ... 164683776, 8192, ) == 0x0
 03274   896   NtProtectVirtualMemory  (-1, (0x9d0e000), 4096, 260, ... (0x9d0e000), 4096, 4, ) == 0x0
 03275   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 952, {1252, 2080}, ) == 0x0
 03276   896   NtQueryInformationThread  (952, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff20000,Pid=1252,Tid=2080,}, 0x0, ) == 0x0
 03277   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82049, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\344\4\0\0 \10\0\0" ... {28, 56, reply, 0, 1252, 896, 82050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\344\4\0\0 \10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82050, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\344\4\0\0 \10\0\0" ... {28, 56, reply, 0, 1252, 896, 82050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\344\4\0\0 \10\0\0" )  ) == 0x0
 03278   896   NtResumeThread  (952, ... 1, ) == 0x0
 03279   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 164691968, 1048576, ) == 0x0
 03280   896   NtAllocateVirtualMemory  (-1, 165732352, 0, 8192, 4096, 4, ... 165732352, 8192, ) == 0x0
 03281  2080   NtWaitForSingleObject  (128, 0, 0x0, ...
 03282   896   NtProtectVirtualMemory  (-1, (0x9e0e000), 4096, 260, ... (0x9e0e000), 4096, 4, ) == 0x0
 03283   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 956, {1252, 2084}, ) == 0x0
 03284   896   NtQueryInformationThread  (956, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1f000,Pid=1252,Tid=2084,}, 0x0, ) == 0x0
 03285   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82050, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\344\4\0\0$\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\344\4\0\0$\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82051, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\344\4\0\0$\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\344\4\0\0$\10\0\0" )  ) == 0x0
 03286   896   NtResumeThread  (956, ... 1, ) == 0x0
 03287   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03288  2084   NtWaitForSingleObject  (128, 0, 0x0, ...
 03287   896   NtAllocateVirtualMemory  ... 165740544, 1048576, ) == 0x0
 03289   896   NtAllocateVirtualMemory  (-1, 166780928, 0, 8192, 4096, 4, ... 166780928, 8192, ) == 0x0
 03290   896   NtProtectVirtualMemory  (-1, (0x9f0e000), 4096, 260, ... (0x9f0e000), 4096, 4, ) == 0x0
 03291   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 960, {1252, 2088}, ) == 0x0
 03292   896   NtQueryInformationThread  (960, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1e000,Pid=1252,Tid=2088,}, 0x0, ) == 0x0
 03293   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82051, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\344\4\0\0(\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\344\4\0\0(\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82052, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\344\4\0\0(\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\344\4\0\0(\10\0\0" )  ) == 0x0
 03294   896   NtResumeThread  (960, ... 1, ) == 0x0
 03295   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 166789120, 1048576, ) == 0x0
 03296   896   NtAllocateVirtualMemory  (-1, 167829504, 0, 8192, 4096, 4, ... 167829504, 8192, ) == 0x0
 03297  2088   NtWaitForSingleObject  (128, 0, 0x0, ...
 03298   896   NtProtectVirtualMemory  (-1, (0xa00e000), 4096, 260, ... (0xa00e000), 4096, 4, ) == 0x0
 03299   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 964, {1252, 2092}, ) == 0x0
 03300   896   NtQueryInformationThread  (964, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1d000,Pid=1252,Tid=2092,}, 0x0, ) == 0x0
 03301   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82052, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0\344\4\0\0,\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0\344\4\0\0,\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82053, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0\344\4\0\0,\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0\344\4\0\0,\10\0\0" )  ) == 0x0
 03302   896   NtResumeThread  (964, ... 1, ) == 0x0
 03303   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03304  2092   NtWaitForSingleObject  (128, 0, 0x0, ...
 03303   896   NtAllocateVirtualMemory  ... 167837696, 1048576, ) == 0x0
 03305   896   NtAllocateVirtualMemory  (-1, 168878080, 0, 8192, 4096, 4, ... 168878080, 8192, ) == 0x0
 03306   896   NtProtectVirtualMemory  (-1, (0xa10e000), 4096, 260, ... (0xa10e000), 4096, 4, ) == 0x0
 03307   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 968, {1252, 2100}, ) == 0x0
 03308   896   NtQueryInformationThread  (968, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1c000,Pid=1252,Tid=2100,}, 0x0, ) == 0x0
 03309   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82053, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\344\4\0\04\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\344\4\0\04\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82054, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\344\4\0\04\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\344\4\0\04\10\0\0" )  ) == 0x0
 03310   896   NtResumeThread  (968, ... 1, ) == 0x0
 03311   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 168886272, 1048576, ) == 0x0
 03312   896   NtAllocateVirtualMemory  (-1, 169926656, 0, 8192, 4096, 4, ... 169926656, 8192, ) == 0x0
 03313  2100   NtWaitForSingleObject  (128, 0, 0x0, ...
 03314   896   NtProtectVirtualMemory  (-1, (0xa20e000), 4096, 260, ... (0xa20e000), 4096, 4, ) == 0x0
 03315   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 972, {1252, 2104}, ) == 0x0
 03316   896   NtQueryInformationThread  (972, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1b000,Pid=1252,Tid=2104,}, 0x0, ) == 0x0
 03317   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82054, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\3\0\0\344\4\0\08\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\3\0\0\344\4\0\08\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82055, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\3\0\0\344\4\0\08\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\3\0\0\344\4\0\08\10\0\0" )  ) == 0x0
 03318   896   NtResumeThread  (972, ... 1, ) == 0x0
 03319   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03320  2104   NtWaitForSingleObject  (128, 0, 0x0, ...
 03319   896   NtAllocateVirtualMemory  ... 169934848, 1048576, ) == 0x0
 03321   896   NtAllocateVirtualMemory  (-1, 170975232, 0, 8192, 4096, 4, ... 170975232, 8192, ) == 0x0
 03322   896   NtProtectVirtualMemory  (-1, (0xa30e000), 4096, 260, ... (0xa30e000), 4096, 4, ) == 0x0
 03323   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 976, {1252, 2112}, ) == 0x0
 03324   896   NtQueryInformationThread  (976, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1a000,Pid=1252,Tid=2112,}, 0x0, ) == 0x0
 03325   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82055, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0\344\4\0\0@\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0\344\4\0\0@\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82056, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0\344\4\0\0@\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0\344\4\0\0@\10\0\0" )  ) == 0x0
 03326   896   NtResumeThread  (976, ... 1, ) == 0x0
 03327   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 170983424, 1048576, ) == 0x0
 03328   896   NtAllocateVirtualMemory  (-1, 172023808, 0, 8192, 4096, 4, ... 172023808, 8192, ) == 0x0
 03329  2112   NtWaitForSingleObject  (128, 0, 0x0, ...
 03330   896   NtProtectVirtualMemory  (-1, (0xa40e000), 4096, 260, ... (0xa40e000), 4096, 4, ) == 0x0
 03331   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 980, {1252, 2116}, ) == 0x0
 03332   896   NtQueryInformationThread  (980, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff19000,Pid=1252,Tid=2116,}, 0x0, ) == 0x0
 03333   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82056, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0\344\4\0\0D\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0\344\4\0\0D\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82057, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0\344\4\0\0D\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0\344\4\0\0D\10\0\0" )  ) == 0x0
 03334   896   NtResumeThread  (980, ... 1, ) == 0x0
 03335   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03336  2116   NtWaitForSingleObject  (128, 0, 0x0, ...
 03335   896   NtAllocateVirtualMemory  ... 172032000, 1048576, ) == 0x0
 03337   896   NtAllocateVirtualMemory  (-1, 173072384, 0, 8192, 4096, 4, ... 173072384, 8192, ) == 0x0
 03338   896   NtProtectVirtualMemory  (-1, (0xa50e000), 4096, 260, ... (0xa50e000), 4096, 4, ) == 0x0
 03339   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 984, {1252, 2120}, ) == 0x0
 03340   896   NtQueryInformationThread  (984, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff18000,Pid=1252,Tid=2120,}, 0x0, ) == 0x0
 03341   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82057, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0\344\4\0\0H\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0\344\4\0\0H\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82058, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0\344\4\0\0H\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0\344\4\0\0H\10\0\0" )  ) == 0x0
 03342   896   NtResumeThread  (984, ... 1, ) == 0x0
 03343   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 173080576, 1048576, ) == 0x0
 03344   896   NtAllocateVirtualMemory  (-1, 174120960, 0, 8192, 4096, 4, ... 174120960, 8192, ) == 0x0
 03345  2120   NtWaitForSingleObject  (128, 0, 0x0, ...
 03346   896   NtProtectVirtualMemory  (-1, (0xa60e000), 4096, 260, ... (0xa60e000), 4096, 4, ) == 0x0
 03347   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 988, {1252, 2128}, ) == 0x0
 03348   896   NtQueryInformationThread  (988, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff17000,Pid=1252,Tid=2128,}, 0x0, ) == 0x0
 03349   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82058, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\344\4\0\0P\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\344\4\0\0P\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82059, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\344\4\0\0P\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\344\4\0\0P\10\0\0" )  ) == 0x0
 03350   896   NtResumeThread  (988, ... 1, ) == 0x0
 03351   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03352  2128   NtWaitForSingleObject  (128, 0, 0x0, ...
 03351   896   NtAllocateVirtualMemory  ... 174129152, 1048576, ) == 0x0
 03353   896   NtAllocateVirtualMemory  (-1, 175169536, 0, 8192, 4096, 4, ... 175169536, 8192, ) == 0x0
 03354   896   NtProtectVirtualMemory  (-1, (0xa70e000), 4096, 260, ... (0xa70e000), 4096, 4, ) == 0x0
 03355   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 992, {1252, 2136}, ) == 0x0
 03356   896   NtQueryInformationThread  (992, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff16000,Pid=1252,Tid=2136,}, 0x0, ) == 0x0
 03357   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82059, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0\344\4\0\0X\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0\344\4\0\0X\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82060, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0\344\4\0\0X\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0\344\4\0\0X\10\0\0" )  ) == 0x0
 03358   896   NtResumeThread  (992, ... 1, ) == 0x0
 03359   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 175177728, 1048576, ) == 0x0
 03360   896   NtAllocateVirtualMemory  (-1, 176218112, 0, 8192, 4096, 4, ... 176218112, 8192, ) == 0x0
 03361  2136   NtWaitForSingleObject  (128, 0, 0x0, ...
 03362   896   NtProtectVirtualMemory  (-1, (0xa80e000), 4096, 260, ... (0xa80e000), 4096, 4, ) == 0x0
 03363   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 996, {1252, 2140}, ) == 0x0
 03364   896   NtQueryInformationThread  (996, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff15000,Pid=1252,Tid=2140,}, 0x0, ) == 0x0
 03365   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82060, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\3\0\0\344\4\0\0\\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\3\0\0\344\4\0\0\\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82061, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\3\0\0\344\4\0\0\\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\3\0\0\344\4\0\0\\10\0\0" )  ) == 0x0
 03366   896   NtResumeThread  (996, ... 1, ) == 0x0
 03367   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03368  2140   NtWaitForSingleObject  (128, 0, 0x0, ...
 03367   896   NtAllocateVirtualMemory  ... 176226304, 1048576, ) == 0x0
 03369   896   NtAllocateVirtualMemory  (-1, 177266688, 0, 8192, 4096, 4, ... 177266688, 8192, ) == 0x0
 03370   896   NtProtectVirtualMemory  (-1, (0xa90e000), 4096, 260, ... (0xa90e000), 4096, 4, ) == 0x0
 03371   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1000, {1252, 2144}, ) == 0x0
 03372   896   NtQueryInformationThread  (1000, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff14000,Pid=1252,Tid=2144,}, 0x0, ) == 0x0
 03373   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82061, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\344\4\0\0`\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\344\4\0\0`\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82062, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\344\4\0\0`\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\344\4\0\0`\10\0\0" )  ) == 0x0
 03374   896   NtResumeThread  (1000, ... 1, ) == 0x0
 03375   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 177274880, 1048576, ) == 0x0
 03376   896   NtAllocateVirtualMemory  (-1, 178315264, 0, 8192, 4096, 4, ... 178315264, 8192, ) == 0x0
 03377  2144   NtWaitForSingleObject  (128, 0, 0x0, ...
 03378   896   NtProtectVirtualMemory  (-1, (0xaa0e000), 4096, 260, ... (0xaa0e000), 4096, 4, ) == 0x0
 03379   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1004, {1252, 2148}, ) == 0x0
 03380   896   NtQueryInformationThread  (1004, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff13000,Pid=1252,Tid=2148,}, 0x0, ) == 0x0
 03381   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82062, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\3\0\0\344\4\0\0d\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\3\0\0\344\4\0\0d\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82063, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\3\0\0\344\4\0\0d\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\3\0\0\344\4\0\0d\10\0\0" )  ) == 0x0
 03382   896   NtResumeThread  (1004, ... 1, ) == 0x0
 03383   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03384  2148   NtWaitForSingleObject  (128, 0, 0x0, ...
 03383   896   NtAllocateVirtualMemory  ... 178323456, 1048576, ) == 0x0
 03385   896   NtAllocateVirtualMemory  (-1, 179363840, 0, 8192, 4096, 4, ... 179363840, 8192, ) == 0x0
 03386   896   NtProtectVirtualMemory  (-1, (0xab0e000), 4096, 260, ... (0xab0e000), 4096, 4, ) == 0x0
 03387   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1008, {1252, 2152}, ) == 0x0
 03388   896   NtQueryInformationThread  (1008, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff12000,Pid=1252,Tid=2152,}, 0x0, ) == 0x0
 03389   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82063, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\344\4\0\0h\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\344\4\0\0h\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82064, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\344\4\0\0h\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\344\4\0\0h\10\0\0" )  ) == 0x0
 03390   896   NtResumeThread  (1008, ... 1, ) == 0x0
 03391   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 179372032, 1048576, ) == 0x0
 03392   896   NtAllocateVirtualMemory  (-1, 180412416, 0, 8192, 4096, 4, ... 180412416, 8192, ) == 0x0
 03393  2152   NtWaitForSingleObject  (128, 0, 0x0, ...
 03394   896   NtProtectVirtualMemory  (-1, (0xac0e000), 4096, 260, ... (0xac0e000), 4096, 4, ) == 0x0
 03395   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1012, {1252, 2156}, ) == 0x0
 03396   896   NtQueryInformationThread  (1012, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff11000,Pid=1252,Tid=2156,}, 0x0, ) == 0x0
 03397   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82064, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\3\0\0\344\4\0\0l\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\3\0\0\344\4\0\0l\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82065, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\3\0\0\344\4\0\0l\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\3\0\0\344\4\0\0l\10\0\0" )  ) == 0x0
 03398   896   NtResumeThread  (1012, ... 1, ) == 0x0
 03399   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03400  2156   NtWaitForSingleObject  (128, 0, 0x0, ...
 03399   896   NtAllocateVirtualMemory  ... 180420608, 1048576, ) == 0x0
 03401   896   NtAllocateVirtualMemory  (-1, 181460992, 0, 8192, 4096, 4, ... 181460992, 8192, ) == 0x0
 03402   896   NtProtectVirtualMemory  (-1, (0xad0e000), 4096, 260, ... (0xad0e000), 4096, 4, ) == 0x0
 03403   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1016, {1252, 2160}, ) == 0x0
 03404   896   NtQueryInformationThread  (1016, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff10000,Pid=1252,Tid=2160,}, 0x0, ) == 0x0
 03405   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82065, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0\344\4\0\0p\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0\344\4\0\0p\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82066, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0\344\4\0\0p\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0\344\4\0\0p\10\0\0" )  ) == 0x0
 03406   896   NtResumeThread  (1016, ... 1, ) == 0x0
 03407   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 181469184, 1048576, ) == 0x0
 03408   896   NtAllocateVirtualMemory  (-1, 182509568, 0, 8192, 4096, 4, ... 182509568, 8192, ) == 0x0
 03409  2160   NtWaitForSingleObject  (128, 0, 0x0, ...
 03410   896   NtProtectVirtualMemory  (-1, (0xae0e000), 4096, 260, ... (0xae0e000), 4096, 4, ) == 0x0
 03411   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1020, {1252, 2168}, ) == 0x0
 03412   896   NtQueryInformationThread  (1020, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff0f000,Pid=1252,Tid=2168,}, 0x0, ) == 0x0
 03413   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82066, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0\344\4\0\0x\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0\344\4\0\0x\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82067, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0\344\4\0\0x\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0\344\4\0\0x\10\0\0" )  ) == 0x0
 03414   896   NtResumeThread  (1020, ... 1, ) == 0x0
 03415   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03416  2168   NtWaitForSingleObject  (128, 0, 0x0, ...
 03415   896   NtAllocateVirtualMemory  ... 182517760, 1048576, ) == 0x0
 03417   896   NtAllocateVirtualMemory  (-1, 183558144, 0, 8192, 4096, 4, ... 183558144, 8192, ) == 0x0
 03418   896   NtProtectVirtualMemory  (-1, (0xaf0e000), 4096, 260, ... (0xaf0e000), 4096, 4, ) == 0x0
 03419   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1024, {1252, 2176}, ) == 0x0
 03420   896   NtQueryInformationThread  (1024, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff0e000,Pid=1252,Tid=2176,}, 0x0, ) == 0x0
 03421   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82067, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0\344\4\0\0\200\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0\344\4\0\0\200\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82068, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0\344\4\0\0\200\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0\344\4\0\0\200\10\0\0" )  ) == 0x0
 03422   896   NtResumeThread  (1024, ... 1, ) == 0x0
 03423   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 183566336, 1048576, ) == 0x0
 03424   896   NtAllocateVirtualMemory  (-1, 184606720, 0, 8192, 4096, 4, ... 184606720, 8192, ) == 0x0
 03425  2176   NtWaitForSingleObject  (128, 0, 0x0, ...
 03426   896   NtProtectVirtualMemory  (-1, (0xb00e000), 4096, 260, ... (0xb00e000), 4096, 4, ) == 0x0
 03427   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1028, {1252, 2184}, ) == 0x0
 03428   896   NtQueryInformationThread  (1028, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff0d000,Pid=1252,Tid=2184,}, 0x0, ) == 0x0
 03429   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82068, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\4\0\0\344\4\0\0\210\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\4\0\0\344\4\0\0\210\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82069, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\4\0\0\344\4\0\0\210\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\4\0\0\344\4\0\0\210\10\0\0" )  ) == 0x0
 03430   896   NtResumeThread  (1028, ... 1, ) == 0x0
 03431   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03432  2184   NtWaitForSingleObject  (128, 0, 0x0, ...
 03431   896   NtAllocateVirtualMemory  ... 184614912, 1048576, ) == 0x0
 03433   896   NtAllocateVirtualMemory  (-1, 185655296, 0, 8192, 4096, 4, ... 185655296, 8192, ) == 0x0
 03434   896   NtProtectVirtualMemory  (-1, (0xb10e000), 4096, 260, ... (0xb10e000), 4096, 4, ) == 0x0
 03435   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1032, {1252, 2188}, ) == 0x0
 03436   896   NtQueryInformationThread  (1032, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff0c000,Pid=1252,Tid=2188,}, 0x0, ) == 0x0
 03437   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82069, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\344\4\0\0\214\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\344\4\0\0\214\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82070, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\344\4\0\0\214\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\344\4\0\0\214\10\0\0" )  ) == 0x0
 03438   896   NtResumeThread  (1032, ... 1, ) == 0x0
 03439   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 185663488, 1048576, ) == 0x0
 03440   896   NtAllocateVirtualMemory  (-1, 186703872, 0, 8192, 4096, 4, ... 186703872, 8192, ) == 0x0
 03441  2188   NtWaitForSingleObject  (128, 0, 0x0, ...
 03442   896   NtProtectVirtualMemory  (-1, (0xb20e000), 4096, 260, ... (0xb20e000), 4096, 4, ) == 0x0
 03443   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1036, {1252, 2192}, ) == 0x0
 03444   896   NtQueryInformationThread  (1036, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff0b000,Pid=1252,Tid=2192,}, 0x0, ) == 0x0
 03445   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82070, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\4\0\0\344\4\0\0\220\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\4\0\0\344\4\0\0\220\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82071, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\4\0\0\344\4\0\0\220\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\4\0\0\344\4\0\0\220\10\0\0" )  ) == 0x0
 03446   896   NtResumeThread  (1036, ... 1, ) == 0x0
 03447   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03448  2192   NtWaitForSingleObject  (128, 0, 0x0, ...
 03447   896   NtAllocateVirtualMemory  ... 186712064, 1048576, ) == 0x0
 03449   896   NtAllocateVirtualMemory  (-1, 187752448, 0, 8192, 4096, 4, ... 187752448, 8192, ) == 0x0
 03450   896   NtProtectVirtualMemory  (-1, (0xb30e000), 4096, 260, ... (0xb30e000), 4096, 4, ) == 0x0
 03451   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1040, {1252, 2196}, ) == 0x0
 03452   896   NtQueryInformationThread  (1040, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff0a000,Pid=1252,Tid=2196,}, 0x0, ) == 0x0
 03453   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82071, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\4\0\0\344\4\0\0\224\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\4\0\0\344\4\0\0\224\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82072, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\4\0\0\344\4\0\0\224\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\4\0\0\344\4\0\0\224\10\0\0" )  ) == 0x0
 03454   896   NtResumeThread  (1040, ... 1, ) == 0x0
 03455   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 187760640, 1048576, ) == 0x0
 03456   896   NtAllocateVirtualMemory  (-1, 188801024, 0, 8192, 4096, 4, ... 188801024, 8192, ) == 0x0
 03457  2196   NtWaitForSingleObject  (128, 0, 0x0, ...
 03458   896   NtProtectVirtualMemory  (-1, (0xb40e000), 4096, 260, ... (0xb40e000), 4096, 4, ) == 0x0
 03459   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1044, {1252, 2200}, ) == 0x0
 03460   896   NtQueryInformationThread  (1044, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff09000,Pid=1252,Tid=2200,}, 0x0, ) == 0x0
 03461   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82072, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\4\0\0\344\4\0\0\230\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\4\0\0\344\4\0\0\230\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82073, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\4\0\0\344\4\0\0\230\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\4\0\0\344\4\0\0\230\10\0\0" )  ) == 0x0
 03462   896   NtResumeThread  (1044, ... 1, ) == 0x0
 03463   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03464  2200   NtWaitForSingleObject  (128, 0, 0x0, ...
 03463   896   NtAllocateVirtualMemory  ... 188809216, 1048576, ) == 0x0
 03465   896   NtAllocateVirtualMemory  (-1, 189849600, 0, 8192, 4096, 4, ... 189849600, 8192, ) == 0x0
 03466   896   NtProtectVirtualMemory  (-1, (0xb50e000), 4096, 260, ... (0xb50e000), 4096, 4, ) == 0x0
 03467   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1048, {1252, 2204}, ) == 0x0
 03468   896   NtQueryInformationThread  (1048, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff08000,Pid=1252,Tid=2204,}, 0x0, ) == 0x0
 03469   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82073, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\344\4\0\0\234\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\344\4\0\0\234\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82074, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\344\4\0\0\234\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\344\4\0\0\234\10\0\0" )  ) == 0x0
 03470   896   NtResumeThread  (1048, ... 1, ) == 0x0
 03471   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 189857792, 1048576, ) == 0x0
 03472   896   NtAllocateVirtualMemory  (-1, 190898176, 0, 8192, 4096, 4, ... 190898176, 8192, ) == 0x0
 03473  2204   NtWaitForSingleObject  (128, 0, 0x0, ...
 03474   896   NtProtectVirtualMemory  (-1, (0xb60e000), 4096, 260, ... (0xb60e000), 4096, 4, ) == 0x0
 03475   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1052, {1252, 2208}, ) == 0x0
 03476   896   NtQueryInformationThread  (1052, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff07000,Pid=1252,Tid=2208,}, 0x0, ) == 0x0
 03477   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82074, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\4\0\0\344\4\0\0\240\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\4\0\0\344\4\0\0\240\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82075, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\4\0\0\344\4\0\0\240\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\4\0\0\344\4\0\0\240\10\0\0" )  ) == 0x0
 03478   896   NtResumeThread  (1052, ... 1, ) == 0x0
 03479   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03480  2208   NtWaitForSingleObject  (128, 0, 0x0, ...
 03479   896   NtAllocateVirtualMemory  ... 190906368, 1048576, ) == 0x0
 03481   896   NtAllocateVirtualMemory  (-1, 191946752, 0, 8192, 4096, 4, ... 191946752, 8192, ) == 0x0
 03482   896   NtProtectVirtualMemory  (-1, (0xb70e000), 4096, 260, ... (0xb70e000), 4096, 4, ) == 0x0
 03483   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1056, {1252, 2216}, ) == 0x0
 03484   896   NtQueryInformationThread  (1056, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff06000,Pid=1252,Tid=2216,}, 0x0, ) == 0x0
 03485   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82075, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\344\4\0\0\250\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\344\4\0\0\250\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82076, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\344\4\0\0\250\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\344\4\0\0\250\10\0\0" )  ) == 0x0
 03486   896   NtResumeThread  (1056, ... 1, ) == 0x0
 03487   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 191954944, 1048576, ) == 0x0
 03488   896   NtAllocateVirtualMemory  (-1, 192995328, 0, 8192, 4096, 4, ... 192995328, 8192, ) == 0x0
 03489  2216   NtWaitForSingleObject  (128, 0, 0x0, ...
 03490   896   NtProtectVirtualMemory  (-1, (0xb80e000), 4096, 260, ... (0xb80e000), 4096, 4, ) == 0x0
 03491   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1060, {1252, 2220}, ) == 0x0
 03492   896   NtQueryInformationThread  (1060, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff05000,Pid=1252,Tid=2220,}, 0x0, ) == 0x0
 03493   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82076, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\4\0\0\344\4\0\0\254\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\4\0\0\344\4\0\0\254\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82077, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\4\0\0\344\4\0\0\254\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\4\0\0\344\4\0\0\254\10\0\0" )  ) == 0x0
 03494   896   NtResumeThread  (1060, ... 1, ) == 0x0
 03495   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03496  2220   NtWaitForSingleObject  (128, 0, 0x0, ...
 03495   896   NtAllocateVirtualMemory  ... 193003520, 1048576, ) == 0x0
 03497   896   NtAllocateVirtualMemory  (-1, 194043904, 0, 8192, 4096, 4, ... 194043904, 8192, ) == 0x0
 03498   896   NtProtectVirtualMemory  (-1, (0xb90e000), 4096, 260, ... (0xb90e000), 4096, 4, ) == 0x0
 03499   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1064, {1252, 2228}, ) == 0x0
 03500   896   NtQueryInformationThread  (1064, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff04000,Pid=1252,Tid=2228,}, 0x0, ) == 0x0
 03501   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82077, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\344\4\0\0\264\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\344\4\0\0\264\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82078, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\344\4\0\0\264\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\344\4\0\0\264\10\0\0" )  ) == 0x0
 03502   896   NtResumeThread  (1064, ... 1, ) == 0x0
 03503   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 194052096, 1048576, ) == 0x0
 03504   896   NtAllocateVirtualMemory  (-1, 195092480, 0, 8192, 4096, 4, ... 195092480, 8192, ) == 0x0
 03505  2228   NtWaitForSingleObject  (128, 0, 0x0, ...
 03506   896   NtProtectVirtualMemory  (-1, (0xba0e000), 4096, 260, ... (0xba0e000), 4096, 4, ) == 0x0
 03507   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1068, {1252, 2232}, ) == 0x0
 03508   896   NtQueryInformationThread  (1068, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff03000,Pid=1252,Tid=2232,}, 0x0, ) == 0x0
 03509   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82078, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\4\0\0\344\4\0\0\270\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\4\0\0\344\4\0\0\270\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82079, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\4\0\0\344\4\0\0\270\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\4\0\0\344\4\0\0\270\10\0\0" )  ) == 0x0
 03510   896   NtResumeThread  (1068, ... 1, ) == 0x0
 03511   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03512  2232   NtWaitForSingleObject  (128, 0, 0x0, ...
 03511   896   NtAllocateVirtualMemory  ... 195100672, 1048576, ) == 0x0
 03513   896   NtAllocateVirtualMemory  (-1, 196141056, 0, 8192, 4096, 4, ... 196141056, 8192, ) == 0x0
 03514   896   NtProtectVirtualMemory  (-1, (0xbb0e000), 4096, 260, ... (0xbb0e000), 4096, 4, ) == 0x0
 03515   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1072, {1252, 2236}, ) == 0x0
 03516   896   NtQueryInformationThread  (1072, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff02000,Pid=1252,Tid=2236,}, 0x0, ) == 0x0
 03517   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82079, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\344\4\0\0\274\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\344\4\0\0\274\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82080, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\344\4\0\0\274\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\344\4\0\0\274\10\0\0" )  ) == 0x0
 03518   896   NtResumeThread  (1072, ... 1, ) == 0x0
 03519   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 196149248, 1048576, ) == 0x0
 03520   896   NtAllocateVirtualMemory  (-1, 197189632, 0, 8192, 4096, 4, ... 197189632, 8192, ) == 0x0
 03521  2236   NtWaitForSingleObject  (128, 0, 0x0, ...
 03522   896   NtProtectVirtualMemory  (-1, (0xbc0e000), 4096, 260, ... (0xbc0e000), 4096, 4, ) == 0x0
 03523   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1076, {1252, 2240}, ) == 0x0
 03524   896   NtQueryInformationThread  (1076, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff01000,Pid=1252,Tid=2240,}, 0x0, ) == 0x0
 03525   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82080, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\4\0\0\344\4\0\0\300\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\4\0\0\344\4\0\0\300\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82081, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\4\0\0\344\4\0\0\300\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\4\0\0\344\4\0\0\300\10\0\0" )  ) == 0x0
 03526   896   NtResumeThread  (1076, ... 1, ) == 0x0
 03527   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03528  2240   NtWaitForSingleObject  (128, 0, 0x0, ...
 03527   896   NtAllocateVirtualMemory  ... 197197824, 1048576, ) == 0x0
 03529   896   NtAllocateVirtualMemory  (-1, 198238208, 0, 8192, 4096, 4, ... 198238208, 8192, ) == 0x0
 03530   896   NtProtectVirtualMemory  (-1, (0xbd0e000), 4096, 260, ... (0xbd0e000), 4096, 4, ) == 0x0
 03531   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1080, {1252, 2244}, ) == 0x0
 03532   896   NtQueryInformationThread  (1080, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff00000,Pid=1252,Tid=2244,}, 0x0, ) == 0x0
 03533   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82081, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\4\0\0\344\4\0\0\304\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\4\0\0\344\4\0\0\304\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82082, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\4\0\0\344\4\0\0\304\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\4\0\0\344\4\0\0\304\10\0\0" )  ) == 0x0
 03534   896   NtResumeThread  (1080, ... 1, ) == 0x0
 03535   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 198246400, 1048576, ) == 0x0
 03536   896   NtAllocateVirtualMemory  (-1, 199286784, 0, 8192, 4096, 4, ... 199286784, 8192, ) == 0x0
 03537  2244   NtWaitForSingleObject  (128, 0, 0x0, ...
 03538   896   NtProtectVirtualMemory  (-1, (0xbe0e000), 4096, 260, ... (0xbe0e000), 4096, 4, ) == 0x0
 03539   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1084, {1252, 2248}, ) == 0x0
 03540   896   NtQueryInformationThread  (1084, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7feff000,Pid=1252,Tid=2248,}, 0x0, ) == 0x0
 03541   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82082, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\4\0\0\344\4\0\0\310\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\4\0\0\344\4\0\0\310\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82083, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\4\0\0\344\4\0\0\310\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\4\0\0\344\4\0\0\310\10\0\0" )  ) == 0x0
 03542   896   NtResumeThread  (1084, ... 1, ) == 0x0
 03543   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03544  2248   NtWaitForSingleObject  (128, 0, 0x0, ...
 03543   896   NtAllocateVirtualMemory  ... 199294976, 1048576, ) == 0x0
 03545   896   NtAllocateVirtualMemory  (-1, 200335360, 0, 8192, 4096, 4, ... 200335360, 8192, ) == 0x0
 03546   896   NtProtectVirtualMemory  (-1, (0xbf0e000), 4096, 260, ... (0xbf0e000), 4096, 4, ) == 0x0
 03547   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1088, {1252, 2256}, ) == 0x0
 03548   896   NtQueryInformationThread  (1088, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fefe000,Pid=1252,Tid=2256,}, 0x0, ) == 0x0
 03549   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82083, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\4\0\0\344\4\0\0\320\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\4\0\0\344\4\0\0\320\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82084, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\4\0\0\344\4\0\0\320\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\4\0\0\344\4\0\0\320\10\0\0" )  ) == 0x0
 03550   896   NtResumeThread  (1088, ... 1, ) == 0x0
 03551   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 200343552, 1048576, ) == 0x0
 03552   896   NtAllocateVirtualMemory  (-1, 201383936, 0, 8192, 4096, 4, ... 201383936, 8192, ) == 0x0
 03553  2256   NtWaitForSingleObject  (128, 0, 0x0, ...
 03554   896   NtProtectVirtualMemory  (-1, (0xc00e000), 4096, 260, ... (0xc00e000), 4096, 4, ) == 0x0
 03555   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1092, {1252, 2260}, ) == 0x0
 03556   896   NtQueryInformationThread  (1092, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fefd000,Pid=1252,Tid=2260,}, 0x0, ) == 0x0
 03557   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82084, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\4\0\0\344\4\0\0\324\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\4\0\0\344\4\0\0\324\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82085, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\4\0\0\344\4\0\0\324\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\4\0\0\344\4\0\0\324\10\0\0" )  ) == 0x0
 03558   896   NtResumeThread  (1092, ... 1, ) == 0x0
 03559   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03560  2260   NtWaitForSingleObject  (128, 0, 0x0, ...
 03559   896   NtAllocateVirtualMemory  ... 201392128, 1048576, ) == 0x0
 03561   896   NtAllocateVirtualMemory  (-1, 202432512, 0, 8192, 4096, 4, ... 202432512, 8192, ) == 0x0
 03562   896   NtProtectVirtualMemory  (-1, (0xc10e000), 4096, 260, ... (0xc10e000), 4096, 4, ) == 0x0
 03563   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1096, {1252, 2268}, ) == 0x0
 03564   896   NtQueryInformationThread  (1096, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fefc000,Pid=1252,Tid=2268,}, 0x0, ) == 0x0
 03565   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82085, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\344\4\0\0\334\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\344\4\0\0\334\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82086, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\344\4\0\0\334\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\344\4\0\0\334\10\0\0" )  ) == 0x0
 03566   896   NtResumeThread  (1096, ... 1, ) == 0x0
 03567   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 202440704, 1048576, ) == 0x0
 03568   896   NtAllocateVirtualMemory  (-1, 203481088, 0, 8192, 4096, 4, ... 203481088, 8192, ) == 0x0
 03569  2268   NtWaitForSingleObject  (128, 0, 0x0, ...
 03570   896   NtProtectVirtualMemory  (-1, (0xc20e000), 4096, 260, ... (0xc20e000), 4096, 4, ) == 0x0
 03571   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1100, {1252, 2272}, ) == 0x0
 03572   896   NtQueryInformationThread  (1100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fefb000,Pid=1252,Tid=2272,}, 0x0, ) == 0x0
 03573   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82086, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\4\0\0\344\4\0\0\340\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\4\0\0\344\4\0\0\340\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82087, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\4\0\0\344\4\0\0\340\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\4\0\0\344\4\0\0\340\10\0\0" )  ) == 0x0
 03574   896   NtResumeThread  (1100, ... 1, ) == 0x0
 03575   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03576  2272   NtWaitForSingleObject  (128, 0, 0x0, ...
 03575   896   NtAllocateVirtualMemory  ... 203489280, 1048576, ) == 0x0
 03577   896   NtAllocateVirtualMemory  (-1, 204529664, 0, 8192, 4096, 4, ... 204529664, 8192, ) == 0x0
 03578   896   NtProtectVirtualMemory  (-1, (0xc30e000), 4096, 260, ... (0xc30e000), 4096, 4, ) == 0x0
 03579   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1104, {1252, 2280}, ) == 0x0
 03580   896   NtQueryInformationThread  (1104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fefa000,Pid=1252,Tid=2280,}, 0x0, ) == 0x0
 03581   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82087, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\4\0\0\344\4\0\0\350\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\4\0\0\344\4\0\0\350\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82088, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\4\0\0\344\4\0\0\350\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\4\0\0\344\4\0\0\350\10\0\0" )  ) == 0x0
 03582   896   NtResumeThread  (1104, ... 1, ) == 0x0
 03583   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 204537856, 1048576, ) == 0x0
 03584   896   NtAllocateVirtualMemory  (-1, 205578240, 0, 8192, 4096, 4, ... 205578240, 8192, ) == 0x0
 03585  2280   NtWaitForSingleObject  (128, 0, 0x0, ...
 03586   896   NtProtectVirtualMemory  (-1, (0xc40e000), 4096, 260, ... (0xc40e000), 4096, 4, ) == 0x0
 03587   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1108, {1252, 2288}, ) == 0x0
 03588   896   NtQueryInformationThread  (1108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef9000,Pid=1252,Tid=2288,}, 0x0, ) == 0x0
 03589   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82088, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\4\0\0\344\4\0\0\360\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\4\0\0\344\4\0\0\360\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82089, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\4\0\0\344\4\0\0\360\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\4\0\0\344\4\0\0\360\10\0\0" )  ) == 0x0
 03590   896   NtResumeThread  (1108, ... 1, ) == 0x0
 03591   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03592  2288   NtWaitForSingleObject  (128, 0, 0x0, ...
 03591   896   NtAllocateVirtualMemory  ... 205586432, 1048576, ) == 0x0
 03593   896   NtAllocateVirtualMemory  (-1, 206626816, 0, 8192, 4096, 4, ... 206626816, 8192, ) == 0x0
 03594   896   NtProtectVirtualMemory  (-1, (0xc50e000), 4096, 260, ... (0xc50e000), 4096, 4, ) == 0x0
 03595   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1112, {1252, 2292}, ) == 0x0
 03596   896   NtQueryInformationThread  (1112, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef8000,Pid=1252,Tid=2292,}, 0x0, ) == 0x0
 03597   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82089, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\4\0\0\344\4\0\0\364\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\4\0\0\344\4\0\0\364\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82090, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\4\0\0\344\4\0\0\364\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\4\0\0\344\4\0\0\364\10\0\0" )  ) == 0x0
 03598   896   NtResumeThread  (1112, ... 1, ) == 0x0
 03599   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 206635008, 1048576, ) == 0x0
 03600   896   NtAllocateVirtualMemory  (-1, 207675392, 0, 8192, 4096, 4, ...
 03601  2292   NtWaitForSingleObject  (128, 0, 0x0, ...
 03600   896   NtAllocateVirtualMemory  ... 207675392, 8192, ) == 0x0
 03602   896   NtProtectVirtualMemory  (-1, (0xc60e000), 4096, 260, ... (0xc60e000), 4096, 4, ) == 0x0
 03603   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1116, {1252, 2296}, ) == 0x0
 03604   896   NtQueryInformationThread  (1116, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef7000,Pid=1252,Tid=2296,}, 0x0, ) == 0x0
 03605   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82090, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\4\0\0\344\4\0\0\370\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82091, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\4\0\0\344\4\0\0\370\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82091, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\4\0\0\344\4\0\0\370\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82091, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\4\0\0\344\4\0\0\370\10\0\0" )  ) == 0x0
 03606   896   NtResumeThread  (1116, ... 1, ) == 0x0
 03607  2296   NtWaitForSingleObject  (128, 0, 0x0, ...
 03608   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 207683584, 1048576, ) == 0x0
 03609   896   NtAllocateVirtualMemory  (-1, 208723968, 0, 8192, 4096, 4, ... 208723968, 8192, ) == 0x0
 03610   896   NtProtectVirtualMemory  (-1, (0xc70e000), 4096, 260, ... (0xc70e000), 4096, 4, ) == 0x0
 03611   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1120, {1252, 2300}, ) == 0x0
 03612   896   NtQueryInformationThread  (1120, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef6000,Pid=1252,Tid=2300,}, 0x0, ) == 0x0
 03613   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82091, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82091, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\4\0\0\344\4\0\0\374\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82092, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\4\0\0\344\4\0\0\374\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82092, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82091, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\4\0\0\344\4\0\0\374\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82092, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\4\0\0\344\4\0\0\374\10\0\0" )  ) == 0x0
 03614   896   NtResumeThread  (1120, ... 1, ) == 0x0
 03615   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 208732160, 1048576, ) == 0x0
 03616   896   NtAllocateVirtualMemory  (-1, 209772544, 0, 8192, 4096, 4, ...
 03617  2300   NtWaitForSingleObject  (128, 0, 0x0, ...
 03616   896   NtAllocateVirtualMemory  ... 209772544, 8192, ) == 0x0
 03618   896   NtProtectVirtualMemory  (-1, (0xc80e000), 4096, 260, ... (0xc80e000), 4096, 4, ) == 0x0
 03619   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1124, {1252, 2304}, ) == 0x0
 03620   896   NtQueryInformationThread  (1124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef5000,Pid=1252,Tid=2304,}, 0x0, ) == 0x0
 03621   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82092, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82092, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\4\0\0\344\4\0\0\0\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\4\0\0\344\4\0\0\0\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82093, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82092, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\4\0\0\344\4\0\0\0\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\4\0\0\344\4\0\0\0\11\0\0" )  ) == 0x0
 03622   896   NtResumeThread  (1124, ... 1, ) == 0x0
 03623  2304   NtWaitForSingleObject  (128, 0, 0x0, ...
 03624   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 209780736, 1048576, ) == 0x0
 03625   896   NtAllocateVirtualMemory  (-1, 210821120, 0, 8192, 4096, 4, ... 210821120, 8192, ) == 0x0
 03626   896   NtProtectVirtualMemory  (-1, (0xc90e000), 4096, 260, ... (0xc90e000), 4096, 4, ) == 0x0
 03627   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1128, {1252, 2308}, ) == 0x0
 03628   896   NtQueryInformationThread  (1128, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef4000,Pid=1252,Tid=2308,}, 0x0, ) == 0x0
 03629   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82093, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\4\0\0\344\4\0\0\4\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\4\0\0\344\4\0\0\4\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82094, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\4\0\0\344\4\0\0\4\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\4\0\0\344\4\0\0\4\11\0\0" )  ) == 0x0
 03630   896   NtResumeThread  (1128, ... 1, ) == 0x0
 03631   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 210829312, 1048576, ) == 0x0
 03632   896   NtAllocateVirtualMemory  (-1, 211869696, 0, 8192, 4096, 4, ...
 03633  2308   NtWaitForSingleObject  (128, 0, 0x0, ...
 03632   896   NtAllocateVirtualMemory  ... 211869696, 8192, ) == 0x0
 03634   896   NtProtectVirtualMemory  (-1, (0xca0e000), 4096, 260, ... (0xca0e000), 4096, 4, ) == 0x0
 03635   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1132, {1252, 2312}, ) == 0x0
 03636   896   NtQueryInformationThread  (1132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef3000,Pid=1252,Tid=2312,}, 0x0, ) == 0x0
 03637   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82094, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\4\0\0\344\4\0\0\10\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\4\0\0\344\4\0\0\10\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82095, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\4\0\0\344\4\0\0\10\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\4\0\0\344\4\0\0\10\11\0\0" )  ) == 0x0
 03638   896   NtResumeThread  (1132, ... 1, ) == 0x0
 03639  2312   NtWaitForSingleObject  (128, 0, 0x0, ...
 03640   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 211877888, 1048576, ) == 0x0
 03641   896   NtAllocateVirtualMemory  (-1, 212918272, 0, 8192, 4096, 4, ... 212918272, 8192, ) == 0x0
 03642   896   NtProtectVirtualMemory  (-1, (0xcb0e000), 4096, 260, ... (0xcb0e000), 4096, 4, ) == 0x0
 03643   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1136, {1252, 2316}, ) == 0x0
 03644   896   NtQueryInformationThread  (1136, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef2000,Pid=1252,Tid=2316,}, 0x0, ) == 0x0
 03645   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82095, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\4\0\0\344\4\0\0\14\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82096, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\4\0\0\344\4\0\0\14\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82096, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\4\0\0\344\4\0\0\14\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82096, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\4\0\0\344\4\0\0\14\11\0\0" )  ) == 0x0
 03646   896   NtResumeThread  (1136, ... 1, ) == 0x0
 03647   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 212926464, 1048576, ) == 0x0
 03648   896   NtAllocateVirtualMemory  (-1, 213966848, 0, 8192, 4096, 4, ...
 03649  2316   NtWaitForSingleObject  (128, 0, 0x0, ...
 03648   896   NtAllocateVirtualMemory  ... 213966848, 8192, ) == 0x0
 03650   896   NtProtectVirtualMemory  (-1, (0xcc0e000), 4096, 260, ... (0xcc0e000), 4096, 4, ) == 0x0
 03651   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1140, {1252, 2320}, ) == 0x0
 03652   896   NtQueryInformationThread  (1140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef1000,Pid=1252,Tid=2320,}, 0x0, ) == 0x0
 03653   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82096, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82096, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\4\0\0\344\4\0\0\20\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\4\0\0\344\4\0\0\20\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82097, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82096, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\4\0\0\344\4\0\0\20\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\4\0\0\344\4\0\0\20\11\0\0" )  ) == 0x0
 03654   896   NtResumeThread  (1140, ... 1, ) == 0x0
 03655  2320   NtWaitForSingleObject  (128, 0, 0x0, ...
 03656   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 213975040, 1048576, ) == 0x0
 03657   896   NtAllocateVirtualMemory  (-1, 215015424, 0, 8192, 4096, 4, ... 215015424, 8192, ) == 0x0
 03658   896   NtProtectVirtualMemory  (-1, (0xcd0e000), 4096, 260, ... (0xcd0e000), 4096, 4, ) == 0x0
 03659   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1144, {1252, 2324}, ) == 0x0
 03660   896   NtQueryInformationThread  (1144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef0000,Pid=1252,Tid=2324,}, 0x0, ) == 0x0
 03661   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82097, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\4\0\0\344\4\0\0\24\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82098, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\4\0\0\344\4\0\0\24\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82098, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\4\0\0\344\4\0\0\24\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82098, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\4\0\0\344\4\0\0\24\11\0\0" )  ) == 0x0
 03662   896   NtResumeThread  (1144, ... 1, ) == 0x0
 03663   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 215023616, 1048576, ) == 0x0
 03664   896   NtAllocateVirtualMemory  (-1, 216064000, 0, 8192, 4096, 4, ...
 03665  2324   NtWaitForSingleObject  (128, 0, 0x0, ...
 03664   896   NtAllocateVirtualMemory  ... 216064000, 8192, ) == 0x0
 03666   896   NtProtectVirtualMemory  (-1, (0xce0e000), 4096, 260, ... (0xce0e000), 4096, 4, ) == 0x0
 03667   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1148, {1252, 2328}, ) == 0x0
 03668   896   NtQueryInformationThread  (1148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7feef000,Pid=1252,Tid=2328,}, 0x0, ) == 0x0
 03669   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82098, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82098, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\4\0\0\344\4\0\0\30\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82099, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\4\0\0\344\4\0\0\30\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82099, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82098, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\4\0\0\344\4\0\0\30\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82099, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\4\0\0\344\4\0\0\30\11\0\0" )  ) == 0x0
 03670   896   NtResumeThread  (1148, ... 1, ) == 0x0
 03671  2328   NtWaitForSingleObject  (128, 0, 0x0, ...
 03672   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 216072192, 1048576, ) == 0x0
 03673   896   NtAllocateVirtualMemory  (-1, 217112576, 0, 8192, 4096, 4, ... 217112576, 8192, ) == 0x0
 03674   896   NtProtectVirtualMemory  (-1, (0xcf0e000), 4096, 260, ... (0xcf0e000), 4096, 4, ) == 0x0
 03675   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1152, {1252, 2332}, ) == 0x0
 03676   896   NtQueryInformationThread  (1152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7feee000,Pid=1252,Tid=2332,}, 0x0, ) == 0x0
 03677   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82099, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82099, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\4\0\0\344\4\0\0\34\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82100, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\4\0\0\344\4\0\0\34\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82100, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82099, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\4\0\0\344\4\0\0\34\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82100, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\4\0\0\344\4\0\0\34\11\0\0" )  ) == 0x0
 03678   896   NtResumeThread  (1152, ... 1, ) == 0x0
 03679   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 217120768, 1048576, ) == 0x0
 03680   896   NtAllocateVirtualMemory  (-1, 218161152, 0, 8192, 4096, 4, ...
 03681  2332   NtWaitForSingleObject  (128, 0, 0x0, ...
 03680   896   NtAllocateVirtualMemory  ... 218161152, 8192, ) == 0x0
 03682   896   NtProtectVirtualMemory  (-1, (0xd00e000), 4096, 260, ... (0xd00e000), 4096, 4, ) == 0x0
 03683   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1156, {1252, 2336}, ) == 0x0
 03684   896   NtQueryInformationThread  (1156, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7feed000,Pid=1252,Tid=2336,}, 0x0, ) == 0x0
 03685   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82100, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82100, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\4\0\0\344\4\0\0 \11\0\0" ... {28, 56, reply, 0, 1252, 896, 82101, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\4\0\0\344\4\0\0 \11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82101, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82100, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\4\0\0\344\4\0\0 \11\0\0" ... {28, 56, reply, 0, 1252, 896, 82101, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\4\0\0\344\4\0\0 \11\0\0" )  ) == 0x0
 03686   896   NtResumeThread  (1156, ... 1, ) == 0x0
 03687  2336   NtWaitForSingleObject  (128, 0, 0x0, ...
 03688   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 218169344, 1048576, ) == 0x0
 03689   896   NtAllocateVirtualMemory  (-1, 219209728, 0, 8192, 4096, 4, ... 219209728, 8192, ) == 0x0
 03690   896   NtProtectVirtualMemory  (-1, (0xd10e000), 4096, 260, ... (0xd10e000), 4096, 4, ) == 0x0
 03691   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1160, {1252, 2340}, ) == 0x0
 03692   896   NtQueryInformationThread  (1160, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7feec000,Pid=1252,Tid=2340,}, 0x0, ) == 0x0
 03693   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82101, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82101, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\4\0\0\344\4\0\0$\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82102, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\4\0\0\344\4\0\0$\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82102, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82101, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\4\0\0\344\4\0\0$\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82102, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\4\0\0\344\4\0\0$\11\0\0" )  ) == 0x0
 03694   896   NtResumeThread  (1160, ... 1, ) == 0x0
 03695   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 219217920, 1048576, ) == 0x0
 03696   896   NtAllocateVirtualMemory  (-1, 220258304, 0, 8192, 4096, 4, ...
 03697  2340   NtWaitForSingleObject  (128, 0, 0x0, ...
 03696   896   NtAllocateVirtualMemory  ... 220258304, 8192, ) == 0x0
 03698   896   NtProtectVirtualMemory  (-1, (0xd20e000), 4096, 260, ... (0xd20e000), 4096, 4, ) == 0x0
 03699   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1164, {1252, 2344}, ) == 0x0
 03700   896   NtQueryInformationThread  (1164, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7feeb000,Pid=1252,Tid=2344,}, 0x0, ) == 0x0
 03701   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82102, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82102, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\4\0\0\344\4\0\0(\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82103, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\4\0\0\344\4\0\0(\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82103, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82102, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\4\0\0\344\4\0\0(\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82103, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\4\0\0\344\4\0\0(\11\0\0" )  ) == 0x0
 03702   896   NtResumeThread  (1164, ... 1, ) == 0x0
 03703  2344   NtWaitForSingleObject  (128, 0, 0x0, ...
 03704   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 220266496, 1048576, ) == 0x0
 03705   896   NtAllocateVirtualMemory  (-1, 221306880, 0, 8192, 4096, 4, ... 221306880, 8192, ) == 0x0
 03706   896   NtProtectVirtualMemory  (-1, (0xd30e000), 4096, 260, ... (0xd30e000), 4096, 4, ) == 0x0
 03707   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1168, {1252, 2352}, ) == 0x0
 03708   896   NtQueryInformationThread  (1168, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7feea000,Pid=1252,Tid=2352,}, 0x0, ) == 0x0
 03709   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82103, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82103, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\4\0\0\344\4\0\00\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82104, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\4\0\0\344\4\0\00\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82104, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82103, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\4\0\0\344\4\0\00\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82104, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\4\0\0\344\4\0\00\11\0\0" )  ) == 0x0
 03710   896   NtResumeThread  (1168, ... 1, ) == 0x0
 03711   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 221315072, 1048576, ) == 0x0
 03712   896   NtAllocateVirtualMemory  (-1, 222355456, 0, 8192, 4096, 4, ...
 03713  2352   NtWaitForSingleObject  (128, 0, 0x0, ...
 03712   896   NtAllocateVirtualMemory  ... 222355456, 8192, ) == 0x0
 03714   896   NtProtectVirtualMemory  (-1, (0xd40e000), 4096, 260, ... (0xd40e000), 4096, 4, ) == 0x0
 03715   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1172, {1252, 2356}, ) == 0x0
 03716   896   NtQueryInformationThread  (1172, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fee9000,Pid=1252,Tid=2356,}, 0x0, ) == 0x0
 03717   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82104, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82104, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\4\0\0\344\4\0\04\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82105, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\4\0\0\344\4\0\04\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82105, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82104, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\4\0\0\344\4\0\04\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82105, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\4\0\0\344\4\0\04\11\0\0" )  ) == 0x0
 03718   896   NtResumeThread  (1172, ... 1, ) == 0x0
 03719  2356   NtWaitForSingleObject  (128, 0, 0x0, ...
 03720   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 222363648, 1048576, ) == 0x0
 03721   896   NtAllocateVirtualMemory  (-1, 223404032, 0, 8192, 4096, 4, ... 223404032, 8192, ) == 0x0
 03722   896   NtProtectVirtualMemory  (-1, (0xd50e000), 4096, 260, ... (0xd50e000), 4096, 4, ) == 0x0
 03723   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1176, {1252, 2364}, ) == 0x0
 03724   896   NtQueryInformationThread  (1176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fee8000,Pid=1252,Tid=2364,}, 0x0, ) == 0x0
 03725   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82105, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82105, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\4\0\0\344\4\0\0<\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82106, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\4\0\0\344\4\0\0<\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82106, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82105, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\4\0\0\344\4\0\0<\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82106, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\4\0\0\344\4\0\0<\11\0\0" )  ) == 0x0
 03726   896   NtResumeThread  (1176, ... 1, ) == 0x0
 03727   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 223412224, 1048576, ) == 0x0
 03728   896   NtAllocateVirtualMemory  (-1, 224452608, 0, 8192, 4096, 4, ...
 03729  2364   NtWaitForSingleObject  (128, 0, 0x0, ...
 03728   896   NtAllocateVirtualMemory  ... 224452608, 8192, ) == 0x0
 03730   896   NtProtectVirtualMemory  (-1, (0xd60e000), 4096, 260, ... (0xd60e000), 4096, 4, ) == 0x0
 03731   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1180, {1252, 2368}, ) == 0x0
 03732   896   NtQueryInformationThread  (1180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fee7000,Pid=1252,Tid=2368,}, 0x0, ) == 0x0
 03733   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82106, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82106, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\4\0\0\344\4\0\0@\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82107, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\4\0\0\344\4\0\0@\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82107, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82106, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\4\0\0\344\4\0\0@\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82107, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\4\0\0\344\4\0\0@\11\0\0" )  ) == 0x0
 03734   896   NtResumeThread  (1180, ... 1, ) == 0x0
 03735  2368   NtWaitForSingleObject  (128, 0, 0x0, ...
 03736   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 224460800, 1048576, ) == 0x0
 03737   896   NtAllocateVirtualMemory  (-1, 225501184, 0, 8192, 4096, 4, ... 225501184, 8192, ) == 0x0
 03738   896   NtProtectVirtualMemory  (-1, (0xd70e000), 4096, 260, ... (0xd70e000), 4096, 4, ) == 0x0
 03739   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1184, {1252, 2372}, ) == 0x0
 03740   896   NtQueryInformationThread  (1184, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fee6000,Pid=1252,Tid=2372,}, 0x0, ) == 0x0
 03741   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82107, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82107, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\4\0\0\344\4\0\0D\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82108, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\4\0\0\344\4\0\0D\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82108, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82107, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\4\0\0\344\4\0\0D\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82108, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\4\0\0\344\4\0\0D\11\0\0" )  ) == 0x0
 03742   896   NtResumeThread  (1184, ... 1, ) == 0x0
 03743   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 225509376, 1048576, ) == 0x0
 03744   896   NtAllocateVirtualMemory  (-1, 226549760, 0, 8192, 4096, 4, ...
 03745  2372   NtWaitForSingleObject  (128, 0, 0x0, ...
 03744   896   NtAllocateVirtualMemory  ... 226549760, 8192, ) == 0x0
 03746   896   NtProtectVirtualMemory  (-1, (0xd80e000), 4096, 260, ... (0xd80e000), 4096, 4, ) == 0x0
 03747   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1188, {1252, 2380}, ) == 0x0
 03748   896   NtQueryInformationThread  (1188, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fee5000,Pid=1252,Tid=2380,}, 0x0, ) == 0x0
 03749   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82108, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82108, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\4\0\0\344\4\0\0L\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82109, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\4\0\0\344\4\0\0L\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82109, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82108, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\4\0\0\344\4\0\0L\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82109, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\4\0\0\344\4\0\0L\11\0\0" )  ) == 0x0
 03750   896   NtResumeThread  (1188, ... 1, ) == 0x0
 03751  2380   NtWaitForSingleObject  (128, 0, 0x0, ...
 03752   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 226557952, 1048576, ) == 0x0
 03753   896   NtAllocateVirtualMemory  (-1, 227598336, 0, 8192, 4096, 4, ... 227598336, 8192, ) == 0x0
 03754   896   NtProtectVirtualMemory  (-1, (0xd90e000), 4096, 260, ... (0xd90e000), 4096, 4, ) == 0x0
 03755   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1192, {1252, 2388}, ) == 0x0
 03756   896   NtQueryInformationThread  (1192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fee4000,Pid=1252,Tid=2388,}, 0x0, ) == 0x0
 03757   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82109, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82109, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\4\0\0\344\4\0\0T\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82110, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\4\0\0\344\4\0\0T\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82110, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82109, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\4\0\0\344\4\0\0T\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82110, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\4\0\0\344\4\0\0T\11\0\0" )  ) == 0x0
 03758   896   NtResumeThread  (1192, ... 1, ) == 0x0
 03759   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 227606528, 1048576, ) == 0x0
 03760   896   NtAllocateVirtualMemory  (-1, 228646912, 0, 8192, 4096, 4, ...
 03761  2388   NtWaitForSingleObject  (128, 0, 0x0, ...
 03760   896   NtAllocateVirtualMemory  ... 228646912, 8192, ) == 0x0
 03762   896   NtProtectVirtualMemory  (-1, (0xda0e000), 4096, 260, ... (0xda0e000), 4096, 4, ) == 0x0
 03763   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1196, {1252, 2392}, ) == 0x0
 03764   896   NtQueryInformationThread  (1196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fee3000,Pid=1252,Tid=2392,}, 0x0, ) == 0x0
 03765   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82110, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82110, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\4\0\0\344\4\0\0X\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82111, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\4\0\0\344\4\0\0X\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82111, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82110, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\4\0\0\344\4\0\0X\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82111, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\4\0\0\344\4\0\0X\11\0\0" )  ) == 0x0
 03766   896   NtResumeThread  (1196, ... 1, ) == 0x0
 03767  2392   NtWaitForSingleObject  (128, 0, 0x0, ...
 03768   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 228655104, 1048576, ) == 0x0
 03769   896   NtAllocateVirtualMemory  (-1, 229695488, 0, 8192, 4096, 4, ... 229695488, 8192, ) == 0x0
 03770   896   NtProtectVirtualMemory  (-1, (0xdb0e000), 4096, 260, ... (0xdb0e000), 4096, 4, ) == 0x0
 03771   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1200, {1252, 2396}, ) == 0x0
 03772   896   NtQueryInformationThread  (1200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fee2000,Pid=1252,Tid=2396,}, 0x0, ) == 0x0
 03773   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82111, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82111, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\4\0\0\344\4\0\0\\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82112, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\4\0\0\344\4\0\0\\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82112, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82111, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\4\0\0\344\4\0\0\\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82112, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\4\0\0\344\4\0\0\\11\0\0" )  ) == 0x0
 03774   896   NtResumeThread  (1200, ... 1, ) == 0x0
 03775  2396   NtWaitForSingleObject  (128, 0, 0x0, ...
 03776   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 229703680, 1048576, ) == 0x0
 03777   896   NtAllocateVirtualMemory  (-1, 230744064, 0, 8192, 4096, 4, ... 230744064, 8192, ) == 0x0
 03778   896   NtProtectVirtualMemory  (-1, (0xdc0e000), 4096, 260, ... (0xdc0e000), 4096, 4, ) == 0x0
 03779   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1204, {1252, 2404}, ) == 0x0
 03780   896   NtQueryInformationThread  (1204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fee1000,Pid=1252,Tid=2404,}, 0x0, ) == 0x0
 03781   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82112, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82112, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\4\0\0\344\4\0\0d\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82113, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\4\0\0\344\4\0\0d\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82113, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82112, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\4\0\0\344\4\0\0d\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82113, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\4\0\0\344\4\0\0d\11\0\0" )  ) == 0x0
 03782   896   NtResumeThread  (1204, ... 1, ) == 0x0
 03783   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 230752256, 1048576, ) == 0x0
 03784   896   NtAllocateVirtualMemory  (-1, 231792640, 0, 8192, 4096, 4, ...
 03785  2404   NtWaitForSingleObject  (128, 0, 0x0, ...
 03784   896   NtAllocateVirtualMemory  ... 231792640, 8192, ) == 0x0
 03786   896   NtProtectVirtualMemory  (-1, (0xdd0e000), 4096, 260, ... (0xdd0e000), 4096, 4, ) == 0x0
 03787   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1208, {1252, 2408}, ) == 0x0
 03788   896   NtQueryInformationThread  (1208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fee0000,Pid=1252,Tid=2408,}, 0x0, ) == 0x0
 03789   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82113, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82113, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\4\0\0\344\4\0\0h\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82114, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\4\0\0\344\4\0\0h\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82114, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82113, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\4\0\0\344\4\0\0h\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82114, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\4\0\0\344\4\0\0h\11\0\0" )  ) == 0x0
 03790   896   NtResumeThread  (1208, ... 1, ) == 0x0
 03791  2408   NtWaitForSingleObject  (128, 0, 0x0, ...
 03792   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 231800832, 1048576, ) == 0x0
 03793   896   NtAllocateVirtualMemory  (-1, 232841216, 0, 8192, 4096, 4, ... 232841216, 8192, ) == 0x0
 03794   896   NtProtectVirtualMemory  (-1, (0xde0e000), 4096, 260, ... (0xde0e000), 4096, 4, ) == 0x0
 03795   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1212, {1252, 2416}, ) == 0x0
 03796   896   NtQueryInformationThread  (1212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fedf000,Pid=1252,Tid=2416,}, 0x0, ) == 0x0
 03797   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82114, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82114, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\4\0\0\344\4\0\0p\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82115, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\4\0\0\344\4\0\0p\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82115, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82114, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\4\0\0\344\4\0\0p\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82115, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\4\0\0\344\4\0\0p\11\0\0" )  ) == 0x0
 03798   896   NtResumeThread  (1212, ... 1, ) == 0x0
 03799   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 232849408, 1048576, ) == 0x0
 03800   896   NtAllocateVirtualMemory  (-1, 233889792, 0, 8192, 4096, 4, ...
 03801  2416   NtWaitForSingleObject  (128, 0, 0x0, ...
 03800   896   NtAllocateVirtualMemory  ... 233889792, 8192, ) == 0x0
 03802   896   NtProtectVirtualMemory  (-1, (0xdf0e000), 4096, 260, ... (0xdf0e000), 4096, 4, ) == 0x0
 03803   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1216, {1252, 2424}, ) == 0x0
 03804   896   NtQueryInformationThread  (1216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fede000,Pid=1252,Tid=2424,}, 0x0, ) == 0x0
 03805   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82115, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82115, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\4\0\0\344\4\0\0x\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82116, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\4\0\0\344\4\0\0x\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82116, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82115, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\4\0\0\344\4\0\0x\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82116, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\4\0\0\344\4\0\0x\11\0\0" )  ) == 0x0
 03806   896   NtResumeThread  (1216, ... 1, ) == 0x0
 03807  2424   NtWaitForSingleObject  (128, 0, 0x0, ...
 03808   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 233897984, 1048576, ) == 0x0
 03809   896   NtAllocateVirtualMemory  (-1, 234938368, 0, 8192, 4096, 4, ... 234938368, 8192, ) == 0x0
 03810   896   NtProtectVirtualMemory  (-1, (0xe00e000), 4096, 260, ... (0xe00e000), 4096, 4, ) == 0x0
 03811   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1220, {1252, 2428}, ) == 0x0
 03812   896   NtQueryInformationThread  (1220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fedd000,Pid=1252,Tid=2428,}, 0x0, ) == 0x0
 03813   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82116, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82116, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\4\0\0\344\4\0\0|\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82117, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\4\0\0\344\4\0\0|\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82117, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82116, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\4\0\0\344\4\0\0|\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82117, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\4\0\0\344\4\0\0|\11\0\0" )  ) == 0x0
 03814   896   NtResumeThread  (1220, ... 1, ) == 0x0
 03815   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 234946560, 1048576, ) == 0x0
 03816   896   NtAllocateVirtualMemory  (-1, 235986944, 0, 8192, 4096, 4, ...
 03817  2428   NtWaitForSingleObject  (128, 0, 0x0, ...
 03816   896   NtAllocateVirtualMemory  ... 235986944, 8192, ) == 0x0
 03818   896   NtProtectVirtualMemory  (-1, (0xe10e000), 4096, 260, ... (0xe10e000), 4096, 4, ) == 0x0
 03819   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1224, {1252, 2432}, ) == 0x0
 03820   896   NtQueryInformationThread  (1224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fedc000,Pid=1252,Tid=2432,}, 0x0, ) == 0x0
 03821   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82117, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82117, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\4\0\0\344\4\0\0\200\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82118, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\4\0\0\344\4\0\0\200\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82118, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82117, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\4\0\0\344\4\0\0\200\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82118, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\4\0\0\344\4\0\0\200\11\0\0" )  ) == 0x0
 03822   896   NtResumeThread  (1224, ... 1, ) == 0x0
 03823  2432   NtWaitForSingleObject  (128, 0, 0x0, ...
 03824   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 235995136, 1048576, ) == 0x0
 03825   896   NtAllocateVirtualMemory  (-1, 237035520, 0, 8192, 4096, 4, ... 237035520, 8192, ) == 0x0
 03826   896   NtProtectVirtualMemory  (-1, (0xe20e000), 4096, 260, ... (0xe20e000), 4096, 4, ) == 0x0
 03827   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1228, {1252, 2436}, ) == 0x0
 03828   896   NtQueryInformationThread  (1228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fedb000,Pid=1252,Tid=2436,}, 0x0, ) == 0x0
 03829   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82118, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82118, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\4\0\0\344\4\0\0\204\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82119, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\4\0\0\344\4\0\0\204\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82119, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82118, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\4\0\0\344\4\0\0\204\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82119, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\4\0\0\344\4\0\0\204\11\0\0" )  ) == 0x0
 03830   896   NtResumeThread  (1228, ... 1, ) == 0x0
 03831   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 237043712, 1048576, ) == 0x0
 03832   896   NtAllocateVirtualMemory  (-1, 238084096, 0, 8192, 4096, 4, ...
 03833  2436   NtWaitForSingleObject  (128, 0, 0x0, ...
 03832   896   NtAllocateVirtualMemory  ... 238084096, 8192, ) == 0x0
 03834   896   NtProtectVirtualMemory  (-1, (0xe30e000), 4096, 260, ... (0xe30e000), 4096, 4, ) == 0x0
 03835   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1232, {1252, 2440}, ) == 0x0
 03836   896   NtQueryInformationThread  (1232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7feda000,Pid=1252,Tid=2440,}, 0x0, ) == 0x0
 03837   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82119, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82119, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\4\0\0\344\4\0\0\210\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82120, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\4\0\0\344\4\0\0\210\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82120, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82119, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\4\0\0\344\4\0\0\210\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82120, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\4\0\0\344\4\0\0\210\11\0\0" )  ) == 0x0
 03838   896   NtResumeThread  (1232, ... 1, ) == 0x0
 03839  2440   NtWaitForSingleObject  (128, 0, 0x0, ...
 03840   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 238092288, 1048576, ) == 0x0
 03841   896   NtAllocateVirtualMemory  (-1, 239132672, 0, 8192, 4096, 4, ... 239132672, 8192, ) == 0x0
 03842   896   NtProtectVirtualMemory  (-1, (0xe40e000), 4096, 260, ... (0xe40e000), 4096, 4, ) == 0x0
 03843   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1236, {1252, 2444}, ) == 0x0
 03844   896   NtQueryInformationThread  (1236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fed9000,Pid=1252,Tid=2444,}, 0x0, ) == 0x0
 03845   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82120, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82120, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\4\0\0\344\4\0\0\214\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82121, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\4\0\0\344\4\0\0\214\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82121, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82120, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\4\0\0\344\4\0\0\214\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82121, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\4\0\0\344\4\0\0\214\11\0\0" )  ) == 0x0
 03846   896   NtResumeThread  (1236, ... 1, ) == 0x0
 03847   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 239140864, 1048576, ) == 0x0
 03848   896   NtAllocateVirtualMemory  (-1, 240181248, 0, 8192, 4096, 4, ...
 03849  2444   NtWaitForSingleObject  (128, 0, 0x0, ...
 03848   896   NtAllocateVirtualMemory  ... 240181248, 8192, ) == 0x0
 03850   896   NtProtectVirtualMemory  (-1, (0xe50e000), 4096, 260, ... (0xe50e000), 4096, 4, ) == 0x0
 03851   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1240, {1252, 2448}, ) == 0x0
 03852   896   NtQueryInformationThread  (1240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fed8000,Pid=1252,Tid=2448,}, 0x0, ) == 0x0
 03853   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82121, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82121, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\4\0\0\344\4\0\0\220\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82122, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\4\0\0\344\4\0\0\220\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82122, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82121, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\4\0\0\344\4\0\0\220\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82122, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\4\0\0\344\4\0\0\220\11\0\0" )  ) == 0x0
 03854   896   NtResumeThread  (1240, ... 1, ) == 0x0
 03855  2448   NtWaitForSingleObject  (128, 0, 0x0, ...
 03856   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 240189440, 1048576, ) == 0x0
 03857   896   NtAllocateVirtualMemory  (-1, 241229824, 0, 8192, 4096, 4, ... 241229824, 8192, ) == 0x0
 03858   896   NtProtectVirtualMemory  (-1, (0xe60e000), 4096, 260, ... (0xe60e000), 4096, 4, ) == 0x0
 03859   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1244, {1252, 2452}, ) == 0x0
 03860   896   NtQueryInformationThread  (1244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fed7000,Pid=1252,Tid=2452,}, 0x0, ) == 0x0
 03861   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82122, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82122, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\4\0\0\344\4\0\0\224\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82123, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\4\0\0\344\4\0\0\224\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82123, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82122, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\4\0\0\344\4\0\0\224\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82123, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\4\0\0\344\4\0\0\224\11\0\0" )  ) == 0x0
 03862   896   NtResumeThread  (1244, ... 1, ) == 0x0
 03863   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 241238016, 1048576, ) == 0x0
 03864   896   NtAllocateVirtualMemory  (-1, 242278400, 0, 8192, 4096, 4, ...
 03865  2452   NtWaitForSingleObject  (128, 0, 0x0, ...
 03864   896   NtAllocateVirtualMemory  ... 242278400, 8192, ) == 0x0
 03866   896   NtProtectVirtualMemory  (-1, (0xe70e000), 4096, 260, ... (0xe70e000), 4096, 4, ) == 0x0
 03867   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1248, {1252, 2456}, ) == 0x0
 03868   896   NtQueryInformationThread  (1248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fed6000,Pid=1252,Tid=2456,}, 0x0, ) == 0x0
 03869   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82123, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82123, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\4\0\0\344\4\0\0\230\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82124, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\4\0\0\344\4\0\0\230\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82124, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82123, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\4\0\0\344\4\0\0\230\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82124, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\4\0\0\344\4\0\0\230\11\0\0" )  ) == 0x0
 03870   896   NtResumeThread  (1248, ... 1, ) == 0x0
 03871  2456   NtWaitForSingleObject  (128, 0, 0x0, ...
 03872   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 242286592, 1048576, ) == 0x0
 03873   896   NtAllocateVirtualMemory  (-1, 243326976, 0, 8192, 4096, 4, ... 243326976, 8192, ) == 0x0
 03874   896   NtProtectVirtualMemory  (-1, (0xe80e000), 4096, 260, ... (0xe80e000), 4096, 4, ) == 0x0
 03875   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1252, {1252, 2460}, ) == 0x0
 03876   896   NtQueryInformationThread  (1252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fed5000,Pid=1252,Tid=2460,}, 0x0, ) == 0x0
 03877   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82124, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82124, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\4\0\0\344\4\0\0\234\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82125, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\4\0\0\344\4\0\0\234\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82125, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82124, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\4\0\0\344\4\0\0\234\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82125, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\4\0\0\344\4\0\0\234\11\0\0" )  ) == 0x0
 03878   896   NtResumeThread  (1252, ... 1, ) == 0x0
 03879   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 243335168, 1048576, ) == 0x0
 03880   896   NtAllocateVirtualMemory  (-1, 244375552, 0, 8192, 4096, 4, ...
 03881  2460   NtWaitForSingleObject  (128, 0, 0x0, ...
 03880   896   NtAllocateVirtualMemory  ... 244375552, 8192, ) == 0x0
 03882   896   NtProtectVirtualMemory  (-1, (0xe90e000), 4096, 260, ... (0xe90e000), 4096, 4, ) == 0x0
 03883   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1256, {1252, 2464}, ) == 0x0
 03884   896   NtQueryInformationThread  (1256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fed4000,Pid=1252,Tid=2464,}, 0x0, ) == 0x0
 03885   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82125, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82125, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\4\0\0\344\4\0\0\240\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82126, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\4\0\0\344\4\0\0\240\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82126, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82125, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\4\0\0\344\4\0\0\240\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82126, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\4\0\0\344\4\0\0\240\11\0\0" )  ) == 0x0
 03886   896   NtResumeThread  (1256, ... 1, ) == 0x0
 03887  2464   NtWaitForSingleObject  (128, 0, 0x0, ...
 03888   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 244383744, 1048576, ) == 0x0
 03889   896   NtAllocateVirtualMemory  (-1, 245424128, 0, 8192, 4096, 4, ... 245424128, 8192, ) == 0x0
 03890   896   NtProtectVirtualMemory  (-1, (0xea0e000), 4096, 260, ... (0xea0e000), 4096, 4, ) == 0x0
 03891   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1260, {1252, 2472}, ) == 0x0
 03892   896   NtQueryInformationThread  (1260, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fed3000,Pid=1252,Tid=2472,}, 0x0, ) == 0x0
 03893   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82126, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82126, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\4\0\0\344\4\0\0\250\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82127, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\4\0\0\344\4\0\0\250\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82127, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82126, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\4\0\0\344\4\0\0\250\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82127, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\4\0\0\344\4\0\0\250\11\0\0" )  ) == 0x0
 03894   896   NtResumeThread  (1260, ... 1, ) == 0x0
 03895   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 245432320, 1048576, ) == 0x0
 03896   896   NtAllocateVirtualMemory  (-1, 246472704, 0, 8192, 4096, 4, ...
 03897  2472   NtWaitForSingleObject  (128, 0, 0x0, ...
 03896   896   NtAllocateVirtualMemory  ... 246472704, 8192, ) == 0x0
 03898   896   NtProtectVirtualMemory  (-1, (0xeb0e000), 4096, 260, ... (0xeb0e000), 4096, 4, ) == 0x0
 03899   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1264, {1252, 2480}, ) == 0x0
 03900   896   NtQueryInformationThread  (1264, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fed2000,Pid=1252,Tid=2480,}, 0x0, ) == 0x0
 03901   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82127, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82127, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\4\0\0\344\4\0\0\260\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82128, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\4\0\0\344\4\0\0\260\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82128, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82127, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\4\0\0\344\4\0\0\260\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82128, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\4\0\0\344\4\0\0\260\11\0\0" )  ) == 0x0
 03902   896   NtResumeThread  (1264, ... 1, ) == 0x0
 03903  2480   NtWaitForSingleObject  (128, 0, 0x0, ...
 03904   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 246480896, 1048576, ) == 0x0
 03905   896   NtAllocateVirtualMemory  (-1, 247521280, 0, 8192, 4096, 4, ... 247521280, 8192, ) == 0x0
 03906   896   NtProtectVirtualMemory  (-1, (0xec0e000), 4096, 260, ... (0xec0e000), 4096, 4, ) == 0x0
 03907   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1268, {1252, 2484}, ) == 0x0
 03908   896   NtQueryInformationThread  (1268, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fed1000,Pid=1252,Tid=2484,}, 0x0, ) == 0x0
 03909   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82128, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82128, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\4\0\0\344\4\0\0\264\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82129, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\4\0\0\344\4\0\0\264\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82129, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82128, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\4\0\0\344\4\0\0\264\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82129, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\4\0\0\344\4\0\0\264\11\0\0" )  ) == 0x0
 03910   896   NtResumeThread  (1268, ... 1, ) == 0x0
 03911   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 247529472, 1048576, ) == 0x0
 03912   896   NtAllocateVirtualMemory  (-1, 248569856, 0, 8192, 4096, 4, ...
 03913  2484   NtWaitForSingleObject  (128, 0, 0x0, ...
 03912   896   NtAllocateVirtualMemory  ... 248569856, 8192, ) == 0x0
 03914   896   NtProtectVirtualMemory  (-1, (0xed0e000), 4096, 260, ... (0xed0e000), 4096, 4, ) == 0x0
 03915   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1272, {1252, 2488}, ) == 0x0
 03916   896   NtQueryInformationThread  (1272, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fed0000,Pid=1252,Tid=2488,}, 0x0, ) == 0x0
 03917   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82129, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82129, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\4\0\0\344\4\0\0\270\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82130, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\4\0\0\344\4\0\0\270\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82130, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82129, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\4\0\0\344\4\0\0\270\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82130, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\4\0\0\344\4\0\0\270\11\0\0" )  ) == 0x0
 03918   896   NtResumeThread  (1272, ... 1, ) == 0x0
 03919  2488   NtWaitForSingleObject  (128, 0, 0x0, ...
 03920   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 248578048, 1048576, ) == 0x0
 03921   896   NtAllocateVirtualMemory  (-1, 249618432, 0, 8192, 4096, 4, ... 249618432, 8192, ) == 0x0
 03922   896   NtProtectVirtualMemory  (-1, (0xee0e000), 4096, 260, ... (0xee0e000), 4096, 4, ) == 0x0
 03923   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1276, {1252, 2500}, ) == 0x0
 03924   896   NtQueryInformationThread  (1276, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fecf000,Pid=1252,Tid=2500,}, 0x0, ) == 0x0
 03925   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82130, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82130, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\4\0\0\344\4\0\0\304\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82131, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\4\0\0\344\4\0\0\304\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82131, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82130, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\4\0\0\344\4\0\0\304\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82131, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\4\0\0\344\4\0\0\304\11\0\0" )  ) == 0x0
 03926   896   NtResumeThread  (1276, ... 1, ) == 0x0
 03927   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 249626624, 1048576, ) == 0x0
 03928   896   NtAllocateVirtualMemory  (-1, 250667008, 0, 8192, 4096, 4, ...
 03929  2500   NtWaitForSingleObject  (128, 0, 0x0, ...
 03928   896   NtAllocateVirtualMemory  ... 250667008, 8192, ) == 0x0
 03930   896   NtProtectVirtualMemory  (-1, (0xef0e000), 4096, 260, ... (0xef0e000), 4096, 4, ) == 0x0
 03931   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1280, {1252, 2504}, ) == 0x0
 03932   896   NtQueryInformationThread  (1280, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fece000,Pid=1252,Tid=2504,}, 0x0, ) == 0x0
 03933   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82131, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82131, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\5\0\0\344\4\0\0\310\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82132, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\5\0\0\344\4\0\0\310\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82132, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82131, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\5\0\0\344\4\0\0\310\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82132, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\5\0\0\344\4\0\0\310\11\0\0" )  ) == 0x0
 03934   896   NtResumeThread  (1280, ... 1, ) == 0x0
 03935  2504   NtWaitForSingleObject  (128, 0, 0x0, ...
 03936   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 250675200, 1048576, ) == 0x0
 03937   896   NtAllocateVirtualMemory  (-1, 251715584, 0, 8192, 4096, 4, ... 251715584, 8192, ) == 0x0
 03938   896   NtProtectVirtualMemory  (-1, (0xf00e000), 4096, 260, ... (0xf00e000), 4096, 4, ) == 0x0
 03939   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1284, {1252, 2512}, ) == 0x0
 03940   896   NtQueryInformationThread  (1284, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fecd000,Pid=1252,Tid=2512,}, 0x0, ) == 0x0
 03941   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82132, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82132, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\5\0\0\344\4\0\0\320\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82133, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\5\0\0\344\4\0\0\320\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82133, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82132, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\5\0\0\344\4\0\0\320\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82133, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\5\0\0\344\4\0\0\320\11\0\0" )  ) == 0x0
 03942   896   NtResumeThread  (1284, ... 1, ) == 0x0
 03943   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 251723776, 1048576, ) == 0x0
 03944   896   NtAllocateVirtualMemory  (-1, 252764160, 0, 8192, 4096, 4, ...
 03945  2512   NtWaitForSingleObject  (128, 0, 0x0, ...
 03944   896   NtAllocateVirtualMemory  ... 252764160, 8192, ) == 0x0
 03946   896   NtProtectVirtualMemory  (-1, (0xf10e000), 4096, 260, ... (0xf10e000), 4096, 4, ) == 0x0
 03947   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1288, {1252, 2516}, ) == 0x0
 03948   896   NtQueryInformationThread  (1288, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fecc000,Pid=1252,Tid=2516,}, 0x0, ) == 0x0
 03949   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82133, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82133, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\5\0\0\344\4\0\0\324\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82134, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\5\0\0\344\4\0\0\324\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82134, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82133, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\5\0\0\344\4\0\0\324\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82134, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\5\0\0\344\4\0\0\324\11\0\0" )  ) == 0x0
 03950   896   NtResumeThread  (1288, ... 1, ) == 0x0
 03951  2516   NtWaitForSingleObject  (128, 0, 0x0, ...
 03952   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 252772352, 1048576, ) == 0x0
 03953   896   NtAllocateVirtualMemory  (-1, 253812736, 0, 8192, 4096, 4, ... 253812736, 8192, ) == 0x0
 03954   896   NtProtectVirtualMemory  (-1, (0xf20e000), 4096, 260, ... (0xf20e000), 4096, 4, ) == 0x0
 03955   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1292, {1252, 2524}, ) == 0x0
 03956   896   NtQueryInformationThread  (1292, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fecb000,Pid=1252,Tid=2524,}, 0x0, ) == 0x0
 03957   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82134, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82134, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\5\0\0\344\4\0\0\334\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82135, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\5\0\0\344\4\0\0\334\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82135, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82134, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\5\0\0\344\4\0\0\334\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82135, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\5\0\0\344\4\0\0\334\11\0\0" )  ) == 0x0
 03958   896   NtResumeThread  (1292, ... 1, ) == 0x0
 03959   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 253820928, 1048576, ) == 0x0
 03960   896   NtAllocateVirtualMemory  (-1, 254861312, 0, 8192, 4096, 4, ...
 03961  2524   NtWaitForSingleObject  (128, 0, 0x0, ...
 03960   896   NtAllocateVirtualMemory  ... 254861312, 8192, ) == 0x0
 03962   896   NtProtectVirtualMemory  (-1, (0xf30e000), 4096, 260, ... (0xf30e000), 4096, 4, ) == 0x0
 03963   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1296, {1252, 2528}, ) == 0x0
 03964   896   NtQueryInformationThread  (1296, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7feca000,Pid=1252,Tid=2528,}, 0x0, ) == 0x0
 03965   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82135, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82135, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\5\0\0\344\4\0\0\340\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82136, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\5\0\0\344\4\0\0\340\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82136, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82135, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\5\0\0\344\4\0\0\340\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82136, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\5\0\0\344\4\0\0\340\11\0\0" )  ) == 0x0
 03966   896   NtResumeThread  (1296, ... 1, ) == 0x0
 03967  2528   NtWaitForSingleObject  (128, 0, 0x0, ...
 03968   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 254869504, 1048576, ) == 0x0
 03969   896   NtAllocateVirtualMemory  (-1, 255909888, 0, 8192, 4096, 4, ... 255909888, 8192, ) == 0x0
 03970   896   NtProtectVirtualMemory  (-1, (0xf40e000), 4096, 260, ... (0xf40e000), 4096, 4, ) == 0x0
 03971   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1300, {1252, 2536}, ) == 0x0
 03972   896   NtQueryInformationThread  (1300, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fec9000,Pid=1252,Tid=2536,}, 0x0, ) == 0x0
 03973   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82136, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82136, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\5\0\0\344\4\0\0\350\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82137, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\5\0\0\344\4\0\0\350\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82137, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82136, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\5\0\0\344\4\0\0\350\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82137, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\5\0\0\344\4\0\0\350\11\0\0" )  ) == 0x0
 03974   896   NtResumeThread  (1300, ... 1, ) == 0x0
 03975   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 255918080, 1048576, ) == 0x0
 03976   896   NtAllocateVirtualMemory  (-1, 256958464, 0, 8192, 4096, 4, ...
 03977  2536   NtWaitForSingleObject  (128, 0, 0x0, ...
 03976   896   NtAllocateVirtualMemory  ... 256958464, 8192, ) == 0x0
 03978   896   NtProtectVirtualMemory  (-1, (0xf50e000), 4096, 260, ... (0xf50e000), 4096, 4, ) == 0x0
 03979   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1304, {1252, 2540}, ) == 0x0
 03980   896   NtQueryInformationThread  (1304, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fec8000,Pid=1252,Tid=2540,}, 0x0, ) == 0x0
 03981   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82137, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82137, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\5\0\0\344\4\0\0\354\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82138, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\5\0\0\344\4\0\0\354\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82138, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82137, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\5\0\0\344\4\0\0\354\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82138, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\5\0\0\344\4\0\0\354\11\0\0" )  ) == 0x0
 03982   896   NtResumeThread  (1304, ... 1, ) == 0x0
 03983  2540   NtWaitForSingleObject  (128, 0, 0x0, ...
 03984   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 256966656, 1048576, ) == 0x0
 03985   896   NtAllocateVirtualMemory  (-1, 258007040, 0, 8192, 4096, 4, ... 258007040, 8192, ) == 0x0
 03986   896   NtProtectVirtualMemory  (-1, (0xf60e000), 4096, 260, ... (0xf60e000), 4096, 4, ) == 0x0
 03987   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1308, {1252, 2548}, ) == 0x0
 03988   896   NtQueryInformationThread  (1308, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fec7000,Pid=1252,Tid=2548,}, 0x0, ) == 0x0
 03989   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82138, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82138, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\5\0\0\344\4\0\0\364\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82139, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\5\0\0\344\4\0\0\364\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82139, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82138, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\5\0\0\344\4\0\0\364\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82139, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\5\0\0\344\4\0\0\364\11\0\0" )  ) == 0x0
 03990   896   NtResumeThread  (1308, ... 1, ) == 0x0
 03991   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 258015232, 1048576, ) == 0x0
 03992   896   NtAllocateVirtualMemory  (-1, 259055616, 0, 8192, 4096, 4, ...
 03993  2548   NtWaitForSingleObject  (128, 0, 0x0, ...
 03992   896   NtAllocateVirtualMemory  ... 259055616, 8192, ) == 0x0
 03994   896   NtProtectVirtualMemory  (-1, (0xf70e000), 4096, 260, ... (0xf70e000), 4096, 4, ) == 0x0
 03995   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1312, {1252, 2556}, ) == 0x0
 03996   896   NtQueryInformationThread  (1312, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fec6000,Pid=1252,Tid=2556,}, 0x0, ) == 0x0
 03997   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82139, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82139, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \5\0\0\344\4\0\0\374\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82140, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \5\0\0\344\4\0\0\374\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82140, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82139, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \5\0\0\344\4\0\0\374\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82140, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \5\0\0\344\4\0\0\374\11\0\0" )  ) == 0x0
 03998   896   NtResumeThread  (1312, ... 1, ) == 0x0
 03999   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 259063808, 1048576, ) == 0x0
 04000   896   NtAllocateVirtualMemory  (-1, 260104192, 0, 8192, 4096, 4, ... 260104192, 8192, ) == 0x0
 04001   896   NtProtectVirtualMemory  (-1, (0xf80e000), 4096, 260, ... (0xf80e000), 4096, 4, ) == 0x0
 04002  2556   NtWaitForSingleObject  (128, 0, 0x0, ...
 04003   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1316, {1252, 2560}, ) == 0x0
 04004   896   NtQueryInformationThread  (1316, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fec5000,Pid=1252,Tid=2560,}, 0x0, ) == 0x0
 04005   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82140, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82140, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\5\0\0\344\4\0\0\0\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82141, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\5\0\0\344\4\0\0\0\12\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82141, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82140, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\5\0\0\344\4\0\0\0\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82141, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\5\0\0\344\4\0\0\0\12\0\0" )  ) == 0x0
 04006   896   NtResumeThread  (1316, ... 1, ) == 0x0
 04007   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 260112384, 1048576, ) == 0x0
 04008   896   NtAllocateVirtualMemory  (-1, 261152768, 0, 8192, 4096, 4, ...
 04009  2560   NtWaitForSingleObject  (128, 0, 0x0, ...
 04008   896   NtAllocateVirtualMemory  ... 261152768, 8192, ) == 0x0
 04010   896   NtProtectVirtualMemory  (-1, (0xf90e000), 4096, 260, ... (0xf90e000), 4096, 4, ) == 0x0
 04011   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1320, {1252, 2564}, ) == 0x0
 04012   896   NtQueryInformationThread  (1320, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fec4000,Pid=1252,Tid=2564,}, 0x0, ) == 0x0
 04013   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82141, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82141, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\5\0\0\344\4\0\0\4\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82142, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\5\0\0\344\4\0\0\4\12\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82142, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82141, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\5\0\0\344\4\0\0\4\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82142, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\5\0\0\344\4\0\0\4\12\0\0" )  ) == 0x0
 04014   896   NtResumeThread  (1320, ... 1, ) == 0x0
 04015  2564   NtWaitForSingleObject  (128, 0, 0x0, ...
 04016   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 261160960, 1048576, ) == 0x0
 04017   896   NtAllocateVirtualMemory  (-1, 262201344, 0, 8192, 4096, 4, ... 262201344, 8192, ) == 0x0
 04018   896   NtProtectVirtualMemory  (-1, (0xfa0e000), 4096, 260, ... (0xfa0e000), 4096, 4, ) == 0x0
 04019   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1324, {1252, 2568}, ) == 0x0
 04020   896   NtQueryInformationThread  (1324, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fec3000,Pid=1252,Tid=2568,}, 0x0, ) == 0x0
 04021   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82142, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82142, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\5\0\0\344\4\0\0\10\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82143, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\5\0\0\344\4\0\0\10\12\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82143, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82142, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\5\0\0\344\4\0\0\10\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82143, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\5\0\0\344\4\0\0\10\12\0\0" )  ) == 0x0
 04022   896   NtResumeThread  (1324, ... 1, ) == 0x0
 04023   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 262209536, 1048576, ) == 0x0
 04024   896   NtAllocateVirtualMemory  (-1, 263249920, 0, 8192, 4096, 4, ...
 04025  2568   NtWaitForSingleObject  (128, 0, 0x0, ...
 04024   896   NtAllocateVirtualMemory  ... 263249920, 8192, ) == 0x0
 04026   896   NtProtectVirtualMemory  (-1, (0xfb0e000), 4096, 260, ... (0xfb0e000), 4096, 4, ) == 0x0
 04027   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1328, {1252, 2576}, ) == 0x0
 04028   896   NtQueryInformationThread  (1328, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fec2000,Pid=1252,Tid=2576,}, 0x0, ) == 0x0
 04029   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82143, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82143, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\5\0\0\344\4\0\0\20\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82144, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\5\0\0\344\4\0\0\20\12\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82144, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82143, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\5\0\0\344\4\0\0\20\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82144, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\5\0\0\344\4\0\0\20\12\0\0" )  ) == 0x0
 04030   896   NtResumeThread  (1328, ... 1, ) == 0x0
 04031  2576   NtWaitForSingleObject  (128, 0, 0x0, ...
 04032   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 263258112, 1048576, ) == 0x0
 04033   896   NtAllocateVirtualMemory  (-1, 264298496, 0, 8192, 4096, 4, ... 264298496, 8192, ) == 0x0
 04034   896   NtProtectVirtualMemory  (-1, (0xfc0e000), 4096, 260, ... (0xfc0e000), 4096, 4, ) == 0x0
 04035   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1332, {1252, 2584}, ) == 0x0
 04036   896   NtQueryInformationThread  (1332, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fec1000,Pid=1252,Tid=2584,}, 0x0, ) == 0x0
 04037   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82144, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82144, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\5\0\0\344\4\0\0\30\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82145, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\5\0\0\344\4\0\0\30\12\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82145, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82144, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\5\0\0\344\4\0\0\30\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82145, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\5\0\0\344\4\0\0\30\12\0\0" )  ) == 0x0
 04038   896   NtResumeThread  (1332, ... 1, ) == 0x0
 04039   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 264306688, 1048576, ) == 0x0
 04040   896   NtAllocateVirtualMemory  (-1, 265347072, 0, 8192, 4096, 4, ...
 04041  2584   NtWaitForSingleObject  (128, 0, 0x0, ...
 04040   896   NtAllocateVirtualMemory  ... 265347072, 8192, ) == 0x0
 04042   896   NtProtectVirtualMemory  (-1, (0xfd0e000), 4096, 260, ... (0xfd0e000), 4096, 4, ) == 0x0
 04043   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1336, {1252, 2588}, ) == 0x0
 04044   896   NtQueryInformationThread  (1336, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fec0000,Pid=1252,Tid=2588,}, 0x0, ) == 0x0
 04045   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82145, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82145, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\5\0\0\344\4\0\0\34\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82146, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\5\0\0\344\4\0\0\34\12\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82146, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82145, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\5\0\0\344\4\0\0\34\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82146, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\5\0\0\344\4\0\0\34\12\0\0" )  ) == 0x0
 04046   896   NtResumeThread  (1336, ... 1, ) == 0x0
 04047  2588   NtWaitForSingleObject  (128, 0, 0x0, ...
 04048   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 265355264, 1048576, ) == 0x0
 04049   896   NtAllocateVirtualMemory  (-1, 266395648, 0, 8192, 4096, 4, ... 266395648, 8192, ) == 0x0
 04050   896   NtProtectVirtualMemory  (-1, (0xfe0e000), 4096, 260, ... (0xfe0e000), 4096, 4, ) == 0x0
 04051   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1340, {1252, 2596}, ) == 0x0
 04052   896   NtQueryInformationThread  (1340, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7febf000,Pid=1252,Tid=2596,}, 0x0, ) == 0x0
 04053   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82146, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82146, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\5\0\0\344\4\0\0$\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82147, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\5\0\0\344\4\0\0$\12\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82147, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82146, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\5\0\0\344\4\0\0$\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82147, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\5\0\0\344\4\0\0$\12\0\0" )  ) == 0x0
 04054   896   NtResumeThread  (1340, ... 1, ) == 0x0
 04055   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 266403840, 1048576, ) == 0x0
 04056   896   NtAllocateVirtualMemory  (-1, 267444224, 0, 8192, 4096, 4, ...
 04057  2596   NtWaitForSingleObject  (128, 0, 0x0, ...
 04056   896   NtAllocateVirtualMemory  ... 267444224, 8192, ) == 0x0
 04058   896   NtProtectVirtualMemory  (-1, (0xff0e000), 4096, 260, ... (0xff0e000), 4096, 4, ) == 0x0
 04059   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1344, {1252, 2600}, ) == 0x0
 04060   896   NtQueryInformationThread  (1344, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7febe000,Pid=1252,Tid=2600,}, 0x0, ) == 0x0
 04061   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82147, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82147, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\5\0\0\344\4\0\0(\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82148, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\5\0\0\344\4\0\0(\12\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82148, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82147, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\5\0\0\344\4\0\0(\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82148, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\5\0\0\344\4\0\0(\12\0\0" )  ) == 0x0
 04062   896   NtResumeThread  (1344, ... 1, ) == 0x0
 04063  2600   NtWaitForSingleObject  (128, 0, 0x0, ...
 04064   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 267452416, 1048576, ) == 0x0
 04065   896   NtAllocateVirtualMemory  (-1, 268492800, 0, 8192, 4096, 4, ... 268492800, 8192, ) == 0x0
 04066   896   NtProtectVirtualMemory  (-1, (0x1000e000), 4096, 260, ... (0x1000e000), 4096, 4, ) == 0x0
 04067   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1348, {1252, 2604}, ) == 0x0
 04068   896   NtQueryInformationThread  (1348, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7febd000,Pid=1252,Tid=2604,}, 0x0, ) == 0x0
 04069   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82148, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82148, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\5\0\0\344\4\0\0,\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82149, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\5\0\0\344\4\0\0,\12\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82149, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82148, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\5\0\0\344\4\0\0,\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82149, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\5\0\0\344\4\0\0,\12\0\0" )  ) == 0x0
 04070   896   NtResumeThread  (1348, ... 1, ) == 0x0
 04071  2604   NtWaitForSingleObject  (128, 0, 0x0, ...
 04072   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 268500992, 1048576, ) == 0x0
 04073   896   NtAllocateVirtualMemory  (-1, 269541376, 0, 8192, 4096, 4, ... 269541376, 8192, ) == 0x0
 04074   896   NtProtectVirtualMemory  (-1, (0x1010e000), 4096, 260, ... (0x1010e000), 4096, 4, ) == 0x0
 04075   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1352, {1252, 2608}, ) == 0x0
 04076   896   NtQueryInformationThread  (1352, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7febc000,Pid=1252,Tid=2608,}, 0x0, ) == 0x0
 04077   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82149, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82149, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\5\0\0\344\4\0\00\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82150, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\5\0\0\344\4\0\00\12\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82150, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82149, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\5\0\0\344\4\0\00\12\0\0" ... {28, 56, reply, 0, 1252, 896, 82150, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\5\0\0\344\4\0\00\12\0\0" )  ) == 0x0
 04078   896   NtResumeThread  (1352, ... 1, ) == 0x0
 04079   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 269549568, 1048576, ) == 0x0
 04080   896   NtAllocateVirtualMemory  (-1, 270589952, 0, 8192, 4096, 4, ...
 04081  2608   NtWaitForSingleObject  (128, 0, 0x0, ...
 04080   896   NtAllocateVirtualMemory  ... 270589952, 8192, ) == 0x0
 04082   896   NtProtectVirtualMemory  (-1, (0x1020e000), 4096, 260, ... (0x1020e000), 4096, 4, ) == 0x0
 04083   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1356, {1252, 2612}, ) == 0x0
NtAdjustPrivilegesToken(>)	1	NtOpenDirectoryObject(>)	2	NtFsControlFile(>)	11	NtCreateSection(>)	71
NtCallbackReturn(>)	1	NtOpenProcessTokenEx(>)	2	NtQuerySection(>)	11	NtTestAlert(>)	91
NtDelayExecution(>)	1	NtOpenThreadTokenEx(>)	2	NtSetInformationThread(>)	11	NtRegisterThreadTerminatePort(>)	94
NtGdiCreateBitmap(>)	1	NtQueryDefaultLocale(>)	2	NtOpenThreadToken(>)	12	NtOpenKey(>)	96
NtGdiInit(>)	1	NtSetInformationObject(>)	2	NtSetInformationFile(>)	13	NtMapViewOfSection(>)	98
NtGdiQueryFontAssocInfo(>)	1	NtGdiCreateCompatibleDC(>)	3	NtQueryDirectoryFile(>)	14	NtDuplicateObject(>)	101
NtGdiSelectBitmap(>)	1	NtOpenProcessToken(>)	3	NtUserRegisterClassExWOW(>)	14	NtQuerySystemInformation(>)	116
NtOpenKeyedEvent(>)	1	NtSecureConnectPort(>)	3	NtCreateFile(>)	16	NtWriteVirtualMemory(>)	116
NtOpenSymbolicLinkObject(>)	1	NtFreeVirtualMemory(>)	4	NtSetValueKey(>)	16	NtSetEventBoostPriority(>)	178
NtQueryObject(>)	1	NtReadFile(>)	4	NtCreateKey(>)	18	NtQueryValueKey(>)	221
NtQuerySymbolicLinkObject(>)	1	NtWriteFile(>)	4	NtOpenFile(>)	25	NtResumeThread(>)	270
NtQuerySystemTime(>)	1	NtConnectPort(>)	5	NtOpenProcess(>)	29	NtCreateThread(>)	277
NtSetInformationProcess(>)	1	NtGdiGetStockObject(>)	5	NtDeviceIoControlFile(>)	34	NtQueryInformationThread(>)	277
NtUserCallNoParam(>)	1	NtQueryInformationToken(>)	5	NtFlushInstructionCache(>)	42	NtRequestWaitReplyPort(>)	305
NtUserGetThreadDesktop(>)	1	NtQueryVirtualMemory(>)	5	NtUnmapViewOfSection(>)	44	NtClose(>)	354
NtCreateIoCompletion(>)	2	NtQueryVolumeInformationFile(>)	5	NtContinue(>)	50	NtProtectVirtualMemory(>)	485
NtCreateMutant(>)	2	NtQueryInformationProcess(>)	6	NtOpenSection(>)	50	NtWaitForSingleObject(>)	520
NtGdiCreateSolidBrush(>)	2	NtQueryInformationFile(>)	8	NtQueryAttributesFile(>)	52	NtAllocateVirtualMemory(>)	705
NtNotifyChangeKey(>)	2	NtUserFindExistingCursorIcon(>)	9	NtCreateEvent(>)	61