Summary:


NtAdjustPrivilegesToken(>)  1 
NtConnectPort(>)  2 
NtQueryInformationProcess(>)  7 
NtOpenSection(>)  57 

NtCreateMutant(>)  1 
NtCreateIoCompletion(>)  2 
NtDuplicateObject(>)  8 
NtQueryAttributesFile(>)  58 

NtDelayExecution(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtReleaseMutant(>)  8 
NtQueryVirtualMemory(>)  59 

NtDuplicateToken(>)  1 
NtNotifyChangeKey(>)  2 
NtOpenProcessTokenEx(>)  11 
NtUserRegisterClassExWOW(>)  61 

NtEnumerateValueKey(>)  1 
NtOpenDirectoryObject(>)  2 
NtOpenThreadTokenEx(>)  11 
NtSetEventBoostPriority(>)  70 

NtGdiCreateBitmap(>)  1 
NtQueryPerformanceCounter(>)  2 
NtQuerySection(>)  11 
NtCreateSection(>)  80 

NtGdiInit(>)  1 
NtUserGetDC(>)  2 
NtQueryDefaultUILanguage(>)  12 
NtFlushInstructionCache(>)  87 

NtGdiQueryFontAssocInfo(>)  1 
NtWaitForMultipleObjects(>)  2 
NtUserSystemParametersInfo(>)  12 
NtMapViewOfSection(>)  114 

NtGdiSelectBitmap(>)  1 
NtDeleteValueKey(>)  3 
NtFsControlFile(>)  13 
NtWriteVirtualMemory(>)  116 

NtOpenEvent(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQueryInformationFile(>)  13 
NtQuerySystemInformation(>)  120 

NtOpenKeyedEvent(>)  1 
NtReleaseSemaphore(>)  3 
NtQueryDirectoryFile(>)  14 
NtContinue(>)  135 

NtOpenSymbolicLinkObject(>)  1 
NtSecureConnectPort(>)  3 
NtQueryInformationToken(>)  14 
NtQueryInformationThread(>)  151 

NtQueryEvent(>)  1 
NtSetInformationObject(>)  3 
NtOpenThreadToken(>)  18 
NtResumeThread(>)  151 

NtQueryInstallUILanguage(>)  1 
NtUserRegisterWindowMessage(>)  3 
NtQueryDebugFilterState(>)  21 
NtCreateThread(>)  154 

NtQueryObject(>)  1 
NtAccessCheck(>)  4 
NtSetValueKey(>)  21 
NtTestAlert(>)  166 

NtQuerySymbolicLinkObject(>)  1 
NtEnumerateKey(>)  4 
NtCreateKey(>)  23 
NtRegisterThreadTerminatePort(>)  168 

NtQuerySystemTime(>)  1 
NtSetEvent(>)  4 
NtFreeVirtualMemory(>)  29 
NtRequestWaitReplyPort(>)  177 

NtRaiseException(>)  1 
NtGdiGetStockObject(>)  5 
NtCreateFile(>)  30 
NtWaitForSingleObject(>)  216 

NtSetInformationProcess(>)  1 
NtQueryVolumeInformationFile(>)  5 
NtOpenProcess(>)  30 
NtOpenKey(>)  232 

NtUserCallNoParam(>)  1 
NtCreateSemaphore(>)  6 
NtSetInformationFile(>)  30 
NtSetInformationThread(>)  267 

NtUserCallOneParam(>)  1 
NtQueryDefaultLocale(>)  6 
NtCreateEvent(>)  39 
NtQueryValueKey(>)  307 

NtUserGetThreadDesktop(>)  1 
NtReadFile(>)  6 
NtDeviceIoControlFile(>)  45 
NtProtectVirtualMemory(>)  449 

NtUserGetThreadState(>)  1 
NtWriteFile(>)  6 
NtOpenFile(>)  48 
NtClose(>)  452 

NtAddAtom(>)  2 
NtOpenMutant(>)  7 
NtUserFindExistingCursorIcon(>)  50 
NtAllocateVirtualMemory(>)  461 

NtCallbackReturn(>)  2 
NtOpenProcessToken(>)  7 
NtUnmapViewOfSection(>)  53 

Trace:
 00001   896   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147482756, {status=0x0, info=1}, ) }, 0, 32, ... -2147482756, {status=0x0, info=1}, ) == 0x0
 00002   896   NtQueryInformationFile  (-2147482756, -142414796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00003   896   NtReadFile  (-2147482756, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474},  (-2147482756, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0
 00004   896   NtClose  (-2147482756, ... ) == 0x0
 00005   896   NtCreateFile  (0x100080, {24, 0, 0x240, 0, 0,  (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482756, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482756, {status=0x0, info=0}, ) == 0x0
 00006   896   NtQueryVolumeInformationFile  (-2147482756, -142414840, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00007   896   NtClose  (-2147482756, ... ) == 0x0
 00008   896   NtCreateFile  (0x100180, {24, 0, 0x240, 0, 0,  (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ...
 00009   896   NtContinue  (-142419640, 0, ...
 00008   896   NtCreateFile  ... -2147482756, {status=0x0, info=1}, ) == 0x0
 00010   896   NtQueryVolumeInformationFile  (-2147482756, -142414852, 24, Volume, ... {status=0x0, info=18}, ) == 0x0
 00011   896   NtFsControlFile  (-2147482756, 0, 0x0, 0x0, 0x90120,  (-2147482756, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00012   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00013   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0
 00014   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00015   896   NtClose  (-2147482764, ... ) == 0x0
 00016   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00017   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0
 00018   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00019   896   NtClose  (-2147482764, ... ) == 0x0
 00020   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00021   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0
 00022   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0
 00023   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0
 00024   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0
 00025   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0
 00026   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00027   896   NtClose  (-2147482764, ... ) == 0x0
 00028   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00029   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0
 00030   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00031   896   NtClose  (-2147482764, ... ) == 0x0
 00032   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00033   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0
 00034   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00035   896   NtClose  (-2147482764, ... ) == 0x0
 00036   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0
 00037   896   NtClose  (-2147482688, ... ) == 0x0
 00038   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482660, ) == 0x0
 00039   896   NtClose  (-2147482660, ... ) == 0x0
 00040   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0
 00041   896   NtClose  (-2147482656, ... ) == 0x0
 00042   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0
 00043   896   NtClose  (-2147482652, ... ) == 0x0
 00044   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0
 00045   896   NtClose  (-2147482724, ... ) == 0x0
 00046   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0
 00047   896   NtClose  (-2147481452, ... ) == 0x0
 00048   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0
 00049   896   NtClose  (-2147482684, ... ) == 0x0
 00050   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0
 00051   896   NtClose  (-2147482680, ... ) == 0x0
 00052   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147482760, ) == 0x0
 00053   896   NtClose  (-2147482760, ... ) == 0x0
 00054   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147481628, ) == 0x0
 00055   896   NtClose  (-2147481628, ... ) == 0x0
 00056   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147481484, ) == 0x0
 00057   896   NtClose  (-2147481484, ... ) == 0x0
 00058   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147482104, ) == 0x0
 00059   896   NtClose  (-2147482104, ... ) == 0x0
 00060   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482104, ... -2147482592, ) == 0x0
 00061   896   NtClose  (-2147482592, ... ) == 0x0
 00062   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482592, ... -2147481624, ) == 0x0
 00063   896   NtClose  (-2147481624, ... ) == 0x0
 00064   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481624, ... -2147482676, ) == 0x0
 00065   896   NtClose  (-2147482676, ... ) == 0x0
 00066   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0
 00067   896   NtClose  (-2147482672, ... ) == 0x0
 00068   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0
 00069   896   NtClose  (-2147482668, ... ) == 0x0
 00070   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0
 00071   896   NtClose  (-2147482664, ... ) == 0x0
 00072   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0
 00073   896   NtClose  (-2147481588, ... ) == 0x0
 00074   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0
 00075   896   NtClose  (-2147481584, ... ) == 0x0
 00076   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0
 00077   896   NtClose  (-2147482692, ... ) == 0x0
 00078   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0
 00079   896   NtClose  (-2147481512, ... ) == 0x0
 00080   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0
 00081   896   NtClose  (-2147481580, ... ) == 0x0
 00082   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0
 00083   896   NtClose  (-2147481552, ... ) == 0x0
 00084   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0
 00085   896   NtClose  (-2147481592, ... ) == 0x0
 00086   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0
 00087   896   NtClose  (-2147481596, ... ) == 0x0
 00088   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0
 00089   896   NtClose  (-2147482108, ... ) == 0x0
 00090   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0
 00091   896   NtClose  (-2147482732, ... ) == 0x0
 00092   896   NtClose  (-2147482764, ... ) == 0x0
 00093   896   NtClose  (-2147482688, ... ) == 0x0
 00094   896   NtClose  (-2147482660, ... ) == 0x0
 00095   896   NtClose  (-2147482656, ... ) == 0x0
 00096   896   NtClose  (-2147482652, ... ) == 0x0
 00097   896   NtClose  (-2147482724, ... ) == 0x0
 00098   896   NtClose  (-2147481452, ... ) == 0x0
 00099   896   NtClose  (-2147482684, ... ) == 0x0
 00100   896   NtClose  (-2147482680, ... ) == 0x0
 00101   896   NtClose  (-2147482760, ... ) == 0x0
 00102   896   NtClose  (-2147481628, ... ) == 0x0
 00103   896   NtClose  (-2147481484, ... ) == 0x0
 00104   896   NtClose  (-2147482104, ... ) == 0x0
 00105   896   NtClose  (-2147482592, ... ) == 0x0
 00106   896   NtClose  (-2147481624, ... ) == 0x0
 00107   896   NtClose  (-2147482676, ... ) == 0x0
 00108   896   NtClose  (-2147482672, ... ) == 0x0
 00109   896   NtClose  (-2147482668, ... ) == 0x0
 00110   896   NtClose  (-2147482664, ... ) == 0x0
 00111   896   NtClose  (-2147481588, ... ) == 0x0
 00112   896   NtClose  (-2147481584, ... ) == 0x0
 00113   896   NtClose  (-2147482692, ... ) == 0x0
 00114   896   NtClose  (-2147481512, ... ) == 0x0
 00115   896   NtClose  (-2147481580, ... ) == 0x0
 00116   896   NtClose  (-2147481552, ... ) == 0x0
 00117   896   NtClose  (-2147481592, ... ) == 0x0
 00118   896   NtClose  (-2147481596, ... ) == 0x0
 00119   896   NtClose  (-2147482108, ... ) == 0x0
 00120   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0
 00121   896   NtClose  (-2147481596, ... ) == 0x0
 00122   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0
 00123   896   NtClose  (-2147481592, ... ) == 0x0
 00124   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0
 00125   896   NtClose  (-2147481552, ... ) == 0x0
 00126   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0
 00127   896   NtClose  (-2147481580, ... ) == 0x0
 00128   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0
 00129   896   NtClose  (-2147481512, ... ) == 0x0
 00130   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0
 00131   896   NtClose  (-2147482692, ... ) == 0x0
 00132   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... -2147481584, ) == 0x0
 00133   896   NtClose  (-2147481584, ... ) == 0x0
 00134   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0
 00135   896   NtClose  (-2147481588, ... ) == 0x0
 00136   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0
 00137   896   NtClose  (-2147482664, ... ) == 0x0
 00138   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0
 00139   896   NtClose  (-2147482668, ... ) == 0x0
 00140   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0
 00141   896   NtClose  (-2147482672, ... ) == 0x0
 00142   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0
 00143   896   NtClose  (-2147482676, ... ) == 0x0
 00144   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147481624, ) == 0x0
 00145   896   NtClose  (-2147481624, ... ) == 0x0
 00146   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481624, ... -2147482592, ) == 0x0
 00147   896   NtClose  (-2147482592, ... ) == 0x0
 00148   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482592, ... -2147482104, ) == 0x0
 00149   896   NtClose  (-2147482104, ... ) == 0x0
 00150   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482104, ... -2147481484, ) == 0x0
 00151   896   NtClose  (-2147481484, ... ) == 0x0
 00152   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481484, ... -2147481628, ) == 0x0
 00153   896   NtClose  (-2147481628, ... ) == 0x0
 00154   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482760, ) == 0x0
 00155   896   NtClose  (-2147482760, ... ) == 0x0
 00156   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... -2147482680, ) == 0x0
 00157   896   NtClose  (-2147482680, ... ) == 0x0
 00158   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0
 00159   896   NtClose  (-2147482684, ... ) == 0x0
 00160   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0
 00161   896   NtClose  (-2147481452, ... ) == 0x0
 00162   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0
 00163   896   NtClose  (-2147482724, ... ) == 0x0
 00164   896   NtClose  (-2147482108, ... ) == 0x0
 00165   896   NtClose  (-2147481596, ... ) == 0x0
 00166   896   NtClose  (-2147481592, ... ) == 0x0
 00167   896   NtClose  (-2147481552, ... ) == 0x0
 00168   896   NtClose  (-2147481580, ... ) == 0x0
 00169   896   NtClose  (-2147481512, ... ) == 0x0
 00170   896   NtClose  (-2147482692, ... ) == 0x0
 00171   896   NtClose  (-2147481584, ... ) == 0x0
 00172   896   NtClose  (-2147481588, ... ) == 0x0
 00173   896   NtClose  (-2147482664, ... ) == 0x0
 00174   896   NtClose  (-2147482668, ... ) == 0x0
 00175   896   NtClose  (-2147482672, ... ) == 0x0
 00176   896   NtClose  (-2147482676, ... ) == 0x0
 00177   896   NtClose  (-2147481624, ... ) == 0x0
 00178   896   NtClose  (-2147482592, ... ) == 0x0
 00179   896   NtClose  (-2147482104, ... ) == 0x0
 00180   896   NtClose  (-2147481484, ... ) == 0x0
 00181   896   NtClose  (-2147481628, ... ) == 0x0
 00182   896   NtClose  (-2147482760, ... ) == 0x0
 00183   896   NtClose  (-2147482680, ... ) == 0x0
 00184   896   NtClose  (-2147482684, ... ) == 0x0
 00185   896   NtClose  (-2147481452, ... ) == 0x0
 00186   896   NtClose  (-2147482756, ... ) == 0x0
 00187   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   896   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00189   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00191   896   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00192   896   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00193   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00195   896   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00196   896   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00197   896   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00198   896   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00199   896   NtClose  (12, ... ) == 0x0
 00200   896   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00201   896   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00202   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00204   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00205   896   NtClose  (16, ... ) == 0x0
 00206   896   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00207   896   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00208   896   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00209   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00210   896   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00211   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212   896   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00213   896   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0
 00214   896   NtClose  (16, ... ) == 0x0
 00215   896   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00216   896   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00217   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218   896   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00219   896   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00220   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81831, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ) == 0x0
 00221   896   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00222   896   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00223   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00224   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225   896   NtClose  (16, ... ) == 0x0
 00226   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00227   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00228   896   NtClose  (16, ... ) == 0x0
 00229   896   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00230   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00231   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00232   896   NtClose  (16, ... ) == 0x0
 00233   896   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00234   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00235   896   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00236   896   NtClose  (16, ... ) == 0x0
 00237   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00238   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00239   896   NtClose  (16, ... ) == 0x0
 00240   896   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00241   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   896   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00244   896   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ... {24, 52, reply, 0, 1252, 896, 81832, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ) == 0x0
 00245   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81833, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ) == 0x0
 00246   896   NtProtectVirtualMemory  (-1, (0x408000), 94208, 4, ... (0x408000), 94208, 128, ) == 0x0
 00247   896   NtProtectVirtualMemory  (-1, (0x408000), 94208, 128, ... (0x408000), 94208, 4, ) == 0x0
 00248   896   NtFlushInstructionCache  (-1, 4227072, 94208, ... ) == 0x0
 00249   896   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00250   896   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00251   896   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00252   896   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00253   896   NtClose  (16, ... ) == 0x0
 00254   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00255   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00256   896   NtClose  (16, ... ) == 0x0
 00257   896   NtTestAlert  (... ) == 0x0
 00258   896   NtContinue  (1244464, 1, ...
 00259   896   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40292e,}, 4, ... ) == 0x0
 00260   896   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 16, ) }, ... 16, ) == 0x0
 00261   896   NtCreateEvent  (0x1f0003, {24, 16, 0x80, 1245092, 0,  (0x1f0003, {24, 16, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 28, ) }, 1, 0, ... 28, ) == 0x0
 00262   896   NtCreateSection  (0xe, {24, 0, 0x40, 1245092, 0,  (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\W32_Virtu"}, {27086, 0}, 64, 134217728, 0, ... 32, ) }, {27086, 0}, 64, 134217728, 0, ... 32, ) == 0x0
 00263   896   NtMapViewOfSection  (32, -1, (0x0), 0, 27086, 0x0, 27086, 2, 0, 64, ... (0x320000), 0x0, 28672, ) == 0x0
 00264   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 36, ) }, ... 36, ) == 0x0
 00265   896   NtQueryValueKey  (36,  (36, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00266   896   NtClose  (36, ... ) == 0x0
 00267   896   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00268   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00269   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00270   896   NtClose  (36, ... ) == 0x0
 00271   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00272   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00273   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00274   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 36, ) }, ... 36, ) == 0x0
 00275   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00276   896   NtClose  (36, ... ) == 0x0
 00277   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00278   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00279   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00280   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00281   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00282   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00283   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00284   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00285   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00286   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00287   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00288   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00289   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00290   896   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00291   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00292   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 36, ) }, ... 36, ) == 0x0
 00293   896   NtQueryValueKey  (36,  (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00294   896   NtQueryValueKey  (36,  (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00295   896   NtClose  (36, ... ) == 0x0
 00296   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 36, ) }, ... 36, ) == 0x0
 00297   896   NtQueryValueKey  (36,  (36, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   896   NtClose  (36, ... ) == 0x0
 00299   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 36, ) }, ... 36, ) == 0x0
 00300   896   NtSetInformationObject  (36, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00301   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00302   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00303   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   896   NtOpenProcessToken  (-1, 0x20, ... 40, ) == 0x0
 00305   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00306   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00307   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 44, ) }, ... 44, ) == 0x0
 00308   896   NtQueryValueKey  (44,  (44, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   896   NtClose  (44, ... ) == 0x0
 00310   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 44, ) == 0x0
 00312   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0
 00313   896   NtQuerySystemTime  (... {1412891664, 29929616}, ) == 0x0
 00314   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00315   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00316   896   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00317   896   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00318   896   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00319   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00320   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 60, ) == 0x0
 00321   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 64, ) }, ... 64, ) == 0x0
 00322   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "ActiveComputerName"}, ... 68, ) }, ... 68, ) == 0x0
 00323   896   NtQueryValueKey  (68,  (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00324   896   NtClose  (68, ... ) == 0x0
 00325   896   NtClose  (64, ... ) == 0x0
 00326   896   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 64, ) == 0x0
 00327   896   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 68, ) == 0x0
 00328   896   NtDuplicateObject  (-1, 64, -1, 0x0, 0, 2, ... 72, ) == 0x0
 00329   896   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00330   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00331   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0
 00332   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00333   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00334   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243252,  (0xc0100080, {24, 0, 0x40, 0, 1243252, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0
 00335   896   NtSetInformationFile  (80, 1243308, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00336   896   NtSetInformationFile  (80, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00337   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00338   896   NtWriteFile  (80, 57, 0, 0,  (80, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00339   896   NtReadFile  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00340   896   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00341   896   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) == 0x103
 00342   896   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00343   896   NtClose  (76, ... ) == 0x0
 00344   896   NtClose  (80, ... ) == 0x0
 00345   896   NtAdjustPrivilegesToken  (40, 0, 1245096, 0, 0, 0, ... ) == 0x0
 00346   896   NtClose  (40, ... ) == 0x0
 00347   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 3342336, 65536, ) == 0x0
 00348   896   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00349   896   NtCreateSection  (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 40, ) == 0x0
 00350   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00351   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00352   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0
 00353   896   NtFreeVirtualMemory  (-1, (0x330000), 0, 32768, ... (0x330000), 65536, ) == 0x0
 00354   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00355   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00356   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00357   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00358   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00359   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00360   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00361   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00362   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00363   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00364   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00365   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 80, ) == 0x0
 00366   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 76, ) }, ... 76, ) == 0x0
 00367   896   NtMapViewOfSection  (76, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00368   896   NtClose  (76, ... ) == 0x0
 00369   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00370   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00371   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00372   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00373   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00374   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00375   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00376   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00377   896   NtAllocateVirtualMemory  (80, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0
 00378   896   NtAllocateVirtualMemory  (80, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0
 00379   896   NtProtectVirtualMemory  (80, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0
 00380   896   NtCreateThread  (0x1f03ff, 0x0, 80, 1243840, 1243784, 1, ... 76, {580, 2016}, ) == 0x0
 00381   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81834, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\340\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81834, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81834, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\340\7\0\0" )  ) == 0x0
 00382   896   NtResumeThread  (76, ... 1, ) == 0x0
 00383   896   NtClose  (80, ... ) == 0x0
 00384   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00385   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00386   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {640, 0}, ... 80, ) == 0x0
 00387   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00388   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00389   896   NtClose  (84, ... ) == 0x0
 00390   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00391   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00392   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00393   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00394   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00395   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00396   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00397   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00398   896   NtClose  (80, ... ) == 0x0
 00399   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00400   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00401   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {652, 0}, ... 80, ) == 0x0
 00402   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00403   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00404   896   NtClose  (84, ... ) == 0x0
 00405   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00406   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00407   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00408   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00409   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00410   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00411   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00412   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00413   896   NtClose  (80, ... ) == 0x0
 00414   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00415   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00416   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {816, 0}, ... 80, ) == 0x0
 00417   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00418   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00419   896   NtClose  (84, ... ) == 0x0
 00420   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00421   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00422   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00423   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00424   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00425   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00426   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00427   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00428   896   NtClose  (80, ... ) == 0x0
 00429   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00430   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00431   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {904, 0}, ... 80, ) == 0x0
 00432   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00433   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00434   896   NtClose  (84, ... ) == 0x0
 00435   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00436   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00437   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00438   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00439   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00440   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00441   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00442   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00443   896   NtClose  (80, ... ) == 0x0
 00444   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00445   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00446   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1000, 0}, ... 80, ) == 0x0
 00447   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00448   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff50000), 0x0, 28672, ) == 0x0
 00449   896   NtClose  (84, ... ) == 0x0
 00450   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00451   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Md\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00452   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00453   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00454   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00455   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00456   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00457   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00458   896   NtClose  (80, ... ) == 0x0
 00459   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00460   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00461   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 80, ) == 0x0
 00462   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00463   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00464   896   NtClose  (84, ... ) == 0x0
 00465   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00466   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00467   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00468   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00469   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00470   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00471   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00472   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00473   896   NtClose  (80, ... ) == 0x0
 00474   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00475   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00476   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1196, 0}, ... 80, ) == 0x0
 00477   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00478   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00479   896   NtClose  (84, ... ) == 0x0
 00480   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00481   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00482   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00483   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00484   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00485   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00486   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00487   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00488   896   NtClose  (80, ... ) == 0x0
 00489   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00490   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00491   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1468, 0}, ... 80, ) == 0x0
 00492   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00493   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00494   896   NtClose  (84, ... ) == 0x0
 00495   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00496   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00497   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00498   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00499   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00500   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00501   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00502   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00503   896   NtClose  (80, ... ) == 0x0
 00504   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00505   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00506   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 80, ) == 0x0
 00507   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00508   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00509   896   NtClose  (84, ... ) == 0x0
 00510   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00511   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00512   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00513   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00514   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00515   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00516   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00517   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00518   896   NtClose  (80, ... ) == 0x0
 00519   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00520   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00521   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 80, ) == 0x0
 00522   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00523   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00524   896   NtClose  (84, ... ) == 0x0
 00525   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00526   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00527   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00528   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00529   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00530   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00531   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00532   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00533   896   NtClose  (80, ... ) == 0x0
 00534   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00535   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00536   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 80, ) == 0x0
 00537   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00538   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00539   896   NtClose  (84, ... ) == 0x0
 00540   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00541   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00542   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00543   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00544   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00545   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00546   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00547   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00548   896   NtClose  (80, ... ) == 0x0
 00549   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00550   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00551   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 80, ) == 0x0
 00552   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00553   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00554   896   NtClose  (84, ... ) == 0x0
 00555   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00556   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00557   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00558   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00559   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00560   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00561   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00562   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00563   896   NtClose  (80, ... ) == 0x0
 00564   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00565   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00566   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 80, ) == 0x0
 00567   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00568   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00569   896   NtClose  (84, ... ) == 0x0
 00570   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00571   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00572   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00573   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00574   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00575   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00576   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00577   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00578   896   NtClose  (80, ... ) == 0x0
 00579   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00580   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00581   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 80, ) == 0x0
 00582   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00583   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00584   896   NtClose  (84, ... ) == 0x0
 00585   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00586   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00587   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00588   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00589   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00590   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00591   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00592   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00593   896   NtClose  (80, ... ) == 0x0
 00594   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00595   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00596   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 80, ) == 0x0
 00597   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00598   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00599   896   NtClose  (84, ... ) == 0x0
 00600   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00601   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00602   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00603   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00604   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00605   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00606   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00607   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00608   896   NtClose  (80, ... ) == 0x0
 00609   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00610   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00611   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 80, ) == 0x0
 00612   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00613   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00614   896   NtClose  (84, ... ) == 0x0
 00615   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00616   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00617   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00618   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00619   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00620   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00621   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00622   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00623   896   NtClose  (80, ... ) == 0x0
 00624   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00625   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00626   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1408, 0}, ... 80, ) == 0x0
 00627   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00628   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00629   896   NtClose  (84, ... ) == 0x0
 00630   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00631   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00632   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00633   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00634   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00635   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00636   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00637   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00638   896   NtClose  (80, ... ) == 0x0
 00639   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00640   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00641   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 80, ) == 0x0
 00642   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00643   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00644   896   NtClose  (84, ... ) == 0x0
 00645   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00646   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00647   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00648   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00649   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00650   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00651   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00652   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00653   896   NtClose  (80, ... ) == 0x0
 00654   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00655   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00656   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 80, ) == 0x0
 00657   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00658   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00659   896   NtClose  (84, ... ) == 0x0
 00660   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00661   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00662   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00663   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00664   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00665   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00666   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00667   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00668   896   NtClose  (80, ... ) == 0x0
 00669   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00670   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00671   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1452, 0}, ... 80, ) == 0x0
 00672   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00673   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00674   896   NtClose  (84, ... ) == 0x0
 00675   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00676   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00677   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00678   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00679   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00680   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00681   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00682   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00683   896   NtClose  (80, ... ) == 0x0
 00684   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00685   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00686   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {784, 0}, ... 80, ) == 0x0
 00687   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00688   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00689   896   NtClose  (84, ... ) == 0x0
 00690   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00691   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00692   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00693   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00694   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00695   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00696   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00697   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00698   896   NtClose  (80, ... ) == 0x0
 00699   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00700   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00701   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {488, 0}, ... 80, ) == 0x0
 00702   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00703   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00704   896   NtClose  (84, ... ) == 0x0
 00705   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00706   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00707   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00708   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00709   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00710   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00711   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00712   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00713   896   NtClose  (80, ... ) == 0x0
 00714   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00715   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00716   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1208, 0}, ... 80, ) == 0x0
 00717   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00718   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00719   896   NtClose  (84, ... ) == 0x0
 00720   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00721   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00722   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00723   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00724   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00725   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00726   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00727   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00728   896   NtClose  (80, ... ) == 0x0
 00729   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00730   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00731   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {168, 0}, ... 80, ) == 0x0
 00732   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00733   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00734   896   NtClose  (84, ... ) == 0x0
 00735   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00736   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00737   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00738   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00739   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00740   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00741   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00742   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00743   896   NtClose  (80, ... ) == 0x0
 00744   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00745   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00746   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {764, 0}, ... 80, ) == 0x0
 00747   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00748   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00749   896   NtClose  (84, ... ) == 0x0
 00750   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00751   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00752   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00753   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00754   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00755   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00756   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00757   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00758   896   NtClose  (80, ... ) == 0x0
 00759   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00760   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00761   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {868, 0}, ... 80, ) == 0x0
 00762   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00763   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00764   896   NtClose  (84, ... ) == 0x0
 00765   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00766   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00767   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00768   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00769   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00770   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00771   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00772   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00773   896   NtClose  (80, ... ) == 0x0
 00774   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00775   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00776   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {808, 0}, ... 80, ) == 0x0
 00777   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00778   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00779   896   NtClose  (84, ... ) == 0x0
 00780   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00781   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00782   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00783   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00784   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00785   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00786   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00787   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00788   896   NtClose  (80, ... ) == 0x0
 00789   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00790   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00791   896   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1252, 0}, ... 80, ) == 0x0
 00792   896   NtOpenSection  (0xe, {24, 16, 0x0, 0, 0,  (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0
 00793   896   NtMapViewOfSection  (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00794   896   NtClose  (84, ... ) == 0x0
 00795   896   NtProtectVirtualMemory  (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00796   896   NtWriteVirtualMemory  (80, 0x7c90d682,  (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00797   896   NtProtectVirtualMemory  (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00798   896   NtWriteVirtualMemory  (80, 0x7c90dcfd,  (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00799   896   NtProtectVirtualMemory  (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00800   896   NtWriteVirtualMemory  (80, 0x7c90d754,  (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00801   896   NtProtectVirtualMemory  (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00802   896   NtWriteVirtualMemory  (80, 0x7c90d769,  (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00803   896   NtClose  (80, ... ) == 0x0
 00804   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0
 00805   896   NtUnmapViewOfSection  (-1, 0x330000, ... ) == 0x0
 00806   896   NtClose  (40, ... ) == 0x0
 00807   896   NtClose  (28, ... ) == 0x0
 00808   896   NtQueryVirtualMemory  (-1, 0x408729, Basic, 28, ... {BaseAddress=0x408000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x4000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00809   896   NtContinue  (1244400, 0, ...
 00810   896   NtAllocateVirtualMemory  (-1, 0, 0, 2398, 4096, 64, ... 3342336, 4096, ) == 0x0
 00811   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00812   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00813   896   NtClose  (28, ... ) == 0x0
 00814   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00815   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00816   896   NtClose  (28, ... ) == 0x0
 00817   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00818   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00819   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00820   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00821   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00822   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00823   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00824   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00825   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00826   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00827   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00828   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00829   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00830   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00831   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00832   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00833   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00834   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00835   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00836   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00837   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00838   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81879, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81879, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81879, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ) == 0x0
 00839   896   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00840   896   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00841   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00842   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00843   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 40, ) == 0x0
 00844   896   NtClose  (28, ... ) == 0x0
 00845   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00846   896   NtClose  (40, ... ) == 0x0
 00847   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00848   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00849   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00850   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 40, ... 28, ) == 0x0
 00851   896   NtClose  (40, ... ) == 0x0
 00852   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00853   896   NtClose  (28, ... ) == 0x0
 00854   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00855   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00856   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00857   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 40, ) == 0x0
 00858   896   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00859   896   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00860   896   NtQueryInformationToken  (80, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00861   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00862   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 84, ) }, ... 84, ) == 0x0
 00863   896   NtQueryValueKey  (84,  (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00864   896   NtClose  (84, ... ) == 0x0
 00865   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00866   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00867   896   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00868   896   NtClose  (84, ... ) == 0x0
 00869   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00870   896   NtClose  (80, ... ) == 0x0
 00871   896   NtClose  (28, ... ) == 0x0
 00872   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00873   896   NtClose  (40, ... ) == 0x0
 00874   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00875   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00876   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00877   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00878   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00879   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00880   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00881   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00882   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00883   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00884   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00885   896   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00886   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00887   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00888   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00889   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 40, ) }, ... 40, ) == 0x0
 00890   896   NtQueryValueKey  (40,  (40, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00891   896   NtClose  (40, ... ) == 0x0
 00892   896   NtMapViewOfSection  (-2147482756, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4f0000), 0x0, 1060864, ) == 0x0
 00893   896   NtClose  (-2147482756, ... ) == 0x0
 00894   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0
 00895   896   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00896   896   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482756, ) == 0x0
 00897   896   NtQueryInformationToken  (-2147482756, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00898   896   NtQueryInformationToken  (-2147482756, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00899   896   NtClose  (-2147482756, ... ) == 0x0
 00900   896   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00901   896   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00902   896   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 84, ) == 0x0
 00903   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00904   896   NtQueryValueKey  (-2147482756,  (-2147482756, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   896   NtClose  (-2147482756, ... ) == 0x0
 00906   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00907   896   NtQueryValueKey  (-2147482756,  (-2147482756, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00908   896   NtClose  (-2147482756, ... ) == 0x0
 00909   896   NtQueryDefaultLocale  (0, -142628532, ... ) == 0x0
 00910   896   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00911   896   NtUserCallNoParam  (24, ... ) == 0x0
 00912   896   NtGdiCreateCompatibleDC  (0, ...
 00913   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00912   896   NtGdiCreateCompatibleDC  ... ) == 0x860107ab
 00914   896   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00915   896   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00916   896   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x870506a2
 00917   896   NtGdiCreateSolidBrush  (0, 0, ...
 00918   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00917   896   NtGdiCreateSolidBrush  ... ) == 0x1100680
 00919   896   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00920   896   NtGdiCreateCompatibleDC  (0, ... ) == 0xf6010687
 00921   896   NtGdiSelectBitmap  (-167704953, -2029713758, ... ) == 0x185000f
 00922   896   NtUserGetThreadDesktop  (896, 0, ... ) == 0x50
 00923   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 88, ) }, ... 88, ) == 0x0
 00924   896   NtQueryValueKey  (88,  (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00925   896   NtClose  (88, ... ) == 0x0
 00926   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00927   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8177c017
 00928   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00929   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8177c01c
 00930   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00931   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8177c01e
 00932   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00933   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81778002
 00934   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00935   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8177c018
 00936   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00937   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8177c01a
 00938   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00939   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8177c01d
 00940   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00941   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8177c026
 00942   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00943   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8177c019
 00944   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c020
 00945   896   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c022
 00946   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c023
 00947   896   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c024
 00948   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c025
 00949   896   NtCallbackReturn  (0, 0, 0, ...
 00950   896   NtGdiInit  (... ) == 0x1
 00951   896   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00952   896   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00953   896   NtAllocateVirtualMemory  (-1, 0, 0, 27136, 4096, 64, ... 3538944, 28672, ) == 0x0
 00954   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00955   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00956   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00957   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00958   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0
 00959   896   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00960   896   NtClose  (88, ... ) == 0x0
 00961   896   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00962   896   NtClose  (92, ... ) == 0x0
 00963   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00964   896   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00965   896   NtClose  (92, ... ) == 0x0
 00966   896   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00967   896   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00968   896   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00969   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00970   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00971   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00972   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00974   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00975   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00976   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0
 00977   896   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00978   896   NtClose  (92, ... ) == 0x0
 00979   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00980   896   NtClose  (88, ... ) == 0x0
 00981   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00982   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00983   896   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00984   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00985   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00986   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00987   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00988   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00989   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00990   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0
 00991   896   NtAllocateVirtualMemory  (-1, 3608576, 0, 8192, 4096, 4, ... 3608576, 8192, ) == 0x0
 00992   896   NtAllocateVirtualMemory  (-1, 3616768, 0, 4096, 4096, 4, ... 3616768, 4096, ) == 0x0
 00993   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 88, ) }, ... 88, ) == 0x0
 00994   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x380000), 0x0, 12288, ) == 0x0
 00995   896   NtClose  (88, ... ) == 0x0
 00996   896   NtAllocateVirtualMemory  (-1, 3620864, 0, 4096, 4096, 4, ... 3620864, 4096, ) == 0x0
 00997   896   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00998   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00999   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01000   896   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 01001   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01002   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01003   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01004   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01005   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 88, ) }, ... 88, ) == 0x0
 01006   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0
 01007   896   NtClose  (88, ... ) == 0x0
 01008   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01009   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01010   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01011   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01012   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01013   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01014   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 88, ) }, ... 88, ) == 0x0
 01015   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 01016   896   NtClose  (88, ... ) == 0x0
 01017   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01018   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01019   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01020   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01021   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01022   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01023   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01024   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01025   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01026   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01027   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01028   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01029   896   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01030   896   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01031   896   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01032   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01033   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01034   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01035   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01036   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01037   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01038   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01039   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01040   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01041   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01042   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01043   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01044   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 88, ) }, ... 88, ) == 0x0
 01045   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x390000), 0x0, 36864, ) == STATUS_IMAGE_NOT_AT_BASE
 01046   896   NtProtectVirtualMemory  (-1, (0x391000), 18944, 4, ... (0x391000), 20480, 32, ) == 0x0
 01047   896   NtProtectVirtualMemory  (-1, (0x397000), 1024, 4, ... (0x397000), 4096, 2, ) == 0x0
 01048   896   NtProtectVirtualMemory  (-1, (0x398000), 1536, 4, ... (0x398000), 4096, 2, ) == 0x0
 01049   896   NtMapViewOfSection  (88, -1, (0x390000), 0, 0, 0x0, 36864, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 01050   896   NtProtectVirtualMemory  (-1, (0x391000), 18944, 16, ... (0x391000), 20480, 4, ) == 0x0
 01051   896   NtProtectVirtualMemory  (-1, (0x397000), 1024, 2, ... (0x397000), 4096, 8, ) == 0x0
 01052   896   NtProtectVirtualMemory  (-1, (0x398000), 1536, 2, ... (0x398000), 4096, 8, ) == 0x0
 01053   896   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 01054   896   NtClose  (88, ... ) == 0x0
 01055   896   NtProtectVirtualMemory  (-1, (0x391000), 160, 4, ... (0x391000), 4096, 16, ) == 0x0
 01056   896   NtProtectVirtualMemory  (-1, (0x391000), 4096, 16, ... (0x391000), 4096, 4, ) == 0x0
 01057   896   NtFlushInstructionCache  (-1, 3739648, 160, ... ) == 0x0
 01058   896   NtProtectVirtualMemory  (-1, (0x391000), 160, 4, ... (0x391000), 4096, 16, ) == 0x0
 01059   896   NtProtectVirtualMemory  (-1, (0x391000), 4096, 16, ... (0x391000), 4096, 4, ) == 0x0
 01060   896   NtFlushInstructionCache  (-1, 3739648, 160, ... ) == 0x0
 01061   896   NtProtectVirtualMemory  (-1, (0x391000), 160, 4, ... (0x391000), 4096, 16, ) == 0x0
 01062   896   NtProtectVirtualMemory  (-1, (0x391000), 4096, 16, ... (0x391000), 4096, 4, ) == 0x0
 01063   896   NtFlushInstructionCache  (-1, 3739648, 160, ... ) == 0x0
 01064   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01065   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01066   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01067   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 88, ) }, ... 88, ) == 0x0
 01068   896   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0
 01069   896   NtClose  (88, ... ) == 0x0
 01070   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01071   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01072   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01073   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01074   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01075   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01076   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01077   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01078   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01079   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01080   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01081   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01082   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01083   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01084   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01085   896   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 01086   896   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 01087   896   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 01088   896   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 01089   896   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 01090   896   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 01091   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092   896   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01093   896   NtCreateSemaphore  (0x1f0003, {24, 16, 0x80, 1338216, 0,  (0x1f0003, {24, 16, 0x80, 1338216, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 88, ) }, 0, 2147483647, ... 88, ) == STATUS_OBJECT_NAME_EXISTS
 01094   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01095   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01096   896   NtQueryPerformanceCounter  (... {-1447577166, 16}, {3579545, 0}, ) == 0x0
 01097   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01098   896   NtQueryPerformanceCounter  (... {-1447575276, 16}, {3579545, 0}, ) == 0x0
 01099   896   NtAllocateVirtualMemory  (-1, 1339392, 0, 8192, 4096, 4, ... 1339392, 8192, ) == 0x0
 01100   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01101   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9437184, 1048576, ) == 0x0
 01102   896   NtAllocateVirtualMemory  (-1, 9437184, 0, 4096, 4096, 4, ... 9437184, 4096, ) == 0x0
 01103   896   NtAllocateVirtualMemory  (-1, 9441280, 0, 8192, 4096, 4, ... 9441280, 8192, ) == 0x0
 01104   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 01105   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1242348,  (0xc0100080, {24, 0, 0x40, 0, 1242348, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 96, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 96, {status=0x0, info=0}, ) == 0x0
 01106   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 100, ) == 0x0
 01107   896   NtDeviceIoControlFile  (96, 100, 0x0, 0x12f54c, 0x22414c,  (96, 100, 0x0, 0x12f54c, 0x22414c, "\224\365\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 01108   896   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 01109   896   NtQueryValueKey  (-2147482756,  (-2147482756, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01110   896   NtQueryValueKey  (-2147482756,  (-2147482756, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01111   896   NtClose  (-2147482756, ... ) == 0x0
 01112   896   NtClose  (892, ... ) == 0x0
 01107   896   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "\250\211\376\341\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#u\0l\0t\0s\0\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01113   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1242564,  (0xc0100080, {24, 0, 0x40, 0, 1242564, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 108, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 108, {status=0x0, info=0}, ) == 0x0
 01114   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 01115   896   NtDuplicateObject  (-1, -1, -1, 0x0, 0, 2, ... 116, ) == 0x0
 01116   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 01117   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 01118   896   NtAllocateVirtualMemory  (-1, 9449472, 0, 8192, 4096, 4, ... 9449472, 8192, ) == 0x0
 01119   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10485760, 1048576, ) == 0x0
 01120   896   NtAllocateVirtualMemory  (-1, 11526144, 0, 8192, 4096, 4, ... 11526144, 8192, ) == 0x0
 01121   896   NtProtectVirtualMemory  (-1, (0xafe000), 4096, 260, ... (0xafe000), 4096, 4, ) == 0x0
 01122   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1241648, 1241592, 1, ... 128, {1252, 500}, ) == 0x0
 01123   896   NtQueryInformationThread  (128, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1252,Tid=500,}, 0x0, ) == 0x0
 01124   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 17, 1242416, 1319072, 9437560}  (24, {28, 56, new_msg, 0, 17, 1242416, 1319072, 9437560} "\0\0\0\0\1\0\1\0\200\0\0\0(\2\0\0\200\0\0\0\344\4\0\0\364\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\200\0\0\0\344\4\0\0\364\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81880, 0}  (24, {28, 56, new_msg, 0, 17, 1242416, 1319072, 9437560} "\0\0\0\0\1\0\1\0\200\0\0\0(\2\0\0\200\0\0\0\344\4\0\0\364\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\200\0\0\0\344\4\0\0\364\1\0\0" )  ) == 0x0
 01125   896   NtResumeThread  (128, ... 1, ) == 0x0
 01126   500   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 132, ) == 0x0
 01127   500   NtWaitForSingleObject  (132, 0, 0x0, ...
 01128   896   NtClose  (128, ... ) == 0x0
 01129   896   NtSetEvent  (112, ... 0x0, ) == 0x0
 01130   896   NtSetEvent  (92, ... 0x0, ) == 0x0
 01131   896   NtClose  (92, ... ) == 0x0
 01132   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 01133   896   NtAllocateVirtualMemory  (-1, 9457664, 0, 4096, 4096, 4, ... 9457664, 4096, ) == 0x0
 01134   896   NtDeviceIoControlFile  (96, 100, 0x0, 0x12f54c, 0x22414c,  (96, 100, 0x0, 0x12f54c, 0x22414c, "\224\365\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 01135   896   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 01136   896   NtQueryValueKey  (-2147482756,  (-2147482756, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01137   896   NtQueryValueKey  (-2147482756,  (-2147482756, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01138   896   NtClose  (-2147482756, ... ) == 0x0
 01139   896   NtClose  (892, ... ) == 0x0
 01134   896   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "(\14\30\342\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344e\0r\0Ntff\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01140   896   NtSetEvent  (112, ... 0x0, ) == 0x0
 01141   896   NtSetEvent  (92, ... 0x0, ) == 0x0
 01142   896   NtClose  (92, ... ) == 0x0
 01143   896   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01144   896   NtOpenProcessToken  (-1, 0xa, ... 92, ) == 0x0
 01145   896   NtDuplicateToken  (92, 0xc, {24, 0, 0x0, 0, 1242832, 0x0}, 0, 2, ... 136, ) == 0x0
 01146   896   NtClose  (92, ... ) == 0x0
 01147   896   NtAccessCheck  (1344040, 136, 0x1, 1242908, 1242960, 56, 1242940, ... (0x1), ) == 0x0
 01148   896   NtClose  (136, ... ) == 0x0
 01149   896   NtQueryDefaultUILanguage  (1241712, ...
 01150   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01151   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482756, ) == 0x0
 01152   896   NtQueryInformationToken  (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01153   896   NtClose  (-2147482756, ... ) == 0x0
 01154   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 01155   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x240, 0, 0,  (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01156   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x640, 0, 0,  (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01157   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158   896   NtClose  (-2147481452, ... ) == 0x0
 01159   896   NtClose  (-2147482756, ... ) == 0x0
 01149   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01160   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01161   896   NtQueryDefaultUILanguage  (2090319928, ...
 01162   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01163   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482756, ) == 0x0
 01164   896   NtQueryInformationToken  (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01165   896   NtClose  (-2147482756, ... ) == 0x0
 01166   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 01167   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x240, 0, 0,  (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01168   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x640, 0, 0,  (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01169   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01170   896   NtClose  (-2147481452, ... ) == 0x0
 01171   896   NtClose  (-2147482756, ... ) == 0x0
 01161   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01172   896   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 01173   896   NtQueryDefaultLocale  (1, 1239808, ... ) == 0x0
 01174   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01175   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568}  (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81881, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81881, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81881, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" )  ) == 0x0
 01176   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01177   896   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01178   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01179   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01180   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1239036, ... ) }, 1239036, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01181   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01182   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01183   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01184   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1239100, ... ) }, 1239100, ... ) == 0x0
 01185   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 136, {status=0x0, info=1}, ) }, 3, 33, ... 136, {status=0x0, info=1}, ) == 0x0
 01186   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01187   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01188   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 140, ) == 0x0
 01189   896   NtClose  (92, ... ) == 0x0
 01190   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb00000), 0x0, 1056768, ) == 0x0
 01191   896   NtClose  (140, ... ) == 0x0
 01192   896   NtUnmapViewOfSection  (-1, 0xb00000, ... ) == 0x0
 01193   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 140, {status=0x0, info=1}, ) }, 5, 96, ... 140, {status=0x0, info=1}, ) == 0x0
 01194   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 140, ... 92, ) == 0x0
 01195   896   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01196   896   NtClose  (140, ... ) == 0x0
 01197   896   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 01198   896   NtClose  (92, ... ) == 0x0
 01199   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01200   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01201   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01202   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01203   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01204   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01205   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01206   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01207   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01208   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01209   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01210   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01211   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01212   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01213   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01214   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01215   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01216   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01217   896   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01218   896   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01219   896   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01220   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221   896   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240580, ... ) , 42, 1240580, ... ) == 0x0
 01222   896   NtQueryDefaultUILanguage  (1239264, ...
 01223   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01224   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482756, ) == 0x0
 01225   896   NtQueryInformationToken  (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01226   896   NtClose  (-2147482756, ... ) == 0x0
 01227   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 01228   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x240, 0, 0,  (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01229   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x640, 0, 0,  (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01230   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01231   896   NtClose  (-2147481452, ... ) == 0x0
 01232   896   NtClose  (-2147482756, ... ) == 0x0
 01222   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01233   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238104, ... ) }, 1238104, ... ) == 0x0
 01234   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01235   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 140, ) == 0x0
 01236   896   NtClose  (92, ... ) == 0x0
 01237   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3b0000), 0x0, 4096, ) == 0x0
 01238   896   NtClose  (140, ... ) == 0x0
 01239   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 01240   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237700, ... ) }, 1237700, ... ) == 0x0
 01241   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238444,  (0x80100080, {24, 0, 0x40, 0, 1238444, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 140, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 140, {status=0x0, info=1}, ) == 0x0
 01242   896   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 140, ... 92, ) == 0x0
 01243   896   NtClose  (140, ... ) == 0x0
 01244   896   NtMapViewOfSection  (92, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3b0000), {0, 0}, 4096, ) == 0x0
 01245   896   NtClose  (92, ... ) == 0x0
 01246   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 01247   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 92, {status=0x0, info=1}, ) }, 1, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01248   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 92, ... 140, ) == 0x0
 01249   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3b0000), 0x0, 4096, ) == 0x0
 01250   896   NtQueryInformationFile  (92, 1238096, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01251   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01252   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120}  (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1\\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81882, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1\\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81882, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1\\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81882, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1\\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" )  ) == 0x0
 01253   896   NtClose  (92, ... ) == 0x0
 01254   896   NtClose  (140, ... ) == 0x0
 01255   896   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 01256   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01257   896   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01258   896   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 01259   896   NtUserGetDC  (0, ... ) == 0x1010052
 01260   896   NtQueryVirtualMemory  (-1, 0x7c91ca50, Basic, 28, ... {BaseAddress=0x7c91c000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01261   896   NtQueryVirtualMemory  (-1, 0x7c9163a8, Basic, 28, ... {BaseAddress=0x7c916000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x66000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01262   896   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01263   896   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01264   896   NtContinue  (1238304, 0, ...
 01265   896   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01266   896   NtUnmapViewOfSection  (-1, 0x773d0000, ... ) == 0x0
 01267   896   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01268   896   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01269   896   NtClose  (136, ... ) == 0x0
 01270   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 136, ) }, ... 136, ) == 0x0
 01271   896   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 01272   896   NtClose  (136, ... ) == 0x0
 01273   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01274   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01275   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01276   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01277   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01278   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01279   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01280   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01281   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01282   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01283   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01284   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01285   896   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 01286   896   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 01287   896   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 01288   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01289   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01290   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3801088, 65536, ) == 0x0
 01291   896   NtAllocateVirtualMemory  (-1, 3801088, 0, 4096, 4096, 4, ... 3801088, 4096, ) == 0x0
 01292   896   NtAllocateVirtualMemory  (-1, 3805184, 0, 8192, 4096, 4, ... 3805184, 8192, ) == 0x0
 01293   896   NtAllocateVirtualMemory  (-1, 3813376, 0, 4096, 4096, 4, ... 3813376, 4096, ) == 0x0
 01294   896   NtAllocateVirtualMemory  (-1, 3817472, 0, 4096, 4096, 4, ... 3817472, 4096, ) == 0x0
 01295   896   NtQueryDefaultUILanguage  (1238736, ...
 01296   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01297   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482756, ) == 0x0
 01298   896   NtQueryInformationToken  (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01299   896   NtClose  (-2147482756, ... ) == 0x0
 01300   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 01301   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x240, 0, 0,  (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x640, 0, 0,  (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 01303   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01304   896   NtClose  (-2147481452, ... ) == 0x0
 01305   896   NtClose  (-2147482756, ... ) == 0x0
 01295   896   NtQueryDefaultUILanguage  ... ) == 0x0
 01306   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 136, {status=0x0, info=1}, ) }, 1, 96, ... 136, {status=0x0, info=1}, ) == 0x0
 01307   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 136, ... 140, ) == 0x0
 01308   896   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xb00000), 0x0, 618496, ) == 0x0
 01309   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01310   896   NtQueryDefaultLocale  (1, 1236832, ... ) == 0x0
 01311   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01312   896   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592}  (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1\210\0\0\0\377\377\377\377\0\0\0\0\340q\267\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81883, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1\210\0\0\0\377\377\377\377\0\0\0\0\340q\267\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 896, 81883, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1\210\0\0\0\377\377\377\377\0\0\0\0\340q\267\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81883, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6!\1\210\0\0\0\377\377\377\377\0\0\0\0\340q\267\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6!\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" )  ) == 0x0
 01313   896   NtClose  (136, ... ) == 0x0
 01314   896   NtClose  (140, ... ) == 0x0
 01315   896   NtUnmapViewOfSection  (-1, 0xb00000, ... ) == 0x0
 01316   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01317   896   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1252, 0}, ... 140, ) == 0x0
 01318   896   NtQueryInformationProcess  (140, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 01319   896   NtClose  (140, ... ) == 0x0
 01320   896   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01321   896   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 01322   896   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 01323   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01324   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 140, ) == 0x0
 01325   896   NtQueryInformationToken  (140, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01326   896   NtClose  (140, ... ) == 0x0
 01327   896   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 140, ) }, ... 140, ) == 0x0
 01328   896   NtOpenProcessToken  (-1, 0x8, ... 136, ) == 0x0
 01329   896   NtAccessCheck  (1344040, 136, 0x1, 1239928, 1239980, 56, 1239960, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 01330   896   NtClose  (136, ... ) == 0x0
 01331   896   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "Control Panel\Desktop"}, ... 136, ) }, ... 136, ) == 0x0
 01332   896   NtQueryValueKey  (136,  (136, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01333   896   NtClose  (136, ... ) == 0x0
 01334   896   NtUserSystemParametersInfo  (41, 500, 1240108, 0, ... ) == 0x1
 01335   896   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 01336   896   NtClose  (140, ... ) == 0x0
 01337   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01338   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c03b
 01339   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c03d
 01340   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01341   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c03f
 01342   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01343   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c041
 01344   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01345   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c043
 01346   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c045
 01347   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01348   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c047
 01349   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01350   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c049
 01351   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01352   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c04b
 01353   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01354   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c04d
 01355   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01356   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c04f
 01357   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c051
 01358   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01359   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c053
 01360   896   NtUserFindExistingCursorIcon  (1239856, 1239872, 1239920, ... ) == 0x10011
 01361   896   NtUserRegisterClassExWOW  (1239800, 1239868, 1239884, 1239900, 0, 384, 0, ... ) == 0x8177c055
 01362   896   NtUserFindExistingCursorIcon  (1239856, 1239872, 1239920, ... ) == 0x10011
 01363   896   NtUserRegisterClassExWOW  (1239800, 1239868, 1239884, 1239900, 0, 384, 0, ... ) == 0x8177c057
 01364   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01365   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c059
 01366   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10013
 01367   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c05b
 01368   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01369   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c05d
 01370   896   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 01371   896   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8177c05f
 01372   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01373   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 140, ) == 0x0
 01374   896   NtQueryInformationToken  (140, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01375   896   NtClose  (140, ... ) == 0x0
 01376   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 140, ) }, ... 140, ) == 0x0
 01377   896   NtSetInformationObject  (140, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01378   896   NtCreateKey  (0x2001f, {24, 140, 0x40, 0, 0,  (0x2001f, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 136, 2, ) }, 0, 0x0, 0, ... 136, 2, ) == 0x0
 01379   896   NtSetEventBoostPriority  (132, ...
 01127   500   NtWaitForSingleObject  ... ) == 0x0
 01380   500   NtTestAlert  (... ) == 0x0
 01381   500   NtContinue  (11533616, 1, ...
 01382   500   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01383   500   NtDeviceIoControlFile  (108, 120, 0x0, 0x77e466a0, 0x228144,  (108, 120, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0t\0\0\0\0\0\0\0\200\0\0\0\0\0\0\0h\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01379   896   NtSetEventBoostPriority  ... ) == 0x0
 01384   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01385   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242908, ... }, 1242908, ...
 01386   500   NtWaitForMultipleObjects  (2, (112, 120, ), 1, 1, {1294967296, -1}, ... ) == 0x0
 01387   500   NtDeviceIoControlFile  (108, 124, 0x0, 0x77e46680, 0x228144,  (108, 124, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0t\0\0\0\0\0\0\0\200\0\0\0\0\0\0\0h\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 01388   500   NtWaitForMultipleObjects  (2, (112, 124, ), 1, 1, {1294967296, -1}, ...
 01385   896   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01389   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 01390   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01391   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 144, ) == 0x0
 01392   896   NtQuerySection  (144, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01393   896   NtClose  (92, ... ) == 0x0
 01394   896   NtMapViewOfSection  (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0
 01395   896   NtClose  (144, ... ) == 0x0
 01396   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01397   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01398   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01399   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01400   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01401   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01402   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01403   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01404   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01405   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01406   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01407   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01408   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01409   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01410   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01411   896   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01412   896   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01413   896   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01414   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01415   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01416   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3997696, 65536, ) == 0x0
 01417   896   NtAllocateVirtualMemory  (-1, 3997696, 0, 4096, 4096, 4, ... 3997696, 4096, ) == 0x0
 01418   896   NtAllocateVirtualMemory  (-1, 4001792, 0, 8192, 4096, 4, ... 4001792, 8192, ) == 0x0
 01419   896   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 144, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 144, {status=0x0, info=0}, ) == 0x0
 01420   896   NtCreateFile  (0x40000000, {24, 0, 0x40, 0, 0,  (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 92, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 92, {status=0x0, info=0}, ) == 0x0
 01421   896   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 148, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 148, {status=0x0, info=0}, ) == 0x0
 01422   896   NtCreateFile  (0x100003, {24, 0, 0x40, 0, 0,  (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 152, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 152, {status=0x0, info=0}, ) == 0x0
 01423   896   NtCreateFile  (0x20100080, {24, 0, 0x40, 0, 1242836,  (0x20100080, {24, 0, 0x40, 0, 1242836, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 156, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 156, {status=0x0, info=0}, ) == 0x0
 01424   896   NtAllocateVirtualMemory  (-1, 4009984, 0, 36864, 4096, 4, ... 4009984, 36864, ) == 0x0
 01425   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01426   896   NtDeviceIoControlFile  (144, 160, 0x0, 0x0, 0x120003,  (144, 160, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (144, 160, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01427   896   NtClose  (160, ... ) == 0x0
 01428   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01429   896   NtDeviceIoControlFile  (144, 160, 0x0, 0x0, 0x120003,  (144, 160, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118},  (144, 160, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0
 01430   896   NtClose  (160, ... ) == 0x0
 01431   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01432   896   NtDeviceIoControlFile  (144, 160, 0x0, 0x0, 0x120003,  (144, 160, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363\200\201\1\0\0\0\5\0\0\0\232A\250\25[]\241\6\245\205\1\0\326\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\5l\0'\222\0\0\356\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158},  (144, 160, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363\200\201\1\0\0\0\5\0\0\0\232A\250\25[]\241\6\245\205\1\0\326\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\5l\0'\222\0\0\356\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0
 01433   896   NtClose  (160, ... ) == 0x0
 01434   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01435   896   NtDeviceIoControlFile  (144, 160, 0x0, 0x0, 0x120003,  (144, 160, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (144, 160, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01436   896   NtClose  (160, ... ) == 0x0
 01437   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01438   896   NtDeviceIoControlFile  (144, 160, 0x0, 0x0, 0x120003,  (144, 160, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4},  (144, 160, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0
 01439   896   NtClose  (160, ... ) == 0x0
 01440   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0
 01441   896   NtDeviceIoControlFile  (144, 160, 0x0, 0x0, 0x120003,  (144, 160, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8},  (144, 160, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0
 01442   896   NtClose  (160, ... ) == 0x0
 01443   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 160, ) == 0x0
 01444   896   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 164, ) == 0x0
 01445   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01446   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01447   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01448   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01449   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01450   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01451   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01452   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01453   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01454   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01455   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01456   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01457   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01458   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01459   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01460   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01461   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01462   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01463   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01464   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01465   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01466   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01467   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01468   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01469   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01470   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01471   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01472   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01473   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01474   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01475   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01476   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01477   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01478   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01479   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01480   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01481   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01482   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01483   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01484   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01485   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01486   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01487   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01488   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01489   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01490   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01491   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01492   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01493   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01494   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01495   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01496   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01497   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01498   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01499   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01500   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01501   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01502   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01503   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01504   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01505   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01506   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01507   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01508   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01509   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01510   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01511   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01512   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01513   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01514   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01515   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01516   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01517   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01518   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01519   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01520   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01521   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01522   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01523   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01524   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01525   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01526   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01527   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01528   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01529   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01530   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01531   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01532   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01533   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01534   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01535   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01536   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01537   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01538   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01539   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01540   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01541   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01542   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01543   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01544   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01545   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01546   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01547   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01548   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01549   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01550   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01551   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01552   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01553   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01554   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01555   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01556   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01557   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01558   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01559   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01560   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01561   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01562   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01563   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01564   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01565   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0
 01566   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01567   896   NtAllocateVirtualMemory  (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0
 01568   896   NtQueryVirtualMemory  (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01569   896   NtFreeVirtualMemory  (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0
 01570   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 168, ) }, ... 168, ) == 0x0
 01571   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 172, ) }, ... 172, ) == 0x0
 01572   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 176, ) }, ... 176, ) == 0x0
 01573   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 180, ) }, ... 180, ) == 0x0
 01574   896   NtQueryDefaultLocale  (1, 1242816, ... ) == 0x0
 01575   896   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 28672, ) == 0x0
 01576   896   NtFreeVirtualMemory  (-1, (0x330147), 0, 32768, ... (0x330000), 4096, ) == 0x0
 01577   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01578   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3342336, 65536, ) == 0x0
 01579   896   NtAllocateVirtualMemory  (-1, 3342336, 0, 4096, 4096, 4, ... 3342336, 4096, ) == 0x0
 01580   896   NtAllocateVirtualMemory  (-1, 3346432, 0, 20480, 4096, 4, ... 3346432, 20480, ) == 0x0
 01581   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11534336, 1048576, ) == 0x0
 01582   896   NtAllocateVirtualMemory  (-1, 11534336, 0, 32768, 4096, 4, ... 11534336, 32768, ) == 0x0
 01583   896   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 184, ) }, ... 184, ) == 0x0
 01584   896   NtQueryValueKey  (184,  (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01585   896   NtQueryValueKey  (184,  (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 01586   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 188, ) == 0x0
 01587   896   NtOpenKey  (0x2000000, {24, 184, 0x40, 0, 0,  (0x2000000, {24, 184, 0x40, 0, 0, "Protocol_Catalog9"}, ... 192, ) }, ... 192, ) == 0x0
 01588   896   NtQueryValueKey  (192,  (192, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 01589   896   NtNotifyChangeKey  (192, 188, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 01590   896   NtQueryValueKey  (192,  (192, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 01591   896   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01592   896   NtQueryValueKey  (192,  (192, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 01593   896   NtQueryValueKey  (192,  (192, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 01594   896   NtOpenKey  (0x2000000, {24, 192, 0x40, 0, 0,  (0x2000000, {24, 192, 0x40, 0, 0, "Catalog_Entries"}, ... 196, ) }, ... 196, ) == 0x0
 01595   896   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 01596   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000001"}, ... 200, ) }, ... 200, ) == 0x0
 01597   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01598   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01599   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0@\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0@\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0A\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0A\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0B\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0B\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0C\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0@\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0@\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0A\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0A\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0B\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0B\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0C\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0B\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0C\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0@\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0@\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0A\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0A\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0B\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0B\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0C\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01600   896   NtClose  (200, ... ) == 0x0
 01601   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000002"}, ... 200, ) }, ... 200, ) == 0x0
 01602   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01603   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01604   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0E\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0E\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0F\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0G\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0G\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0E\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0E\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0F\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0G\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0G\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0G\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0E\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0E\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0F\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0G\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0G\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01605   896   NtClose  (200, ... ) == 0x0
 01606   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000003"}, ... 200, ) }, ... 200, ) == 0x0
 01607   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01608   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01609   896   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 01610   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0K\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0K\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0L\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0M\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0M\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0N\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0K\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0K\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0L\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0M\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0M\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0N\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0M\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0N\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0K\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0K\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0L\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0M\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0M\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0N\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01611   896   NtClose  (200, ... ) == 0x0
 01612   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000004"}, ... 200, ) }, ... 200, ) == 0x0
 01613   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01614   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01615   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0P\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0P\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Q\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0Q\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0R\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0R\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0S\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0P\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0P\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Q\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0Q\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0R\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0R\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0S\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0R\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0S\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0P\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0P\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Q\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0Q\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0R\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0R\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0S\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01616   896   NtClose  (200, ... ) == 0x0
 01617   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000005"}, ... 200, ) }, ... 200, ) == 0x0
 01618   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01619   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01620   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0U\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0U\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0V\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0V\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0W\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0W\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0X\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0U\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0U\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0V\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0V\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0W\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0W\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0X\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0W\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0X\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0U\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0U\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0V\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0V\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0W\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0W\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0X\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01621   896   NtClose  (200, ... ) == 0x0
 01622   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000006"}, ... 200, ) }, ... 200, ) == 0x0
 01623   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01624   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01625   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Z\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0Z\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0[\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0[\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Z\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0Z\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0[\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0[\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0Z\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0Z\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0[\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0[\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0]\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01626   896   NtClose  (200, ... ) == 0x0
 01627   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000007"}, ... 200, ) }, ... 200, ) == 0x0
 01628   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01629   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01630   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0_\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0_\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0`\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0a\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0_\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0_\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0`\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0a\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0_\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0_\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0`\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0a\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01631   896   NtClose  (200, ... ) == 0x0
 01632   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000008"}, ... 200, ) }, ... 200, ) == 0x0
 01633   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01634   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01635   896   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01636   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0e\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0e\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0f\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0f\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0g\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0g\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0h\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0e\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0e\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0f\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0f\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0g\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0g\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0h\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0g\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0h\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0e\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0e\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0f\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0f\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0g\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0g\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0h\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01637   896   NtClose  (200, ... ) == 0x0
 01638   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000009"}, ... 200, ) }, ... 200, ) == 0x0
 01639   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01640   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01641   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0j\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0j\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0k\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0k\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0l\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0l\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0m\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0j\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0j\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0k\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0k\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0l\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0l\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0m\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0l\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0m\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0j\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0j\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0k\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0k\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0l\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0l\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0m\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01642   896   NtClose  (200, ... ) == 0x0
 01643   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000010"}, ... 200, ) }, ... 200, ) == 0x0
 01644   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01645   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01646   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0o\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0o\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0p\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0q\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0o\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0o\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0p\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0q\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0o\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0o\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0p\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0q\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01647   896   NtClose  (200, ... ) == 0x0
 01648   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000011"}, ... 200, ) }, ... 200, ) == 0x0
 01649   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01650   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01651   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0t\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0t\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0u\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0v\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0t\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0t\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0u\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0v\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0t\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0t\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0u\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0v\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01652   896   NtClose  (200, ... ) == 0x0
 01653   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000012"}, ... 200, ) }, ... 200, ) == 0x0
 01654   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01655   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01656   896   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 01657   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0z\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0z\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0{\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0|\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0|\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0}\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0z\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0z\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0{\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0|\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0|\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0}\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0|\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0}\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0z\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0z\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0{\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0|\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0|\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0}\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01658   896   NtClose  (200, ... ) == 0x0
 01659   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000013"}, ... 200, ) }, ... 200, ) == 0x0
 01660   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01661   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01662   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\177\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\177\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\200\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\201\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\201\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\202\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\177\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\177\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\200\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\201\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\201\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\202\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\201\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\202\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\177\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\177\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\200\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\201\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\201\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\202\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01663   896   NtClose  (200, ... ) == 0x0
 01664   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000014"}, ... 200, ) }, ... 200, ) == 0x0
 01665   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01666   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01667   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\204\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\204\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\205\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\205\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\206\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\204\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\204\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\205\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\205\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\206\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\204\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\204\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\205\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\205\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\206\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01668   896   NtClose  (200, ... ) == 0x0
 01669   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000015"}, ... 200, ) }, ... 200, ) == 0x0
 01670   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01671   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01672   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\211\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\211\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\212\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\213\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\211\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\211\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\212\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\213\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\211\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\211\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\212\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\213\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01673   896   NtClose  (200, ... ) == 0x0
 01674   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000016"}, ... 200, ) }, ... 200, ) == 0x0
 01675   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01676   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01677   896   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01678   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\217\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\217\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\220\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\221\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\221\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\222\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\217\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\217\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\220\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\221\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\221\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\222\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\221\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\222\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\217\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\217\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\220\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\221\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\221\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\222\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01679   896   NtClose  (200, ... ) == 0x0
 01680   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000017"}, ... 200, ) }, ... 200, ) == 0x0
 01681   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01682   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01683   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\224\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\224\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\225\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\225\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\226\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\226\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\224\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\224\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\225\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\225\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\226\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\226\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\226\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\224\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\224\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\225\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\225\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\226\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\226\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01684   896   NtClose  (200, ... ) == 0x0
 01685   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000018"}, ... 200, ) }, ... 200, ) == 0x0
 01686   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01687   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01688   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\231\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\231\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\232\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\232\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\233\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\233\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\234\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\231\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\231\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\232\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\232\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\233\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\233\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\234\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\233\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\234\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\231\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\231\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\232\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\232\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\233\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\233\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\234\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01689   896   NtClose  (200, ... ) == 0x0
 01690   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000019"}, ... 200, ) }, ... 200, ) == 0x0
 01691   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01692   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01693   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\236\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\236\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\237\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\240\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\236\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\236\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\237\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\240\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\236\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\236\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\237\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\240\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01694   896   NtClose  (200, ... ) == 0x0
 01695   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000020"}, ... 200, ) }, ... 200, ) == 0x0
 01696   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01697   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01698   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\243\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\243\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\244\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\245\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\243\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\243\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\244\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\245\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\243\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\243\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\244\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\245\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01699   896   NtClose  (200, ... ) == 0x0
 01700   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000021"}, ... 200, ) }, ... 200, ) == 0x0
 01701   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01702   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01703   896   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 01704   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\251\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\251\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\252\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\252\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\253\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\253\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\254\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\251\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\251\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\252\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\252\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\253\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\253\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\254\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\253\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\254\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0 (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\251\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\251\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\252\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\304\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\252\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\253\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\253\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\254\6\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\310\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01705   896   NtClose  (200, ... ) == 0x0
 01706   896   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "000000000022"}, ... 200, ) }, ... 200, ) == 0x0
 01707   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01708   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01709   896   NtQueryValueKey  (200,  (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\256\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\256\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\257\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\257\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\6\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\6\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\261\6\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\261\6\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\262\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\220\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (200, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\256\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\256\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\257\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\257\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\6\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\6\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\261\6\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\261\6\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\262\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\220\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\256\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\256\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\257\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\304\0\0\0\257\6\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\260\6\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\274\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\6\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\261\6\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\261\6\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\304\0\0\0\262\6\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\270\0\0\0\220\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 01710   896   NtClose  (200, ... ) == 0x0
 01711   896   NtClose  (196, ... ) == 0x0
 01712   896   NtWaitForSingleObject  (188, 0, {0, 0}, ... ) == 0x102
 01713   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 196, ) == 0x0
 01714   896   NtOpenKey  (0x2000000, {24, 184, 0x40, 0, 0,  (0x2000000, {24, 184, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 200, ) }, ... 200, ) == 0x0
 01715   896   NtQueryValueKey  (200,  (200, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 01716   896   NtNotifyChangeKey  (200, 196, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 01717   896   NtQueryValueKey  (200,  (200, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 01718   896   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01719   896   NtQueryValueKey  (200,  (200, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01720   896   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "Catalog_Entries"}, ... 204, ) }, ... 204, ) == 0x0
 01721   896   NtOpenKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "000000000001"}, ... 208, ) }, ... 208, ) == 0x0
 01722   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01723   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01724   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01725   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01726   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01727   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01728   896   NtQueryValueKey  (208,  (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 01729   896   NtQueryValueKey  (208,  (208, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01730   896   NtQueryValueKey  (208,  (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 01731   896   NtQueryValueKey  (208,  (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01732   896   NtQueryValueKey  (208,  (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01733   896   NtQueryValueKey  (208,  (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01734   896   NtClose  (208, ... ) == 0x0
 01735   896   NtOpenKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "000000000002"}, ... 208, ) }, ... 208, ) == 0x0
 01736   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01737   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01738   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01739   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01740   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01741   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01742   896   NtQueryValueKey  (208,  (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01743   896   NtQueryValueKey  (208,  (208, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01744   896   NtQueryValueKey  (208,  (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01745   896   NtQueryValueKey  (208,  (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01746   896   NtQueryValueKey  (208,  (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01747   896   NtQueryValueKey  (208,  (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01748   896   NtClose  (208, ... ) == 0x0
 01749   896   NtOpenKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "000000000003"}, ... 208, ) }, ... 208, ) == 0x0
 01750   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01751   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01752   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01753   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01754   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01755   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01756   896   NtQueryValueKey  (208,  (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01757   896   NtQueryValueKey  (208,  (208, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01758   896   NtQueryValueKey  (208,  (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01759   896   NtQueryValueKey  (208,  (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01760   896   NtQueryValueKey  (208,  (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01761   896   NtQueryValueKey  (208,  (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01762   896   NtClose  (208, ... ) == 0x0
 01763   896   NtOpenKey  (0x20019, {24, 204, 0x40, 0, 0,  (0x20019, {24, 204, 0x40, 0, 0, "000000000004"}, ... 208, ) }, ... 208, ) == 0x0
 01764   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01765   896   NtQueryValueKey  (208,  (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01766   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01767   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01768   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01769   896   NtQueryValueKey  (208,  (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01770   896   NtQueryValueKey  (208,  (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (208, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 01771   896   NtQueryValueKey  (208,  (208, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01772   896   NtQueryValueKey  (208,  (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01773   896   NtQueryValueKey  (208,  (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01774   896   NtQueryValueKey  (208,  (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01775   896   NtQueryValueKey  (208,  (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01776   896   NtClose  (208, ... ) == 0x0
 01777   896   NtClose  (204, ... ) == 0x0
 01778   896   NtWaitForSingleObject  (196, 0, {0, 0}, ... ) == 0x102
 01779   896   NtClose  (184, ... ) == 0x0
 01780   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01781   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01782   896   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 184, ) }, ... 184, ) == 0x0
 01783   896   NtQueryValueKey  (184,  (184, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01784   896   NtClose  (184, ... ) == 0x0
 01785   896   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 01786   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 184, ) == 0x0
 01787   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241392, ... ) }, 1241392, ... ) == 0x0
 01788   896   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 204, {status=0x0, info=1}, ) }, 7, 2113568, ... 204, {status=0x0, info=1}, ) == 0x0
 01789   896   NtSetInformationFile  (204, 1241368, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01790   896   NtClose  (204, ... ) == 0x0
 01791   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241640,  (0x80100080, {24, 0, 0x40, 0, 1241640, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 204, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 204, {status=0x0, info=1}, ) == 0x0
 01792   896   NtQueryInformationFile  (204, 1242076, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01793   896   NtQueryInformationFile  (204, 1241992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01794   896   NtQueryInformationFile  (204, 1241808, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01795   896   NtAllocateVirtualMemory  (-1, 1376256, 0, 8192, 4096, 4, ... 1376256, 8192, ) == 0x0
 01796   896   NtQueryInformationFile  (204, 1373088, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01797   896   NtQueryInformationFile  (204, 1240256, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01798   896   NtQueryInformationFile  (204, 1240532, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01799   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\LSASSS.EXE"}, 1239728, ... ) }, 1239728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01800   896   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240408,  (0x40110080, {24, 0, 0x40, 0, 1240408, "\??\C:\WINDOWS\lsasss.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01801   896   NtClose  (-2147482756, ... ) == 0x0
 01800   896   NtCreateFile  ... 208, {status=0x0, info=2}, ) == 0x0
 01802   896   NtQueryVolumeInformationFile  (208, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01803   896   NtQueryInformationFile  (208, 1240144, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01804   896   NtQueryVolumeInformationFile  (204, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01805   896   NtSetInformationFile  (208, 1240460, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01806   896   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 204, ... 212, ) == 0x0
 01807   896   NtMapViewOfSection  (212, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x360000), {0, 0}, 28672, ) == 0x0
 01808   896   NtClose  (212, ... ) == 0x0
 01809   896   NtWriteFile  (208, 0, 0, 0,  (208, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0a\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0i8\366\222-Y\230\301-Y\230\301-Y\230\301\256Q\305\301/Y\230\301-Y\230\301.Y\230\301\305F\222\3017Y\230\301\256E\226\301&Y\230\301-Y\231\301}Y\230\301OF\213\301$Y\230\301\305F\223\301)Y\230\301Rich-Y\230\301\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\2\0\6\302\226@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0.)\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24\200\0\0\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0p\0\0\0\20\0\0\02\0\0", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) \0\0\0\0\0\0.)\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\360\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24\200\0\0\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0p\0\0\0\20\0\0\02\0\0", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) == 0x0
 01810   896   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 01811   896   NtSetInformationFile  (208, 1241808, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01812   896   NtClose  (204, ... ) == 0x0
 01813   896   NtClose  (208, ... ) == 0x0
 01814   896   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 208, ) }, ... 208, ) == 0x0
 01815   896   NtSetValueKey  (208,  (208, "lsasss.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0l\0s\0a\0s\0s\0s\0.\0e\0x\0e\0\0\0", 44, ... , 0, 1,  (208, "lsasss.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0l\0s\0a\0s\0s\0s\0.\0e\0x\0e\0\0\0", 44, ... , 44, ...
 01816   896   NtSetInformationFile  (-2147482448, -142629072, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01817   896   NtSetInformationFile  (-2147482448, -142629164, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01818   896   NtSetInformationFile  (-2147482448, -142629472, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01819   896   NtSetInformationFile  (-2147482448, -142629568, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01815   896   NtSetValueKey  ... ) == 0x0
 01820   896   NtClose  (208, ... ) == 0x0
 01821   896   NtOpenKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 208, ) }, ... 208, ) == 0x0
 01822   896   NtDeleteValueKey  (208,  (208, "ssgrate.exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01823   896   NtClose  (208, ... ) == 0x0
 01824   896   NtOpenKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 208, ) }, ... 208, ) == 0x0
 01825   896   NtDeleteValueKey  (208,  (208, "drvsys.exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01826   896   NtClose  (208, ... ) == 0x0
 01827   896   NtOpenKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 208, ) }, ... 208, ) == 0x0
 01828   896   NtDeleteValueKey  (208,  (208, "Drvddll_exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01829   896   NtClose  (208, ... ) == 0x0
 01830   896   NtCreateMutant  (0x1f0001, {24, 16, 0x80, 0, 0,  (0x1f0001, {24, 16, 0x80, 0, 0, "SkynetNotice"}, 0, ... 208, ) }, 0, ... 208, ) == 0x0
 01831   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12582912, 1048576, ) == 0x0
 01832   896   NtAllocateVirtualMemory  (-1, 13623296, 0, 8192, 4096, 4, ... 13623296, 8192, ) == 0x0
 01833   896   NtProtectVirtualMemory  (-1, (0xcfe000), 4096, 260, ... (0xcfe000), 4096, 4, ) == 0x0
 01834   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 204, {1252, 1808}, ) == 0x0
 01835   896   NtQueryInformationThread  (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1252,Tid=1808,}, 0x0, ) == 0x0
 01836   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\20\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\20\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81885, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\20\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\20\7\0\0" )  ) == 0x0
 01837   896   NtResumeThread  (204, ... 1, ) == 0x0
 01838   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13631488, 1048576, ) == 0x0
 01839  1808   NtTestAlert  (... ) == 0x0
 01840  1808   NtContinue  (13630768, 1, ...
 01841  1808   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01842  1808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 212, ) == 0x0
 01843  1808   NtWaitForSingleObject  (188, 0, {0, 0}, ... ) == 0x102
 01844  1808   NtAllocateVirtualMemory  (-1, 13619200, 0, 4096, 4096, 260, ...
 01845   896   NtAllocateVirtualMemory  (-1, 14671872, 0, 8192, 4096, 4, ... 14671872, 8192, ) == 0x0
 01846   896   NtProtectVirtualMemory  (-1, (0xdfe000), 4096, 260, ... (0xdfe000), 4096, 4, ) == 0x0
 01847   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1252, 752}, ) == 0x0
 01848   896   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1252,Tid=752,}, 0x0, ) == 0x0
 01849   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\360\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\360\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81886, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\360\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\360\2\0\0" )  ) == 0x0
 01850   896   NtResumeThread  (216, ...
 01844  1808   NtAllocateVirtualMemory  ... 13619200, 4096, ) == 0x0
 01851  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13627892, ... ) }, 13627892, ... ) == 0x0
 01852  1808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 220, {status=0x0, info=1}, ) }, 5, 96, ... 220, {status=0x0, info=1}, ) == 0x0
 01853  1808   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 220, ... 224, ) == 0x0
 01854  1808   NtClose  (220, ... ) == 0x0
 01855  1808   NtMapViewOfSection  (224, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe00000), 0x0, 245760, ) == 0x0
 01856  1808   NtClose  (224, ...
 01850   896   NtResumeThread  ... 1, ) == 0x0
 01857   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14942208, 1048576, ) == 0x0
 01858   896   NtAllocateVirtualMemory  (-1, 15982592, 0, 8192, 4096, 4, ... 15982592, 8192, ) == 0x0
 01859   896   NtProtectVirtualMemory  (-1, (0xf3e000), 4096, 260, ... (0xf3e000), 4096, 4, ) == 0x0
 01860   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {1252, 1380}, ) == 0x0
 01861   896   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1252,Tid=1380,}, 0x0, ) == 0x0
 01862   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81886, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0d\5\0\0" ...  ...
 01856  1808   NtClose  ... ) == 0x0
 01863   752   NtWaitForSingleObject  (132, 0, 0x0, ...
 01864  1808   NtUnmapViewOfSection  (-1, 0xe00000, ... ) == 0x0
 01865  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13628200, ... ) }, 13628200, ... ) == 0x0
 01866  1808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 224, {status=0x0, info=1}, ) }, 5, 96, ... 224, {status=0x0, info=1}, ) == 0x0
 01867  1808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 224, ... 228, ) == 0x0
 01868  1808   NtQuerySection  (228, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01869  1808   NtClose  (224, ...
 01862   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81887, 0}  ... {28, 56, reply, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0d\5\0\0" )  ) == 0x0
 01870   896   NtResumeThread  (220, ... 1, ) == 0x0
 01871   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15990784, 1048576, ) == 0x0
 01872   896   NtAllocateVirtualMemory  (-1, 17031168, 0, 8192, 4096, 4, ... 17031168, 8192, ) == 0x0
 01873   896   NtProtectVirtualMemory  (-1, (0x103e000), 4096, 260, ... (0x103e000), 4096, 4, ) == 0x0
 01874   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1252, 164}, ) == 0x0
 01869  1808   NtClose  ... ) == 0x0
 01875  1380   NtWaitForSingleObject  (132, 0, 0x0, ...
 01876  1808   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 01877  1808   NtClose  (228, ... ) == 0x0
 01878  1808   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01879  1808   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01880  1808   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01881  1808   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 01882   896   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1252,Tid=164,}, 0x0, ) == 0x0
 01883   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\244\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\244\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81888, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\244\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\244\0\0\0" )  ) == 0x0
 01884   896   NtResumeThread  (232, ... 1, ) == 0x0
 01885   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17039360, 1048576, ) == 0x0
 01886   896   NtAllocateVirtualMemory  (-1, 18079744, 0, 8192, 4096, 4, ... 18079744, 8192, ) == 0x0
 01887   896   NtProtectVirtualMemory  (-1, (0x113e000), 4096, 260, ...
 01881  1808   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 01888   164   NtWaitForSingleObject  (132, 0, 0x0, ...
 01889  1808   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01890  1808   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01891  1808   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01892  1808   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01893  1808   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01894  1808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... }, ...
 01887   896   NtProtectVirtualMemory  ... (0x113e000), 4096, 4, ) == 0x0
 01895   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1252, 1964}, ) == 0x0
 01896   896   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1252,Tid=1964,}, 0x0, ) == 0x0
 01897   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81888, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\254\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\254\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81889, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\254\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\254\7\0\0" )  ) == 0x0
 01898   896   NtResumeThread  (228, ...
 01894  1808   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01899  1808   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01900  1808   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01901  1808   NtSetEventBoostPriority  (132, ...
 01863   752   NtWaitForSingleObject  ... ) == 0x0
 01902   752   NtSetEventBoostPriority  (132, ...
 01875  1380   NtWaitForSingleObject  ... ) == 0x0
 01903  1380   NtSetEventBoostPriority  (132, ...
 01888   164   NtWaitForSingleObject  ... ) == 0x0
 01904   164   NtTestAlert  (... ) == 0x0
 01903  1380   NtSetEventBoostPriority  ... ) == 0x0
 01902   752   NtSetEventBoostPriority  ... ) == 0x0
 01901  1808   NtSetEventBoostPriority  ... ) == 0x0
 01898   896   NtResumeThread  ... 1, ) == 0x0
 01905   164   NtContinue  (17038640, 1, ...
 01906  1964   NtTestAlert  (...
 01907  1380   NtTestAlert  (...
 01908  1808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01909   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01910   164   NtRegisterThreadTerminatePort  (24, ...
 01906  1964   NtTestAlert  ... ) == 0x0
 01907  1380   NtTestAlert  ... ) == 0x0
 01908  1808   NtCreateEvent  ... 224, ) == 0x0
 01909   896   NtAllocateVirtualMemory  ... 18087936, 1048576, ) == 0x0
 01910   164   NtRegisterThreadTerminatePort  ... ) == 0x0
 01911  1964   NtContinue  (18087216, 1, ...
 01912  1380   NtContinue  (15990064, 1, ...
 01913  1808   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 01914   896   NtAllocateVirtualMemory  (-1, 19128320, 0, 8192, 4096, 4, ...
 01915   164   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01916  1964   NtRegisterThreadTerminatePort  (24, ...
 01917  1380   NtRegisterThreadTerminatePort  (24, ...
 01913  1808   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01914   896   NtAllocateVirtualMemory  ... 19128320, 8192, ) == 0x0
 01916  1964   NtRegisterThreadTerminatePort  ... ) == 0x0
 01917  1380   NtRegisterThreadTerminatePort  ... ) == 0x0
 01918  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 13627812, ... }, 13627812, ...
 01919   896   NtProtectVirtualMemory  (-1, (0x123e000), 4096, 260, ...
 01920   752   NtTestAlert  (...
 01915   164   NtSetInformationThread  ... ) == 0x0
 01921  1380   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01922  1964   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01920   752   NtTestAlert  ... ) == 0x0
 01919   896   NtProtectVirtualMemory  ... (0x123e000), 4096, 4, ) == 0x0
 01923   164   NtQueryValueKey  (136,  (136, "FromCacheTimeout", Partial, 144, ... , Partial, 144, ...
 01924   752   NtContinue  (14679344, 1, ...
 01925   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01922  1964   NtSetInformationThread  ... ) == 0x0
 01926   752   NtRegisterThreadTerminatePort  (24, ...
 01925   896   NtCreateThread  ... 236, {1252, 1716}, ) == 0x0
 01923   164   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01926   752   NtRegisterThreadTerminatePort  ... ) == 0x0
 01927   896   NtQueryInformationThread  (236, Basic, 28, ...
 01928  1964   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01918  1808   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01929   752   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01927   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1252,Tid=1716,}, 0x0, ) == 0x0
 01930   164   NtQueryValueKey  (136,  (136, "SecureProtocols", Partial, 144, ... , Partial, 144, ...
 01931  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 13627812, ... }, 13627812, ...
 01928  1964   NtCreateEvent  ... 240, ) == 0x0
 01932   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81889, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\264\6\0\0" ...  ...
 01931  1808   NtQueryAttributesFile  ... ) == 0x0
 01930   164   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) }, 16, ) == 0x0
 01933  1964   NtWaitForSingleObject  (240, 0, 0x0, ...
 01932   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81890, 0}  ... {28, 56, reply, 0, 1252, 896, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\264\6\0\0" )  ) == 0x0
 01934  1808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ...
 01935   164   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies"}, ... }, ...
 01936   896   NtResumeThread  (236, ...
 01934  1808   NtOpenFile  ... 244, {status=0x0, info=1}, ) == 0x0
 01921  1380   NtSetInformationThread  ... ) == 0x0
 01929   752   NtSetInformationThread  ... ) == 0x0
 01936   896   NtResumeThread  ... 1, ) == 0x0
 01937  1808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 244, ...
 01938  1716   NtWaitForSingleObject  (132, 0, 0x0, ...
 01939  1380   NtWaitForSingleObject  (240, 0, 0x0, ...
 01940   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01937  1808   NtCreateSection  ... 248, ) == 0x0
 01941   752   NtWaitForSingleObject  (240, 0, 0x0, ...
 01940   896   NtAllocateVirtualMemory  ... 19136512, 1048576, ) == 0x0
 01942  1808   NtQuerySection  (248, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01943  1808   NtClose  (244, ... ) == 0x0
 01944  1808   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x662b0000), 0x0, 360448, ) == 0x0
 01945  1808   NtClose  (248, ... ) == 0x0
 01946   896   NtAllocateVirtualMemory  (-1, 20176896, 0, 8192, 4096, 4, ... 20176896, 8192, ) == 0x0
 01947   896   NtProtectVirtualMemory  (-1, (0x133e000), 4096, 260, ... (0x133e000), 4096, 4, ) == 0x0
 01948   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1252, 760}, ) == 0x0
 01949   896   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1252,Tid=760,}, 0x0, ) == 0x0
 01950   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81890, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\370\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\370\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81891, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\370\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\370\2\0\0" )  ) == 0x0
 01951   896   NtResumeThread  (248, ...
 01952  1808   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01953  1808   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01954  1808   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01955  1808   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01956  1808   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01957  1808   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01951   896   NtResumeThread  ... 1, ) == 0x0
 01958   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20185088, 1048576, ) == 0x0
 01959   896   NtAllocateVirtualMemory  (-1, 21225472, 0, 8192, 4096, 4, ... 21225472, 8192, ) == 0x0
 01960   896   NtProtectVirtualMemory  (-1, (0x143e000), 4096, 260, ... (0x143e000), 4096, 4, ) == 0x0
 01961   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {1252, 484}, ) == 0x0
 01962   896   NtQueryInformationThread  (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1252,Tid=484,}, 0x0, ) == 0x0
 01963   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81891, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0\344\1\0\0" ...  ...
 01964  1808   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 01965   760   NtWaitForSingleObject  (132, 0, 0x0, ...
 01964  1808   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 01966  1808   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01967  1808   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01968  1808   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01969  1808   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01970  1808   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01963   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81892, 0}  ... {28, 56, reply, 0, 1252, 896, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0\344\1\0\0" )  ) == 0x0
 01971   896   NtResumeThread  (244, ... 1, ) == 0x0
 01972   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21233664, 1048576, ) == 0x0
 01973   896   NtAllocateVirtualMemory  (-1, 22274048, 0, 8192, 4096, 4, ... 22274048, 8192, ) == 0x0
 01974   896   NtProtectVirtualMemory  (-1, (0x153e000), 4096, 260, ... (0x153e000), 4096, 4, ) == 0x0
 01975   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 252, {1252, 1756}, ) == 0x0
 01976  1808   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ...
 01977   484   NtWaitForSingleObject  (132, 0, 0x0, ...
 01976  1808   NtProtectVirtualMemory  ... (0x662b1000), 4096, 32, ) == 0x0
 01978  1808   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01979  1808   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01980  1808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01981  1808   NtSetEventBoostPriority  (132, ...
 01938  1716   NtWaitForSingleObject  ... ) == 0x0
 01982  1716   NtSetEventBoostPriority  (132, ...
 01965   760   NtWaitForSingleObject  ... ) == 0x0
 01983   760   NtSetEventBoostPriority  (132, ...
 01977   484   NtWaitForSingleObject  ... ) == 0x0
 01984   484   NtTestAlert  (... ) == 0x0
 01983   760   NtSetEventBoostPriority  ... ) == 0x0
 01982  1716   NtSetEventBoostPriority  ... ) == 0x0
 01981  1808   NtSetEventBoostPriority  ... ) == 0x0
 01985   896   NtQueryInformationThread  (252, Basic, 28, ...
 01986   484   NtContinue  (21232944, 1, ...
 01987   760   NtTestAlert  (...
 01988  1808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01985   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1252,Tid=1756,}, 0x0, ) == 0x0
 01989   484   NtRegisterThreadTerminatePort  (24, ...
 01987   760   NtTestAlert  ... ) == 0x0
 01988  1808   NtCreateEvent  ... 256, ) == 0x0
 01990   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81892, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\4\0\0\334\6\0\0" ...  ...
 01989   484   NtRegisterThreadTerminatePort  ... ) == 0x0
 01991   760   NtContinue  (20184368, 1, ...
 01992  1716   NtTestAlert  (...
 01990   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81893, 0}  ... {28, 56, reply, 0, 1252, 896, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\4\0\0\334\6\0\0" )  ) == 0x0
 01993   484   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01994   760   NtRegisterThreadTerminatePort  (24, ...
 01992  1716   NtTestAlert  ... ) == 0x0
 01995   896   NtResumeThread  (252, ...
 01994   760   NtRegisterThreadTerminatePort  ... ) == 0x0
 01996  1716   NtContinue  (19135792, 1, ...
 01997  1808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01993   484   NtSetInformationThread  ... ) == 0x0
 01998   760   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01999  1716   NtRegisterThreadTerminatePort  (24, ...
 01997  1808   NtDuplicateObject  ... 260, ) == 0x0
 01995   896   NtResumeThread  ... 1, ) == 0x0
 02000   484   NtWaitForSingleObject  (240, 0, 0x0, ...
 02001  1756   NtTestAlert  (...
 01999  1716   NtRegisterThreadTerminatePort  ... ) == 0x0
 02002  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 02003   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02001  1756   NtTestAlert  ... ) == 0x0
 02004  1716   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02002  1808   NtOpenKey  ... 264, ) == 0x0
 02003   896   NtAllocateVirtualMemory  ... 22282240, 1048576, ) == 0x0
 02005  1756   NtContinue  (22281520, 1, ...
 02006  1808   NtQueryValueKey  (264,  (264, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 02007   896   NtAllocateVirtualMemory  (-1, 23322624, 0, 8192, 4096, 4, ...
 02008  1756   NtRegisterThreadTerminatePort  (24, ...
 02006  1808   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02007   896   NtAllocateVirtualMemory  ... 23322624, 8192, ) == 0x0
 02008  1756   NtRegisterThreadTerminatePort  ... ) == 0x0
 02009   896   NtProtectVirtualMemory  (-1, (0x163e000), 4096, 260, ...
 02010  1808   NtClose  (264, ...
 02011  1756   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02010  1808   NtClose  ... ) == 0x0
 02012  1808   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02013  1808   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 02014  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13627504, ... ) }, 13627504, ... ) == 0x0
 02015  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... 264, ) }, ... 264, ) == 0x0
 02016  1808   NtQueryValueKey  (264,  (264, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (264, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 02009   896   NtProtectVirtualMemory  ... (0x163e000), 4096, 4, ) == 0x0
 02011  1756   NtSetInformationThread  ... ) == 0x0
 02017   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02018  1808   NtQueryValueKey  (264,  (264, "Transports", Partial, 144, ... , Partial, 144, ...
 02017   896   NtCreateThread  ... 268, {1252, 1292}, ) == 0x0
 02018  1808   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 02019   896   NtQueryInformationThread  (268, Basic, 28, ...
 02020  1808   NtClose  (264, ...
 02019   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1252,Tid=1292,}, 0x0, ) == 0x0
 02020  1808   NtClose  ... ) == 0x0
 02021   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81893, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\344\4\0\0\14\5\0\0" ...  ...
 02022  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 02023  1756   NtWaitForSingleObject  (240, 0, 0x0, ...
 02022  1808   NtOpenKey  ... 264, ) == 0x0
 02021   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81894, 0}  ... {28, 56, reply, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\344\4\0\0\14\5\0\0" )  ) == 0x0
 02024   896   NtResumeThread  (268, ... 1, ) == 0x0
 02025   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23330816, 1048576, ) == 0x0
 02026   896   NtAllocateVirtualMemory  (-1, 24371200, 0, 8192, 4096, 4, ... 24371200, 8192, ) == 0x0
 02027   896   NtProtectVirtualMemory  (-1, (0x173e000), 4096, 260, ... (0x173e000), 4096, 4, ) == 0x0
 02028   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 272, {1252, 1956}, ) == 0x0
 02029  1808   NtQueryValueKey  (264,  (264, "Mapping", Partial, 144, ... , Partial, 144, ...
 02030  1292   NtTestAlert  (...
 02029  1808   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 02030  1292   NtTestAlert  ... ) == 0x0
 02031  1808   NtQueryValueKey  (264,  (264, "Mapping", Partial, 144, ... , Partial, 144, ...
 02032  1292   NtContinue  (23330096, 1, ...
 02031  1808   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 02033  1292   NtRegisterThreadTerminatePort  (24, ...
 02034  1808   NtQueryValueKey  (264,  (264, "Mapping", Partial, 152, ... , Partial, 152, ...
 02033  1292   NtRegisterThreadTerminatePort  ... ) == 0x0
 02034  1808   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 02035   896   NtQueryInformationThread  (272, Basic, 28, ...
 02036  1292   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02035   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1252,Tid=1956,}, 0x0, ) == 0x0
 02037   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81894, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\344\4\0\0\244\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81895, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\344\4\0\0\244\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81895, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\344\4\0\0\244\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81895, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\344\4\0\0\244\7\0\0" )  ) == 0x0
 02038   896   NtResumeThread  (272, ... 1, ) == 0x0
 02039   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24379392, 1048576, ) == 0x0
 02040   896   NtAllocateVirtualMemory  (-1, 25419776, 0, 8192, 4096, 4, ... 25419776, 8192, ) == 0x0
 02041  1808   NtClose  (264, ... ) == 0x0
 02042  1808   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 264, ) }, ... 264, ) == 0x0
 02043  1808   NtQueryValueKey  (264,  (264, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (264, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 02036  1292   NtSetInformationThread  ... ) == 0x0
 02044  1956   NtTestAlert  (...
 02045   896   NtProtectVirtualMemory  (-1, (0x183e000), 4096, 260, ...
 02046  1808   NtQueryValueKey  (264,  (264, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 02044  1956   NtTestAlert  ... ) == 0x0
 02045   896   NtProtectVirtualMemory  ... (0x183e000), 4096, 4, ) == 0x0
 02046  1808   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 02047  1956   NtContinue  (24378672, 1, ...
 02048   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02049  1808   NtQueryValueKey  (264,  (264, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ...
 02050  1956   NtRegisterThreadTerminatePort  (24, ...
 02048   896   NtCreateThread  ... 276, {1252, 1980}, ) == 0x0
 02049  1808   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02050  1956   NtRegisterThreadTerminatePort  ... ) == 0x0
 02051   896   NtQueryInformationThread  (276, Basic, 28, ...
 02052  1808   NtQueryValueKey  (264,  (264, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 02053  1292   NtWaitForSingleObject  (240, 0, 0x0, ...
 02051   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1252,Tid=1980,}, 0x0, ) == 0x0
 02052  1808   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 02054  1956   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02055   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81895, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81895, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\344\4\0\0\274\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81896, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\344\4\0\0\274\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81896, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81895, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\344\4\0\0\274\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81896, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\344\4\0\0\274\7\0\0" )  ) == 0x0
 02056   896   NtResumeThread  (276, ... 1, ) == 0x0
 02057   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25427968, 1048576, ) == 0x0
 02058   896   NtAllocateVirtualMemory  (-1, 26468352, 0, 8192, 4096, 4, ... 26468352, 8192, ) == 0x0
 02059   896   NtProtectVirtualMemory  (-1, (0x193e000), 4096, 260, ... (0x193e000), 4096, 4, ) == 0x0
 02060   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02061  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13628460, ... }, 13628460, ...
 02054  1956   NtSetInformationThread  ... ) == 0x0
 02062  1980   NtWaitForSingleObject  (132, 0, 0x0, ...
 02061  1808   NtQueryAttributesFile  ... ) == 0x0
 02060   896   NtCreateThread  ... 280, {1252, 1556}, ) == 0x0
 02063  1808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 02064   896   NtQueryInformationThread  (280, Basic, 28, ...
 02063  1808   NtOpenFile  ... 284, {status=0x0, info=1}, ) == 0x0
 02064   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1252,Tid=1556,}, 0x0, ) == 0x0
 02065  1808   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 284, ...
 02066   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81896, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81896, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\1\0\0\344\4\0\0\24\6\0\0" ...  ...
 02065  1808   NtCreateSection  ... 288, ) == 0x0
 02066   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81897, 0}  ... {28, 56, reply, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\1\0\0\344\4\0\0\24\6\0\0" )  ) == 0x0
 02067  1956   NtWaitForSingleObject  (240, 0, 0x0, ...
 02068  1808   NtClose  (284, ...
 02069   896   NtResumeThread  (280, ...
 02068  1808   NtClose  ... ) == 0x0
 02069   896   NtResumeThread  ... 1, ) == 0x0
 02070  1808   NtMapViewOfSection  (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02071   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02070  1808   NtMapViewOfSection  ... (0x360000), 0x0, 20480, ) == 0x0
 02071   896   NtAllocateVirtualMemory  ... 26476544, 1048576, ) == 0x0
 02072  1808   NtClose  (288, ...
 02073   896   NtAllocateVirtualMemory  (-1, 27516928, 0, 8192, 4096, 4, ...
 02072  1808   NtClose  ... ) == 0x0
 02073   896   NtAllocateVirtualMemory  ... 27516928, 8192, ) == 0x0
 02074  1556   NtWaitForSingleObject  (132, 0, 0x0, ...
 02075   896   NtProtectVirtualMemory  (-1, (0x1a3e000), 4096, 260, ... (0x1a3e000), 4096, 4, ) == 0x0
 02076   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 288, {1252, 1480}, ) == 0x0
 02077   896   NtQueryInformationThread  (288, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1252,Tid=1480,}, 0x0, ) == 0x0
 02078  1808   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 02079  1808   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13628768, ... ) }, 13628768, ... ) == 0x0
 02080  1808   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 02081  1808   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 292, ) == 0x0
 02082  1808   NtQuerySection  (292, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02083   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81897, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\344\4\0\0\310\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\344\4\0\0\310\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81898, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\344\4\0\0\310\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\344\4\0\0\310\5\0\0" )  ) == 0x0
 02084   896   NtResumeThread  (288, ... 1, ) == 0x0
 02085   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27525120, 1048576, ) == 0x0
 02086   896   NtAllocateVirtualMemory  (-1, 28565504, 0, 8192, 4096, 4, ... 28565504, 8192, ) == 0x0
 02087   896   NtProtectVirtualMemory  (-1, (0x1b3e000), 4096, 260, ... (0x1b3e000), 4096, 4, ) == 0x0
 02088   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02089  1808   NtClose  (284, ...
 02090  1480   NtWaitForSingleObject  (132, 0, 0x0, ...
 02089  1808   NtClose  ... ) == 0x0
 02091  1808   NtMapViewOfSection  (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0
 02092  1808   NtClose  (292, ... ) == 0x0
 02093  1808   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0
 02094  1808   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0
 02088   896   NtCreateThread  ... 292, {1252, 460}, ) == 0x0
 02095   896   NtQueryInformationThread  (292, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1252,Tid=460,}, 0x0, ) == 0x0
 02096   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81898, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\344\4\0\0\314\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81899, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\344\4\0\0\314\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81899, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\344\4\0\0\314\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81899, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\344\4\0\0\314\1\0\0" )  ) == 0x0
 02097   896   NtResumeThread  (292, ... 1, ) == 0x0
 02098   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28573696, 1048576, ) == 0x0
 02099   896   NtAllocateVirtualMemory  (-1, 29614080, 0, 8192, 4096, 4, ... 29614080, 8192, ) == 0x0
 02100  1808   NtFlushInstructionCache  (-1, 1906905088, 128, ...
 02101   460   NtWaitForSingleObject  (132, 0, 0x0, ...
 02100  1808   NtFlushInstructionCache  ... ) == 0x0
 02102  1808   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02103  1808   NtSetEventBoostPriority  (132, ...
 02062  1980   NtWaitForSingleObject  ... ) == 0x0
 02104  1980   NtSetEventBoostPriority  (132, ...
 02074  1556   NtWaitForSingleObject  ... ) == 0x0
 02105  1556   NtSetEventBoostPriority  (132, ...
 02090  1480   NtWaitForSingleObject  ... ) == 0x0
 02106  1480   NtSetEventBoostPriority  (132, ...
 02101   460   NtWaitForSingleObject  ... ) == 0x0
 02107   460   NtTestAlert  (... ) == 0x0
 02106  1480   NtSetEventBoostPriority  ... ) == 0x0
 02105  1556   NtSetEventBoostPriority  ... ) == 0x0
 02104  1980   NtSetEventBoostPriority  ... ) == 0x0
 02103  1808   NtSetEventBoostPriority  ... ) == 0x0
 02108   896   NtProtectVirtualMemory  (-1, (0x1c3e000), 4096, 260, ...
 02109   460   NtContinue  (28572976, 1, ...
 02110  1480   NtTestAlert  (...
 02111  1556   NtTestAlert  (...
 02112  1808   NtClose  (264, ...
 02108   896   NtProtectVirtualMemory  ... (0x1c3e000), 4096, 4, ) == 0x0
 02113   460   NtRegisterThreadTerminatePort  (24, ...
 02110  1480   NtTestAlert  ... ) == 0x0
 02111  1556   NtTestAlert  ... ) == 0x0
 02112  1808   NtClose  ... ) == 0x0
 02114   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02113   460   NtRegisterThreadTerminatePort  ... ) == 0x0
 02115  1480   NtContinue  (27524400, 1, ...
 02116  1556   NtContinue  (26475824, 1, ...
 02117  1808   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 13631104, 67, ... }, 0x0, 0, 3, 3, 0, 13631104, 67, ...
 02114   896   NtCreateThread  ... 264, {1252, 1856}, ) == 0x0
 02118   460   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02119  1480   NtRegisterThreadTerminatePort  (24, ...
 02120  1556   NtRegisterThreadTerminatePort  (24, ...
 02117  1808   NtCreateFile  ... 284, {status=0x0, info=0}, ) == 0x0
 02121   896   NtQueryInformationThread  (264, Basic, 28, ...
 02119  1480   NtRegisterThreadTerminatePort  ... ) == 0x0
 02120  1556   NtRegisterThreadTerminatePort  ... ) == 0x0
 02122  1980   NtTestAlert  (...
 02118   460   NtSetInformationThread  ... ) == 0x0
 02121   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1252,Tid=1856,}, 0x0, ) == 0x0
 02123  1480   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02124  1556   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02122  1980   NtTestAlert  ... ) == 0x0
 02125  1808   NtDeviceIoControlFile  (284, 224, 0x0, 0x0, 0x1207b,  (284, 224, 0x0, 0x0, 0x1207b, "\7\0\0\0\250q\250q%\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 02126   460   NtWaitForSingleObject  (240, 0, 0x0, ...
 02127   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81899, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81899, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\344\4\0\0@\7\0\0" ...  ...
 02128  1980   NtContinue  (25427248, 1, ...
 02125  1808   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\0\300A\23\341\0 \0\0\30*m\201", ) , ) == 0x0
 02127   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81900, 0}  ... {28, 56, reply, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\344\4\0\0@\7\0\0" )  ) == 0x0
 02129  1980   NtRegisterThreadTerminatePort  (24, ...
 02130  1808   NtDeviceIoControlFile  (284, 224, 0x0, 0x0, 0x1207b,  (284, 224, 0x0, 0x0, 0x1207b, "\6\0\0\0\300A\23\341\0 \0\0\30*m\201", 16, 16, ... , 16, 16, ...
 02131   896   NtResumeThread  (264, ...
 02129  1980   NtRegisterThreadTerminatePort  ... ) == 0x0
 02130  1808   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\0\300A\23\341\0 \0\0\30*m\201", ) , ) == 0x0
 02131   896   NtResumeThread  ... 1, ) == 0x0
 02132  1980   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02133  1808   NtDeviceIoControlFile  (284, 224, 0x0, 0x0, 0x12047,  (284, 224, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\224\375\317\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\4\215\1\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 02134   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02135  1856   NtTestAlert  (...
 02133  1808   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 02135  1856   NtTestAlert  ... ) == 0x0
 02134   896   NtAllocateVirtualMemory  ... 29622272, 1048576, ) == 0x0
 02136  1856   NtContinue  (29621552, 1, ...
 02137   896   NtAllocateVirtualMemory  (-1, 30662656, 0, 8192, 4096, 4, ...
 02138  1856   NtRegisterThreadTerminatePort  (24, ...
 02137   896   NtAllocateVirtualMemory  ... 30662656, 8192, ) == 0x0
 02138  1856   NtRegisterThreadTerminatePort  ... ) == 0x0
 02139   896   NtProtectVirtualMemory  (-1, (0x1d3e000), 4096, 260, ...
 02140  1808   NtWaitForSingleObject  (188, 0, {0, 0}, ...
 02139   896   NtProtectVirtualMemory  ... (0x1d3e000), 4096, 4, ) == 0x0
 02140  1808   NtWaitForSingleObject  ... ) == 0x102
 02141   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02142  1808   NtDeviceIoControlFile  (284, 224, 0x0, 0x0, 0x12003,  (284, 224, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 02143  1856   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02142  1808   NtDeviceIoControlFile  ... {status=0x0, info=296},  ... {status=0x0, info=296}, "\1\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02143  1856   NtSetInformationThread  ... ) == 0x0
 02141   896   NtCreateThread  ... 300, {1252, 1272}, ) == 0x0
 02144  1808   NtDeviceIoControlFile  (284, 224, 0x0, 0x0, 0x12047,  (284, 224, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\4\215\1\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 02145   896   NtQueryInformationThread  (300, Basic, 28, ...
 02144  1808   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02145   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1252,Tid=1272,}, 0x0, ) == 0x0
 02146  1808   NtDeviceIoControlFile  (284, 224, 0x0, 0x0, 0x12037,  (284, 224, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 02147   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81900, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0\344\4\0\0\370\4\0\0" ...  ...
 02146  1808   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02147   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81901, 0}  ... {28, 56, reply, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\1\0\0\344\4\0\0\370\4\0\0" )  ) == 0x0
 02148  1808   NtDeviceIoControlFile  (284, 224, 0x0, 0x0, 0x1200b,  (284, 224, 0x0, 0x0, 0x1200b, "\0\376\317\0\5\0\0\0\0\357\24\0", 12, 0, ... , 12, 0, ...
 02149  1856   NtWaitForSingleObject  (240, 0, 0x0, ...
 02148  1808   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02150   896   NtResumeThread  (300, ... 1, ) == 0x0
 02151   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30670848, 1048576, ) == 0x0
 02152   896   NtAllocateVirtualMemory  (-1, 31711232, 0, 8192, 4096, 4, ... 31711232, 8192, ) == 0x0
 02153   896   NtProtectVirtualMemory  (-1, (0x1e3e000), 4096, 260, ... (0x1e3e000), 4096, 4, ) == 0x0
 02154   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02155  1808   NtDeviceIoControlFile  (284, 224, 0x0, 0x0, 0x12047,  (284, 224, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\317\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\4\215\1\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 02156  1808   NtDeviceIoControlFile  (284, 224, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26},  (284, 224, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02157  1808   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0
 02158  1272   NtTestAlert  (...
 02154   896   NtCreateThread  ... 304, {1252, 1132}, ) == 0x0
 02158  1272   NtTestAlert  ... ) == 0x0
 02159   896   NtQueryInformationThread  (304, Basic, 28, ...
 02160  1272   NtContinue  (30670128, 1, ...
 02159   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1252,Tid=1132,}, 0x0, ) == 0x0
 02161  1272   NtRegisterThreadTerminatePort  (24, ...
 02162   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81901, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\1\0\0\344\4\0\0l\4\0\0" ...  ...
 02161  1272   NtRegisterThreadTerminatePort  ... ) == 0x0
 02162   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81902, 0}  ... {28, 56, reply, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\1\0\0\344\4\0\0l\4\0\0" )  ) == 0x0
 02163  1808   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 02164  1272   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02163  1808   NtOpenFile  ... 308, {status=0x0, info=0}, ) == 0x0
 02165  1808   NtDeviceIoControlFile  (308, 0, 0x0, 0x0, 0x390008,  (308, 0, 0x0, 0x0, 0x390008, "3\262{\26\326>\371\335$\302Fsot\354x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02166  1808   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02167  1808   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02168  1808   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02169  1808   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02170  1808   NtQuerySystemInformation  (Lookaside, 32, ...
 02171   896   NtResumeThread  (304, ...
 02164  1272   NtSetInformationThread  ... ) == 0x0
 02171   896   NtResumeThread  ... 1, ) == 0x0
 02170  1808   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02172   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02173  1808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02172   896   NtAllocateVirtualMemory  ... 31719424, 1048576, ) == 0x0
 02173  1808   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02174   896   NtAllocateVirtualMemory  (-1, 32759808, 0, 8192, 4096, 4, ...
 02175  1808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02174   896   NtAllocateVirtualMemory  ... 32759808, 8192, ) == 0x0
 02175  1808   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02176  1272   NtWaitForSingleObject  (240, 0, 0x0, ...
 02177  1132   NtTestAlert  (...
 02178  1808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02179   896   NtProtectVirtualMemory  (-1, (0x1f3e000), 4096, 260, ...
 02177  1132   NtTestAlert  ... ) == 0x0
 02179   896   NtProtectVirtualMemory  ... (0x1f3e000), 4096, 4, ) == 0x0
 02180  1132   NtContinue  (31718704, 1, ...
 02181   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02182  1132   NtRegisterThreadTerminatePort  (24, ...
 02181   896   NtCreateThread  ... 312, {1252, 948}, ) == 0x0
 02182  1132   NtRegisterThreadTerminatePort  ... ) == 0x0
 02183   896   NtQueryInformationThread  (312, Basic, 28, ...
 02178  1808   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02183   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1252,Tid=948,}, 0x0, ) == 0x0
 02184  1808   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, " \254\204\303\332+dp1)t\266\240\375\240\251O!\17\0\202\206s\24$\31%r\324\260\210\346\361\31@F\356\255\211\266\320\1>*\11pn>2\264\23\128\372\333;E~\363\205\212 \235Vi\301~\334O]\321\253c\20s\235fO45", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, " \254\204\303\332+dp1)t\266\240\375\240\251O!\17\0\202\206s\24$\31%r\324\260\210\346\361\31@F\356\255\211\266\320\1>*\11pn>2\264\23\128\372\333;E~\363\205\212 \235Vi\301~\334O]\321\253c\20s\235fO45", 80, ... , 80, ...
 02185  1132   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02184  1808   NtSetValueKey  ... ) == 0x0
 02186  1808   NtClose  (-2147481484, ... ) == 0x0
 02165  1808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\374\260P\32OW\365\227\322\222W\323w1S\273\36[\342M\23\261\216\313\357\220a\264\264\212z\2158\32\314P\205\350\315\320aK\2426\24LS\312\274\300\3605\335\10\331]\17$\16NP>\336]J\357\214\245\365EwT7r\317\2343\303\17\232s\341\352\375\326-"\35\374\247\518\27\226\332\267\5\361:"p\4;$\321\200\262\30f\230\17\330\274\361\221\211\251\340@\230\362\335X\244\251yg\317\252\317H\215\310\323\30\367\252\24\302\222\35628\254\300\370\247\236E\307BN\216y\205\322\362\313q\207\376\360\312\303\275\313\274\240\250c\374\3079G\214\255\226M\14\376\257S\353Qb\177y\\236\355=\12\344\5\305\2345\246\353[\235U\344"n\266\335\32\371\270\37\223]\264\333\276\267\330h\321Y/\3249\24!\17'\257\12\311\272\333\300\323d\223"\277\275\105!\362X\223\203\305G\350wp!\173", ) \35\374\247\518\27\226\332\267\5\361: ... {status=0x0, info=256}, "\374\260P\32OW\365\227\322\222W\323w1S\273\36[\342M\23\261\216\313\357\220a\264\264\212z\2158\32\314P\205\350\315\320aK\2426\24LS\312\274\300\3605\335\10\331]\17$\16NP>\336]J\357\214\245\365EwT7r\317\2343\303\17\232s\341\352\375\326-"\35\374\247\518\27\226\332\267\5\361:"p\4;$\321\200\262\30f\230\17\330\274\361\221\211\251\340@\230\362\335X\244\251yg\317\252\317H\215\310\323\30\367\252\24\302\222\35628\254\300\370\247\236E\307BN\216y\205\322\362\313q\207\376\360\312\303\275\313\274\240\250c\374\3079G\214\255\226M\14\376\257S\353Qb\177y\\236\355=\12\344\5\305\2345\246\353[\235U\344"n\266\335\32\371\270\37\223]\264\333\276\267\330h\321Y/\3249\24!\17'\257\12\311\272\333\300\323d\223"\277\275\105!\362X\223\203\305G\350wp!\173", ) n\266\335\32\371\270\37\223]\264\333\276\267\330h\321Y/\3249\24!\17'\257\12\311\272\333\300\323d\223 ... {status=0x0, info=256}, "\374\260P\32OW\365\227\322\222W\323w1S\273\36[\342M\23\261\216\313\357\220a\264\264\212z\2158\32\314P\205\350\315\320aK\2426\24LS\312\274\300\3605\335\10\331]\17$\16NP>\336]J\357\214\245\365EwT7r\317\2343\303\17\232s\341\352\375\326-"\35\374\247\518\27\226\332\267\5\361:"p\4;$\321\200\262\30f\230\17\330\274\361\221\211\251\340@\230\362\335X\244\251yg\317\252\317H\215\310\323\30\367\252\24\302\222\35628\254\300\370\247\236E\307BN\216y\205\322\362\313q\207\376\360\312\303\275\313\274\240\250c\374\3079G\214\255\226M\14\376\257S\353Qb\177y\\236\355=\12\344\5\305\2345\246\353[\235U\344"n\266\335\32\371\270\37\223]\264\333\276\267\330h\321Y/\3249\24!\17'\257\12\311\272\333\300\323d\223"\277\275\105!\362X\223\203\305G\350wp!\173", ) , ) == 0x0
 02187  1808   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 316, ) == 0x0
 02188  1808   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 13628024, 188, ... 320, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 1}, 0x0, 0x0, 13628024, 188, ... 320, 0x0, 0x0, 0x0, 188, ) == 0x0
 02189  1808   NtRequestWaitReplyPort  (320, {200, 224, new_msg, 0, 2883626, 1372480, 12, 2}  (320, {200, 224, new_msg, 0, 2883626, 1372480, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\107\24\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0|I\351\12\210\216\313\275\210"\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0`"\25\0\27\25*\357x\1\24\0\200"\25\0h\1\24\0\0\0\0\0\0\0\0\0\200"\25\0P\0\0\0\210"\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\317\0\372\31\221|\214\370\317\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... \25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0` (320, {200, 224, new_msg, 0, 2883626, 1372480, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\107\24\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0|I\351\12\210\216\313\275\210"\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0`"\25\0\27\25*\357x\1\24\0\200"\25\0h\1\24\0\0\0\0\0\0\0\0\0\200"\25\0P\0\0\0\210"\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\317\0\372\31\221|\214\370\317\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... \25\0h\1\24\0\0\0\0\0\0\0\0\0\200 (320, {200, 224, new_msg, 0, 2883626, 1372480, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\107\24\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0|I\351\12\210\216\313\275\210"\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0`"\25\0\27\25*\357x\1\24\0\200"\25\0h\1\24\0\0\0\0\0\0\0\0\0\200"\25\0P\0\0\0\210"\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\317\0\372\31\221|\214\370\317\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... \25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\317\0\372\31\221|\214\370\317\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...
 02190   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81902, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0\344\4\0\0\264\3\0\0" ...  ...
 02185  1132   NtSetInformationThread  ... ) == 0x0
 02190   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81904, 0}  ... {28, 56, reply, 0, 1252, 896, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0\344\4\0\0\264\3\0\0" )  ) == 0x0
 02189  1808   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 1808, 81905, 0}  ... {200, 224, reply, 0, 1252, 1808, 81905, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\107\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0|I\351\12\210\216\313\275\210"\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0`"\25\0\27\25*\357x\1\24\0\200"\25\0h\1\24\0\0\0\0\0\0\0\0\0\200"\25\0P\0\0\0\210"\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\317\0\372\31\221|\214\370\317\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0` ... {200, 224, reply, 0, 1252, 1808, 81905, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\107\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0|I\351\12\210\216\313\275\210"\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0`"\25\0\27\25*\357x\1\24\0\200"\25\0h\1\24\0\0\0\0\0\0\0\0\0\200"\25\0P\0\0\0\210"\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\317\0\372\31\221|\214\370\317\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0h\1\24\0\0\0\0\0\0\0\0\0\200 ... {200, 224, reply, 0, 1252, 1808, 81905, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\107\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0|I\351\12\210\216\313\275\210"\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0`"\25\0\27\25*\357x\1\24\0\200"\25\0h\1\24\0\0\0\0\0\0\0\0\0\200"\25\0P\0\0\0\210"\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\317\0\372\31\221|\214\370\317\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) \25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\317\0\372\31\221|\214\370\317\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) == 0x0
 02191   896   NtResumeThread  (312, ...
 02192  1808   NtRequestWaitReplyPort  (320, {44, 68, new_msg, 56, 0, 0, 0, 0}  (320, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\350#\25\0\322\0\0\0" ...  ...
 02191   896   NtResumeThread  ... 1, ) == 0x0
 02193   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02192  1808   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 1808, 81906, 0}  ... {40, 64, reply, 0, 1252, 1808, 81906, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\323\1\0\0\350\370\14\0" )  ) == 0x0
 02194  1132   NtWaitForSingleObject  (240, 0, 0x0, ...
 02195   948   NtTestAlert  (...
 02196  1808   NtRequestWaitReplyPort  (320, {64, 88, new_msg, 56, 1310720, 13627892, 1385440, 0}  (320, {64, 88, new_msg, 56, 1310720, 13627892, 1385440, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\317\0\351\201\347w\214\370\317\0\30\356\220|p\5\221|\1\0\0\0\340$\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02193   896   NtAllocateVirtualMemory  ... 32768000, 1048576, ) == 0x0
 02195   948   NtTestAlert  ... ) == 0x0
 02197   896   NtAllocateVirtualMemory  (-1, 33808384, 0, 8192, 4096, 4, ...
 02198   948   NtContinue  (32767280, 1, ...
 02197   896   NtAllocateVirtualMemory  ... 33808384, 8192, ) == 0x0
 02199   948   NtRegisterThreadTerminatePort  (24, ...
 02200   896   NtProtectVirtualMemory  (-1, (0x203e000), 4096, 260, ...
 02199   948   NtRegisterThreadTerminatePort  ... ) == 0x0
 02200   896   NtProtectVirtualMemory  ... (0x203e000), 4096, 4, ) == 0x0
 02201   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 324, {1252, 188}, ) == 0x0
 02202   896   NtQueryInformationThread  (324, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1252,Tid=188,}, 0x0, ) == 0x0
 02203   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81904, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\344\4\0\0\274\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81908, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\344\4\0\0\274\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81908, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\344\4\0\0\274\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81908, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\344\4\0\0\274\0\0\0" )  ) == 0x0
 02204   948   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02196  1808   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 1808, 81907, 0}  ... {64, 88, reply, 56, 1252, 1808, 81907, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\317\0\351\201\347w\214\370\317\0\30\356\220|p\5\221|\1\0\0\0\340$\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02205  1808   NtRequestWaitReplyPort  (320, {44, 68, new_msg, 56, 1252, 1808, 81906, 0}  (320, {44, 68, new_msg, 56, 1252, 1808, 81906, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\350#\25\0\322\0\0\0" ... {40, 64, reply, 0, 1252, 1808, 81909, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" )  ... {40, 64, reply, 0, 1252, 1808, 81909, 0}  (320, {44, 68, new_msg, 56, 1252, 1808, 81906, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\350#\25\0\322\0\0\0" ... {40, 64, reply, 0, 1252, 1808, 81909, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" )  ) == 0x0
 02206  1808   NtRequestWaitReplyPort  (320, {64, 88, new_msg, 56, 1310720, 13627892, 13628636, 0}  (320, {64, 88, new_msg, 56, 1310720, 13627892, 13628636, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\317\0\351\201\347w\214\370\317\0\30\356\220|p\5\221|\1\0\0\0\250)\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1252, 1808, 81910, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\317\0\351\201\347w\214\370\317\0\30\356\220|p\5\221|\1\0\0\0\250)\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 1252, 1808, 81910, 0}  (320, {64, 88, new_msg, 56, 1310720, 13627892, 13628636, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\317\0\351\201\347w\214\370\317\0\30\356\220|p\5\221|\1\0\0\0\250)\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1252, 1808, 81910, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\317\0\351\201\347w\214\370\317\0\30\356\220|p\5\221|\1\0\0\0\250)\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02207  1808   NtRequestWaitReplyPort  (320, {44, 68, new_msg, 56, 1252, 1808, 81909, 0}  (320, {44, 68, new_msg, 56, 1252, 1808, 81909, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\350#\25\0\322\0\0\0" ... {40, 64, reply, 0, 1252, 1808, 81911, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" )  ... {40, 64, reply, 0, 1252, 1808, 81911, 0}  (320, {44, 68, new_msg, 56, 1252, 1808, 81909, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\350#\25\0\322\0\0\0" ... {40, 64, reply, 0, 1252, 1808, 81911, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" )  ) == 0x0
 02208  1808   NtRequestWaitReplyPort  (320, {64, 88, new_msg, 56, 1310720, 13627892, 13628636, 0}  (320, {64, 88, new_msg, 56, 1310720, 13627892, 13628636, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\317\0\351\201\347w\214\370\317\0\30\356\220|p\5\221|\1\0\0\0@,\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02209   896   NtResumeThread  (324, ...
 02204   948   NtSetInformationThread  ... ) == 0x0
 02209   896   NtResumeThread  ... 1, ) == 0x0
 02208  1808   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 1808, 81912, 0}  ... {64, 88, reply, 56, 1252, 1808, 81912, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\317\0\351\201\347w\214\370\317\0\30\356\220|p\5\221|\1\0\0\0@,\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02210   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02211  1808   NtClose  (316, ...
 02210   896   NtAllocateVirtualMemory  ... 33816576, 1048576, ) == 0x0
 02211  1808   NtClose  ... ) == 0x0
 02212   896   NtAllocateVirtualMemory  (-1, 34856960, 0, 8192, 4096, 4, ...
 02213  1808   NtClose  (320, ...
 02212   896   NtAllocateVirtualMemory  ... 34856960, 8192, ) == 0x0
 02213  1808   NtClose  ... ) == 0x0
 02214   948   NtWaitForSingleObject  (240, 0, 0x0, ...
 02215   188   NtAllocateVirtualMemory  (-1, 3624960, 0, 4096, 4096, 4, ...
 02216   896   NtProtectVirtualMemory  (-1, (0x213e000), 4096, 260, ...
 02217  1808   NtDeviceIoControlFile  (308, 0, 0x0, 0x0, 0x390008,  (308, 0, 0x0, 0x0, 0x390008, "3\262{\26\326>\371\224\217.\6,\3206m\0\17\246^)p\241u\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02215   188   NtAllocateVirtualMemory  ... 3624960, 4096, ) == 0x0
 02216   896   NtProtectVirtualMemory  ... (0x213e000), 4096, 4, ) == 0x0
 02218  1808   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02219   188   NtTestAlert  (...
 02220   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02218  1808   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02219   188   NtTestAlert  ... ) == 0x0
 02220   896   NtCreateThread  ... 320, {1252, 1240}, ) == 0x0
 02221  1808   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02222   188   NtContinue  (33815856, 1, ...
 02223   896   NtQueryInformationThread  (320, Basic, 28, ...
 02221  1808   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02223   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1252,Tid=1240,}, 0x0, ) == 0x0
 02224  1808   NtQuerySystemInformation  (Performance, 312, ...
 02225   188   NtRegisterThreadTerminatePort  (24, ...
 02226   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81908, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81908, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0\344\4\0\0\330\4\0\0" ...  ...
 02225   188   NtRegisterThreadTerminatePort  ... ) == 0x0
 02226   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81914, 0}  ... {28, 56, reply, 0, 1252, 896, 81914, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0\344\4\0\0\330\4\0\0" )  ) == 0x0
 02227   188   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02228   896   NtResumeThread  (320, ... 1, ) == 0x0
 02229   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34865152, 1048576, ) == 0x0
 02230   896   NtAllocateVirtualMemory  (-1, 35905536, 0, 8192, 4096, 4, ... 35905536, 8192, ) == 0x0
 02231   896   NtProtectVirtualMemory  (-1, (0x223e000), 4096, 260, ... (0x223e000), 4096, 4, ) == 0x0
 02232   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02224  1808   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02227   188   NtSetInformationThread  ... ) == 0x0
 02233  1240   NtTestAlert  (...
 02234  1808   NtQuerySystemInformation  (Exception, 16, ...
 02232   896   NtCreateThread  ... 316, {1252, 120}, ) == 0x0
 02233  1240   NtTestAlert  ... ) == 0x0
 02234  1808   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02235   896   NtQueryInformationThread  (316, Basic, 28, ...
 02236  1240   NtContinue  (34864432, 1, ...
 02237  1808   NtQuerySystemInformation  (Lookaside, 32, ...
 02235   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1252,Tid=120,}, 0x0, ) == 0x0
 02238  1240   NtRegisterThreadTerminatePort  (24, ...
 02237  1808   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02239   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81914, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81914, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\344\4\0\0x\0\0\0" ...  ...
 02238  1240   NtRegisterThreadTerminatePort  ... ) == 0x0
 02240  1808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02239   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81915, 0}  ... {28, 56, reply, 0, 1252, 896, 81915, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\344\4\0\0x\0\0\0" )  ) == 0x0
 02241   188   NtWaitForSingleObject  (240, 0, 0x0, ...
 02242  1240   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02240  1808   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02243   896   NtResumeThread  (316, ...
 02244  1808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02243   896   NtResumeThread  ... 1, ) == 0x0
 02244  1808   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02245   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02246  1808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02245   896   NtAllocateVirtualMemory  ... 35913728, 1048576, ) == 0x0
 02246  1808   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02247   896   NtAllocateVirtualMemory  (-1, 36954112, 0, 8192, 4096, 4, ...
 02248  1808   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "U\304\366\200O\315\5\243\333\314\202?I!\327V\177g\25}\364,\242i\377\225/J?\247f\311\311.\234\270(\24\331\10F\320\217\267xF\300kg\355\3458\377\227\310\11\226\37\272\334Z\204\267\254\5\305\302\25\343z0\203\244S\341\361\265\334O", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "U\304\366\200O\315\5\243\333\314\202?I!\327V\177g\25}\364,\242i\377\225/J?\247f\311\311.\234\270(\24\331\10F\320\217\267xF\300kg\355\3458\377\227\310\11\226\37\272\334Z\204\267\254\5\305\302\25\343z0\203\244S\341\361\265\334O", 80, ... , 80, ...
 02247   896   NtAllocateVirtualMemory  ... 36954112, 8192, ) == 0x0
 02242  1240   NtSetInformationThread  ... ) == 0x0
 02249   120   NtTestAlert  (...
 02248  1808   NtSetValueKey  ... ) == 0x0
 02250   896   NtProtectVirtualMemory  (-1, (0x233e000), 4096, 260, ...
 02249   120   NtTestAlert  ... ) == 0x0
 02251  1808   NtClose  (-2147481484, ...
 02250   896   NtProtectVirtualMemory  ... (0x233e000), 4096, 4, ) == 0x0
 02252   120   NtContinue  (35913008, 1, ...
 02251  1808   NtClose  ... ) == 0x0
 02253   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02254   120   NtRegisterThreadTerminatePort  (24, ...
 02217  1808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "B\14%+?N\210\5\200j.\16\277\272z\236\231\201\332vf\360m\241\26\203A\262\360|\353K\204`u\6\37e\342\334\205\367\16\267\17#\325M\205\323\354\347^\341\2701\236\321\3478R\333\204\220\34A\21297\4*\236\330\365\16e\251\274I,-\240`\360\351\276lY\241m\201\315\364\266qI\363e\247\273\246\21\311\201T\251na\6\12A\33\12\1\337\2215\263\35\364\314\303\357s5\233\33In\206NC0\3U\322\320`\264 \241\323]%\303\315n\353(\210\223M"\350)\255hQ1\262\310\3766\316\306\215^\6\223u>\377\202G\315\247wK\\17p\336.\375\360]\202V\220\374\306N\24\22\233\243\37\250Or\36B\253\202NF\350:u\332\365\213\346&\202KA\333\16\315W\324;\362f x\220\326\12\11\225\201@o\272\2\341\317\272s\357f\3054\351\264\365\350D\304\24\35;\225\312", ) \350)\255hQ1\262\310\3766\316\306\215^\6\223u>\377\202G\315\247wK\\17p\336.\375\360]\202V\220\374\306N\24\22\233\243\37\250Or\36B\253\202NF\350:u\332\365\213\346&\202KA\333\16\315W\324;\362f x\220\326\12\11\225\201@o\272\2\341\317\272s\357f\3054\351\264\365\350D\304\24\35;\225\312", ) == 0x0
 02253   896   NtCreateThread  ... 328, {1252, 1728}, ) == 0x0
 02254   120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02255  1808   NtDeviceIoControlFile  (308, 0, 0x0, 0x0, 0x390008,  (308, 0, 0x0, 0x0, 0x390008, "3\262{\26\326>\371\224\217.\6,\3206$\253\343\346\1\2262 \15\17\246^)p\241u\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02256   896   NtQueryInformationThread  (328, Basic, 28, ...
 02257  1240   NtWaitForSingleObject  (240, 0, 0x0, ...
 02258  1808   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02256   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1252,Tid=1728,}, 0x0, ) == 0x0
 02259   120   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02258  1808   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02260  1808   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02261  1808   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02262  1808   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02263  1808   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02264  1808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02265  1808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02266   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81915, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81915, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\344\4\0\0\300\6\0\0" ...  ...
 02259   120   NtSetInformationThread  ... ) == 0x0
 02266   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81916, 0}  ... {28, 56, reply, 0, 1252, 896, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\344\4\0\0\300\6\0\0" )  ) == 0x0
 02265  1808   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02267   896   NtResumeThread  (328, ...
 02268  1808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02267   896   NtResumeThread  ... 1, ) == 0x0
 02268  1808   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02269   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02270  1808   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "ph\302\311\337dN\11\262w\352\346\225z\21\317\36\3762\253\343?F\353\270\336\305O\26`\0\363f\1\311M\250\257\5\17\254c\353\266\303\363\4nY5\201\303\320\213\\255\327\240K\375Zd\26\11\343\302\363\3114\332\246\35\265yXk\272\233\325\313", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "ph\302\311\337dN\11\262w\352\346\225z\21\317\36\3762\253\343?F\353\270\336\305O\26`\0\363f\1\311M\250\257\5\17\254c\353\266\303\363\4nY5\201\303\320\213\\255\327\240K\375Zd\26\11\343\302\363\3114\332\246\35\265yXk\272\233\325\313", 80, ... , 80, ...
 02271   120   NtWaitForSingleObject  (240, 0, 0x0, ...
 02272  1728   NtTestAlert  (...
 02270  1808   NtSetValueKey  ... ) == 0x0
 02269   896   NtAllocateVirtualMemory  ... 36962304, 1048576, ) == 0x0
 02272  1728   NtTestAlert  ... ) == 0x0
 02273  1808   NtClose  (-2147481484, ...
 02274   896   NtAllocateVirtualMemory  (-1, 38002688, 0, 8192, 4096, 4, ...
 02275  1728   NtContinue  (36961584, 1, ...
 02274   896   NtAllocateVirtualMemory  ... 38002688, 8192, ) == 0x0
 02276  1728   NtRegisterThreadTerminatePort  (24, ...
 02277   896   NtProtectVirtualMemory  (-1, (0x243e000), 4096, 260, ...
 02276  1728   NtRegisterThreadTerminatePort  ... ) == 0x0
 02277   896   NtProtectVirtualMemory  ... (0x243e000), 4096, 4, ) == 0x0
 02273  1808   NtClose  ... ) == 0x0
 02278   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02255  1808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\371\33\333\336\353\12\200\222!\20\326\346\373M\21\271!\31\353\362$\363\263\201)\212\7\207l\13?@r\201\33\377\367\326\2\275\221)H4\341\235\277\321\333\302Bb\6\263\236P\364A\356\274\12\20\325F\24\327\231Z\265?j\264\270v,\303\315\177r\362\324Y\314\0\217\0\212\365A\311hU}F\265\224\334\356O$\273p\271\254 \241\10\13h\202\1\274\201\37\217\27<\322?\221\356%\240\305\374\14\244%*\323\254zj\337\361\317\17Gq\236\274R\306\262E\363\317\336[\356\4\266\264+\310\212\30\1\330\212D\301l\356\244\270\32MuC\275m\371fU\200\301\201\207:\245e"~@\363\322\236\240\312\2t\203z\306\3575\356\1\235\270\350\4\203?c\364e\4>\327,zm\216w\323)M\210\350\224\203\34\237\324\357Bg\31\342\13gS\251\311\323\246p@\243\253~\3\30\35\355\17\215HW\225\371\314\276", ) ~@\363\322\236\240\312\2t\203z\306\3575\356\1\235\270\350\4\203?c\364e\4>\327,zm\216w\323)M\210\350\224\203\34\237\324\357Bg\31\342\13gS\251\311\323\246p@\243\253~\3\30\35\355\17\215HW\225\371\314\276", ) == 0x0
 02279  1728   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02280  1808   NtDeviceIoControlFile  (308, 0, 0x0, 0x0, 0x390008,  (308, 0, 0x0, 0x0, 0x390008, "3\262{\26\326>\371\224\217.\6,\3206$\253\343\346\1\2262i\246\343\346\1\2262 \15\17\246^)p\241u\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02281  1808   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02282  1808   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02283  1808   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02284  1808   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02285  1808   NtQuerySystemInformation  (Lookaside, 32, ...
 02278   896   NtCreateThread  ... 332, {1252, 1256}, ) == 0x0
 02279  1728   NtSetInformationThread  ... ) == 0x0
 02286   896   NtQueryInformationThread  (332, Basic, 28, ...
 02285  1808   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02286   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1252,Tid=1256,}, 0x0, ) == 0x0
 02287  1808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02288   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81916, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\344\4\0\0\350\4\0\0" ...  ...
 02287  1808   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02288   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81917, 0}  ... {28, 56, reply, 0, 1252, 896, 81917, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\344\4\0\0\350\4\0\0" )  ) == 0x0
 02289  1808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02290  1728   NtWaitForSingleObject  (240, 0, 0x0, ...
 02289  1808   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02291   896   NtResumeThread  (332, ...
 02292  1808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02291   896   NtResumeThread  ... 1, ) == 0x0
 02293   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 38010880, 1048576, ) == 0x0
 02294   896   NtAllocateVirtualMemory  (-1, 39051264, 0, 8192, 4096, 4, ... 39051264, 8192, ) == 0x0
 02295   896   NtProtectVirtualMemory  (-1, (0x253e000), 4096, 260, ... (0x253e000), 4096, 4, ) == 0x0
 02296   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 336, {1252, 1536}, ) == 0x0
 02297   896   NtQueryInformationThread  (336, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1252,Tid=1536,}, 0x0, ) == 0x0
 02292  1808   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02298  1256   NtTestAlert  (...
 02299  1808   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\275<\213f\241\333\206\324^\274\32\360q\324/\233}Os[\2\231\275\232\272(6\334\361\213r\306\313\26\232\346:moEOp\23\331\277\265{PjF\274OPg\313\25\316\277\202=\256\364)\27\24\32\272\270\352\222\204\203\255\201\377\3\323\251\373\332", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "\275<\213f\241\333\206\324^\274\32\360q\324/\233}Os[\2\231\275\232\272(6\334\361\213r\306\313\26\232\346:moEOp\23\331\277\265{PjF\274OPg\313\25\316\277\202=\256\364)\27\24\32\272\270\352\222\204\203\255\201\377\3\323\251\373\332", 80, ... , 80, ...
 02298  1256   NtTestAlert  ... ) == 0x0
 02299  1808   NtSetValueKey  ... ) == 0x0
 02300  1256   NtContinue  (38010160, 1, ...
 02301  1808   NtClose  (-2147481484, ...
 02302  1256   NtRegisterThreadTerminatePort  (24, ...
 02301  1808   NtClose  ... ) == 0x0
 02302  1256   NtRegisterThreadTerminatePort  ... ) == 0x0
 02280  1808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\25\242Age\221\354\254\220|\352~Q\260\310\320L\377D\275QL\7"\1\365\337\362\16\201Fi5\302\252\336\320\210\232\275\257\343\272\24h\344tK\221\206\216hI\36R\255\221\204\376Qd\250\0Si\326\207\217\355\271\314\316\234\13\374O\230\323\3544\12\2XCn&X\202+\27\346\257n=8\212\300\21\0I\316l\262\361\221\243\307\364\260\325\327=\276\225\364\3410\2654\241\10\371\6m_\4(\2+\3319\377@]\265\204\356\202Y9\217\221?\3211\375\24@\373'(\207ss\335zJJ\374\356\365\267\317\23\206Y\0\254a\315f\301\326J2\351\302\343S\230\20O\215\11\326\316QW(\344\221\345\212\200\363\343K\314\221]P0\236\322\307f\337\354\250L=\236\336\322$\240.I\216\231\6\335\2311\303\220\374\323\235"t\3638\3\254\307\23", ) \1\365\337\362\16\201Fi5\302\252\336\320\210\232\275\257\343\272\24h\344tK\221\206\216hI\36R\255\221\204\376Qd\250\0Si\326\207\217\355\271\314\316\234\13\374O\230\323\3544\12\2XCn&X\202+\27\346\257n=8\212\300\21\0I\316l\262\361\221\243\307\364\260\325\327=\276\225\364\3410\2654\241\10\371\6m_\4(\2+\3319\377@]\265\204\356\202Y9\217\221?\3211\375\24@\373'(\207ss\335zJJ\374\356\365\267\317\23\206Y\0\254a\315f\301\326J2\351\302\343S\230\20O\215\11\326\316QW(\344\221\345\212\200\363\343K\314\221]P0\236\322\307f\337\354\250L=\236\336\322$\240.I\216\231\6\335\2311\303\220\374\323\235 ... {status=0x0, info=256}, "\25\242Age\221\354\254\220|\352~Q\260\310\320L\377D\275QL\7"\1\365\337\362\16\201Fi5\302\252\336\320\210\232\275\257\343\272\24h\344tK\221\206\216hI\36R\255\221\204\376Qd\250\0Si\326\207\217\355\271\314\316\234\13\374O\230\323\3544\12\2XCn&X\202+\27\346\257n=8\212\300\21\0I\316l\262\361\221\243\307\364\260\325\327=\276\225\364\3410\2654\241\10\371\6m_\4(\2+\3319\377@]\265\204\356\202Y9\217\221?\3211\375\24@\373'(\207ss\335zJJ\374\356\365\267\317\23\206Y\0\254a\315f\301\326J2\351\302\343S\230\20O\215\11\326\316QW(\344\221\345\212\200\363\343K\314\221]P0\236\322\307f\337\354\250L=\236\336\322$\240.I\216\231\6\335\2311\303\220\374\323\235"t\3638\3\254\307\23", ) , ) == 0x0
 02303   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81917, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81917, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\344\4\0\0\0\6\0\0" ...  ...
 02304  1256   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02303   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81918, 0}  ... {28, 56, reply, 0, 1252, 896, 81918, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\344\4\0\0\0\6\0\0" )  ) == 0x0
 02305   896   NtResumeThread  (336, ... 1, ) == 0x0
 02306   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 39059456, 1048576, ) == 0x0
 02307   896   NtAllocateVirtualMemory  (-1, 40099840, 0, 8192, 4096, 4, ... 40099840, 8192, ) == 0x0
 02308   896   NtProtectVirtualMemory  (-1, (0x263e000), 4096, 260, ... (0x263e000), 4096, 4, ) == 0x0
 02309   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02310  1808   NtDeviceIoControlFile  (308, 0, 0x0, 0x0, 0x390008,  (308, 0, 0x0, 0x0, 0x390008, "3\262{\26\326>\371\224\217.\6,\3206$\253\343\346\1\2262i\246\343\346\1\2262i\246\343\346\1\2262 \15\17\246^)p\241u\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02304  1256   NtSetInformationThread  ... ) == 0x0
 02311  1536   NtTestAlert  (...
 02312  1808   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02309   896   NtCreateThread  ... 340, {1252, 1936}, ) == 0x0
 02311  1536   NtTestAlert  ... ) == 0x0
 02312  1808   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02313   896   NtQueryInformationThread  (340, Basic, 28, ...
 02314  1536   NtContinue  (39058736, 1, ...
 02313   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1252,Tid=1936,}, 0x0, ) == 0x0
 02315  1536   NtRegisterThreadTerminatePort  (24, ...
 02316   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81918, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81918, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\4\0\0\220\7\0\0" ...  ...
 02315  1536   NtRegisterThreadTerminatePort  ... ) == 0x0
 02316   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81919, 0}  ... {28, 56, reply, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\4\0\0\220\7\0\0" )  ) == 0x0
 02317  1808   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02318  1256   NtWaitForSingleObject  (240, 0, 0x0, ...
 02319  1536   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02317  1808   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02320   896   NtResumeThread  (340, ...
 02321  1808   NtQuerySystemInformation  (Performance, 312, ...
 02320   896   NtResumeThread  ... 1, ) == 0x0
 02321  1808   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02322   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02323  1808   NtQuerySystemInformation  (Exception, 16, ...
 02322   896   NtAllocateVirtualMemory  ... 40108032, 1048576, ) == 0x0
 02323  1808   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02324   896   NtAllocateVirtualMemory  (-1, 41148416, 0, 8192, 4096, 4, ...
 02319  1536   NtSetInformationThread  ... ) == 0x0
 02325  1936   NtTestAlert  (...
 02324   896   NtAllocateVirtualMemory  ... 41148416, 8192, ) == 0x0
 02326  1808   NtQuerySystemInformation  (Lookaside, 32, ...
 02325  1936   NtTestAlert  ... ) == 0x0
 02327  1536   NtWaitForSingleObject  (240, 0, 0x0, ...
 02326  1808   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02328  1936   NtContinue  (40107312, 1, ...
 02329   896   NtProtectVirtualMemory  (-1, (0x273e000), 4096, 260, ...
 02330  1808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02331  1936   NtRegisterThreadTerminatePort  (24, ...
 02329   896   NtProtectVirtualMemory  ... (0x273e000), 4096, 4, ) == 0x0
 02330  1808   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02331  1936   NtRegisterThreadTerminatePort  ... ) == 0x0
 02332   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02333  1808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02332   896   NtCreateThread  ... 344, {1252, 968}, ) == 0x0
 02333  1808   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02334   896   NtQueryInformationThread  (344, Basic, 28, ...
 02335  1936   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02334   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1252,Tid=968,}, 0x0, ) == 0x0
 02335  1936   NtSetInformationThread  ... ) == 0x0
 02336  1808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02337   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81919, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\344\4\0\0\310\3\0\0" ...  ...
 02336  1808   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02337   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81920, 0}  ... {28, 56, reply, 0, 1252, 896, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\344\4\0\0\310\3\0\0" )  ) == 0x0
 02338  1808   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "X\211\271\262\303\321\200\210\316\15\305K\217\275\242\374\330\242Y\260\305\243?\6_\211\34)r\341\367\223\266i\277\332\115\50\342\223#V?\30\246\326\32\337\322\257\370\340\226\334`\243=(|\307\344\374\276\342\210\346;\322\316 \307\365\143^\235\360\235", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "X\211\271\262\303\321\200\210\316\15\305K\217\275\242\374\330\242Y\260\305\243?\6_\211\34)r\341\367\223\266i\277\332\115\50\342\223#V?\30\246\326\32\337\322\257\370\340\226\334`\243=(|\307\344\374\276\342\210\346;\322\316 \307\365\143^\235\360\235", 80, ... , 80, ...
 02339   896   NtResumeThread  (344, ...
 02338  1808   NtSetValueKey  ... ) == 0x0
 02339   896   NtResumeThread  ... 1, ) == 0x0
 02340  1808   NtClose  (-2147481484, ...
 02341   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02340  1808   NtClose  ... ) == 0x0
 02342  1936   NtWaitForSingleObject  (240, 0, 0x0, ...
 02343   968   NtTestAlert  (...
 02341   896   NtAllocateVirtualMemory  ... 41156608, 1048576, ) == 0x0
 02310  1808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "MJ\276\2315\312\\356U\214\361\275\25\207J\252\363&o\207`\206\227\36+\300\335\3255\335\264\330f\253\364\351\344\254H|\266\231\365\312z\4\16\203;p\224\1\255\211\342\352\230=(\247pK6\32\251l\202\10\263\2767\271\213\235\274u\351\214W-\226\265\213Z\240\21\223\13\365\334\264\315wr\34\264\319\256\331\261+}\344^\321pv\27,\251\364\254\32\27\225a\267*\364\330\4z\3005\376\335\324zrG\Gtz\344U\271\352ymx\227+\267z9\24\262\303\262\210"\276\302-\201x\347\316\203\264\221%\344\212$\273\210\2\325/\245\335\277o\365\344\326\236\376\207( +\31\315\331\260\321\356\361\263\1773UM_\375\252Z\374\10\37+\220\243\263b'~\327\246\357\221N\322Q\375\321\352\204\202"\322\366\326s\17\211'\257(\267Y\203\274`\303\214\214\302\31\5@\203\361N\325\227\5Lp\\350", ) \276\302-\201x\347\316\203\264\221%\344\212$\273\210\2\325/\245\335\277o\365\344\326\236\376\207( +\31\315\331\260\321\356\361\263\1773UM_\375\252Z\374\10\37+\220\243\263b'~\327\246\357\221N\322Q\375\321\352\204\202 ... {status=0x0, info=256}, "MJ\276\2315\312\\356U\214\361\275\25\207J\252\363&o\207`\206\227\36+\300\335\3255\335\264\330f\253\364\351\344\254H|\266\231\365\312z\4\16\203;p\224\1\255\211\342\352\230=(\247pK6\32\251l\202\10\263\2767\271\213\235\274u\351\214W-\226\265\213Z\240\21\223\13\365\334\264\315wr\34\264\319\256\331\261+}\344^\321pv\27,\251\364\254\32\27\225a\267*\364\330\4z\3005\376\335\324zrG\Gtz\344U\271\352ymx\227+\267z9\24\262\303\262\210"\276\302-\201x\347\316\203\264\221%\344\212$\273\210\2\325/\245\335\277o\365\344\326\236\376\207( +\31\315\331\260\321\356\361\263\1773UM_\375\252Z\374\10\37+\220\243\263b'~\327\246\357\221N\322Q\375\321\352\204\202"\322\366\326s\17\211'\257(\267Y\203\274`\303\214\214\302\31\5@\203\361N\325\227\5Lp\\350", ) , ) == 0x0
 02343   968   NtTestAlert  ... ) == 0x0
 02344   896   NtAllocateVirtualMemory  (-1, 42196992, 0, 8192, 4096, 4, ...
 02345  1808   NtDeviceIoControlFile  (308, 0, 0x0, 0x0, 0x390008,  (308, 0, 0x0, 0x0, 0x390008, "3\262{\26\326>\371\224\217.\6,\3206$\253\343\346\1\2262i\246\343\346\1\2262i\246\343\346\1\2262i\246\343\346\1\2262 \15\17\246^)p\241u\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02346   968   NtContinue  (41155888, 1, ...
 02344   896   NtAllocateVirtualMemory  ... 42196992, 8192, ) == 0x0
 02347  1808   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02348   968   NtRegisterThreadTerminatePort  (24, ...
 02349   896   NtProtectVirtualMemory  (-1, (0x283e000), 4096, 260, ...
 02347  1808   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02348   968   NtRegisterThreadTerminatePort  ... ) == 0x0
 02349   896   NtProtectVirtualMemory  ... (0x283e000), 4096, 4, ) == 0x0
 02350  1808   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02351   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02350  1808   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02352   968   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02351   896   NtCreateThread  ... 348, {1252, 1688}, ) == 0x0
 02353   896   NtQueryInformationThread  (348, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1252,Tid=1688,}, 0x0, ) == 0x0
 02354   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81920, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\230\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\230\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81921, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\230\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\230\6\0\0" )  ) == 0x0
 02355   896   NtResumeThread  (348, ... 1, ) == 0x0
 02356   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 42205184, 1048576, ) == 0x0
 02357   896   NtAllocateVirtualMemory  (-1, 43245568, 0, 8192, 4096, 4, ... 43245568, 8192, ) == 0x0
 02358  1808   NtQuerySystemInformation  (Performance, 312, ...
 02359  1688   NtTestAlert  (...
 02352   968   NtSetInformationThread  ... ) == 0x0
 02358  1808   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02359  1688   NtTestAlert  ... ) == 0x0
 02360   896   NtProtectVirtualMemory  (-1, (0x293e000), 4096, 260, ...
 02361  1808   NtQuerySystemInformation  (Exception, 16, ...
 02362  1688   NtContinue  (42204464, 1, ...
 02360   896   NtProtectVirtualMemory  ... (0x293e000), 4096, 4, ) == 0x0
 02361  1808   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02363  1688   NtRegisterThreadTerminatePort  (24, ...
 02364   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02365  1808   NtQuerySystemInformation  (Lookaside, 32, ...
 02363  1688   NtRegisterThreadTerminatePort  ... ) == 0x0
 02364   896   NtCreateThread  ... 352, {1252, 308}, ) == 0x0
 02365  1808   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02366   968   NtWaitForSingleObject  (240, 0, 0x0, ...
 02367   896   NtQueryInformationThread  (352, Basic, 28, ...
 02368  1688   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02369  1808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02367   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1252,Tid=308,}, 0x0, ) == 0x0
 02369  1808   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02368  1688   NtSetInformationThread  ... ) == 0x0
 02370  1808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02371   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81921, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\344\4\0\04\1\0\0" ...  ...
 02370  1808   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02371   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81922, 0}  ... {28, 56, reply, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\344\4\0\04\1\0\0" )  ) == 0x0
 02372  1808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02373   896   NtResumeThread  (352, ...
 02372  1808   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02373   896   NtResumeThread  ... 1, ) == 0x0
 02374  1688   NtWaitForSingleObject  (240, 0, 0x0, ...
 02375   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02376  1808   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\370)*\25\31_X\327Fs55\361\300\202\277wD!\342\210^\10\264\14\223X\243\342\254\366\275\375\317\265\244c\237\323_\260\25\256\346\360r\306q\302$h\244\31hu4NY\32\33\214\277\242e\264\12\177S_}\212\267\376"d\371\267\14\14", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "\370)*\25\31_X\327Fs55\361\300\202\277wD!\342\210^\10\264\14\223X\243\342\254\366\275\375\317\265\244c\237\323_\260\25\256\346\360r\306q\302$h\244\31hu4NY\32\33\214\277\242e\264\12\177S_}\212\267\376"d\371\267\14\14", 80, ... d\371\267\14\14", 80, ...
 02377   308   NtTestAlert  (...
 02376  1808   NtSetValueKey  ... ) == 0x0
 02377   308   NtTestAlert  ... ) == 0x0
 02378  1808   NtClose  (-2147481484, ...
 02379   308   NtContinue  (43253040, 1, ...
 02378  1808   NtClose  ... ) == 0x0
 02380   308   NtRegisterThreadTerminatePort  (24, ...
 02345  1808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "9\330h\36\204G\13B&\216We\331\372\243\241Z\1\320\341\364\232.\17g0h<\217I \301B\331\330\356\353\251\223 P\305D\301\372\33\241T\223N\250\237h\232\245\23\366\25\301\7\37\263\236\17C\262g)\241;\25~UK&\264\227GF\222^\213\3342(\250c\360\373\352\264\311\303=xcm\14\336Dj\24\2646\243\250\343\330\330\336\274\363U\331\310ZS?\342\266\271\224\21\236\2\366:>K\302\231S\20\236\5\375 \3617\250\314\27\325\271kJ\331n\350\357)z\3234o\20\215\360\274v\3+\204C\360Ayn/T\302\2722Y~'\270t\316\355K&\30\226DC\206\336\26\205\312\371g\25\305\205~:k\367\317\32g\247\376\17\363\360\2633\324*\3403<:\11\307\354-\214&\323\207\12\332\364ai\334\336N\371/\307KR\3746W\222\275\241\253m\251", ) )z\3234o\20\215\360\274v\3+\204C\360Ayn/T\302\2722Y~'\270t\316\355K&\30\226DC\206\336\26\205\312\371g\25\305\205~:k\367\317\32g\247\376\17\363\360\2633\324*\3403<:\11\307\354-\214&\323\207\12\332\364ai\334\336N\371/\307KR\3746W\222\275\241\253m\251", ) == 0x0
 02380   308   NtRegisterThreadTerminatePort  ... ) == 0x0
 02381  1808   NtDeviceIoControlFile  (308, 0, 0x0, 0x0, 0x390008,  (308, 0, 0x0, 0x0, 0x390008, "3\262{\26\326>\371\224\217.\6,\3206$\253\343\346\1\2262i\246\343\346\1\2262i\246\343\346\1\2262i\246\343\346\1\2262i\246\343\346\1\2262 \15\17\246^)p\241u\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02375   896   NtAllocateVirtualMemory  ... 43253760, 1048576, ) == 0x0
 02382   308   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02383   896   NtAllocateVirtualMemory  (-1, 44294144, 0, 8192, 4096, 4, ... 44294144, 8192, ) == 0x0
 02384   896   NtProtectVirtualMemory  (-1, (0x2a3e000), 4096, 260, ... (0x2a3e000), 4096, 4, ) == 0x0
 02385   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 356, {1252, 1584}, ) == 0x0
 02386   896   NtQueryInformationThread  (356, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1252,Tid=1584,}, 0x0, ) == 0x0
 02387   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\00\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\00\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81923, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\00\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\00\6\0\0" )  ) == 0x0
 02388  1808   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02382   308   NtSetInformationThread  ... ) == 0x0
 02388  1808   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02389   896   NtResumeThread  (356, ...
 02390  1808   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02389   896   NtResumeThread  ... 1, ) == 0x0
 02390  1808   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02391   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02392  1808   NtQuerySystemInformation  (Performance, 312, ...
 02391   896   NtAllocateVirtualMemory  ... 44302336, 1048576, ) == 0x0
 02392  1808   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02393   896   NtAllocateVirtualMemory  (-1, 45342720, 0, 8192, 4096, 4, ...
 02394   308   NtWaitForSingleObject  (240, 0, 0x0, ...
 02395  1584   NtTestAlert  (...
 02393   896   NtAllocateVirtualMemory  ... 45342720, 8192, ) == 0x0
 02396  1808   NtQuerySystemInformation  (Exception, 16, ...
 02395  1584   NtTestAlert  ... ) == 0x0
 02396  1808   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02397  1584   NtContinue  (44301616, 1, ...
 02398  1808   NtQuerySystemInformation  (Lookaside, 32, ...
 02399  1584   NtRegisterThreadTerminatePort  (24, ...
 02398  1808   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02399  1584   NtRegisterThreadTerminatePort  ... ) == 0x0
 02400  1808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02401   896   NtProtectVirtualMemory  (-1, (0x2b3e000), 4096, 260, ...
 02400  1808   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02401   896   NtProtectVirtualMemory  ... (0x2b3e000), 4096, 4, ) == 0x0
 02402  1584   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02403   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 360, {1252, 1496}, ) == 0x0
 02404   896   NtQueryInformationThread  (360, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1252,Tid=1496,}, 0x0, ) == 0x0
 02405   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81923, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\344\4\0\0\330\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\344\4\0\0\330\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81924, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\344\4\0\0\330\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\344\4\0\0\330\5\0\0" )  ) == 0x0
 02406   896   NtResumeThread  (360, ... 1, ) == 0x0
 02407   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02408  1808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02402  1584   NtSetInformationThread  ... ) == 0x0
 02409  1496   NtTestAlert  (...
 02408  1808   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02407   896   NtAllocateVirtualMemory  ... 45350912, 1048576, ) == 0x0
 02409  1496   NtTestAlert  ... ) == 0x0
 02410  1808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02411   896   NtAllocateVirtualMemory  (-1, 46391296, 0, 8192, 4096, 4, ...
 02412  1496   NtContinue  (45350192, 1, ...
 02410  1808   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02411   896   NtAllocateVirtualMemory  ... 46391296, 8192, ) == 0x0
 02413  1496   NtRegisterThreadTerminatePort  (24, ...
 02414  1808   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\225\260t=\275\376 \34h\317\311\6 \23\255\217z\230-\375\373YB\353\373\211\211x\253E\321L7\36w\254\376\0c\241\20V\260\0\367BQ\3v2\352\31\334\230@WS8\334\277Z\265Y\3217z'gK\14\276\312\235\335]y\212\314\253\207", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "\225\260t=\275\376 \34h\317\311\6 \23\255\217z\230-\375\373YB\353\373\211\211x\253E\321L7\36w\254\376\0c\241\20V\260\0\367BQ\3v2\352\31\334\230@WS8\334\277Z\265Y\3217z'gK\14\276\312\235\335]y\212\314\253\207", 80, ... , 80, ...
 02415   896   NtProtectVirtualMemory  (-1, (0x2c3e000), 4096, 260, ...
 02413  1496   NtRegisterThreadTerminatePort  ... ) == 0x0
 02414  1808   NtSetValueKey  ... ) == 0x0
 02415   896   NtProtectVirtualMemory  ... (0x2c3e000), 4096, 4, ) == 0x0
 02416  1584   NtWaitForSingleObject  (240, 0, 0x0, ...
 02417  1496   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02418   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02419  1808   NtClose  (-2147481484, ...
 02417  1496   NtSetInformationThread  ... ) == 0x0
 02419  1808   NtClose  ... ) == 0x0
 02418   896   NtCreateThread  ... 364, {1252, 1944}, ) == 0x0
 02381  1808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\210\3642\246\31\372`$\236rXa\222\20\35\345|\2~K3\4\310d9O\24 \346I\372\12K\354\201\305\214\246\247k\267\23#\20yb^\246\360\335\315\237f\221[n\357-^\332\254}\335St\315\375\20\323t\34\350l\213\245\267\367\303\70\227w\26\374\272\21\255\210 \23x\20\4\234\343\247g|\322C\242!\254\259\205\206\35\314W`\310\303y\3029l`\257\337q\205\232\272\264\263#"\355Ok\223-\270\272@\373\221\334\7\2121\366\242\221\241\226--\366\243\267\225\357\342\223JN>X\351/WM|\200!k\355\247HmY\307\240\255\3249\337kx\245\274\371\334\242\273\24H\346}z\373\221\211Y\200\326\213i\203wV_\355\31\2\320\215}\0\312}\315\274~v^\211E\336\214\33"\243#\312\23F\251C\246\251\377\21n\313\205\323\23\316\232\3221w\272N\2\271\22\3702\373E\6", ) \355Ok\223-\270\272@\373\221\334\7\2121\366\242\221\241\226--\366\243\267\225\357\342\223JN>X\351/WM|\200!k\355\247HmY\307\240\255\3249\337kx\245\274\371\334\242\273\24H\346}z\373\221\211Y\200\326\213i\203wV_\355\31\2\320\215}\0\312}\315\274~v^\211E\336\214\33 ... {status=0x0, info=256}, "\210\3642\246\31\372`$\236rXa\222\20\35\345|\2~K3\4\310d9O\24 \346I\372\12K\354\201\305\214\246\247k\267\23#\20yb^\246\360\335\315\237f\221[n\357-^\332\254}\335St\315\375\20\323t\34\350l\213\245\267\367\303\70\227w\26\374\272\21\255\210 \23x\20\4\234\343\247g|\322C\242!\254\259\205\206\35\314W`\310\303y\3029l`\257\337q\205\232\272\264\263#"\355Ok\223-\270\272@\373\221\334\7\2121\366\242\221\241\226--\366\243\267\225\357\342\223JN>X\351/WM|\200!k\355\247HmY\307\240\255\3249\337kx\245\274\371\334\242\273\24H\346}z\373\221\211Y\200\326\213i\203wV_\355\31\2\320\215}\0\312}\315\274~v^\211E\336\214\33"\243#\312\23F\251C\246\251\377\21n\313\205\323\23\316\232\3221w\272N\2\271\22\3702\373E\6", ) , ) == 0x0
 02420   896   NtQueryInformationThread  (364, Basic, 28, ...
 02421  1808   NtDeviceIoControlFile  (308, 0, 0x0, 0x0, 0x390008,  (308, 0, 0x0, 0x0, 0x390008, "3\262{\26\326>\371\224\217.\6,\3206$\253\343\346\1\2262i\246\343\346\1\2262i\246\343\346\1\2262i\246\343\346\1\2262i\246\343\346\1\2262i\246\343\346\1\2262 \15\17\246^)p\241u\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02420   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1252,Tid=1944,}, 0x0, ) == 0x0
 02422  1808   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02423   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81924, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0\230\7\0\0" ...  ...
 02422  1808   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02423   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81925, 0}  ... {28, 56, reply, 0, 1252, 896, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0\230\7\0\0" )  ) == 0x0
 02424  1496   NtWaitForSingleObject  (240, 0, 0x0, ...
 02425  1808   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02426   896   NtResumeThread  (364, ...
 02425  1808   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02426   896   NtResumeThread  ... 1, ) == 0x0
 02427  1808   NtQuerySystemInformation  (Performance, 312, ...
 02428   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02427  1808   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02428   896   NtAllocateVirtualMemory  ... 46399488, 1048576, ) == 0x0
 02429  1808   NtQuerySystemInformation  (Exception, 16, ...
 02430   896   NtAllocateVirtualMemory  (-1, 47439872, 0, 8192, 4096, 4, ...
 02429  1808   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02430   896   NtAllocateVirtualMemory  ... 47439872, 8192, ) == 0x0
 02431  1944   NtTestAlert  (...
 02432  1808   NtQuerySystemInformation  (Lookaside, 32, ...
 02431  1944   NtTestAlert  ... ) == 0x0
 02432  1808   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02433  1944   NtContinue  (46398768, 1, ...
 02434  1808   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02435  1944   NtRegisterThreadTerminatePort  (24, ...
 02434  1808   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02435  1944   NtRegisterThreadTerminatePort  ... ) == 0x0
 02436  1808   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02437   896   NtProtectVirtualMemory  (-1, (0x2d3e000), 4096, 260, ...
 02436  1808   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02437   896   NtProtectVirtualMemory  ... (0x2d3e000), 4096, 4, ) == 0x0
 02438  1944   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02439   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 368, {1252, 1896}, ) == 0x0
 02440   896   NtQueryInformationThread  (368, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1252,Tid=1896,}, 0x0, ) == 0x0
 02441   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81925, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\4\0\0h\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\4\0\0h\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81926, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\4\0\0h\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\4\0\0h\7\0\0" )  ) == 0x0
 02442   896   NtResumeThread  (368, ... 1, ) == 0x0
 02443   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02444  1808   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02438  1944   NtSetInformationThread  ... ) == 0x0
 02445  1896   NtTestAlert  (...
 02444  1808   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02443   896   NtAllocateVirtualMemory  ... 47448064, 1048576, ) == 0x0
 02445  1896   NtTestAlert  ... ) == 0x0
 02446  1808   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "&\320\37Q\352\215\3&\340ey\255\241\361\274caTR\267O\300|f\203\201V\31\323\353\216\202\370\5{\203\275\327\245\366\367\202B\305\363,\201>I\351\362BnF\356y\335j\315\233em\22\33\250\315\260\25\201\206Lq\302\252\323R\300\300I3", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "&\320\37Q\352\215\3&\340ey\255\241\361\274caTR\267O\300|f\203\201V\31\323\353\216\202\370\5{\203\275\327\245\366\367\202B\305\363,\201>I\351\362BnF\356y\335j\315\233em\22\33\250\315\260\25\201\206Lq\302\252\323R\300\300I3", 80, ... , 80, ...
 02447   896   NtAllocateVirtualMemory  (-1, 48488448, 0, 8192, 4096, 4, ...
 02448  1896   NtContinue  (47447344, 1, ...
 02446  1808   NtSetValueKey  ... ) == 0x0
 02447   896   NtAllocateVirtualMemory  ... 48488448, 8192, ) == 0x0
 02449  1896   NtRegisterThreadTerminatePort  (24, ...
 02450  1808   NtClose  (-2147481484, ...
 02451   896   NtProtectVirtualMemory  (-1, (0x2e3e000), 4096, 260, ...
 02449  1896   NtRegisterThreadTerminatePort  ... ) == 0x0
 02450  1808   NtClose  ... ) == 0x0
 02451   896   NtProtectVirtualMemory  ... (0x2e3e000), 4096, 4, ) == 0x0
 02452  1944   NtWaitForSingleObject  (240, 0, 0x0, ...
 02453  1896   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02454   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02421  1808   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\255\371\337\37\275S\30\271\361\327|\272\235<\15X~\337|\335\277\375\203\334\325OI\303f\365IT\271\223\330\302\312\255\207\365+\305\251#\30.|\2507\335\242\240n^\14\315]\14\365\17v\353\317\21I\367\373\271v\20@g`Yt\4n\274\35\225r\204\332\15\333l%\234\337g\7q\225\362W1\22\22\355\333.\20\7\273\201\370Q\346\245\240]\15\257M L\11\356\203\225\263*3\212\1\203\302B\360\231\356F\266\343Y\247P\270\2\210\26\254\363\206hM\254C\344k\16\273b\25\206S\221y)A\336\32\356]\357V\30O\205\265\355i\217\316#Zl\220\34\15\2739\205s\353\307\325\267eW\354\303\366) \305<\3\242\210"\322\212v\346c\30X\30}%\260\1\264\226[\361\350\213Z\241\333D\374\21\314\6\277\11\275}\220\340\37J\255S\332#i\1\241\254J\343i@\2\3#\177Z\330\12\223x", ) \322\212v\346c\30X\30}%\260\1\264\226[\361\350\213Z\241\333D\374\21\314\6\277\11\275}\220\340\37J\255S\332#i\1\241\254J\343i@\2\3#\177Z\330\12\223x", ) == 0x0
 02453  1896   NtSetInformationThread  ... ) == 0x0
 02455  1808   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02454   896   NtCreateThread  ... 372, {1252, 240}, ) == 0x0
 02455  1808   NtCreateEvent  ... 376, ) == 0x0
 02456   896   NtQueryInformationThread  (372, Basic, 28, ...
 02457  1808   NtOpenThreadToken  (-2, 0xc, 1, ...
 02456   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1252,Tid=240,}, 0x0, ) == 0x0
 02457  1808   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02458   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81926, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\344\4\0\0\360\0\0\0" ...  ...
 02459  1808   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02458   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81927, 0}  ... {28, 56, reply, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\344\4\0\0\360\0\0\0" )  ) == 0x0
 02460  1896   NtWaitForSingleObject  (240, 0, 0x0, ...
 02459  1808   NtCreateEvent  ... 380, ) == 0x0
 02461   896   NtResumeThread  (372, ...
 02462  1808   NtOpenThreadToken  (-2, 0xc, 1, ...
 02461   896   NtResumeThread  ... 1, ) == 0x0
 02462  1808   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02463   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02464  1808   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02463   896   NtAllocateVirtualMemory  ... 48496640, 1048576, ) == 0x0
 02464  1808   NtSetInformationThread  ... ) == 0x0
 02465   896   NtAllocateVirtualMemory  (-1, 49537024, 0, 8192, 4096, 4, ...
 02466  1808   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 13627584,  (0xc0100080, {24, 0, 0x40, 0, 13627584, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ...
 02465   896   NtAllocateVirtualMemory  ... 49537024, 8192, ) == 0x0
 02467   240   NtTestAlert  (...
 02466  1808   NtCreateFile  ... 384, {status=0x0, info=1}, ) == 0x0
 02467   240   NtTestAlert  ... ) == 0x0
 02468  1808   NtSetInformationFile  (384, 13627640, 8, Pipe, ...
 02469   240   NtContinue  (48495920, 1, ...
 02468  1808   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02470   240   NtRegisterThreadTerminatePort  (24, ...
 02471  1808   NtSetInformationFile  (384, 13627628, 8, Completion, ...
 02470   240   NtRegisterThreadTerminatePort  ... ) == 0x0
 02471  1808   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02472   896   NtProtectVirtualMemory  (-1, (0x2f3e000), 4096, 260, ...
 02473  1808   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02472   896   NtProtectVirtualMemory  ... (0x2f3e000), 4096, 4, ) == 0x0
 02474   240   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02475   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 388, {1252, 2032}, ) == 0x0
 02476   896   NtQueryInformationThread  (388, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1252,Tid=2032,}, 0x0, ) == 0x0
 02477   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\0\360\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\0\360\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81928, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\0\360\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\0\360\7\0\0" )  ) == 0x0
 02478   896   NtResumeThread  (388, ... 1, ) == 0x0
 02479   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02473  1808   NtSetInformationThread  ... ) == 0x0
 02474   240   NtSetInformationThread  ... ) == 0x0
 02480  2032   NtTestAlert  (...
 02481  1808   NtWriteFile  (384, 257, 0, 0,  (384, 257, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 02479   896   NtAllocateVirtualMemory  ... 49545216, 1048576, ) == 0x0
 02480  2032   NtTestAlert  ... ) == 0x0
 02481  1808   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 02482   896   NtAllocateVirtualMemory  (-1, 50585600, 0, 8192, 4096, 4, ...
 02483  2032   NtContinue  (49544496, 1, ...
 02484  1808   NtReadFile  (384, 257, 0, 0, 1024, {0, 0}, 0, ...
 02482   896   NtAllocateVirtualMemory  ... 50585600, 8192, ) == 0x0
 02485  2032   NtRegisterThreadTerminatePort  (24, ...
 02484  1808   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20m+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02486   896   NtProtectVirtualMemory  (-1, (0x303e000), 4096, 260, ...
 02485  2032   NtRegisterThreadTerminatePort  ... ) == 0x0
 02487  1808   NtFsControlFile  (384, 257, 0x0, 0x0, 0x11c017,  (384, 257, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\317\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ...
 02486   896   NtProtectVirtualMemory  ... (0x303e000), 4096, 4, ) == 0x0
 02488   240   NtWaitForSingleObject  (240, 0, 0x0, ...
 02489  2032   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02490   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02487  1808   NtFsControlFile  ... {status=0x103, info=68},  ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20m+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02489  2032   NtSetInformationThread  ... ) == 0x0
 02491  1808   NtFsControlFile  (384, 257, 0x0, 0x0, 0x11c017,  (384, 257, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\1xH\376\32\235JO\235\342d\324\312\304\340\351\1\0\0\0\1\0\0\0&\0(\0\230\3\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ...
 02490   896   NtCreateThread  ... 392, {1252, 476}, ) == 0x0
 02491  1808   NtFsControlFile  ... {status=0x103, info=48},  ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\1xH\376\32\235JO\235\342d\324\312\304\340\351\0\0\0\0", ) , ) == 0x103
 02492   896   NtQueryInformationThread  (392, Basic, 28, ...
 02493  1808   NtFsControlFile  (384, 257, 0x0, 0x0, 0x11c017,  (384, 257, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\1xH\376\32\235JO\235\342d\324\312\304\340\351", 44, 1024, ... , 44, 1024, ...
 02492   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1252,Tid=476,}, 0x0, ) == 0x0
 02493  1808   NtFsControlFile  ... {status=0x103, info=156},  ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\320(\25\0\1\0\0\0\334(\25\0 \0\0\0\1\0\0\0\30\0\32\0\350(\25\0\4)\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0p/\25\0\1\0\0\0\5\0i\0\200/\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02494   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81928, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\344\4\0\0\334\1\0\0" ...  ...
 02495  1808   NtClose  (380, ...
 02494   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81929, 0}  ... {28, 56, reply, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\344\4\0\0\334\1\0\0" )  ) == 0x0
 02496  2032   NtWaitForSingleObject  (240, 0, 0x0, ...
 02495  1808   NtClose  ... ) == 0x0
 02497   896   NtResumeThread  (392, ...
 02498  1808   NtClose  (384, ...
 02497   896   NtResumeThread  ... 1, ) == 0x0
 02498  1808   NtClose  ... ) == 0x0
 02499   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02500  1808   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1388008, 0x0, 13629508, 188, ... , {12, 2, 1, 1}, 0x0, 1388008, 0x0, 13629508, 188, ...
 02499   896   NtAllocateVirtualMemory  ... 50593792, 1048576, ) == 0x0
 02500  1808   NtSecureConnectPort  ... 384, 0x0, 0x0, 0x0, 188, ) == 0x0
 02501   896   NtAllocateVirtualMemory  (-1, 51634176, 0, 8192, 4096, 4, ...
 02502   476   NtTestAlert  (...
 02501   896   NtAllocateVirtualMemory  ... 51634176, 8192, ) == 0x0
 02502   476   NtTestAlert  ... ) == 0x0
 02503  1808   NtOpenThreadToken  (-2, 0xc, 1, ...
 02504   476   NtContinue  (50593072, 1, ...
 02503  1808   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02505   476   NtRegisterThreadTerminatePort  (24, ...
 02506  1808   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02505   476   NtRegisterThreadTerminatePort  ... ) == 0x0
 02506  1808   NtSetInformationThread  ... ) == 0x0
 02507   896   NtProtectVirtualMemory  (-1, (0x313e000), 4096, 260, ...
 02508  1808   NtRequestWaitReplyPort  (384, {200, 224, new_msg, 0, 1372480, 12, 2, 1310977}  (384, {200, 224, new_msg, 0, 1372480, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\223;.\245\240W\341\364sVz\36\366o\267\320\12\0\0\0\341\4\26\370\271\216\274\201\0\0\0\0\360\4\25\0KK\345\366l9\344\366(\0\0\0\366Q\0R\0\0\24\0\240\366\317\0u\330\322\212\0\0\0\0\210"\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\317\0\372\31\221|X\376\317\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... \25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\317\0\372\31\221|X\376\317\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...
 02507   896   NtProtectVirtualMemory  ... (0x313e000), 4096, 4, ) == 0x0
 02509   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 380, {1252, 1404}, ) == 0x0
 02510   896   NtQueryInformationThread  (380, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1252,Tid=1404,}, 0x0, ) == 0x0
 02511   476   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 02512   476   NtWaitForSingleObject  (240, 0, 0x0, ...
 02513   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\4\0\0|\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\4\0\0|\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81932, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\4\0\0|\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\4\0\0|\5\0\0" )  ) == 0x0
 02514   896   NtResumeThread  (380, ... 1, ) == 0x0
 02515   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02508  1808   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 1808, 81931, 0}  ... {200, 224, reply, 0, 1252, 1808, 81931, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\2\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\223;.\245\240W\341\364sVz\36\366o\267\320\12\0\0\0\341\4\26\370\271\216\274\201\0\0\0\0\360\4\25\0KK\345\366l9\344\366(\0\0\0\366Q\0R\0\0\24\0\240\366\317\0u\330\322\212\0\0\0\0\210"\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\317\0\372\31\221|X\376\317\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) \25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\317\0\372\31\221|X\376\317\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) == 0x0
 02516  1404   NtTestAlert  (...
 02517  1808   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02516  1404   NtTestAlert  ... ) == 0x0
 02517  1808   NtSetInformationThread  ... ) == 0x0
 02518  1404   NtContinue  (51641648, 1, ...
 02519  1808   NtRequestWaitReplyPort  (384, {56, 80, new_msg, 0, 44, 3, 20, 0}  (384, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0\32\235JO\235\342d\324\312\304\340\351\1\0\0\0\0\0\0\0&\0(\0\34\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 02520  1404   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02515   896   NtAllocateVirtualMemory  ... 51642368, 1048576, ) == 0x0
 02521   896   NtAllocateVirtualMemory  (-1, 52682752, 0, 8192, 4096, 4, ... 52682752, 8192, ) == 0x0
 02522   896   NtProtectVirtualMemory  (-1, (0x323e000), 4096, 260, ... (0x323e000), 4096, 4, ) == 0x0
 02523   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 396, {1252, 1744}, ) == 0x0
 02524   896   NtQueryInformationThread  (396, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1252,Tid=1744,}, 0x0, ) == 0x0
 02525   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81932, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0\320\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0\320\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81934, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0\320\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\0\320\6\0\0" )  ) == 0x0
 02526  1404   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 02527  1404   NtWaitForSingleObject  (240, 0, 0x0, ...
 02528   896   NtResumeThread  (396, ... 1, ) == 0x0
 02529   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 52690944, 1048576, ) == 0x0
 02530   896   NtAllocateVirtualMemory  (-1, 53731328, 0, 8192, 4096, 4, ... 53731328, 8192, ) == 0x0
 02519  1808   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 1252, 1808, 81933, 0}  ... {44, 68, reply, 0, 1252, 1808, 81933, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02531  1744   NtTestAlert  (...
 02532   896   NtProtectVirtualMemory  (-1, (0x333e000), 4096, 260, ...
 02531  1744   NtTestAlert  ... ) == 0x0
 02532   896   NtProtectVirtualMemory  ... (0x333e000), 4096, 4, ) == 0x0
 02533  1744   NtContinue  (52690224, 1, ...
 02534   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02535  1744   NtRegisterThreadTerminatePort  (24, ...
 02534   896   NtCreateThread  ... 400, {1252, 1128}, ) == 0x0
 02535  1744   NtRegisterThreadTerminatePort  ... ) == 0x0
 02536   896   NtQueryInformationThread  (400, Basic, 28, ...
 02537  1808   NtRaiseException  (13629968, 13629228, 1, ...
 02536   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1252,Tid=1128,}, 0x0, ) == 0x0
 02538  1808   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ...
 02539  1744   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02538  1808   NtQueryVirtualMemory  ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02540  1808   NtContinue  (13628196, 0, ...
 02541  1808   NtDeviceIoControlFile  (284, 224, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... {status=0x0, info=0}, "", ) == 0x103
 02542  1808   NtWaitForSingleObject  (224, 1, {-5000000, -1}, ...
 02543   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\4\0\0h\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\4\0\0h\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81935, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\4\0\0h\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\4\0\0h\4\0\0" )  ) == 0x0
 02544   896   NtResumeThread  (400, ... 1, ) == 0x0
 02545   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02539  1744   NtSetInformationThread  ... ) == 0x0
 02546  1128   NtTestAlert  (...
 02545   896   NtAllocateVirtualMemory  ... 53739520, 1048576, ) == 0x0
 02546  1128   NtTestAlert  ... ) == 0x0
 02547   896   NtAllocateVirtualMemory  (-1, 54779904, 0, 8192, 4096, 4, ...
 02548  1128   NtContinue  (53738800, 1, ...
 02547   896   NtAllocateVirtualMemory  ... 54779904, 8192, ) == 0x0
 02549  1128   NtRegisterThreadTerminatePort  (24, ...
 02550   896   NtProtectVirtualMemory  (-1, (0x343e000), 4096, 260, ...
 02549  1128   NtRegisterThreadTerminatePort  ... ) == 0x0
 02550   896   NtProtectVirtualMemory  ... (0x343e000), 4096, 4, ) == 0x0
 02551  1744   NtWaitForSingleObject  (240, 0, 0x0, ...
 02552   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02553  1128   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 02554  1128   NtWaitForSingleObject  (240, 0, 0x0, ...
 02552   896   NtCreateThread  ... 404, {1252, 1924}, ) == 0x0
 02555   896   NtQueryInformationThread  (404, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1252,Tid=1924,}, 0x0, ) == 0x0
 02556   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81935, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\344\4\0\0\204\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\344\4\0\0\204\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81936, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\344\4\0\0\204\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\344\4\0\0\204\7\0\0" )  ) == 0x0
 02557   896   NtResumeThread  (404, ... 1, ) == 0x0
 02558   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 54788096, 1048576, ) == 0x0
 02559   896   NtAllocateVirtualMemory  (-1, 55828480, 0, 8192, 4096, 4, ... 55828480, 8192, ) == 0x0
 02560  1924   NtTestAlert  (... ) == 0x0
 02561  1924   NtContinue  (54787376, 1, ...
 02562  1924   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02563  1924   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02564   896   NtProtectVirtualMemory  (-1, (0x353e000), 4096, 260, ... (0x353e000), 4096, 4, ) == 0x0
 02565   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 408, {1252, 768}, ) == 0x0
 02566   896   NtQueryInformationThread  (408, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1252,Tid=768,}, 0x0, ) == 0x0
 02567   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81936, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\4\0\0\0\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\4\0\0\0\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81937, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\4\0\0\0\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\4\0\0\0\3\0\0" )  ) == 0x0
 02568   896   NtResumeThread  (408, ... 1, ) == 0x0
 02569   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02570   768   NtTestAlert  (... ) == 0x0
 02571   768   NtContinue  (55835952, 1, ...
 02572   768   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02573   768   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02569   896   NtAllocateVirtualMemory  ... 55836672, 1048576, ) == 0x0
 02574   896   NtAllocateVirtualMemory  (-1, 56877056, 0, 8192, 4096, 4, ... 56877056, 8192, ) == 0x0
 02575   896   NtProtectVirtualMemory  (-1, (0x363e000), 4096, 260, ... (0x363e000), 4096, 4, ) == 0x0
 02576   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 412, {1252, 2040}, ) == 0x0
 02577   896   NtQueryInformationThread  (412, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1252,Tid=2040,}, 0x0, ) == 0x0
 02578   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81937, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\344\4\0\0\370\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\344\4\0\0\370\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81938, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\344\4\0\0\370\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\344\4\0\0\370\7\0\0" )  ) == 0x0
 02579   896   NtResumeThread  (412, ... 1, ) == 0x0
 02580   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 56885248, 1048576, ) == 0x0
 02581   896   NtAllocateVirtualMemory  (-1, 57925632, 0, 8192, 4096, 4, ... 57925632, 8192, ) == 0x0
 02582  2040   NtTestAlert  (... ) == 0x0
 02583  2040   NtContinue  (56884528, 1, ...
 02584  2040   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02585  2040   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02586   896   NtProtectVirtualMemory  (-1, (0x373e000), 4096, 260, ... (0x373e000), 4096, 4, ) == 0x0
 02587   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 416, {1252, 216}, ) == 0x0
 02588   896   NtQueryInformationThread  (416, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1252,Tid=216,}, 0x0, ) == 0x0
 02589   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81938, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\330\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\330\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81939, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\330\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\330\0\0\0" )  ) == 0x0
 02590   896   NtResumeThread  (416, ... 1, ) == 0x0
 02591   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02592   216   NtTestAlert  (... ) == 0x0
 02593   216   NtContinue  (57933104, 1, ...
 02594   216   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02595   216   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02591   896   NtAllocateVirtualMemory  ... 57933824, 1048576, ) == 0x0
 02596   896   NtAllocateVirtualMemory  (-1, 58974208, 0, 8192, 4096, 4, ... 58974208, 8192, ) == 0x0
 02597   896   NtProtectVirtualMemory  (-1, (0x383e000), 4096, 260, ... (0x383e000), 4096, 4, ) == 0x0
 02598   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 420, {1252, 1524}, ) == 0x0
 02599   896   NtQueryInformationThread  (420, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1252,Tid=1524,}, 0x0, ) == 0x0
 02600   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81939, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\344\4\0\0\364\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\344\4\0\0\364\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81940, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\344\4\0\0\364\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\344\4\0\0\364\5\0\0" )  ) == 0x0
 02601   896   NtResumeThread  (420, ... 1, ) == 0x0
 02602   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 58982400, 1048576, ) == 0x0
 02603   896   NtAllocateVirtualMemory  (-1, 60022784, 0, 8192, 4096, 4, ... 60022784, 8192, ) == 0x0
 02604  1524   NtTestAlert  (... ) == 0x0
 02605  1524   NtContinue  (58981680, 1, ...
 02606  1524   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02607  1524   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02608   896   NtProtectVirtualMemory  (-1, (0x393e000), 4096, 260, ... (0x393e000), 4096, 4, ) == 0x0
 02609   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 424, {1252, 1864}, ) == 0x0
 02610   896   NtQueryInformationThread  (424, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1252,Tid=1864,}, 0x0, ) == 0x0
 02611   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81940, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0H\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0H\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81941, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0H\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0H\7\0\0" )  ) == 0x0
 02612   896   NtResumeThread  (424, ... 1, ) == 0x0
 02613   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02614  1864   NtTestAlert  (... ) == 0x0
 02615  1864   NtContinue  (60030256, 1, ...
 02616  1864   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02617  1864   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02613   896   NtAllocateVirtualMemory  ... 60030976, 1048576, ) == 0x0
 02618   896   NtAllocateVirtualMemory  (-1, 61071360, 0, 8192, 4096, 4, ... 61071360, 8192, ) == 0x0
 02619   896   NtProtectVirtualMemory  (-1, (0x3a3e000), 4096, 260, ... (0x3a3e000), 4096, 4, ) == 0x0
 02620   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 428, {1252, 388}, ) == 0x0
 02621   896   NtQueryInformationThread  (428, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1252,Tid=388,}, 0x0, ) == 0x0
 02622   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81941, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0\204\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0\204\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81942, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0\204\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0\204\1\0\0" )  ) == 0x0
 02623   896   NtResumeThread  (428, ... 1, ) == 0x0
 02624   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 61079552, 1048576, ) == 0x0
 02625   896   NtAllocateVirtualMemory  (-1, 62119936, 0, 8192, 4096, 4, ... 62119936, 8192, ) == 0x0
 02626   388   NtTestAlert  (... ) == 0x0
 02627   388   NtContinue  (61078832, 1, ...
 02628   388   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02629   388   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02630   896   NtProtectVirtualMemory  (-1, (0x3b3e000), 4096, 260, ... (0x3b3e000), 4096, 4, ) == 0x0
 02631   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 432, {1252, 1020}, ) == 0x0
 02632   896   NtQueryInformationThread  (432, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1252,Tid=1020,}, 0x0, ) == 0x0
 02633   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81942, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\374\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\374\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81943, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\374\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\374\3\0\0" )  ) == 0x0
 02634   896   NtResumeThread  (432, ... 1, ) == 0x0
 02635   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02636  1020   NtTestAlert  (... ) == 0x0
 02637  1020   NtContinue  (62127408, 1, ...
 02638  1020   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02639  1020   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02635   896   NtAllocateVirtualMemory  ... 62128128, 1048576, ) == 0x0
 02640   896   NtAllocateVirtualMemory  (-1, 63168512, 0, 8192, 4096, 4, ... 63168512, 8192, ) == 0x0
 02641   896   NtProtectVirtualMemory  (-1, (0x3c3e000), 4096, 260, ... (0x3c3e000), 4096, 4, ) == 0x0
 02642   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 436, {1252, 1804}, ) == 0x0
 02643   896   NtQueryInformationThread  (436, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1252,Tid=1804,}, 0x0, ) == 0x0
 02644   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81943, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\14\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\14\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81944, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\14\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\14\7\0\0" )  ) == 0x0
 02645   896   NtResumeThread  (436, ... 1, ) == 0x0
 02646   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 63176704, 1048576, ) == 0x0
 02647   896   NtAllocateVirtualMemory  (-1, 64217088, 0, 8192, 4096, 4, ... 64217088, 8192, ) == 0x0
 02648  1804   NtAllocateVirtualMemory  (-1, 3629056, 0, 4096, 4096, 4, ... 3629056, 4096, ) == 0x0
 02649  1804   NtTestAlert  (... ) == 0x0
 02650  1804   NtContinue  (63175984, 1, ...
 02651  1804   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02652  1804   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02653   896   NtProtectVirtualMemory  (-1, (0x3d3e000), 4096, 260, ... (0x3d3e000), 4096, 4, ) == 0x0
 02654   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 440, {1252, 1644}, ) == 0x0
 02655   896   NtQueryInformationThread  (440, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1252,Tid=1644,}, 0x0, ) == 0x0
 02656   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81944, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0l\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0l\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81945, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0l\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0l\6\0\0" )  ) == 0x0
 02657   896   NtResumeThread  (440, ... 1, ) == 0x0
 02658   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02659  1644   NtTestAlert  (... ) == 0x0
 02660  1644   NtContinue  (64224560, 1, ...
 02661  1644   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02662  1644   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02658   896   NtAllocateVirtualMemory  ... 64225280, 1048576, ) == 0x0
 02663   896   NtAllocateVirtualMemory  (-1, 65265664, 0, 8192, 4096, 4, ... 65265664, 8192, ) == 0x0
 02664   896   NtProtectVirtualMemory  (-1, (0x3e3e000), 4096, 260, ... (0x3e3e000), 4096, 4, ) == 0x0
 02665   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 444, {1252, 1124}, ) == 0x0
 02666   896   NtQueryInformationThread  (444, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1252,Tid=1124,}, 0x0, ) == 0x0
 02667   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0d\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0d\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81946, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0d\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0d\4\0\0" )  ) == 0x0
 02668   896   NtResumeThread  (444, ... 1, ) == 0x0
 02669   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 65273856, 1048576, ) == 0x0
 02670   896   NtAllocateVirtualMemory  (-1, 66314240, 0, 8192, 4096, 4, ... 66314240, 8192, ) == 0x0
 02671  1124   NtTestAlert  (... ) == 0x0
 02672  1124   NtContinue  (65273136, 1, ...
 02673  1124   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02674  1124   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02675   896   NtProtectVirtualMemory  (-1, (0x3f3e000), 4096, 260, ... (0x3f3e000), 4096, 4, ) == 0x0
 02676   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 448, {1252, 776}, ) == 0x0
 02677   896   NtQueryInformationThread  (448, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1252,Tid=776,}, 0x0, ) == 0x0
 02678   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0\10\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0\10\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81947, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0\10\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0\10\3\0\0" )  ) == 0x0
 02679   896   NtResumeThread  (448, ... 1, ) == 0x0
 02680   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02681   776   NtTestAlert  (... ) == 0x0
 02682   776   NtContinue  (66321712, 1, ...
 02683   776   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02684   776   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02680   896   NtAllocateVirtualMemory  ... 66322432, 1048576, ) == 0x0
 02685   896   NtAllocateVirtualMemory  (-1, 67362816, 0, 8192, 4096, 4, ... 67362816, 8192, ) == 0x0
 02686   896   NtProtectVirtualMemory  (-1, (0x403e000), 4096, 260, ... (0x403e000), 4096, 4, ) == 0x0
 02687   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 452, {1252, 1920}, ) == 0x0
 02688   896   NtQueryInformationThread  (452, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1252,Tid=1920,}, 0x0, ) == 0x0
 02689   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\344\4\0\0\200\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\344\4\0\0\200\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81948, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\344\4\0\0\200\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\344\4\0\0\200\7\0\0" )  ) == 0x0
 02690   896   NtResumeThread  (452, ... 1, ) == 0x0
 02691   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 67371008, 1048576, ) == 0x0
 02692   896   NtAllocateVirtualMemory  (-1, 68411392, 0, 8192, 4096, 4, ... 68411392, 8192, ) == 0x0
 02693  1920   NtTestAlert  (... ) == 0x0
 02694  1920   NtContinue  (67370288, 1, ...
 02695  1920   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02696  1920   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02697   896   NtProtectVirtualMemory  (-1, (0x413e000), 4096, 260, ... (0x413e000), 4096, 4, ) == 0x0
 02698   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 456, {1252, 1396}, ) == 0x0
 02699   896   NtQueryInformationThread  (456, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1252,Tid=1396,}, 0x0, ) == 0x0
 02700   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0t\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0t\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81949, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0t\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0t\5\0\0" )  ) == 0x0
 02701   896   NtResumeThread  (456, ... 1, ) == 0x0
 02702   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02703  1396   NtTestAlert  (... ) == 0x0
 02704  1396   NtContinue  (68418864, 1, ...
 02705  1396   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02706  1396   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02702   896   NtAllocateVirtualMemory  ... 68419584, 1048576, ) == 0x0
 02707   896   NtAllocateVirtualMemory  (-1, 69459968, 0, 8192, 4096, 4, ... 69459968, 8192, ) == 0x0
 02708   896   NtProtectVirtualMemory  (-1, (0x423e000), 4096, 260, ... (0x423e000), 4096, 4, ) == 0x0
 02709   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 460, {1252, 1692}, ) == 0x0
 02710   896   NtQueryInformationThread  (460, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1252,Tid=1692,}, 0x0, ) == 0x0
 02711   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\344\4\0\0\234\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\344\4\0\0\234\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81950, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\344\4\0\0\234\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\344\4\0\0\234\6\0\0" )  ) == 0x0
 02712   896   NtResumeThread  (460, ... 1, ) == 0x0
 02713   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 69468160, 1048576, ) == 0x0
 02714   896   NtAllocateVirtualMemory  (-1, 70508544, 0, 8192, 4096, 4, ... 70508544, 8192, ) == 0x0
 02715  1692   NtTestAlert  (... ) == 0x0
 02716  1692   NtContinue  (69467440, 1, ...
 02717  1692   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02718  1692   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02719   896   NtProtectVirtualMemory  (-1, (0x433e000), 4096, 260, ... (0x433e000), 4096, 4, ) == 0x0
 02720   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 464, {1252, 1392}, ) == 0x0
 02721   896   NtQueryInformationThread  (464, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1252,Tid=1392,}, 0x0, ) == 0x0
 02722   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\4\0\0p\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\4\0\0p\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81951, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\4\0\0p\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\4\0\0p\5\0\0" )  ) == 0x0
 02723   896   NtResumeThread  (464, ... 1, ) == 0x0
 02724   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02725  1392   NtTestAlert  (... ) == 0x0
 02726  1392   NtContinue  (70516016, 1, ...
 02727  1392   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02728  1392   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02724   896   NtAllocateVirtualMemory  ... 70516736, 1048576, ) == 0x0
 02729   896   NtAllocateVirtualMemory  (-1, 71557120, 0, 8192, 4096, 4, ... 71557120, 8192, ) == 0x0
 02730   896   NtProtectVirtualMemory  (-1, (0x443e000), 4096, 260, ... (0x443e000), 4096, 4, ) == 0x0
 02731   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 468, {1252, 1852}, ) == 0x0
 02732   896   NtQueryInformationThread  (468, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1252,Tid=1852,}, 0x0, ) == 0x0
 02733   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81951, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0<\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0<\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81952, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0<\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0<\7\0\0" )  ) == 0x0
 02734   896   NtResumeThread  (468, ... 1, ) == 0x0
 02735   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02736  1852   NtTestAlert  (... ) == 0x0
 02737  1852   NtContinue  (71564592, 1, ...
 02738  1852   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02739  1852   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02735   896   NtAllocateVirtualMemory  ... 71565312, 1048576, ) == 0x0
 02740   896   NtAllocateVirtualMemory  (-1, 72605696, 0, 8192, 4096, 4, ... 72605696, 8192, ) == 0x0
 02741   896   NtProtectVirtualMemory  (-1, (0x453e000), 4096, 260, ... (0x453e000), 4096, 4, ) == 0x0
 02742   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 472, {1252, 504}, ) == 0x0
 02743   896   NtQueryInformationThread  (472, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1252,Tid=504,}, 0x0, ) == 0x0
 02744   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81952, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0\370\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0\370\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81953, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0\370\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0\370\1\0\0" )  ) == 0x0
 02745   896   NtResumeThread  (472, ... 1, ) == 0x0
 02746   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 72613888, 1048576, ) == 0x0
 02747   896   NtAllocateVirtualMemory  (-1, 73654272, 0, 8192, 4096, 4, ... 73654272, 8192, ) == 0x0
 02748   504   NtTestAlert  (... ) == 0x0
 02749   504   NtContinue  (72613168, 1, ...
 02750   504   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02751   504   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02752   896   NtProtectVirtualMemory  (-1, (0x463e000), 4096, 260, ... (0x463e000), 4096, 4, ) == 0x0
 02753   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 476, {1252, 800}, ) == 0x0
 02754   896   NtQueryInformationThread  (476, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1252,Tid=800,}, 0x0, ) == 0x0
 02755   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0 \3\0\0" ... {28, 56, reply, 0, 1252, 896, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0 \3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81954, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0 \3\0\0" ... {28, 56, reply, 0, 1252, 896, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0 \3\0\0" )  ) == 0x0
 02756   896   NtResumeThread  (476, ... 1, ) == 0x0
 02757   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02758   800   NtTestAlert  (... ) == 0x0
 02759   800   NtContinue  (73661744, 1, ...
 02760   800   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02761   800   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02757   896   NtAllocateVirtualMemory  ... 73662464, 1048576, ) == 0x0
 02762   896   NtAllocateVirtualMemory  (-1, 74702848, 0, 8192, 4096, 4, ... 74702848, 8192, ) == 0x0
 02763   896   NtProtectVirtualMemory  (-1, (0x473e000), 4096, 260, ... (0x473e000), 4096, 4, ) == 0x0
 02764   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 480, {1252, 1740}, ) == 0x0
 02765   896   NtQueryInformationThread  (480, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1252,Tid=1740,}, 0x0, ) == 0x0
 02766   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81954, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0\314\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0\314\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81955, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0\314\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0\314\6\0\0" )  ) == 0x0
 02767   896   NtResumeThread  (480, ... 1, ) == 0x0
 02768   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 74711040, 1048576, ) == 0x0
 02769   896   NtAllocateVirtualMemory  (-1, 75751424, 0, 8192, 4096, 4, ... 75751424, 8192, ) == 0x0
 02770  1740   NtTestAlert  (... ) == 0x0
 02771  1740   NtContinue  (74710320, 1, ...
 02772  1740   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02773  1740   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02774   896   NtProtectVirtualMemory  (-1, (0x483e000), 4096, 260, ... (0x483e000), 4096, 4, ) == 0x0
 02775   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 484, {1252, 1828}, ) == 0x0
 02776   896   NtQueryInformationThread  (484, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1252,Tid=1828,}, 0x0, ) == 0x0
 02777   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81955, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\344\4\0\0$\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\344\4\0\0$\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81956, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\344\4\0\0$\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\344\4\0\0$\7\0\0" )  ) == 0x0
 02778   896   NtResumeThread  (484, ... 1, ) == 0x0
 02779   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02780  1828   NtTestAlert  (... ) == 0x0
 02781  1828   NtContinue  (75758896, 1, ...
 02782  1828   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02783  1828   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02779   896   NtAllocateVirtualMemory  ... 75759616, 1048576, ) == 0x0
 02784   896   NtAllocateVirtualMemory  (-1, 76800000, 0, 8192, 4096, 4, ... 76800000, 8192, ) == 0x0
 02785   896   NtProtectVirtualMemory  (-1, (0x493e000), 4096, 260, ... (0x493e000), 4096, 4, ) == 0x0
 02786   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 488, {1252, 420}, ) == 0x0
 02787   896   NtQueryInformationThread  (488, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1252,Tid=420,}, 0x0, ) == 0x0
 02788   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81956, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\244\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\244\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81957, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\244\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\244\1\0\0" )  ) == 0x0
 02789   896   NtResumeThread  (488, ... 1, ) == 0x0
 02790   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 76808192, 1048576, ) == 0x0
 02791   896   NtAllocateVirtualMemory  (-1, 77848576, 0, 8192, 4096, 4, ... 77848576, 8192, ) == 0x0
 02792   420   NtTestAlert  (... ) == 0x0
 02793   420   NtContinue  (76807472, 1, ...
 02794   420   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02795   420   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02796   896   NtProtectVirtualMemory  (-1, (0x4a3e000), 4096, 260, ... (0x4a3e000), 4096, 4, ) == 0x0
 02797   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 492, {1252, 384}, ) == 0x0
 02798   896   NtQueryInformationThread  (492, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1252,Tid=384,}, 0x0, ) == 0x0
 02799   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81957, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\344\4\0\0\200\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\344\4\0\0\200\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81958, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\344\4\0\0\200\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\344\4\0\0\200\1\0\0" )  ) == 0x0
 02800   896   NtResumeThread  (492, ... 1, ) == 0x0
 02801   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02802   384   NtTestAlert  (... ) == 0x0
 02803   384   NtContinue  (77856048, 1, ...
 02804   384   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02805   384   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02801   896   NtAllocateVirtualMemory  ... 77856768, 1048576, ) == 0x0
 02806   896   NtAllocateVirtualMemory  (-1, 78897152, 0, 8192, 4096, 4, ... 78897152, 8192, ) == 0x0
 02807   896   NtProtectVirtualMemory  (-1, (0x4b3e000), 4096, 260, ... (0x4b3e000), 4096, 4, ) == 0x0
 02808   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 496, {1252, 1028}, ) == 0x0
 02809   896   NtQueryInformationThread  (496, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1252,Tid=1028,}, 0x0, ) == 0x0
 02810   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\0\4\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\0\4\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81959, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\0\4\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\0\4\4\0\0" )  ) == 0x0
 02811   896   NtResumeThread  (496, ... 1, ) == 0x0
 02812   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 78905344, 1048576, ) == 0x0
 02813   896   NtAllocateVirtualMemory  (-1, 79945728, 0, 8192, 4096, 4, ... 79945728, 8192, ) == 0x0
 02814  1028   NtTestAlert  (... ) == 0x0
 02815  1028   NtContinue  (78904624, 1, ...
 02816  1028   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02817  1028   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02818   896   NtProtectVirtualMemory  (-1, (0x4c3e000), 4096, 260, ... (0x4c3e000), 4096, 4, ) == 0x0
 02819   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 500, {1252, 2012}, ) == 0x0
 02820   896   NtQueryInformationThread  (500, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1252,Tid=2012,}, 0x0, ) == 0x0
 02821   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\344\4\0\0\334\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\344\4\0\0\334\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81960, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\344\4\0\0\334\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\344\4\0\0\334\7\0\0" )  ) == 0x0
 02822   896   NtResumeThread  (500, ... 1, ) == 0x0
 02823   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02824  2012   NtTestAlert  (... ) == 0x0
 02825  2012   NtContinue  (79953200, 1, ...
 02826  2012   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02827  2012   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02823   896   NtAllocateVirtualMemory  ... 79953920, 1048576, ) == 0x0
 02828   896   NtAllocateVirtualMemory  (-1, 80994304, 0, 8192, 4096, 4, ... 80994304, 8192, ) == 0x0
 02829   896   NtProtectVirtualMemory  (-1, (0x4d3e000), 4096, 260, ... (0x4d3e000), 4096, 4, ) == 0x0
 02830   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 504, {1252, 1528}, ) == 0x0
 02831   896   NtQueryInformationThread  (504, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1252,Tid=1528,}, 0x0, ) == 0x0
 02832   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0\370\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0\370\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81961, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0\370\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0\370\5\0\0" )  ) == 0x0
 02833   896   NtResumeThread  (504, ... 1, ) == 0x0
 02834   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 81002496, 1048576, ) == 0x0
 02835   896   NtAllocateVirtualMemory  (-1, 82042880, 0, 8192, 4096, 4, ... 82042880, 8192, ) == 0x0
 02836  1528   NtTestAlert  (... ) == 0x0
 02837  1528   NtContinue  (81001776, 1, ...
 02838  1528   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02839  1528   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02840   896   NtProtectVirtualMemory  (-1, (0x4e3e000), 4096, 260, ... (0x4e3e000), 4096, 4, ) == 0x0
 02841   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 508, {1252, 1168}, ) == 0x0
 02842   896   NtQueryInformationThread  (508, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1252,Tid=1168,}, 0x0, ) == 0x0
 02843   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\344\4\0\0\220\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\344\4\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81962, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\344\4\0\0\220\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\344\4\0\0\220\4\0\0" )  ) == 0x0
 02844   896   NtResumeThread  (508, ... 1, ) == 0x0
 02845   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02846  1168   NtTestAlert  (... ) == 0x0
 02847  1168   NtContinue  (82050352, 1, ...
 02848  1168   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02849  1168   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02845   896   NtAllocateVirtualMemory  ... 82051072, 1048576, ) == 0x0
 02850   896   NtAllocateVirtualMemory  (-1, 83091456, 0, 8192, 4096, 4, ... 83091456, 8192, ) == 0x0
 02851   896   NtProtectVirtualMemory  (-1, (0x4f3e000), 4096, 260, ... (0x4f3e000), 4096, 4, ) == 0x0
 02852   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 512, {1252, 1180}, ) == 0x0
 02853   896   NtQueryInformationThread  (512, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1252,Tid=1180,}, 0x0, ) == 0x0
 02854   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0\234\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0\234\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81963, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0\234\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0\234\4\0\0" )  ) == 0x0
 02855   896   NtResumeThread  (512, ... 1, ) == 0x0
 02856   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 83099648, 1048576, ) == 0x0
 02857   896   NtAllocateVirtualMemory  (-1, 84140032, 0, 8192, 4096, 4, ... 84140032, 8192, ) == 0x0
 02858  1180   NtTestAlert  (... ) == 0x0
 02859  1180   NtContinue  (83098928, 1, ...
 02860  1180   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02861  1180   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02862   896   NtProtectVirtualMemory  (-1, (0x503e000), 4096, 260, ... (0x503e000), 4096, 4, ) == 0x0
 02863   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 516, {1252, 928}, ) == 0x0
 02864   896   NtQueryInformationThread  (516, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1252,Tid=928,}, 0x0, ) == 0x0
 02865   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\240\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\240\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81964, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\240\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\240\3\0\0" )  ) == 0x0
 02866   896   NtResumeThread  (516, ... 1, ) == 0x0
 02867   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02868   928   NtTestAlert  (... ) == 0x0
 02869   928   NtContinue  (84147504, 1, ...
 02870   928   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02871   928   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02867   896   NtAllocateVirtualMemory  ... 84148224, 1048576, ) == 0x0
 02872   896   NtAllocateVirtualMemory  (-1, 85188608, 0, 8192, 4096, 4, ... 85188608, 8192, ) == 0x0
 02873   896   NtProtectVirtualMemory  (-1, (0x513e000), 4096, 260, ... (0x513e000), 4096, 4, ) == 0x0
 02874   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 520, {1252, 428}, ) == 0x0
 02875   896   NtQueryInformationThread  (520, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1252,Tid=428,}, 0x0, ) == 0x0
 02876   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81964, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0\254\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0\254\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81965, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0\254\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0\254\1\0\0" )  ) == 0x0
 02877   896   NtResumeThread  (520, ... 1, ) == 0x0
 02878   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 85196800, 1048576, ) == 0x0
 02879   896   NtAllocateVirtualMemory  (-1, 86237184, 0, 8192, 4096, 4, ... 86237184, 8192, ) == 0x0
 02880   428   NtTestAlert  (... ) == 0x0
 02881   428   NtContinue  (85196080, 1, ...
 02882   428   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02883   428   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02884   896   NtProtectVirtualMemory  (-1, (0x523e000), 4096, 260, ... (0x523e000), 4096, 4, ) == 0x0
 02885   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 524, {1252, 1732}, ) == 0x0
 02886   896   NtQueryInformationThread  (524, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1252,Tid=1732,}, 0x0, ) == 0x0
 02887   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81965, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\344\4\0\0\304\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\344\4\0\0\304\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81966, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\344\4\0\0\304\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\344\4\0\0\304\6\0\0" )  ) == 0x0
 02888   896   NtResumeThread  (524, ... 1, ) == 0x0
 02889   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02890  1732   NtTestAlert  (... ) == 0x0
 02891  1732   NtContinue  (86244656, 1, ...
 02892  1732   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02893  1732   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02889   896   NtAllocateVirtualMemory  ... 86245376, 1048576, ) == 0x0
 02894   896   NtAllocateVirtualMemory  (-1, 87285760, 0, 8192, 4096, 4, ... 87285760, 8192, ) == 0x0
 02895   896   NtProtectVirtualMemory  (-1, (0x533e000), 4096, 260, ... (0x533e000), 4096, 4, ) == 0x0
 02896   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 528, {1252, 748}, ) == 0x0
 02897   896   NtQueryInformationThread  (528, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1252,Tid=748,}, 0x0, ) == 0x0
 02898   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81966, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\354\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\354\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81967, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\354\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\354\2\0\0" )  ) == 0x0
 02899   896   NtResumeThread  (528, ... 1, ) == 0x0
 02900   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 87293952, 1048576, ) == 0x0
 02901   896   NtAllocateVirtualMemory  (-1, 88334336, 0, 8192, 4096, 4, ... 88334336, 8192, ) == 0x0
 02902   748   NtTestAlert  (... ) == 0x0
 02903   748   NtContinue  (87293232, 1, ...
 02904   748   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02905   748   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02906   896   NtProtectVirtualMemory  (-1, (0x543e000), 4096, 260, ... (0x543e000), 4096, 4, ) == 0x0
 02907   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 532, {1252, 1388}, ) == 0x0
 02908   896   NtQueryInformationThread  (532, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1252,Tid=1388,}, 0x0, ) == 0x0
 02909   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81967, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\4\0\0l\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81968, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\4\0\0l\5\0\0" )  ) == 0x0
 02910   896   NtResumeThread  (532, ... 1, ) == 0x0
 02911   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 88342528, 1048576, ) == 0x0
 02912   896   NtAllocateVirtualMemory  (-1, 89382912, 0, 8192, 4096, 4, ... 89382912, 8192, ) == 0x0
 02913   896   NtProtectVirtualMemory  (-1, (0x553e000), 4096, 260, ... (0x553e000), 4096, 4, ) == 0x0
 02914   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02915  1388   NtTestAlert  (... ) == 0x0
 02916  1388   NtContinue  (88341808, 1, ...
 02917  1388   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02918  1388   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02914   896   NtCreateThread  ... 536, {1252, 2036}, ) == 0x0
 02919   896   NtQueryInformationThread  (536, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1252,Tid=2036,}, 0x0, ) == 0x0
 02920   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81968, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\364\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\364\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81969, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\364\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\364\7\0\0" )  ) == 0x0
 02921   896   NtResumeThread  (536, ... 1, ) == 0x0
 02922   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 89391104, 1048576, ) == 0x0
 02923   896   NtAllocateVirtualMemory  (-1, 90431488, 0, 8192, 4096, 4, ... 90431488, 8192, ) == 0x0
 02924  2036   NtTestAlert  (... ) == 0x0
 02925  2036   NtContinue  (89390384, 1, ...
 02926  2036   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02927  2036   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02928   896   NtProtectVirtualMemory  (-1, (0x563e000), 4096, 260, ... (0x563e000), 4096, 4, ) == 0x0
 02929   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 540, {1252, 1372}, ) == 0x0
 02930   896   NtQueryInformationThread  (540, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1252,Tid=1372,}, 0x0, ) == 0x0
 02931   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81969, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0\\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0\\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81970, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0\\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0\\5\0\0" )  ) == 0x0
 02932   896   NtResumeThread  (540, ... 1, ) == 0x0
 02933   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02934  1372   NtTestAlert  (... ) == 0x0
 02935  1372   NtContinue  (90438960, 1, ...
 02936  1372   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02937  1372   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02933   896   NtAllocateVirtualMemory  ... 90439680, 1048576, ) == 0x0
 02938   896   NtAllocateVirtualMemory  (-1, 91480064, 0, 8192, 4096, 4, ... 91480064, 8192, ) == 0x0
 02939   896   NtProtectVirtualMemory  (-1, (0x573e000), 4096, 260, ... (0x573e000), 4096, 4, ) == 0x0
 02940   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 544, {1252, 1600}, ) == 0x0
 02941   896   NtQueryInformationThread  (544, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1252,Tid=1600,}, 0x0, ) == 0x0
 02942   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81970, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0@\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0@\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81971, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0@\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0@\6\0\0" )  ) == 0x0
 02943   896   NtResumeThread  (544, ... 1, ) == 0x0
 02944   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 91488256, 1048576, ) == 0x0
 02945   896   NtAllocateVirtualMemory  (-1, 92528640, 0, 8192, 4096, 4, ... 92528640, 8192, ) == 0x0
 02946  1600   NtTestAlert  (... ) == 0x0
 02947  1600   NtContinue  (91487536, 1, ...
 02948  1600   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02949  1600   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02950   896   NtProtectVirtualMemory  (-1, (0x583e000), 4096, 260, ... (0x583e000), 4096, 4, ) == 0x0
 02951   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 548, {1252, 1948}, ) == 0x0
 02952   896   NtQueryInformationThread  (548, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1252,Tid=1948,}, 0x0, ) == 0x0
 02953   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81971, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\344\4\0\0\234\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\344\4\0\0\234\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81972, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\344\4\0\0\234\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\344\4\0\0\234\7\0\0" )  ) == 0x0
 02954   896   NtResumeThread  (548, ... 1, ) == 0x0
 02955   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02956  1948   NtTestAlert  (... ) == 0x0
 02957  1948   NtContinue  (92536112, 1, ...
 02958  1948   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02959  1948   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02955   896   NtAllocateVirtualMemory  ... 92536832, 1048576, ) == 0x0
 02960   896   NtAllocateVirtualMemory  (-1, 93577216, 0, 8192, 4096, 4, ... 93577216, 8192, ) == 0x0
 02961   896   NtProtectVirtualMemory  (-1, (0x593e000), 4096, 260, ... (0x593e000), 4096, 4, ) == 0x0
 02962   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 552, {1252, 252}, ) == 0x0
 02963   896   NtQueryInformationThread  (552, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1252,Tid=252,}, 0x0, ) == 0x0
 02964   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81972, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0\374\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0\374\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81973, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0\374\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0\374\0\0\0" )  ) == 0x0
 02965   896   NtResumeThread  (552, ... 1, ) == 0x0
 02966   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 93585408, 1048576, ) == 0x0
 02967   896   NtAllocateVirtualMemory  (-1, 94625792, 0, 8192, 4096, 4, ... 94625792, 8192, ) == 0x0
 02968   252   NtAllocateVirtualMemory  (-1, 3633152, 0, 4096, 4096, 4, ... 3633152, 4096, ) == 0x0
 02969   252   NtTestAlert  (... ) == 0x0
 02970   252   NtContinue  (93584688, 1, ...
 02971   252   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02972   252   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02973   896   NtProtectVirtualMemory  (-1, (0x5a3e000), 4096, 260, ... (0x5a3e000), 4096, 4, ) == 0x0
 02974   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 556, {1252, 1300}, ) == 0x0
 02975   896   NtQueryInformationThread  (556, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1252,Tid=1300,}, 0x0, ) == 0x0
 02976   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81973, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\344\4\0\0\24\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\344\4\0\0\24\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81974, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\344\4\0\0\24\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\344\4\0\0\24\5\0\0" )  ) == 0x0
 02977   896   NtResumeThread  (556, ... 1, ) == 0x0
 02978   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02979  1300   NtTestAlert  (... ) == 0x0
 02980  1300   NtContinue  (94633264, 1, ...
 02981  1300   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02982  1300   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02978   896   NtAllocateVirtualMemory  ... 94633984, 1048576, ) == 0x0
 02983   896   NtAllocateVirtualMemory  (-1, 95674368, 0, 8192, 4096, 4, ... 95674368, 8192, ) == 0x0
 02984   896   NtProtectVirtualMemory  (-1, (0x5b3e000), 4096, 260, ... (0x5b3e000), 4096, 4, ) == 0x0
 02985   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 560, {1252, 1096}, ) == 0x0
 02986   896   NtQueryInformationThread  (560, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1252,Tid=1096,}, 0x0, ) == 0x0
 02987   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81974, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81975, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0H\4\0\0" )  ) == 0x0
 02988   896   NtResumeThread  (560, ... 1, ) == 0x0
 02989   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 95682560, 1048576, ) == 0x0
 02990   896   NtAllocateVirtualMemory  (-1, 96722944, 0, 8192, 4096, 4, ... 96722944, 8192, ) == 0x0
 02991  1096   NtTestAlert  (... ) == 0x0
 02992  1096   NtContinue  (95681840, 1, ...
 02993  1096   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02994  1096   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02995   896   NtProtectVirtualMemory  (-1, (0x5c3e000), 4096, 260, ... (0x5c3e000), 4096, 4, ) == 0x0
 02996   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 564, {1252, 1708}, ) == 0x0
 02997   896   NtQueryInformationThread  (564, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1252,Tid=1708,}, 0x0, ) == 0x0
 02998   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81975, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\4\0\0\254\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\4\0\0\254\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81976, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\4\0\0\254\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\4\0\0\254\6\0\0" )  ) == 0x0
 02999   896   NtResumeThread  (564, ... 1, ) == 0x0
 03000   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03001  1708   NtTestAlert  (... ) == 0x0
 03002  1708   NtContinue  (96730416, 1, ...
 03003  1708   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03004  1708   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03000   896   NtAllocateVirtualMemory  ... 96731136, 1048576, ) == 0x0
 03005   896   NtAllocateVirtualMemory  (-1, 97771520, 0, 8192, 4096, 4, ... 97771520, 8192, ) == 0x0
 03006   896   NtProtectVirtualMemory  (-1, (0x5d3e000), 4096, 260, ... (0x5d3e000), 4096, 4, ) == 0x0
 03007   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 568, {1252, 1024}, ) == 0x0
 03008   896   NtQueryInformationThread  (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1252,Tid=1024,}, 0x0, ) == 0x0
 03009   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81976, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\0\0\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\0\0\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81977, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\0\0\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\0\0\4\0\0" )  ) == 0x0
 03010   896   NtResumeThread  (568, ... 1, ) == 0x0
 03011   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 97779712, 1048576, ) == 0x0
 03012   896   NtAllocateVirtualMemory  (-1, 98820096, 0, 8192, 4096, 4, ... 98820096, 8192, ) == 0x0
 03013  1024   NtTestAlert  (... ) == 0x0
 03014  1024   NtContinue  (97778992, 1, ...
 03015  1024   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03016  1024   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03017   896   NtProtectVirtualMemory  (-1, (0x5e3e000), 4096, 260, ... (0x5e3e000), 4096, 4, ) == 0x0
 03018   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 572, {1252, 1324}, ) == 0x0
 03019   896   NtQueryInformationThread  (572, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1252,Tid=1324,}, 0x0, ) == 0x0
 03020   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81977, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\344\4\0\0,\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\344\4\0\0,\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81978, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\344\4\0\0,\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\344\4\0\0,\5\0\0" )  ) == 0x0
 03021   896   NtResumeThread  (572, ... 1, ) == 0x0
 03022   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03023  1324   NtTestAlert  (... ) == 0x0
 03024  1324   NtContinue  (98827568, 1, ...
 03025  1324   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03026  1324   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03022   896   NtAllocateVirtualMemory  ... 98828288, 1048576, ) == 0x0
 03027   896   NtAllocateVirtualMemory  (-1, 99868672, 0, 8192, 4096, 4, ... 99868672, 8192, ) == 0x0
 03028   896   NtProtectVirtualMemory  (-1, (0x5f3e000), 4096, 260, ... (0x5f3e000), 4096, 4, ) == 0x0
 03029   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 576, {1252, 1776}, ) == 0x0
 03030   896   NtQueryInformationThread  (576, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1252,Tid=1776,}, 0x0, ) == 0x0
 03031   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81978, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\360\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81979, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\360\6\0\0" )  ) == 0x0
 03032   896   NtResumeThread  (576, ... 1, ) == 0x0
 03033   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 99876864, 1048576, ) == 0x0
 03034   896   NtAllocateVirtualMemory  (-1, 100917248, 0, 8192, 4096, 4, ... 100917248, 8192, ) == 0x0
 03035  1776   NtTestAlert  (... ) == 0x0
 03036  1776   NtContinue  (99876144, 1, ...
 03037  1776   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03038  1776   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03039   896   NtProtectVirtualMemory  (-1, (0x603e000), 4096, 260, ... (0x603e000), 4096, 4, ) == 0x0
 03040   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 580, {1252, 248}, ) == 0x0
 03041   896   NtQueryInformationThread  (580, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1252,Tid=248,}, 0x0, ) == 0x0
 03042   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81979, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\4\0\0\370\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\4\0\0\370\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81980, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\4\0\0\370\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\344\4\0\0\370\0\0\0" )  ) == 0x0
 03043   896   NtResumeThread  (580, ... 1, ) == 0x0
 03044   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03045   248   NtTestAlert  (... ) == 0x0
 03046   248   NtContinue  (100924720, 1, ...
 03047   248   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03048   248   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03044   896   NtAllocateVirtualMemory  ... 100925440, 1048576, ) == 0x0
 03049   896   NtAllocateVirtualMemory  (-1, 101965824, 0, 8192, 4096, 4, ... 101965824, 8192, ) == 0x0
 03050   896   NtProtectVirtualMemory  (-1, (0x613e000), 4096, 260, ... (0x613e000), 4096, 4, ) == 0x0
 03051   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 584, {1252, 1884}, ) == 0x0
 03052   896   NtQueryInformationThread  (584, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1252,Tid=1884,}, 0x0, ) == 0x0
 03053   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81980, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0\\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0\\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81981, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0\\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0\\7\0\0" )  ) == 0x0
 03054   896   NtResumeThread  (584, ... 1, ) == 0x0
 03055   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 101974016, 1048576, ) == 0x0
 03056   896   NtAllocateVirtualMemory  (-1, 103014400, 0, 8192, 4096, 4, ... 103014400, 8192, ) == 0x0
 03057  1884   NtTestAlert  (... ) == 0x0
 03058  1884   NtContinue  (101973296, 1, ...
 03059  1884   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03060  1884   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03061   896   NtProtectVirtualMemory  (-1, (0x623e000), 4096, 260, ... (0x623e000), 4096, 4, ) == 0x0
 03062   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 588, {1252, 1308}, ) == 0x0
 03063   896   NtQueryInformationThread  (588, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1252,Tid=1308,}, 0x0, ) == 0x0
 03064   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81981, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\4\0\0\34\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\4\0\0\34\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81982, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\4\0\0\34\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\344\4\0\0\34\5\0\0" )  ) == 0x0
 03065   896   NtResumeThread  (588, ... 1, ) == 0x0
 03066   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03067  1308   NtTestAlert  (... ) == 0x0
 03068  1308   NtContinue  (103021872, 1, ...
 03069  1308   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03070  1308   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03066   896   NtAllocateVirtualMemory  ... 103022592, 1048576, ) == 0x0
 03071   896   NtAllocateVirtualMemory  (-1, 104062976, 0, 8192, 4096, 4, ... 104062976, 8192, ) == 0x0
 03072   896   NtProtectVirtualMemory  (-1, (0x633e000), 4096, 260, ... (0x633e000), 4096, 4, ) == 0x0
 03073   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 592, {1252, 1676}, ) == 0x0
 03074   896   NtQueryInformationThread  (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1252,Tid=1676,}, 0x0, ) == 0x0
 03075   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81982, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\214\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\214\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81983, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\214\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\214\6\0\0" )  ) == 0x0
 03076   896   NtResumeThread  (592, ... 1, ) == 0x0
 03077   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 104071168, 1048576, ) == 0x0
 03078   896   NtAllocateVirtualMemory  (-1, 105111552, 0, 8192, 4096, 4, ... 105111552, 8192, ) == 0x0
 03079  1676   NtTestAlert  (... ) == 0x0
 03080  1676   NtContinue  (104070448, 1, ...
 03081  1676   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03082  1676   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03083   896   NtProtectVirtualMemory  (-1, (0x643e000), 4096, 260, ... (0x643e000), 4096, 4, ) == 0x0
 03084   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 596, {1252, 1620}, ) == 0x0
 03085   896   NtQueryInformationThread  (596, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1252,Tid=1620,}, 0x0, ) == 0x0
 03086   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81983, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0T\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0T\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81984, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0T\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0T\6\0\0" )  ) == 0x0
 03087   896   NtResumeThread  (596, ... 1, ) == 0x0
 03088   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03089  1620   NtTestAlert  (... ) == 0x0
 03090  1620   NtContinue  (105119024, 1, ...
 03091  1620   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03092  1620   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03088   896   NtAllocateVirtualMemory  ... 105119744, 1048576, ) == 0x0
 03093   896   NtAllocateVirtualMemory  (-1, 106160128, 0, 8192, 4096, 4, ... 106160128, 8192, ) == 0x0
 03094   896   NtProtectVirtualMemory  (-1, (0x653e000), 4096, 260, ... (0x653e000), 4096, 4, ) == 0x0
 03095   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 600, {1252, 1296}, ) == 0x0
 03096   896   NtQueryInformationThread  (600, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=1252,Tid=1296,}, 0x0, ) == 0x0
 03097   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81984, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\20\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\20\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81985, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\20\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\20\5\0\0" )  ) == 0x0
 03098   896   NtResumeThread  (600, ... 1, ) == 0x0
 03099   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 106168320, 1048576, ) == 0x0
 03100   896   NtAllocateVirtualMemory  (-1, 107208704, 0, 8192, 4096, 4, ... 107208704, 8192, ) == 0x0
 03101  1296   NtTestAlert  (... ) == 0x0
 03102  1296   NtContinue  (106167600, 1, ...
 03103  1296   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03104  1296   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03105   896   NtProtectVirtualMemory  (-1, (0x663e000), 4096, 260, ... (0x663e000), 4096, 4, ) == 0x0
 03106   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {1252, 440}, ) == 0x0
 03107   896   NtQueryInformationThread  (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=1252,Tid=440,}, 0x0, ) == 0x0
 03108   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81985, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\0\270\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\0\270\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81986, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\0\270\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\0\270\1\0\0" )  ) == 0x0
 03109   896   NtResumeThread  (604, ... 1, ) == 0x0
 03110   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03111   440   NtTestAlert  (... ) == 0x0
 03112   440   NtContinue  (107216176, 1, ...
 03113   440   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03114   440   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03110   896   NtAllocateVirtualMemory  ... 107216896, 1048576, ) == 0x0
 03115   896   NtAllocateVirtualMemory  (-1, 108257280, 0, 8192, 4096, 4, ... 108257280, 8192, ) == 0x0
 03116   896   NtProtectVirtualMemory  (-1, (0x673e000), 4096, 260, ... (0x673e000), 4096, 4, ) == 0x0
 03117   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 608, {1252, 1588}, ) == 0x0
 03118   896   NtQueryInformationThread  (608, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=1252,Tid=1588,}, 0x0, ) == 0x0
 03119   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81986, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\04\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\04\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81987, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\04\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\04\6\0\0" )  ) == 0x0
 03120   896   NtResumeThread  (608, ... 1, ) == 0x0
 03121   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 108265472, 1048576, ) == 0x0
 03122   896   NtAllocateVirtualMemory  (-1, 109305856, 0, 8192, 4096, 4, ... 109305856, 8192, ) == 0x0
 03123  1588   NtTestAlert  (... ) == 0x0
 03124  1588   NtContinue  (108264752, 1, ...
 03125  1588   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03126  1588   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03127   896   NtProtectVirtualMemory  (-1, (0x683e000), 4096, 260, ... (0x683e000), 4096, 4, ) == 0x0
 03128   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 612, {1252, 2044}, ) == 0x0
 03129   896   NtQueryInformationThread  (612, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=1252,Tid=2044,}, 0x0, ) == 0x0
 03130   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81987, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0\374\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0\374\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81988, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0\374\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0\374\7\0\0" )  ) == 0x0
 03131   896   NtResumeThread  (612, ... 1, ) == 0x0
 03132   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03133  2044   NtTestAlert  (... ) == 0x0
 03134  2044   NtContinue  (109313328, 1, ...
 03135  2044   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03136  2044   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03132   896   NtAllocateVirtualMemory  ... 109314048, 1048576, ) == 0x0
 03137   896   NtAllocateVirtualMemory  (-1, 110354432, 0, 8192, 4096, 4, ... 110354432, 8192, ) == 0x0
 03138   896   NtProtectVirtualMemory  (-1, (0x693e000), 4096, 260, ... (0x693e000), 4096, 4, ) == 0x0
 03139   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {1252, 588}, ) == 0x0
 03140   896   NtQueryInformationThread  (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=1252,Tid=588,}, 0x0, ) == 0x0
 03141   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81988, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0L\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0L\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81989, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0L\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0L\2\0\0" )  ) == 0x0
 03142   896   NtResumeThread  (616, ... 1, ) == 0x0
 03143   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 110362624, 1048576, ) == 0x0
 03144   896   NtAllocateVirtualMemory  (-1, 111403008, 0, 8192, 4096, 4, ... 111403008, 8192, ) == 0x0
 03145   588   NtTestAlert  (... ) == 0x0
 03146   588   NtContinue  (110361904, 1, ...
 03147   588   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03148   588   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03149   896   NtProtectVirtualMemory  (-1, (0x6a3e000), 4096, 260, ... (0x6a3e000), 4096, 4, ) == 0x0
 03150   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 620, {1252, 1652}, ) == 0x0
 03151   896   NtQueryInformationThread  (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=1252,Tid=1652,}, 0x0, ) == 0x0
 03152   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81989, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0t\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0t\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81990, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0t\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0t\6\0\0" )  ) == 0x0
 03153   896   NtResumeThread  (620, ... 1, ) == 0x0
 03154   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03155  1652   NtTestAlert  (... ) == 0x0
 03156  1652   NtContinue  (111410480, 1, ...
 03157  1652   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03158  1652   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03154   896   NtAllocateVirtualMemory  ... 111411200, 1048576, ) == 0x0
 03159   896   NtAllocateVirtualMemory  (-1, 112451584, 0, 8192, 4096, 4, ... 112451584, 8192, ) == 0x0
 03160   896   NtProtectVirtualMemory  (-1, (0x6b3e000), 4096, 260, ... (0x6b3e000), 4096, 4, ) == 0x0
 03161   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 624, {1252, 1376}, ) == 0x0
 03162   896   NtQueryInformationThread  (624, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=1252,Tid=1376,}, 0x0, ) == 0x0
 03163   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81990, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0`\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0`\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81991, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0`\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0`\5\0\0" )  ) == 0x0
 03164   896   NtResumeThread  (624, ... 1, ) == 0x0
 03165   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 112459776, 1048576, ) == 0x0
 03166   896   NtAllocateVirtualMemory  (-1, 113500160, 0, 8192, 4096, 4, ... 113500160, 8192, ) == 0x0
 03167  1376   NtTestAlert  (... ) == 0x0
 03168  1376   NtContinue  (112459056, 1, ...
 03169  1376   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03170  1376   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03171   896   NtProtectVirtualMemory  (-1, (0x6c3e000), 4096, 260, ... (0x6c3e000), 4096, 4, ) == 0x0
 03172   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {1252, 1436}, ) == 0x0
 03173   896   NtQueryInformationThread  (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=1252,Tid=1436,}, 0x0, ) == 0x0
 03174   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81991, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\4\0\0\234\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\4\0\0\234\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81992, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\4\0\0\234\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\344\4\0\0\234\5\0\0" )  ) == 0x0
 03175   896   NtResumeThread  (628, ... 1, ) == 0x0
 03176   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03177  1436   NtTestAlert  (... ) == 0x0
 03178  1436   NtContinue  (113507632, 1, ...
 03179  1436   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03180  1436   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03176   896   NtAllocateVirtualMemory  ... 113508352, 1048576, ) == 0x0
 03181   896   NtAllocateVirtualMemory  (-1, 114548736, 0, 8192, 4096, 4, ... 114548736, 8192, ) == 0x0
 03182   896   NtProtectVirtualMemory  (-1, (0x6d3e000), 4096, 260, ... (0x6d3e000), 4096, 4, ) == 0x0
 03183   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 632, {1252, 1368}, ) == 0x0
 03184   896   NtQueryInformationThread  (632, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=1252,Tid=1368,}, 0x0, ) == 0x0
 03185   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81992, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0X\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0X\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81993, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0X\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0X\5\0\0" )  ) == 0x0
 03186   896   NtResumeThread  (632, ... 1, ) == 0x0
 03187   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 114556928, 1048576, ) == 0x0
 03188   896   NtAllocateVirtualMemory  (-1, 115597312, 0, 8192, 4096, 4, ... 115597312, 8192, ) == 0x0
 03189  1368   NtTestAlert  (... ) == 0x0
 03190  1368   NtContinue  (114556208, 1, ...
 03191  1368   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03192  1368   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03193   896   NtProtectVirtualMemory  (-1, (0x6e3e000), 4096, 260, ... (0x6e3e000), 4096, 4, ) == 0x0
 03194   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 636, {1252, 724}, ) == 0x0
 03195   896   NtQueryInformationThread  (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=1252,Tid=724,}, 0x0, ) == 0x0
 03196   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81993, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\4\0\0\324\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\4\0\0\324\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81994, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\4\0\0\324\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\344\4\0\0\324\2\0\0" )  ) == 0x0
 03197   896   NtResumeThread  (636, ... 1, ) == 0x0
 03198   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03199   724   NtTestAlert  (... ) == 0x0
 03200   724   NtContinue  (115604784, 1, ...
 03201   724   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03202   724   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03198   896   NtAllocateVirtualMemory  ... 115605504, 1048576, ) == 0x0
 03203   896   NtAllocateVirtualMemory  (-1, 116645888, 0, 8192, 4096, 4, ... 116645888, 8192, ) == 0x0
 03204   896   NtProtectVirtualMemory  (-1, (0x6f3e000), 4096, 260, ... (0x6f3e000), 4096, 4, ) == 0x0
 03205   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 640, {1252, 1276}, ) == 0x0
 03206   896   NtQueryInformationThread  (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=1252,Tid=1276,}, 0x0, ) == 0x0
 03207   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81994, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\374\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\374\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81995, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\374\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\374\4\0\0" )  ) == 0x0
 03208   896   NtResumeThread  (640, ... 1, ) == 0x0
 03209   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 116654080, 1048576, ) == 0x0
 03210   896   NtAllocateVirtualMemory  (-1, 117694464, 0, 8192, 4096, 4, ... 117694464, 8192, ) == 0x0
 03211  1276   NtTestAlert  (... ) == 0x0
 03212  1276   NtContinue  (116653360, 1, ...
 03213  1276   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03214  1276   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03215   896   NtProtectVirtualMemory  (-1, (0x703e000), 4096, 260, ... (0x703e000), 4096, 4, ) == 0x0
 03216   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 644, {1252, 220}, ) == 0x0
 03217   896   NtQueryInformationThread  (644, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=1252,Tid=220,}, 0x0, ) == 0x0
 03218   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81995, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0\334\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0\334\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81996, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0\334\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0\334\0\0\0" )  ) == 0x0
 03219   896   NtResumeThread  (644, ... 1, ) == 0x0
 03220   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03221   220   NtTestAlert  (... ) == 0x0
 03222   220   NtContinue  (117701936, 1, ...
 03223   220   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03224   220   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03220   896   NtAllocateVirtualMemory  ... 117702656, 1048576, ) == 0x0
 03225   896   NtAllocateVirtualMemory  (-1, 118743040, 0, 8192, 4096, 4, ... 118743040, 8192, ) == 0x0
 03226   896   NtProtectVirtualMemory  (-1, (0x713e000), 4096, 260, ... (0x713e000), 4096, 4, ) == 0x0
 03227   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {1252, 1328}, ) == 0x0
 03228   896   NtQueryInformationThread  (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=1252,Tid=1328,}, 0x0, ) == 0x0
 03229   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81996, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\00\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\00\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81997, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\00\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\00\5\0\0" )  ) == 0x0
 03230   896   NtResumeThread  (648, ... 1, ) == 0x0
 03231   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 118751232, 1048576, ) == 0x0
 03232   896   NtAllocateVirtualMemory  (-1, 119791616, 0, 8192, 4096, 4, ... 119791616, 8192, ) == 0x0
 03233  1328   NtTestAlert  (... ) == 0x0
 03234  1328   NtContinue  (118750512, 1, ...
 03235  1328   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03236  1328   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03237   896   NtProtectVirtualMemory  (-1, (0x723e000), 4096, 260, ... (0x723e000), 4096, 4, ) == 0x0
 03238   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 652, {1252, 704}, ) == 0x0
 03239   896   NtQueryInformationThread  (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=1252,Tid=704,}, 0x0, ) == 0x0
 03240   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81997, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0\300\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0\300\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81998, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0\300\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0\300\2\0\0" )  ) == 0x0
 03241   896   NtResumeThread  (652, ... 1, ) == 0x0
 03242   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03243   704   NtTestAlert  (... ) == 0x0
 03244   704   NtContinue  (119799088, 1, ...
 03245   704   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03246   704   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03242   896   NtAllocateVirtualMemory  ... 119799808, 1048576, ) == 0x0
 03247   896   NtAllocateVirtualMemory  (-1, 120840192, 0, 8192, 4096, 4, ... 120840192, 8192, ) == 0x0
 03248   896   NtProtectVirtualMemory  (-1, (0x733e000), 4096, 260, ... (0x733e000), 4096, 4, ) == 0x0
 03249   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {1252, 1152}, ) == 0x0
 03250   896   NtQueryInformationThread  (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=1252,Tid=1152,}, 0x0, ) == 0x0
 03251   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81998, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\200\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\200\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81999, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\200\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\200\4\0\0" )  ) == 0x0
 03252   896   NtResumeThread  (656, ... 1, ) == 0x0
 03253   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 120848384, 1048576, ) == 0x0
 03254   896   NtAllocateVirtualMemory  (-1, 121888768, 0, 8192, 4096, 4, ... 121888768, 8192, ) == 0x0
 03255  1152   NtTestAlert  (... ) == 0x0
 03256  1152   NtContinue  (120847664, 1, ...
 03257  1152   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03258  1152   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03259   896   NtProtectVirtualMemory  (-1, (0x743e000), 4096, 260, ... (0x743e000), 4096, 4, ) == 0x0
 03260   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {1252, 792}, ) == 0x0
 03261   896   NtQueryInformationThread  (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=1252,Tid=792,}, 0x0, ) == 0x0
 03262   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81999, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0\30\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0\30\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82000, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0\30\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0\30\3\0\0" )  ) == 0x0
 03263   896   NtResumeThread  (660, ... 1, ) == 0x0
 03264   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03265   792   NtTestAlert  (... ) == 0x0
 03266   792   NtContinue  (121896240, 1, ...
 03267   792   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03268   792   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03264   896   NtAllocateVirtualMemory  ... 121896960, 1048576, ) == 0x0
 03269   896   NtAllocateVirtualMemory  (-1, 122937344, 0, 8192, 4096, 4, ... 122937344, 8192, ) == 0x0
 03270   896   NtProtectVirtualMemory  (-1, (0x753e000), 4096, 260, ... (0x753e000), 4096, 4, ) == 0x0
 03271   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {1252, 888}, ) == 0x0
 03272   896   NtQueryInformationThread  (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=1252,Tid=888,}, 0x0, ) == 0x0
 03273   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82000, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0x\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0x\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82001, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0x\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0x\3\0\0" )  ) == 0x0
 03274   896   NtResumeThread  (664, ... 1, ) == 0x0
 03275   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 122945536, 1048576, ) == 0x0
 03276   896   NtAllocateVirtualMemory  (-1, 123985920, 0, 8192, 4096, 4, ... 123985920, 8192, ) == 0x0
 03277   888   NtAllocateVirtualMemory  (-1, 3637248, 0, 4096, 4096, 4, ... 3637248, 4096, ) == 0x0
 03278   888   NtTestAlert  (... ) == 0x0
 03279   888   NtContinue  (122944816, 1, ...
 03280   888   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03281   888   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03282   896   NtProtectVirtualMemory  (-1, (0x763e000), 4096, 260, ... (0x763e000), 4096, 4, ) == 0x0
 03283   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1252, 1120}, ) == 0x0
 03284   896   NtQueryInformationThread  (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=1252,Tid=1120,}, 0x0, ) == 0x0
 03285   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82001, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\0`\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\0`\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82002, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\0`\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\0`\4\0\0" )  ) == 0x0
 03286   896   NtResumeThread  (668, ... 1, ) == 0x0
 03287   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03288  1120   NtTestAlert  (... ) == 0x0
 03289  1120   NtContinue  (123993392, 1, ...
 03290  1120   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03291  1120   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03287   896   NtAllocateVirtualMemory  ... 123994112, 1048576, ) == 0x0
 03292   896   NtAllocateVirtualMemory  (-1, 125034496, 0, 8192, 4096, 4, ... 125034496, 8192, ) == 0x0
 03293   896   NtProtectVirtualMemory  (-1, (0x773e000), 4096, 260, ... (0x773e000), 4096, 4, ) == 0x0
 03294   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1252, 1484}, ) == 0x0
 03295   896   NtQueryInformationThread  (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=1252,Tid=1484,}, 0x0, ) == 0x0
 03296   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82002, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0\314\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0\314\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82003, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0\314\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0\314\5\0\0" )  ) == 0x0
 03297   896   NtResumeThread  (672, ... 1, ) == 0x0
 03298   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 125042688, 1048576, ) == 0x0
 03299   896   NtAllocateVirtualMemory  (-1, 126083072, 0, 8192, 4096, 4, ... 126083072, 8192, ) == 0x0
 03300  1484   NtTestAlert  (... ) == 0x0
 03301  1484   NtContinue  (125041968, 1, ...
 03302  1484   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03303  1484   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03304   896   NtProtectVirtualMemory  (-1, (0x783e000), 4096, 260, ... (0x783e000), 4096, 4, ) == 0x0
 03305   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1252, 840}, ) == 0x0
 03306   896   NtQueryInformationThread  (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=1252,Tid=840,}, 0x0, ) == 0x0
 03307   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82003, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0H\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0H\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82004, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0H\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0H\3\0\0" )  ) == 0x0
 03308   896   NtResumeThread  (676, ... 1, ) == 0x0
 03309   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03310   840   NtTestAlert  (... ) == 0x0
 03311   840   NtContinue  (126090544, 1, ...
 03312   840   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03313   840   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03309   896   NtAllocateVirtualMemory  ... 126091264, 1048576, ) == 0x0
 03314   896   NtAllocateVirtualMemory  (-1, 127131648, 0, 8192, 4096, 4, ... 127131648, 8192, ) == 0x0
 03315   896   NtProtectVirtualMemory  (-1, (0x793e000), 4096, 260, ... (0x793e000), 4096, 4, ) == 0x0
 03316   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1252, 876}, ) == 0x0
 03317   896   NtQueryInformationThread  (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=1252,Tid=876,}, 0x0, ) == 0x0
 03318   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82004, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0l\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0l\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82005, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0l\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0l\3\0\0" )  ) == 0x0
 03319   896   NtResumeThread  (680, ... 1, ) == 0x0
 03320   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 127139840, 1048576, ) == 0x0
 03321   896   NtAllocateVirtualMemory  (-1, 128180224, 0, 8192, 4096, 4, ... 128180224, 8192, ) == 0x0
 03322   876   NtTestAlert  (... ) == 0x0
 03323   876   NtContinue  (127139120, 1, ...
 03324   876   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03325   876   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03326   896   NtProtectVirtualMemory  (-1, (0x7a3e000), 4096, 260, ... (0x7a3e000), 4096, 4, ) == 0x0
 03327   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1252, 1104}, ) == 0x0
 03328   896   NtQueryInformationThread  (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff43000,Pid=1252,Tid=1104,}, 0x0, ) == 0x0
 03329   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82005, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0P\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0P\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82006, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0P\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0P\4\0\0" )  ) == 0x0
 03330   896   NtResumeThread  (684, ... 1, ) == 0x0
 03331   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 128188416, 1048576, ) == 0x0
 03332   896   NtAllocateVirtualMemory  (-1, 129228800, 0, 8192, 4096, 4, ... 129228800, 8192, ) == 0x0
 03333  1104   NtTestAlert  (... ) == 0x0
 03334  1104   NtContinue  (128187696, 1, ...
 03335  1104   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03336  1104   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03337   896   NtProtectVirtualMemory  (-1, (0x7b3e000), 4096, 260, ... (0x7b3e000), 4096, 4, ) == 0x0
 03338   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1252, 860}, ) == 0x0
 03339   896   NtQueryInformationThread  (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff42000,Pid=1252,Tid=860,}, 0x0, ) == 0x0
 03340   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82006, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82007, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\\3\0\0" )  ) == 0x0
 03341   896   NtResumeThread  (688, ... 1, ) == 0x0
 03342   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03343   860   NtTestAlert  (... ) == 0x0
 03344   860   NtContinue  (129236272, 1, ...
 03345   860   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03346   860   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03342   896   NtAllocateVirtualMemory  ... 129236992, 1048576, ) == 0x0
 03347   896   NtAllocateVirtualMemory  (-1, 130277376, 0, 8192, 4096, 4, ... 130277376, 8192, ) == 0x0
 03348   896   NtProtectVirtualMemory  (-1, (0x7c3e000), 4096, 260, ... (0x7c3e000), 4096, 4, ) == 0x0
 03349   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1252, 1516}, ) == 0x0
 03350   896   NtQueryInformationThread  (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff41000,Pid=1252,Tid=1516,}, 0x0, ) == 0x0
 03351   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82007, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\354\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\354\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82008, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\354\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\354\5\0\0" )  ) == 0x0
 03352   896   NtResumeThread  (692, ... 1, ) == 0x0
 03353   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 130285568, 1048576, ) == 0x0
 03354   896   NtAllocateVirtualMemory  (-1, 131325952, 0, 8192, 4096, 4, ... 131325952, 8192, ) == 0x0
 03355  1516   NtTestAlert  (... ) == 0x0
 03356  1516   NtContinue  (130284848, 1, ...
 03357  1516   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03358  1516   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03359   896   NtProtectVirtualMemory  (-1, (0x7d3e000), 4096, 260, ... (0x7d3e000), 4096, 4, ) == 0x0
 03360   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {1252, 780}, ) == 0x0
 03361   896   NtQueryInformationThread  (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff40000,Pid=1252,Tid=780,}, 0x0, ) == 0x0
 03362   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82008, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\14\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\14\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82009, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\14\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\14\3\0\0" )  ) == 0x0
 03363   896   NtResumeThread  (696, ... 1, ) == 0x0
 03364   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03365   780   NtTestAlert  (... ) == 0x0
 03366   780   NtContinue  (131333424, 1, ...
 03367   780   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03368   780   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03364   896   NtAllocateVirtualMemory  ... 131334144, 1048576, ) == 0x0
 03369   896   NtAllocateVirtualMemory  (-1, 132374528, 0, 8192, 4096, 4, ... 132374528, 8192, ) == 0x0
 03370   896   NtProtectVirtualMemory  (-1, (0x7e3e000), 4096, 260, ... (0x7e3e000), 4096, 4, ) == 0x0
 03371   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {1252, 940}, ) == 0x0
 03372   896   NtQueryInformationThread  (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3f000,Pid=1252,Tid=940,}, 0x0, ) == 0x0
 03373   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82009, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\254\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\254\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82010, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\254\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\254\3\0\0" )  ) == 0x0
 03374   896   NtResumeThread  (700, ... 1, ) == 0x0
 03375   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 132382720, 1048576, ) == 0x0
 03376   896   NtAllocateVirtualMemory  (-1, 133423104, 0, 8192, 4096, 4, ... 133423104, 8192, ) == 0x0
 03377   940   NtTestAlert  (... ) == 0x0
 03378   940   NtContinue  (132382000, 1, ...
 03379   940   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03380   940   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03381   896   NtProtectVirtualMemory  (-1, (0x7f3e000), 4096, 260, ... (0x7f3e000), 4096, 4, ) == 0x0
 03382   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1252, 1268}, ) == 0x0
 03383   896   NtQueryInformationThread  (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3e000,Pid=1252,Tid=1268,}, 0x0, ) == 0x0
 03384   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82010, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0\364\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0\364\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82011, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0\364\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0\364\4\0\0" )  ) == 0x0
 03385   896   NtResumeThread  (704, ... 1, ) == 0x0
 03386   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03387  1268   NtTestAlert  (... ) == 0x0
 03388  1268   NtContinue  (133430576, 1, ...
 03389  1268   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03390  1268   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03386   896   NtAllocateVirtualMemory  ... 133431296, 1048576, ) == 0x0
 03391   896   NtAllocateVirtualMemory  (-1, 134471680, 0, 8192, 4096, 4, ... 134471680, 8192, ) == 0x0
 03392   896   NtProtectVirtualMemory  (-1, (0x803e000), 4096, 260, ... (0x803e000), 4096, 4, ) == 0x0
 03393   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1252, 644}, ) == 0x0
 03394   896   NtQueryInformationThread  (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3d000,Pid=1252,Tid=644,}, 0x0, ) == 0x0
 03395   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82011, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\204\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\204\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82012, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\204\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\204\2\0\0" )  ) == 0x0
 03396   896   NtResumeThread  (708, ... 1, ) == 0x0
 03397   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 134479872, 1048576, ) == 0x0
 03398   896   NtAllocateVirtualMemory  (-1, 135520256, 0, 8192, 4096, 4, ... 135520256, 8192, ) == 0x0
 03399   644   NtTestAlert  (... ) == 0x0
 03400   644   NtContinue  (134479152, 1, ...
 03401   644   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03402   644   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03403   896   NtProtectVirtualMemory  (-1, (0x813e000), 4096, 260, ... (0x813e000), 4096, 4, ) == 0x0
 03404   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1252, 1736}, ) == 0x0
 03405   896   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3c000,Pid=1252,Tid=1736,}, 0x0, ) == 0x0
 03406   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82012, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\310\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\310\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82013, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\310\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\310\6\0\0" )  ) == 0x0
 03407   896   NtResumeThread  (712, ... 1, ) == 0x0
 03408   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03409  1736   NtTestAlert  (... ) == 0x0
 03410  1736   NtContinue  (135527728, 1, ...
 03411  1736   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03412  1736   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03408   896   NtAllocateVirtualMemory  ... 135528448, 1048576, ) == 0x0
 03413   896   NtAllocateVirtualMemory  (-1, 136568832, 0, 8192, 4096, 4, ... 136568832, 8192, ) == 0x0
 03414   896   NtProtectVirtualMemory  (-1, (0x823e000), 4096, 260, ... (0x823e000), 4096, 4, ) == 0x0
 03415   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1252, 320}, ) == 0x0
 03416   896   NtQueryInformationThread  (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3b000,Pid=1252,Tid=320,}, 0x0, ) == 0x0
 03417   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82013, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0@\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0@\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82014, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0@\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0@\1\0\0" )  ) == 0x0
 03418   896   NtResumeThread  (716, ... 1, ) == 0x0
 03419   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 136577024, 1048576, ) == 0x0
 03420   896   NtAllocateVirtualMemory  (-1, 137617408, 0, 8192, 4096, 4, ... 137617408, 8192, ) == 0x0
 03421   320   NtTestAlert  (... ) == 0x0
 03422   320   NtContinue  (136576304, 1, ...
 03423   320   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03424   320   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03425   896   NtProtectVirtualMemory  (-1, (0x833e000), 4096, 260, ... (0x833e000), 4096, 4, ) == 0x0
 03426   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1252, 380}, ) == 0x0
 03427   896   NtQueryInformationThread  (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3a000,Pid=1252,Tid=380,}, 0x0, ) == 0x0
 03428   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82014, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0|\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0|\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82015, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0|\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0|\1\0\0" )  ) == 0x0
 03429   896   NtResumeThread  (720, ... 1, ) == 0x0
 03430   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03431   380   NtTestAlert  (... ) == 0x0
 03432   380   NtContinue  (137624880, 1, ...
 03433   380   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03434   380   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03430   896   NtAllocateVirtualMemory  ... 137625600, 1048576, ) == 0x0
 03435   896   NtAllocateVirtualMemory  (-1, 138665984, 0, 8192, 4096, 4, ... 138665984, 8192, ) == 0x0
 03436   896   NtProtectVirtualMemory  (-1, (0x843e000), 4096, 260, ... (0x843e000), 4096, 4, ) == 0x0
 03437   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1252, 1332}, ) == 0x0
 03438   896   NtQueryInformationThread  (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff39000,Pid=1252,Tid=1332,}, 0x0, ) == 0x0
 03439   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82015, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\04\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\04\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82016, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\04\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\04\5\0\0" )  ) == 0x0
 03440   896   NtResumeThread  (724, ... 1, ) == 0x0
 03441   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 138674176, 1048576, ) == 0x0
 03442   896   NtAllocateVirtualMemory  (-1, 139714560, 0, 8192, 4096, 4, ... 139714560, 8192, ) == 0x0
 03443  1332   NtTestAlert  (... ) == 0x0
 03444  1332   NtContinue  (138673456, 1, ...
 03445  1332   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03446  1332   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03447   896   NtProtectVirtualMemory  (-1, (0x853e000), 4096, 260, ... (0x853e000), 4096, 4, ) == 0x0
 03448   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {1252, 1336}, ) == 0x0
 03449   896   NtQueryInformationThread  (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff38000,Pid=1252,Tid=1336,}, 0x0, ) == 0x0
 03450   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82016, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\08\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\08\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82017, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\08\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\08\5\0\0" )  ) == 0x0
 03451   896   NtResumeThread  (728, ... 1, ) == 0x0
 03452   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03453  1336   NtTestAlert  (... ) == 0x0
 03454  1336   NtContinue  (139722032, 1, ...
 03455  1336   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03456  1336   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03452   896   NtAllocateVirtualMemory  ... 139722752, 1048576, ) == 0x0
 03457   896   NtAllocateVirtualMemory  (-1, 140763136, 0, 8192, 4096, 4, ... 140763136, 8192, ) == 0x0
 03458   896   NtProtectVirtualMemory  (-1, (0x863e000), 4096, 260, ... (0x863e000), 4096, 4, ) == 0x0
 03459   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {1252, 468}, ) == 0x0
 03460   896   NtQueryInformationThread  (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff37000,Pid=1252,Tid=468,}, 0x0, ) == 0x0
 03461   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82017, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0\324\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0\324\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82018, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0\324\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0\324\1\0\0" )  ) == 0x0
 03462   896   NtResumeThread  (732, ... 1, ) == 0x0
 03463   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 140771328, 1048576, ) == 0x0
 03464   896   NtAllocateVirtualMemory  (-1, 141811712, 0, 8192, 4096, 4, ... 141811712, 8192, ) == 0x0
 03465   468   NtTestAlert  (... ) == 0x0
 03466   468   NtContinue  (140770608, 1, ...
 03467   468   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03468   468   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03469   896   NtProtectVirtualMemory  (-1, (0x873e000), 4096, 260, ... (0x873e000), 4096, 4, ) == 0x0
 03470   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 736, {1252, 1564}, ) == 0x0
 03471   896   NtQueryInformationThread  (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff36000,Pid=1252,Tid=1564,}, 0x0, ) == 0x0
 03472   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82018, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\0\34\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\0\34\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82019, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\0\34\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\0\34\6\0\0" )  ) == 0x0
 03473   896   NtResumeThread  (736, ... 1, ) == 0x0
 03474   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03475  1564   NtTestAlert  (... ) == 0x0
 03476  1564   NtContinue  (141819184, 1, ...
 03477  1564   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03478  1564   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03474   896   NtAllocateVirtualMemory  ... 141819904, 1048576, ) == 0x0
 03479   896   NtAllocateVirtualMemory  (-1, 142860288, 0, 8192, 4096, 4, ... 142860288, 8192, ) == 0x0
 03480   896   NtProtectVirtualMemory  (-1, (0x883e000), 4096, 260, ... (0x883e000), 4096, 4, ) == 0x0
 03481   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {1252, 1568}, ) == 0x0
 03482   896   NtQueryInformationThread  (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff35000,Pid=1252,Tid=1568,}, 0x0, ) == 0x0
 03483   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82019, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0 \6\0\0" ... {28, 56, reply, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0 \6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82020, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0 \6\0\0" ... {28, 56, reply, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0 \6\0\0" )  ) == 0x0
 03484   896   NtResumeThread  (740, ... 1, ) == 0x0
 03485   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 142868480, 1048576, ) == 0x0
 03486   896   NtAllocateVirtualMemory  (-1, 143908864, 0, 8192, 4096, 4, ... 143908864, 8192, ) == 0x0
 03487  1568   NtTestAlert  (... ) == 0x0
 03488  1568   NtContinue  (142867760, 1, ...
 03489  1568   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03490  1568   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03491   896   NtProtectVirtualMemory  (-1, (0x893e000), 4096, 260, ... (0x893e000), 4096, 4, ) == 0x0
 03492   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {1252, 1440}, ) == 0x0
 03493   896   NtQueryInformationThread  (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff34000,Pid=1252,Tid=1440,}, 0x0, ) == 0x0
 03494   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82020, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\240\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\240\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82021, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\240\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\240\5\0\0" )  ) == 0x0
 03495   896   NtResumeThread  (744, ... 1, ) == 0x0
 03496   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03497  1440   NtTestAlert  (... ) == 0x0
 03498  1440   NtContinue  (143916336, 1, ...
 03499  1440   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03500  1440   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03496   896   NtAllocateVirtualMemory  ... 143917056, 1048576, ) == 0x0
 03501   896   NtAllocateVirtualMemory  (-1, 144957440, 0, 8192, 4096, 4, ... 144957440, 8192, ) == 0x0
 03502   896   NtProtectVirtualMemory  (-1, (0x8a3e000), 4096, 260, ... (0x8a3e000), 4096, 4, ) == 0x0
 03503   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 748, {1252, 1664}, ) == 0x0
 03504   896   NtQueryInformationThread  (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff33000,Pid=1252,Tid=1664,}, 0x0, ) == 0x0
 03505   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82021, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\200\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\200\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82022, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\200\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\200\6\0\0" )  ) == 0x0
 03506   896   NtResumeThread  (748, ... 1, ) == 0x0
 03507   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 144965632, 1048576, ) == 0x0
 03508   896   NtAllocateVirtualMemory  (-1, 146006016, 0, 8192, 4096, 4, ... 146006016, 8192, ) == 0x0
 03509  1664   NtTestAlert  (... ) == 0x0
 03510  1664   NtContinue  (144964912, 1, ...
 03511  1664   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03512  1664   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03513   896   NtProtectVirtualMemory  (-1, (0x8b3e000), 4096, 260, ... (0x8b3e000), 4096, 4, ) == 0x0
 03514   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {1252, 1972}, ) == 0x0
 03515   896   NtQueryInformationThread  (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff32000,Pid=1252,Tid=1972,}, 0x0, ) == 0x0
 03516   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82022, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\264\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\264\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82023, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\264\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\264\7\0\0" )  ) == 0x0
 03517   896   NtResumeThread  (752, ... 1, ) == 0x0
 03518   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03519  1972   NtTestAlert  (... ) == 0x0
 03520  1972   NtContinue  (146013488, 1, ...
 03521  1972   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03522  1972   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03518   896   NtAllocateVirtualMemory  ... 146014208, 1048576, ) == 0x0
 03523   896   NtAllocateVirtualMemory  (-1, 147054592, 0, 8192, 4096, 4, ... 147054592, 8192, ) == 0x0
 03524   896   NtProtectVirtualMemory  (-1, (0x8c3e000), 4096, 260, ... (0x8c3e000), 4096, 4, ) == 0x0
 03525   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {1252, 1036}, ) == 0x0
 03526   896   NtQueryInformationThread  (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff31000,Pid=1252,Tid=1036,}, 0x0, ) == 0x0
 03527   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82023, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0\14\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0\14\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82024, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0\14\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0\14\4\0\0" )  ) == 0x0
 03528   896   NtResumeThread  (756, ... 1, ) == 0x0
 03529   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 147062784, 1048576, ) == 0x0
 03530   896   NtAllocateVirtualMemory  (-1, 148103168, 0, 8192, 4096, 4, ... 148103168, 8192, ) == 0x0
 03531  1036   NtTestAlert  (... ) == 0x0
 03532  1036   NtContinue  (147062064, 1, ...
 03533  1036   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03534  1036   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 03535   896   NtProtectVirtualMemory  (-1, (0x8d3e000), 4096, 260, ... (0x8d3e000), 4096, 4, ) == 0x0
 03536   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {1252, 1248}, ) == 0x0
 03537   896   NtQueryInformationThread  (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff30000,Pid=1252,Tid=1248,}, 0x0, ) == 0x0
 03538   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82024, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\340\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\340\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82025, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\340\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\340\4\0\0" )  ) == 0x0
 03539   896   NtResumeThread  (760, ... 1, ) == 0x0
 03540  1248   NtTestAlert  (... ) == 0x0
 03541  1248   NtContinue  (148110640, 1, ...
 03542  1248   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03543   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03544   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 764, ) == 0x0
 03545   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03546   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03547   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243192,  (0xc0100080, {24, 0, 0x40, 0, 1243192, "\??\PIPE\InitShutdown"}, 0x0, 0, 3, 1, 64, 0, 0, ... 768, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 768, {status=0x0, info=1}, ) == 0x0
 03548   896   NtSetInformationFile  (768, 1243248, 8, Pipe, ...
 03549  1248   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 03550  1248   NtWaitForSingleObject  (240, 0, 0x0, ...
 03548   896   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 03551   896   NtSetInformationFile  (768, 1243236, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03552   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03553   896   NtWriteFile  (768, 57, 0, 0,  (768, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\300\340M\211U\15\323\21\243"\0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) \0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03554   896   NtReadFile  (768, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76},  (768, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\234(\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03555   896   NtFsControlFile  (768, 57, 0x0, 0x0, 0x11c017,  (768, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\330\376\22\0\210J", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\234(\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 30, 1024, ... {status=0x103, info=76},  (768, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\330\376\22\0\210J", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\234(\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03556   896   NtWaitForSingleObject  (57, 0, 0x0, ... ) == 0x0
 03557   896   NtClose  (764, ... ) == 0x0
 03558   896   NtClose  (768, ... ) == 0x0
 03559   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03560   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 768, ) == 0x0
 03561   896   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03562   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03563   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243188,  (0xc0100080, {24, 0, 0x40, 0, 1243188, "\??\PIPE\winreg"}, 0x0, 0, 3, 1, 64, 0, 0, ... 764, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 764, {status=0x0, info=1}, ) == 0x0
 03564   896   NtSetInformationFile  (764, 1243244, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03565   896   NtSetInformationFile  (764, 1243232, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03566   896   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03567   896   NtWriteFile  (764, 57, 0, 0,  (764, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\1\320\2143D"\3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) \3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03568   896   NtReadFile  (764, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (764, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03569   896   NtFsControlFile  (764, 57, 0x0, 0x0, 0x11c017,  (764, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\31\0\314\376\22\0\210J", 30, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 30, 1024, ... {status=0x103, info=68},  (764, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\31\0\314\376\22\0\210J", 30, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03570   896   NtWaitForSingleObject  (57, 0, 0x0, ...
 01935   164   NtOpenKey  ... 772, ) == 0x0
 03571   164   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "Software\Policies"}, ... 776, ) }, ... 776, ) == 0x0
 03572   164   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "Software"}, ... }, ...
 03570   896   NtWaitForSingleObject  ... ) == 0x0
 03573   896   NtClose  (768, ... ) == 0x0
 03574   896   NtClose  (764, ... ) == 0x0
 03575   896   NtDelayExecution  (0, {-10000000, -1}, ...
 03572   164   NtOpenKey  ... 764, ) == 0x0
 03576   164   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software"}, ... }, ...
 01998   760   NtSetInformationThread  ... ) == 0x0
 02004  1716   NtSetInformationThread  ... ) == 0x0
 02123  1480   NtSetInformationThread  ... ) == 0x0
 02124  1556   NtSetInformationThread  ... ) == 0x0
 02132  1980   NtSetInformationThread  ... ) == 0x0
 02563  1924   NtSetInformationThread  ... ) == 0x0
 02573   768   NtSetInformationThread  ... ) == 0x0
 02585  2040   NtSetInformationThread  ... ) == 0x0
 02595   216   NtSetInformationThread  ... ) == 0x0
 02607  1524   NtSetInformationThread  ... ) == 0x0
 02617  1864   NtSetInformationThread  ... ) == 0x0
 02629   388   NtSetInformationThread  ... ) == 0x0
 02639  1020   NtSetInformationThread  ... ) == 0x0
 02652  1804   NtSetInformationThread  ... ) == 0x0
 02662  1644   NtSetInformationThread  ... ) == 0x0
 02674  1124   NtSetInformationThread  ... ) == 0x0
 02684   776   NtSetInformationThread  ... ) == 0x0
 02696  1920   NtSetInformationThread  ... ) == 0x0
 02706  1396   NtSetInformationThread  ... ) == 0x0
 02718  1692   NtSetInformationThread  ... ) == 0x0
 02728  1392   NtSetInformationThread  ... ) == 0x0
 02739  1852   NtSetInformationThread  ... ) == 0x0
 02751   504   NtSetInformationThread  ... ) == 0x0
 02761   800   NtSetInformationThread  ... ) == 0x0
 02773  1740   NtSetInformationThread  ... ) == 0x0
 02783  1828   NtSetInformationThread  ... ) == 0x0
 02795   420   NtSetInformationThread  ... ) == 0x0
 02805   384   NtSetInformationThread  ... ) == 0x0
 02817  1028   NtSetInformationThread  ... ) == 0x0
 02827  2012   NtSetInformationThread  ... ) == 0x0
 02839  1528   NtSetInformationThread  ... ) == 0x0
 02849  1168   NtSetInformationThread  ... ) == 0x0
 02861  1180   NtSetInformationThread  ... ) == 0x0
 02871   928   NtSetInformationThread  ... ) == 0x0
 02883   428   NtSetInformationThread  ... ) == 0x0
 02893  1732   NtSetInformationThread  ... ) == 0x0
 02905   748   NtSetInformationThread  ... ) == 0x0
 02918  1388   NtSetInformationThread  ... ) == 0x0
 02927  2036   NtSetInformationThread  ... ) == 0x0
 02937  1372   NtSetInformationThread  ... ) == 0x0
 02949  1600   NtSetInformationThread  ... ) == 0x0
 02959  1948   NtSetInformationThread  ... ) == 0x0
 02972   252   NtSetInformationThread  ... ) == 0x0
 02982  1300   NtSetInformationThread  ... ) == 0x0
 02994  1096   NtSetInformationThread  ... ) == 0x0
 03004  1708   NtSetInformationThread  ... ) == 0x0
 03016  1024   NtSetInformationThread  ... ) == 0x0
 03026  1324   NtSetInformationThread  ... ) == 0x0
 03038  1776   NtSetInformationThread  ... ) == 0x0
 03048   248   NtSetInformationThread  ... ) == 0x0
 03060  1884   NtSetInformationThread  ... ) == 0x0
 03070  1308   NtSetInformationThread  ... ) == 0x0
 03082  1676   NtSetInformationThread  ... ) == 0x0
 03092  1620   NtSetInformationThread  ... ) == 0x0
 03104  1296   NtSetInformationThread  ... ) == 0x0
 03114   440   NtSetInformationThread  ... ) == 0x0
 03126  1588   NtSetInformationThread  ... ) == 0x0
 03136  2044   NtSetInformationThread  ... ) == 0x0
 03148   588   NtSetInformationThread  ... ) == 0x0
 03158  1652   NtSetInformationThread  ... ) == 0x0
 03170  1376   NtSetInformationThread  ... ) == 0x0
 03180  1436   NtSetInformationThread  ... ) == 0x0
 03192  1368   NtSetInformationThread  ... ) == 0x0
 03202   724   NtSetInformationThread  ... ) == 0x0
 03214  1276   NtSetInformationThread  ... ) == 0x0
 03224   220   NtSetInformationThread  ... ) == 0x0
 03236  1328   NtSetInformationThread  ... ) == 0x0
 03246   704   NtSetInformationThread  ... ) == 0x0
 03258  1152   NtSetInformationThread  ... ) == 0x0
 03268   792   NtSetInformationThread  ... ) == 0x0
 03281   888   NtSetInformationThread  ... ) == 0x0
 03291  1120   NtSetInformationThread  ... ) == 0x0
 03303  1484   NtSetInformationThread  ... ) == 0x0
 03313   840   NtSetInformationThread  ... ) == 0x0
 03325   876   NtSetInformationThread  ... ) == 0x0
 03336  1104   NtSetInformationThread  ... ) == 0x0
 03346   860   NtSetInformationThread  ... ) == 0x0
 03358  1516   NtSetInformationThread  ... ) == 0x0
 03368   780   NtSetInformationThread  ... ) == 0x0
 03380   940   NtSetInformationThread  ... ) == 0x0
 03390  1268   NtSetInformationThread  ... ) == 0x0
 03402   644   NtSetInformationThread  ... ) == 0x0
 03412  1736   NtSetInformationThread  ... ) == 0x0
 03424   320   NtSetInformationThread  ... ) == 0x0
 03434   380   NtSetInformationThread  ... ) == 0x0
 03446  1332   NtSetInformationThread  ... ) == 0x0
 03456  1336   NtSetInformationThread  ... ) == 0x0
 03468   468   NtSetInformationThread  ... ) == 0x0
 03478  1564   NtSetInformationThread  ... ) == 0x0
 03490  1568   NtSetInformationThread  ... ) == 0x0
 03500  1440   NtSetInformationThread  ... ) == 0x0
 03512  1664   NtSetInformationThread  ... ) == 0x0
 03522  1972   NtSetInformationThread  ... ) == 0x0
 03534  1036   NtSetInformationThread  ... ) == 0x0
 03577   760   NtWaitForSingleObject  (240, 0, 0x0, ...
 03578  1716   NtWaitForSingleObject  (240, 0, 0x0, ...
 03579  1480   NtWaitForSingleObject  (240, 0, 0x0, ...
 03580  1556   NtWaitForSingleObject  (240, 0, 0x0, ...
 03581  1980   NtWaitForSingleObject  (240, 0, 0x0, ...
 03582  1924   NtWaitForSingleObject  (240, 0, 0x0, ...
 03583   768   NtWaitForSingleObject  (240, 0, 0x0, ...
 03584  2040   NtWaitForSingleObject  (240, 0, 0x0, ...
 03585   216   NtWaitForSingleObject  (240, 0, 0x0, ...
 03586  1524   NtWaitForSingleObject  (240, 0, 0x0, ...
 03587  1864   NtWaitForSingleObject  (240, 0, 0x0, ...
 03588   388   NtWaitForSingleObject  (240, 0, 0x0, ...
 03589  1020   NtWaitForSingleObject  (240, 0, 0x0, ...
 03590  1804   NtWaitForSingleObject  (240, 0, 0x0, ...
 03591  1644   NtWaitForSingleObject  (240, 0, 0x0, ...
 03592  1124   NtWaitForSingleObject  (240, 0, 0x0, ...
 03593   776   NtWaitForSingleObject  (240, 0, 0x0, ...
 03594  1920   NtWaitForSingleObject  (240, 0, 0x0, ...
 03595  1396   NtWaitForSingleObject  (240, 0, 0x0, ...
 03596  1692   NtWaitForSingleObject  (240, 0, 0x0, ...
 03597  1392   NtWaitForSingleObject  (240, 0, 0x0, ...
 03598  1852   NtWaitForSingleObject  (240, 0, 0x0, ...
 03599   504   NtWaitForSingleObject  (240, 0, 0x0, ...
 03600   800   NtWaitForSingleObject  (240, 0, 0x0, ...
 03601  1740   NtWaitForSingleObject  (240, 0, 0x0, ...
 03602  1828   NtWaitForSingleObject  (240, 0, 0x0, ...
 03603   420   NtWaitForSingleObject  (240, 0, 0x0, ...
 03604   384   NtWaitForSingleObject  (240, 0, 0x0, ...
 03605  1028   NtWaitForSingleObject  (240, 0, 0x0, ...
 03606  2012   NtWaitForSingleObject  (240, 0, 0x0, ...
 03607  1528   NtWaitForSingleObject  (240, 0, 0x0, ...
 03608  1168   NtWaitForSingleObject  (240, 0, 0x0, ...
 03609  1180   NtWaitForSingleObject  (240, 0, 0x0, ...
 03610   928   NtWaitForSingleObject  (240, 0, 0x0, ...
 03611   428   NtWaitForSingleObject  (240, 0, 0x0, ...
 03612  1732   NtWaitForSingleObject  (240, 0, 0x0, ...
 03613   748   NtWaitForSingleObject  (240, 0, 0x0, ...
 03614  1388   NtWaitForSingleObject  (240, 0, 0x0, ...
 03615  2036   NtWaitForSingleObject  (240, 0, 0x0, ...
 03616  1372   NtWaitForSingleObject  (240, 0, 0x0, ...
 03617  1600   NtWaitForSingleObject  (240, 0, 0x0, ...
 03618  1948   NtWaitForSingleObject  (240, 0, 0x0, ...
 03619   252   NtWaitForSingleObject  (240, 0, 0x0, ...
 03620  1300   NtWaitForSingleObject  (240, 0, 0x0, ...
 03621  1096   NtWaitForSingleObject  (240, 0, 0x0, ...
 03622  1708   NtWaitForSingleObject  (240, 0, 0x0, ...
 03623  1024   NtWaitForSingleObject  (240, 0, 0x0, ...
 03624  1324   NtWaitForSingleObject  (240, 0, 0x0, ...
 03625  1776   NtWaitForSingleObject  (240, 0, 0x0, ...
 03626   248   NtWaitForSingleObject  (240, 0, 0x0, ...
 03627  1884   NtWaitForSingleObject  (240, 0, 0x0, ...
 03628  1308   NtWaitForSingleObject  (240, 0, 0x0, ...
 03629  1676   NtWaitForSingleObject  (240, 0, 0x0, ...
 03630  1620   NtWaitForSingleObject  (240, 0, 0x0, ...
 03631  1296   NtWaitForSingleObject  (240, 0, 0x0, ...
 03632   440   NtWaitForSingleObject  (240, 0, 0x0, ...
 03633  1588   NtWaitForSingleObject  (240, 0, 0x0, ...
 03634  2044   NtWaitForSingleObject  (240, 0, 0x0, ...
 03635   588   NtWaitForSingleObject  (240, 0, 0x0, ...
 03636  1652   NtWaitForSingleObject  (240, 0, 0x0, ...
 03637  1376   NtWaitForSingleObject  (240, 0, 0x0, ...
 03638  1436   NtWaitForSingleObject  (240, 0, 0x0, ...
 03639  1368   NtWaitForSingleObject  (240, 0, 0x0, ...
 03640   724   NtWaitForSingleObject  (240, 0, 0x0, ...
 03641  1276   NtWaitForSingleObject  (240, 0, 0x0, ...
 03642   220   NtWaitForSingleObject  (240, 0, 0x0, ...
 03643  1328   NtWaitForSingleObject  (240, 0, 0x0, ...
 03644   704   NtWaitForSingleObject  (240, 0, 0x0, ...
 03645  1152   NtWaitForSingleObject  (240, 0, 0x0, ...
 03646   792   NtWaitForSingleObject  (240, 0, 0x0, ...
 03647   888   NtWaitForSingleObject  (240, 0, 0x0, ...
 03648  1120   NtWaitForSingleObject  (240, 0, 0x0, ...
 03649  1484   NtWaitForSingleObject  (240, 0, 0x0, ...
 03650   840   NtWaitForSingleObject  (240, 0, 0x0, ...
 03651   876   NtWaitForSingleObject  (240, 0, 0x0, ...
 03652  1104   NtWaitForSingleObject  (240, 0, 0x0, ...
 03653   860   NtWaitForSingleObject  (240, 0, 0x0, ...
 03654  1516   NtWaitForSingleObject  (240, 0, 0x0, ...
 03655   780   NtWaitForSingleObject  (240, 0, 0x0, ...
 03656   940   NtWaitForSingleObject  (240, 0, 0x0, ...
 03657  1268   NtWaitForSingleObject  (240, 0, 0x0, ...
 03658   644   NtWaitForSingleObject  (240, 0, 0x0, ...
 03659  1736   NtWaitForSingleObject  (240, 0, 0x0, ...
 03660   320   NtWaitForSingleObject  (240, 0, 0x0, ...
 03661   380   NtWaitForSingleObject  (240, 0, 0x0, ...
 03662  1332   NtWaitForSingleObject  (240, 0, 0x0, ...
 03663  1336   NtWaitForSingleObject  (240, 0, 0x0, ...
 03664   468   NtWaitForSingleObject  (240, 0, 0x0, ...
 03665  1564   NtWaitForSingleObject  (240, 0, 0x0, ...
 03666  1568   NtWaitForSingleObject  (240, 0, 0x0, ...
 03667  1440   NtWaitForSingleObject  (240, 0, 0x0, ...
 03668  1664   NtWaitForSingleObject  (240, 0, 0x0, ...
 03669  1972   NtWaitForSingleObject  (240, 0, 0x0, ...
 03670  1036   NtWaitForSingleObject  (240, 0, 0x0, ...
 03576   164   NtOpenKey  ... 768, ) == 0x0
 03671   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03672   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03673   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03674   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 780, ) }, ... 780, ) == 0x0
 03675   164   NtQueryValueKey  (780,  (780, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (780, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03676   164   NtClose  (780, ... ) == 0x0
 03677   164   NtQueryValueKey  (136,  (136, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03678   164   NtQueryValueKey  (136,  (136, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03679   164   NtQueryValueKey  (136,  (136, "IdnEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03680   164   NtQueryValueKey  (136,  (136, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03681   164   NtQueryValueKey  (136,  (136, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03682   164   NtQueryValueKey  (136,  (136, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03683   164   NtQueryValueKey  (136,  (136, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03684   164   NtQueryValueKey  (136,  (136, "DisableBasicOverClearChannel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03685   164   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03686   164   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03687   164   NtOpenKey  (0x20019, {24, 140, 0x40, 0, 0,  (0x20019, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03688   164   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 780, ) }, ... 780, ) == 0x0
 03689   164   NtQueryValueKey  (780,  (780, "Feature_ClientAuthCertFilter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03690   164   NtClose  (780, ... ) == 0x0
 03691   164   NtAllocateVirtualMemory  (-1, 17027072, 0, 4096, 4096, 260, ... 17027072, 4096, ) == 0x0
 03692   164   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03693   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 17034896, ... ) }, 17034896, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03694   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 17034896, ... ) }, 17034896, ... ) == 0x0
 03695   164   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 5, 96, ... 780, {status=0x0, info=1}, ) }, 5, 96, ... 780, {status=0x0, info=1}, ) == 0x0
 03696   164   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 780, ... 784, ) == 0x0
 03697   164   NtQuerySection  (784, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03698   164   NtClose  (780, ... ) == 0x0
 03699   164   NtMapViewOfSection  (784, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77fe0000), 0x0, 69632, ) == 0x0
 03700   164   NtClose  (784, ... ) == 0x0
 03701   164   NtProtectVirtualMemory  (-1, (0x77fe1000), 388, 4, ... (0x77fe1000), 4096, 32, ) == 0x0
 03702   164   NtProtectVirtualMemory  (-1, (0x77fe1000), 4096, 32, ... (0x77fe1000), 4096, 4, ) == 0x0
 03703   164   NtFlushInstructionCache  (-1, 2013138944, 388, ... ) == 0x0
 03704   164   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03705   164   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 784, ) == 0x0
 03706   164   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 780, ) == 0x0
 03707   164   NtOpenEvent  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 788, ) }, ... 788, ) == 0x0
 03708   164   NtQueryEvent  (788, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0
 03709   164   NtClose  (788, ... ) == 0x0
 03710   164   NtConnectPort  ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 17036468, 140, ... 788, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 17036468, 140, ... 788, 0x0, 0x0, 256, 140, ) == 0x0
 03711   164   NtRequestWaitReplyPort  (788, {28, 52, new_msg, 0, 0, 0, 0, 0}  (788, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\240\373\24\0" ... {188, 212, reply, 0, 1252, 164, 82027, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" )  ... {188, 212, reply, 0, 1252, 164, 82027, 0}  (788, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\240\373\24\0" ... {188, 212, reply, 0, 1252, 164, 82027, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" )  ) == 0x0
 03712   164   NtQueryValueKey  (136,  (136, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03713   164   NtOpenKey  (0x9, {24, 36, 0x40, 0, 0,  (0x9, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 792, ) }, ... 792, ) == 0x0
 03714   164   NtQueryValueKey  (792,  (792, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03715   164   NtClose  (792, ... ) == 0x0
 03716   164   NtOpenKey  (0xf, {24, 36, 0x40, 0, 0,  (0xf, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 792, ) }, ... 792, ) == 0x0
 03717   164   NtOpenKey  (0xf, {24, 140, 0x40, 0, 0,  (0xf, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 796, ) }, ... 796, ) == 0x0
 03718   164   NtOpenKey  (0x9, {24, 140, 0x40, 0, 0,  (0x9, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 800, ) }, ... 800, ) == 0x0
 03719   164   NtQueryValueKey  (800,  (800, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 03720   164   NtQueryValueKey  (800,  (800, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 03721   164   NtClose  (800, ... ) == 0x0
 03722   164   NtOpenKey  (0xf, {24, 796, 0x40, 0, 0,  (0xf, {24, 796, 0x40, 0, 0, "Content"}, ... 800, ) }, ... 800, ) == 0x0
 03723   164   NtQueryValueKey  (800,  (800, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03724   164   NtOpenKey  (0xf, {24, 792, 0x40, 0, 0,  (0xf, {24, 792, 0x40, 0, 0, "Content"}, ... 804, ) }, ... 804, ) == 0x0
 03725   164   NtQueryValueKey  (804,  (804, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (804, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03726   164   NtClose  (804, ... ) == 0x0
 03727   164   NtClose  (800, ... ) == 0x0
 03728   164   NtOpenKey  (0xf, {24, 796, 0x40, 0, 0,  (0xf, {24, 796, 0x40, 0, 0, "Content"}, ... 800, ) }, ... 800, ) == 0x0
 03729   164   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 804, ) }, ... 804, ) == 0x0
 03730   164   NtMapViewOfSection  (804, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0
 03731   164   NtClose  (804, ... ) == 0x0
 03732   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03733   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03734   164   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03735   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03736   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03737   164   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03738   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03739   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03740   164   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03741   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03742   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03743   164   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03744   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03745   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03746   164   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03747   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03748   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03749   164   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03750   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03751   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03752   164   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03753   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03754   164   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03755   164   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03756   164   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03757   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... 804, ) }, ... 804, ) == 0x0
 03758   164   NtQueryValueKey  (804,  (804, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (804, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03759   164   NtAllocateVirtualMemory  (-1, 17022976, 0, 4096, 4096, 260, ... 17022976, 4096, ) == 0x0
 03760   164   NtClose  (804, ... ) == 0x0
 03761   164   NtQueryDefaultUILanguage  (17031492, ...
 03762   164   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03763   164   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481484, ) == 0x0
 03764   164   NtQueryInformationToken  (-2147481484, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03765   164   NtClose  (-2147481484, ... ) == 0x0
 03766   164   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481484, ) }, ... -2147481484, ) == 0x0
 03767   164   NtOpenKey  (0x80000000, {24, -2147481484, 0x240, 0, 0,  (0x80000000, {24, -2147481484, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03768   164   NtOpenKey  (0x80000000, {24, -2147481484, 0x640, 0, 0,  (0x80000000, {24, -2147481484, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482104, ) }, ... -2147482104, ) == 0x0
 03769   164   NtQueryValueKey  (-2147482104,  (-2147482104, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03770   164   NtClose  (-2147482104, ... ) == 0x0
 03771   164   NtClose  (-2147481484, ... ) == 0x0
 03761   164   NtQueryDefaultUILanguage  ... ) == 0x0
 03772   164   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 804, {status=0x0, info=1}, ) }, 1, 96, ... 804, {status=0x0, info=1}, ) == 0x0
 03773   164   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 804, ... 808, ) == 0x0
 03774   164   NtMapViewOfSection  (808, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8d40000), 0x0, 8462336, ) == 0x0
 03775   164   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03776   164   NtAllocateVirtualMemory  (-1, 17018880, 0, 4096, 4096, 260, ... 17018880, 4096, ) == 0x0
 03777   164   NtQueryDefaultLocale  (1, 17029588, ... ) == 0x0
 03778   164   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03779   164   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 17030624, 1179817, 17030348}  (24, {128, 156, new_msg, 0, 2088850039, 17030624, 1179817, 17030348} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1$\3\0\0\377\377\377\377\0\0\0\0@ \367\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\324\341\3\1\0\0\0\0" ... {128, 156, reply, 0, 1252, 164, 82028, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1$\3\0\0\377\377\377\377\0\0\0\0@ \367\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\324\341\3\1\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 164, 82028, 0}  (24, {128, 156, new_msg, 0, 2088850039, 17030624, 1179817, 17030348} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1$\3\0\0\377\377\377\377\0\0\0\0@ \367\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\324\341\3\1\0\0\0\0" ... {128, 156, reply, 0, 1252, 164, 82028, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1$\3\0\0\377\377\377\377\0\0\0\0@ \367\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\324\341\3\1\0\0\0\0" )  ) == 0x0
 03780   164   NtClose  (804, ... ) == 0x0
 03781   164   NtClose  (808, ... ) == 0x0
 03782   164   NtUnmapViewOfSection  (-1, 0x8d40000, ... ) == 0x0
 03783   164   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03784   164   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03785   164   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03786   164   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03787   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 17028780, ... ) }, 17028780, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03788   164   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03789   164   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03790   164   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03791   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 17028844, ... ) }, 17028844, ... ) == 0x0
 03792   164   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 808, {status=0x0, info=1}, ) }, 3, 33, ... 808, {status=0x0, info=1}, ) == 0x0
 03793   164   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03794   164   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 804, {status=0x0, info=1}, ) }, 5, 96, ... 804, {status=0x0, info=1}, ) == 0x0
 03795   164   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 804, ... 812, ) == 0x0
 03796   164   NtClose  (804, ... ) == 0x0
 03797   164   NtMapViewOfSection  (812, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8d40000), 0x0, 1056768, ) == 0x0
 03798   164   NtClose  (812, ... ) == 0x0
 03799   164   NtUnmapViewOfSection  (-1, 0x8d40000, ... ) == 0x0
 03800   164   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 812, {status=0x0, info=1}, ) }, 5, 96, ... 812, {status=0x0, info=1}, ) == 0x0
 03801   164   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 812, ... 804, ) == 0x0
 03802   164   NtQuerySection  (804, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03803   164   NtClose  (812, ... ) == 0x0
 03804   164   NtMapViewOfSection  (804, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 03805   164   NtClose  (804, ... ) == 0x0
 03806   164   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03807   164   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03808   164   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03809   164   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03810   164   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03811   164   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03812   164   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03813   164   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03814   164   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03815   164   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03816   164   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03817   164   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03818   164   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03819   164   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03820   164   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03821   164   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03822   164   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03823   164   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03824   164   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03825   164   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03826   164   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03827   164   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03828   164   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 17030324, ... ) , 42, 17030324, ... ) == 0x0
 03829   164   NtQueryDefaultUILanguage  (17029008, ...
 03830   164   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03831   164   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481484, ) == 0x0
 03832   164   NtQueryInformationToken  (-2147481484, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03833   164   NtClose  (-2147481484, ... ) == 0x0
 03834   164   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481484, ) }, ... -2147481484, ) == 0x0
 03835   164   NtOpenKey  (0x80000000, {24, -2147481484, 0x240, 0, 0,  (0x80000000, {24, -2147481484, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03836   164   NtOpenKey  (0x80000000, {24, -2147481484, 0x640, 0, 0,  (0x80000000, {24, -2147481484, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482104, ) }, ... -2147482104, ) == 0x0
 03837   164   NtQueryValueKey  (-2147482104,  (-2147482104, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03838   164   NtClose  (-2147482104, ... ) == 0x0
 03839   164   NtClose  (-2147481484, ... ) == 0x0
 03829   164   NtQueryDefaultUILanguage  ... ) == 0x0
 03840   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 17027848, ... ) }, 17027848, ... ) == 0x0
 03841   164   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 804, {status=0x0, info=1}, ) }, 5, 96, ... 804, {status=0x0, info=1}, ) == 0x0
 03842   164   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 804, ... 812, ) == 0x0
 03843   164   NtClose  (804, ... ) == 0x0
 03844   164   NtMapViewOfSection  (812, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 4096, ) == 0x0
 03845   164   NtClose  (812, ... ) == 0x0
 03846   164   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 03847   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 17027444, ... ) }, 17027444, ... ) == 0x0
 03848   164   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 17028188,  (0x80100080, {24, 0, 0x40, 0, 17028188, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 812, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 812, {status=0x0, info=1}, ) == 0x0
 03849   164   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 812, ... 804, ) == 0x0
 03850   164   NtClose  (812, ... ) == 0x0
 03851   164   NtMapViewOfSection  (804, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 4096, ) == 0x0
 03852   164   NtClose  (804, ... ) == 0x0
 03853   164   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 03854   164   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 804, {status=0x0, info=1}, ) }, 1, 96, ... 804, {status=0x0, info=1}, ) == 0x0
 03855   164   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 804, ... 812, ) == 0x0
 03856   164   NtMapViewOfSection  (812, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3e0000), 0x0, 4096, ) == 0x0
 03857   164   NtQueryInformationFile  (804, 17027840, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03858   164   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03859   164   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 17028140, 1179817, 17027864}  (24, {128, 156, new_msg, 0, 2088850039, 17028140, 1179817, 17027864} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1$\3\0\0,\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0 \330\3\1\0\0\0\0" ... {128, 156, reply, 0, 1252, 164, 82029, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1$\3\0\0,\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0 \330\3\1\0\0\0\0" )  ... {128, 156, reply, 0, 1252, 164, 82029, 0}  (24, {128, 156, new_msg, 0, 2088850039, 17028140, 1179817, 17027864} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1$\3\0\0,\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0 \330\3\1\0\0\0\0" ... {128, 156, reply, 0, 1252, 164, 82029, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1$\3\0\0,\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0 \330\3\1\0\0\0\0" )  ) == 0x0
 03860   164   NtClose  (804, ... ) == 0x0
 03861   164   NtClose  (812, ... ) == 0x0
 03862   164   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 03863   164   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03864   164   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 812, ) == 0x0
 03865   164   NtCallbackReturn  (0, 0, 0, ...
 03866   164   NtUserGetThreadState  (18, ... ) == 0x1
 03867   164   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 03868   164   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 03869   164   NtUserGetDC  (0, ... ) == 0x1010051
 03870   164   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 03871   164   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 03872   164   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 03873   164   NtUserSystemParametersInfo  (66, 12, 17029840, 0, ... ) == 0x1
 03874   164   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03875   164   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 804, ) == 0x0
 03876   164   NtQueryInformationToken  (804, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03877   164   NtClose  (804, ... ) == 0x0
 03878   164   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 804, ) }, ... 804, ) == 0x0
 03879   164   NtOpenProcessToken  (-1, 0x8, ... 816, ) == 0x0
 03880   164   NtAccessCheck  (1344040, 816, 0x1, 17029672, 17029724, 56, 17029704, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 03881   164   NtClose  (816, ... ) == 0x0
 03882   164   NtOpenKey  (0x20019, {24, 804, 0x40, 0, 0,  (0x20019, {24, 804, 0x40, 0, 0, "Control Panel\Desktop"}, ... 816, ) }, ... 816, ) == 0x0
 03883   164   NtQueryValueKey  (816,  (816, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03884   164   NtClose  (816, ... ) == 0x0
 03885   164   NtUserSystemParametersInfo  (41, 500, 17029868, 0, ... ) == 0x1
 03886   164   NtOpenProcessToken  (-1, 0x8, ... 816, ) == 0x0
 03887   164   NtAccessCheck  (1344040, 816, 0x1, 17029672, 17029724, 56, 17029704, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 03888   164   NtClose  (816, ... ) == 0x0
 03889   164   NtOpenKey  (0x20019, {24, 804, 0x40, 0, 0,  (0x20019, {24, 804, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 816, ) }, ... 816, ) == 0x0
 03890   164   NtQueryValueKey  (816,  (816, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03891   164   NtClose  (816, ... ) == 0x0
 03892   164   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 03893   164   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 03894   164   NtClose  (804, ... ) == 0x0
 03895   164   NtUserSystemParametersInfo  (4130, 0, 17030372, 0, ... ) == 0x1
 03896   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 804, ) }, ... 804, ) == 0x0
 03897   164   NtEnumerateValueKey  (804, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03898   164   NtClose  (804, ... ) == 0x0
 03899   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03900   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc03b
 03901   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc03d
 03902   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03903   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc03f
 03904   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03905   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc041
 03906   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03907   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc043
 03908   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc045
 03909   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03910   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc047
 03911   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03912   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc049
 03913   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03914   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc04b
 03915   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03916   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc04d
 03917   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03918   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc04f
 03919   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc051
 03920   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03921   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc053
 03922   164   NtUserFindExistingCursorIcon  (17029616, 17029632, 17029680, ... ) == 0x10011
 03923   164   NtUserRegisterClassExWOW  (17029560, 17029628, 17029644, 17029660, 0, 384, 0, ... ) == 0x819fc055
 03924   164   NtUserFindExistingCursorIcon  (17029616, 17029632, 17029680, ... ) == 0x10011
 03925   164   NtUserRegisterClassExWOW  (17029560, 17029628, 17029644, 17029660, 0, 384, 0, ... ) == 0x819fc057
 03926   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03927   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc059
 03928   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10013
 03929   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc05b
 03930   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03931   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc05d
 03932   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03933   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc05f
 03934   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03935   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc017
 03936   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03937   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc019
 03938   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10013
 03939   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc018
 03940   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03941   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc01a
 03942   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03943   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc01c
 03944   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03945   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc01e
 03946   164   NtUserFindExistingCursorIcon  (17029612, 17029628, 17029676, ... ) == 0x10011
 03947   164   NtUserRegisterClassExWOW  (17029612, 17029680, 17029696, 17029712, 0, 384, 0, ... ) == 0x819fc01b
 03948   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03949   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc068
 03950   164   NtUserFindExistingCursorIcon  (17029620, 17029636, 17029684, ... ) == 0x10011
 03951   164   NtUserRegisterClassExWOW  (17029564, 17029632, 17029648, 17029664, 0, 384, 0, ... ) == 0x819fc06a
 03952   164   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03953   164   NtCreateSemaphore  (0x1f0003, {24, 16, 0x80, 1338216, 0,  (0x1f0003, {24, 16, 0x80, 1338216, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 804, ) }, 0, 2147483647, ... 804, ) == STATUS_OBJECT_NAME_EXISTS
 03954   164   NtReleaseSemaphore  (804, 1, ... 0, ) == 0x0
 03955   164   NtWaitForSingleObject  (804, 0, {0, 0}, ... ) == 0x0
 03956   164   NtCreateKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 816, 2, ) }, 0, 0x0, 0, ... 816, 2, ) == 0x0
 03957   164   NtQueryValueKey  (816,  (816, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (816, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 03958   164   NtClose  (816, ... ) == 0x0
 03959   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 17034564, ... ) }, 17034564, ... ) == 0x0
 03960   164   NtCreateKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 816, 2, ) }, 0, 0x0, 0, ... 816, 2, ) == 0x0
 03961   164   NtSetValueKey  (816,  (816, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 0, 1,  (816, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 162, ... ) == 0x0
 03962   164   NtClose  (816, ... ) == 0x0
 03963   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 17035256, ... ) }, 17035256, ... ) == 0x0
 03964   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 17034464, ... ) }, 17034464, ... ) == 0x0
 03965   164   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 816, {status=0x0, info=1}, ) }, 7, 2113568, ... 816, {status=0x0, info=1}, ) == 0x0
 03966   164   NtSetInformationFile  (816, 17034436, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03967   164   NtClose  (816, ... ) == 0x0
 03968   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\desktop.ini"}, 17034460, ... ) }, 17034460, ... ) == 0x0
 03969   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 17035256, ... ) }, 17035256, ... ) == 0x0
 03970   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 17034464, ... ) }, 17034464, ... ) == 0x0
 03971   164   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 7, 2113568, ... 816, {status=0x0, info=1}, ) }, 7, 2113568, ... 816, {status=0x0, info=1}, ) == 0x0
 03972   164   NtSetInformationFile  (816, 17034436, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03973   164   NtClose  (816, ... ) == 0x0
 03974   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 17034460, ... ) }, 17034460, ... ) == 0x0
 03975   164   NtQueryValueKey  (800,  (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03976   164   NtQueryValueKey  (800,  (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03977   164   NtQueryValueKey  (800,  (800, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (800, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) }, 16, ) == 0x0
 03978   164   NtOpenKey  (0xf, {24, 796, 0x40, 0, 0,  (0xf, {24, 796, 0x40, 0, 0, "Cookies"}, ... 816, ) }, ... 816, ) == 0x0
 03979   164   NtQueryValueKey  (816,  (816, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03980   164   NtOpenKey  (0xf, {24, 792, 0x40, 0, 0,  (0xf, {24, 792, 0x40, 0, 0, "Cookies"}, ... 820, ) }, ... 820, ) == 0x0
 03981   164   NtQueryValueKey  (820,  (820, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (820, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03982   164   NtClose  (820, ... ) == 0x0
 03983   164   NtClose  (816, ... ) == 0x0
 03984   164   NtClose  (800, ... ) == 0x0
 03985   164   NtOpenKey  (0xf, {24, 796, 0x40, 0, 0,  (0xf, {24, 796, 0x40, 0, 0, "Cookies"}, ... 800, ) }, ... 800, ) == 0x0
 03986   164   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03987   164   NtReleaseSemaphore  (804, 1, ... 0, ) == 0x0
 03988   164   NtWaitForSingleObject  (804, 0, {0, 0}, ... ) == 0x0
 03989   164   NtCreateKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 816, 2, ) }, 0, 0x0, 0, ... 816, 2, ) == 0x0
 03990   164   NtQueryValueKey  (816,  (816, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (816, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03991   164   NtClose  (816, ... ) == 0x0
 03992   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 17034564, ... ) }, 17034564, ... ) == 0x0
 03993   164   NtCreateKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 816, 2, ) }, 0, 0x0, 0, ... 816, 2, ) == 0x0
 03994   164   NtSetValueKey  (816,  (816, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 0, 1,  (816, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 98, ... ) == 0x0
 03995   164   NtClose  (816, ... ) == 0x0
 03996   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 17035256, ... ) }, 17035256, ... ) == 0x0
 03997   164   NtQueryValueKey  (800,  (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 03998   164   NtQueryValueKey  (800,  (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 03999   164   NtQueryValueKey  (800,  (800, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (800, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 04000   164   NtOpenKey  (0xf, {24, 796, 0x40, 0, 0,  (0xf, {24, 796, 0x40, 0, 0, "History"}, ... 816, ) }, ... 816, ) == 0x0
 04001   164   NtQueryValueKey  (816,  (816, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04002   164   NtOpenKey  (0xf, {24, 792, 0x40, 0, 0,  (0xf, {24, 792, 0x40, 0, 0, "History"}, ... 820, ) }, ... 820, ) == 0x0
 04003   164   NtQueryValueKey  (820,  (820, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (820, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04004   164   NtClose  (820, ... ) == 0x0
 04005   164   NtClose  (816, ... ) == 0x0
 04006   164   NtClose  (800, ... ) == 0x0
 04007   164   NtOpenKey  (0xf, {24, 796, 0x40, 0, 0,  (0xf, {24, 796, 0x40, 0, 0, "History"}, ... 800, ) }, ... 800, ) == 0x0
 04008   164   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04009   164   NtReleaseSemaphore  (804, 1, ... 0, ) == 0x0
 04010   164   NtWaitForSingleObject  (804, 0, {0, 0}, ... ) == 0x0
 04011   164   NtCreateKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 816, 2, ) }, 0, 0x0, 0, ... 816, 2, ) == 0x0
 04012   164   NtQueryValueKey  (816,  (816, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (816, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 04013   164   NtClose  (816, ... ) == 0x0
 04014   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 17034564, ... ) }, 17034564, ... ) == 0x0
 04015   164   NtCreateKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 816, 2, ) }, 0, 0x0, 0, ... 816, 2, ) == 0x0
 04016   164   NtSetValueKey  (816,  (816, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 0, 1,  (816, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 128, ... ) == 0x0
 04017   164   NtClose  (816, ... ) == 0x0
 04018   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 17035256, ... ) }, 17035256, ... ) == 0x0
 04019   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 17034464, ... ) }, 17034464, ... ) == 0x0
 04020   164   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 7, 2113568, ... 816, {status=0x0, info=1}, ) }, 7, 2113568, ... 816, {status=0x0, info=1}, ) == 0x0
 04021   164   NtSetInformationFile  (816, 17034436, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04022   164   NtClose  (816, ... ) == 0x0
 04023   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\desktop.ini"}, 17034460, ... ) }, 17034460, ... ) == 0x0
 04024   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 17035256, ... ) }, 17035256, ... ) == 0x0
 04025   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 17034464, ... ) }, 17034464, ... ) == 0x0
 04026   164   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 7, 2113568, ... 816, {status=0x0, info=1}, ) }, 7, 2113568, ... 816, {status=0x0, info=1}, ) == 0x0
 04027   164   NtSetInformationFile  (816, 17034436, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04028   164   NtClose  (816, ... ) == 0x0
 04029   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 17034460, ... ) }, 17034460, ... ) == 0x0
 04030   164   NtQueryValueKey  (800,  (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 04031   164   NtQueryValueKey  (800,  (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 04032   164   NtQueryValueKey  (800,  (800, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (800, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 04033   164   NtClose  (800, ... ) == 0x0
 04034   164   NtClose  (796, ... ) == 0x0
 04035   164   NtClose  (792, ... ) == 0x0
 04036   164   NtOpenMutant  (0x100000, {24, 16, 0x0, 0, 0,  (0x100000, {24, 16, 0x0, 0, 0, "Local\_!MSFTHISTORY!_"}, ... 792, ) }, ... 792, ) == 0x0
 04037   164   NtOpenMutant  (0x100000, {24, 16, 0x0, 0, 0,  (0x100000, {24, 16, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!temporary internet files!content.ie5!"}, ... 796, ) }, ... 796, ) == 0x0
 04038   164   NtWaitForSingleObject  (796, 0, 0x0, ... ) == 0x0
 04039   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 17036564, ... ) }, 17036564, ... ) == 0x0
 04040   164   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 800, {status=0x0, info=1}, ) }, 7, 2113568, ... 800, {status=0x0, info=1}, ) == 0x0
 04041   164   NtSetInformationFile  (800, 17036540, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04042   164   NtClose  (800, ... ) == 0x0
 04043   164   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 17036480,  (0xc0100080, {24, 0, 0x40, 0, 17036480, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 800, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 800, {status=0x0, info=1}, ) == 0x0
 04044   164   NtSetInformationFile  (800, 17036532, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04045   164   NtQueryInformationFile  (800, 17036532, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04046   164   NtOpenSection  (0x2, {24, 16, 0x0, 0, 0,  (0x2, {24, 16, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_Temporary Internet Files_Content.IE5_index.dat_802816"}, ... 816, ) }, ... 816, ) == 0x0
 04047   164   NtMapViewOfSection  (816, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8d40000), {0, 0}, 802816, ) == 0x0
 04048   164   NtReleaseMutant  (796, ... 0x0, ) == 0x0
 04049   164   NtOpenMutant  (0x100000, {24, 16, 0x0, 0, 0,  (0x100000, {24, 16, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!cookies!"}, ... 820, ) }, ... 820, ) == 0x0
 04050   164   NtWaitForSingleObject  (820, 0, 0x0, ... ) == 0x0
 04051   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 17036564, ... ) }, 17036564, ... ) == 0x0
 04052   164   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 7, 2113568, ... 824, {status=0x0, info=1}, ) }, 7, 2113568, ... 824, {status=0x0, info=1}, ) == 0x0
 04053   164   NtSetInformationFile  (824, 17036540, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04054   164   NtClose  (824, ... ) == 0x0
 04055   164   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 17036480,  (0xc0100080, {24, 0, 0x40, 0, 17036480, "\??\C:\Documents and Settings\Martim Carbone\Cookies\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 824, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 824, {status=0x0, info=1}, ) == 0x0
 04056   164   NtSetInformationFile  (824, 17036532, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04057   164   NtQueryInformationFile  (824, 17036532, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04058   164   NtOpenSection  (0x2, {24, 16, 0x0, 0, 0,  (0x2, {24, 16, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Cookies_index.dat_32768"}, ... 828, ) }, ... 828, ) == 0x0
 04059   164   NtMapViewOfSection  (828, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 32768, ) == 0x0
 04060   164   NtReleaseMutant  (820, ... 0x0, ) == 0x0
 04061   164   NtOpenMutant  (0x100000, {24, 16, 0x0, 0, 0,  (0x100000, {24, 16, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!history!history.ie5!"}, ... 832, ) }, ... 832, ) == 0x0
 04062   164   NtWaitForSingleObject  (832, 0, 0x0, ... ) == 0x0
 04063   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 17036564, ... ) }, 17036564, ... ) == 0x0
 04064   164   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 836, {status=0x0, info=1}, ) }, 7, 2113568, ... 836, {status=0x0, info=1}, ) == 0x0
 04065   164   NtSetInformationFile  (836, 17036540, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04066   164   NtClose  (836, ... ) == 0x0
 04067   164   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 17036480,  (0xc0100080, {24, 0, 0x40, 0, 17036480, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 836, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 836, {status=0x0, info=1}, ) == 0x0
 04068   164   NtSetInformationFile  (836, 17036532, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04069   164   NtQueryInformationFile  (836, 17036532, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04070   164   NtOpenSection  (0x2, {24, 16, 0x0, 0, 0,  (0x2, {24, 16, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_History_History.IE5_index.dat_81920"}, ... 840, ) }, ... 840, ) == 0x0
 04071   164   NtMapViewOfSection  (840, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xe00000), {0, 0}, 81920, ) == 0x0
 04072   164   NtReleaseMutant  (832, ... 0x0, ) == 0x0
 04073   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 17036140, ... ) }, 17036140, ... ) == 0x0
 04074   164   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 844, {status=0x0, info=1}, ) }, 7, 2113568, ... 844, {status=0x0, info=1}, ) == 0x0
 04075   164   NtSetInformationFile  (844, 17036112, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04076   164   NtClose  (844, ... ) == 0x0
 04077   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 17036136, ... ) }, 17036136, ... ) == 0x0
 04078   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 17036140, ... ) }, 17036140, ... ) == 0x0
 04079   164   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 844, {status=0x0, info=1}, ) }, 7, 2113568, ... 844, {status=0x0, info=1}, ) == 0x0
 04080   164   NtSetInformationFile  (844, 17036112, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 04081   164   NtClose  (844, ... ) == 0x0
 04082   164   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 17036136, ... ) }, 17036136, ... ) == 0x0
 04083   164   NtWaitForSingleObject  (796, 0, 0x0, ... ) == 0x0
 04084   164   NtReleaseMutant  (796, ... 0x0, ) == 0x0
 04085   164   NtOpenKey  (0xf, {24, 140, 0x40, 0, 0,  (0xf, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 844, ) }, ... 844, ) == 0x0
 04086   164   NtOpenKey  (0xf, {24, 844, 0x40, 0, 0,  (0xf, {24, 844, 0x40, 0, 0, "Extensible Cache"}, ... 848, ) }, ... 848, ) == 0x0
 04087   164   NtClose  (844, ... ) == 0x0
 04088   164   NtWaitForSingleObject  (792, 0, {-600000000, -1}, ... ) == 0x0
 04089   164   NtEnumerateKey  (848, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name= (848, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name="feedplat"}, 32, ) }, 32, ) == 0x0
 04090   164   NtOpenKey  (0xf, {24, 848, 0x40, 0, 0,  (0xf, {24, 848, 0x40, 0, 0, "feedplat"}, ... 844, ) }, ... 844, ) == 0x0
 04091   164   NtQueryValueKey  (844,  (844, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04092   164   NtQueryValueKey  (844,  (844, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04093   164   NtQueryValueKey  (844,  (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 04094   164   NtQueryValueKey  (844,  (844, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04095   164   NtQueryValueKey  (844,  (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 04096   164   NtQueryValueKey  (844,  (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0
 04097   164   NtQueryValueKey  (844,  (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0
 04098   164   NtQueryValueKey  (844,  (844, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 04099   164   NtQueryValueKey  (844,  (844, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04100   164   NtClose  (844, ... ) == 0x0
 04101   164   NtEnumerateKey  (848, 1, Basic, 288, ... {LastWrite={0x450668aa,0x1c8b090}, TitleIdx=0, Name= (848, 1, Basic, 288, ... {LastWrite={0x450668aa,0x1c8b090}, TitleIdx=0, Name="MSHist012008050720080508"}, 64, ) }, 64, ) == 0x0
 04102   164   NtOpenKey  (0xf, {24, 848, 0x40, 0, 0,  (0xf, {24, 848, 0x40, 0, 0, "MSHist012008050720080508"}, ... 844, ) }, ... 844, ) == 0x0
 04103   164   NtQueryValueKey  (844,  (844, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04104   164   NtQueryValueKey  (844,  (844, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04105   164   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 04106   164   NtQueryValueKey  (844,  (844, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (844, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) }, 160, ) == 0x0
 04107   164   NtQueryValueKey  (844,  (844, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04108   164   NtQueryValueKey  (844,  (844, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (844, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) }, 160, ) == 0x0
 04109   164   NtQueryValueKey  (844,  (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 04110   164   NtQueryValueKey  (844,  (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 04111   164   NtQueryValueKey  (844,  (844, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 04112   164   NtQueryValueKey  (844,  (844, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 04113   164   NtClose  (844, ... ) == 0x0
 04114   164   NtEnumerateKey  (848, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name= (848, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name="UserData"}, 32, ) }, 32, ) == 0x0
 04115   164   NtOpenKey  (0xf, {24, 848, 0x40, 0, 0,  (0xf, {24, 848, 0x40, 0, 0, "UserData"}, ... 844, ) }, ... 844, ) == 0x0
 04116   164   NtQueryValueKey  (844,  (844, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04117   164   NtQueryValueKey  (844,  (844, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04118   164   NtQueryValueKey  (844,  (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0
 04119   164   NtQueryValueKey  (844,  (844, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 04120   164   NtQueryValueKey  (844,  (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (844, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0
 04121   164   NtQueryValueKey  (844,  (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0
 04122   164   NtQueryValueKey  (844,  (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (844, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0
 04123   164   NtQueryValueKey  (844,  (844, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) }, 16, ) == 0x0
 04124   164   NtQueryValueKey  (844,  (844, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) }, 16, ) == 0x0
 04125   164   NtClose  (844, ... ) == 0x0
 04126   164   NtEnumerateKey  (848, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 04127   164   NtReleaseMutant  (792, ... 0x0, ) == 0x0
 04128   164   NtClose  (848, ... ) == 0x0
 04129   164   NtWaitForSingleObject  (796, 0, 0x0, ... ) == 0x0
 04130   164   NtReleaseMutant  (796, ... 0x0, ) == 0x0
 04131   164   NtWaitForSingleObject  (796, 0, 0x0, ... ) == 0x0
 04132   164   NtReleaseMutant  (796, ... 0x0, ) == 0x0
 04133   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04134   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04135   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04136   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04137   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04138   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04139   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04140   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 848, ) }, ... 848, ) == 0x0
 04141   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04142   164   NtOpenKey  (0x1, {24, 848, 0x40, 0, 0,  (0x1, {24, 848, 0x40, 0, 0, "RETRY_HEADERONLYPOST_ONCONNECTIONRESET"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04143   164   NtClose  (848, ... ) == 0x0
 04144   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04145   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04146   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 848, ) }, ... 848, ) == 0x0
 04147   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04148   164   NtOpenKey  (0x1, {24, 848, 0x40, 0, 0,  (0x1, {24, 848, 0x40, 0, 0, "FEATURE_BUFFERBREAKING_818408"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04149   164   NtClose  (848, ... ) == 0x0
 04150   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04151   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04152   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 848, ) }, ... 848, ) == 0x0
 04153   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04154   164   NtOpenKey  (0x1, {24, 848, 0x40, 0, 0,  (0x1, {24, 848, 0x40, 0, 0, "FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04155   164   NtClose  (848, ... ) == 0x0
 04156   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04157   164   NtQueryValueKey  (136,  (136, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04158   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04159   164   NtQueryValueKey  (848,  (848, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04160   164   NtClose  (848, ... ) == 0x0
 04161   164   NtQueryValueKey  (136,  (136, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04162   164   NtQueryValueKey  (136,  (136, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04163   164   NtQueryValueKey  (136,  (136, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04164   164   NtQueryValueKey  (136,  (136, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04165   164   NtQueryValueKey  (136,  (136, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04166   164   NtQueryValueKey  (136,  (136, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04167   164   NtQueryValueKey  (136,  (136, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04168   164   NtQueryValueKey  (136,  (136, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04169   164   NtQueryValueKey  (136,  (136, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04170   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04171   164   NtQueryValueKey  (848,  (848, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04172   164   NtClose  (848, ... ) == 0x0
 04173   164   NtQueryValueKey  (136,  (136, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04174   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04175   164   NtQueryValueKey  (848,  (848, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04176   164   NtClose  (848, ... ) == 0x0
 04177   164   NtQueryValueKey  (136,  (136, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04178   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04179   164   NtQueryValueKey  (848,  (848, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04180   164   NtClose  (848, ... ) == 0x0
 04181   164   NtQueryValueKey  (136,  (136, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04182   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04183   164   NtQueryValueKey  (848,  (848, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04184   164   NtClose  (848, ... ) == 0x0
 04185   164   NtQueryValueKey  (136,  (136, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04186   164   NtQueryValueKey  (136,  (136, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04187   164   NtQueryValueKey  (136,  (136, "CertCacheNoValidate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04188   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 848, ) }, ... 848, ) == 0x0
 04189   164   NtQueryValueKey  (848,  (848, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04190   164   NtClose  (848, ... ) == 0x0
 04191   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04192   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04193   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04194   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 848, ) }, ... 848, ) == 0x0
 04195   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 844, ) }, ... 844, ) == 0x0
 04196   164   NtQueryValueKey  (844,  (844, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04197   164   NtQueryValueKey  (848,  (848, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04198   164   NtClose  (848, ... ) == 0x0
 04199   164   NtClose  (844, ... ) == 0x0
 04200   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04201   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04202   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 844, ) }, ... 844, ) == 0x0
 04203   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04204   164   NtOpenKey  (0x1, {24, 844, 0x40, 0, 0,  (0x1, {24, 844, 0x40, 0, 0, "FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04205   164   NtClose  (844, ... ) == 0x0
 04206   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04207   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04208   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 844, ) }, ... 844, ) == 0x0
 04209   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04210   164   NtOpenKey  (0x1, {24, 844, 0x40, 0, 0,  (0x1, {24, 844, 0x40, 0, 0, "FEATURE_USE_CNAME_FOR_SPN_KB911149"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04211   164   NtClose  (844, ... ) == 0x0
 04212   164   NtQueryValueKey  (136,  (136, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04213   164   NtQueryValueKey  (136,  (136, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04214   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04215   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04216   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 844, ) }, ... 844, ) == 0x0
 04217   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04218   164   NtOpenKey  (0x1, {24, 844, 0x40, 0, 0,  (0x1, {24, 844, 0x40, 0, 0, "FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04219   164   NtClose  (844, ... ) == 0x0
 04220   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04221   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04222   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 844, ) }, ... 844, ) == 0x0
 04223   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04224   164   NtOpenKey  (0x1, {24, 844, 0x40, 0, 0,  (0x1, {24, 844, 0x40, 0, 0, "FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"}, ... 848, ) }, ... 848, ) == 0x0
 04225   164   NtQueryValueKey  (848,  (848, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04226   164   NtQueryValueKey  (848,  (848, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04227   164   NtClose  (848, ... ) == 0x0
 04228   164   NtClose  (844, ... ) == 0x0
 04229   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04230   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04231   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 844, ) }, ... 844, ) == 0x0
 04232   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04233   164   NtOpenKey  (0x1, {24, 844, 0x40, 0, 0,  (0x1, {24, 844, 0x40, 0, 0, "FEATURE_DIGEST_NO_EXTRAS_IN_URI"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04234   164   NtClose  (844, ... ) == 0x0
 04235   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 844, ) }, ... 844, ) == 0x0
 04236   164   NtQueryValueKey  (844,  (844, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (844, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04237   164   NtClose  (844, ... ) == 0x0
 04238   164   NtQueryValueKey  (136,  (136, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04239   164   NtQueryValueKey  (136,  (136, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04240   164   NtQueryValueKey  (136,  (136, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04241   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 844, ) }, ... 844, ) == 0x0
 04242   164   NtQueryValueKey  (844,  (844, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04243   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04244   164   NtQueryValueKey  (848,  (848, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04245   164   NtClose  (844, ... ) == 0x0
 04246   164   NtClose  (848, ... ) == 0x0
 04247   164   NtQueryValueKey  (136,  (136, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04248   164   NtQueryValueKey  (136,  (136, "BypassFtpTimeCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04249   164   NtQueryValueKey  (136,  (136, "ReleaseSocketDuringAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04250   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04251   164   NtQueryValueKey  (848,  (848, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04252   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 844, ) }, ... 844, ) == 0x0
 04253   164   NtQueryValueKey  (844,  (844, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04254   164   NtClose  (848, ... ) == 0x0
 04255   164   NtClose  (844, ... ) == 0x0
 04256   164   NtQueryValueKey  (136,  (136, "WpadSearchAllDomains", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04257   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 844, ) }, ... 844, ) == 0x0
 04258   164   NtQueryValueKey  (844,  (844, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04259   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04260   164   NtQueryValueKey  (848,  (848, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04261   164   NtClose  (844, ... ) == 0x0
 04262   164   NtClose  (848, ... ) == 0x0
 04263   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04264   164   NtQueryValueKey  (848,  (848, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04265   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 844, ) }, ... 844, ) == 0x0
 04266   164   NtQueryValueKey  (844,  (844, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04267   164   NtClose  (848, ... ) == 0x0
 04268   164   NtClose  (844, ... ) == 0x0
 04269   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 844, ) }, ... 844, ) == 0x0
 04270   164   NtQueryValueKey  (844,  (844, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04271   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04272   164   NtQueryValueKey  (848,  (848, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04273   164   NtClose  (844, ... ) == 0x0
 04274   164   NtClose  (848, ... ) == 0x0
 04275   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04276   164   NtQueryValueKey  (848,  (848, "EnableHttpTrace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04277   164   NtClose  (848, ... ) == 0x0
 04278   164   NtOpenKey  (0x1, {24, 140, 0x40, 0, 0,  (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 848, ) }, ... 848, ) == 0x0
 04279   164   NtQueryValueKey  (848,  (848, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04280   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 844, ) }, ... 844, ) == 0x0
 04281   164   NtQueryValueKey  (844,  (844, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04282   164   NtClose  (848, ... ) == 0x0
 04283   164   NtClose  (844, ... ) == 0x0
 04284   164   NtQueryValueKey  (136,  (136, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04285   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 844, ) }, ... 844, ) == 0x0
 04286   164   NtQueryValueKey  (844,  (844, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04287   164   NtClose  (844, ... ) == 0x0
 04288   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 844, ) }, ... 844, ) == 0x0
 04289   164   NtQueryValueKey  (844,  (844, "ShareCredsWithWinHttp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04290   164   NtClose  (844, ... ) == 0x0
 04291   164   NtQueryValueKey  (136,  (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 04292   164   NtQueryValueKey  (136,  (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 04293   164   NtQueryValueKey  (136,  (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 04294   164   NtQueryValueKey  (136,  (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 04295   164   NtQueryValueKey  (136,  (136, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04296   164   NtQueryValueKey  (136,  (136, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04297   164   NtQueryValueKey  (136,  (136, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04298   164   NtQueryValueKey  (136,  (136, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04299   164   NtQueryValueKey  (136,  (136, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (136, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04300   164   NtQueryValueKey  (136,  (136, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04301   164   NtQueryValueKey  (136,  (136, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04302   164   NtQueryValueKey  (136,  (136, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04303   164   NtQueryValueKey  (136,  (136, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04304   164   NtQueryValueKey  (136,  (136, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04305   164   NtQueryValueKey  (136,  (136, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04306   164   NtQueryValueKey  (136,  (136, "WarnOnHTTPSToHTTPRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04307   164   NtOpenMutant  (0x100000, {24, 16, 0x0, 0, 0,  (0x100000, {24, 16, 0x0, 0, 0, "Local\WininetStartupMutex"}, ... 844, ) }, ... 844, ) == 0x0
 04308   164   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 848, ) == 0x0
 04309   164   NtQueryValueKey  (136,  (136, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04310   164   NtWaitForSingleObject  (796, 0, 0x0, ... ) == 0x0
 04311   164   NtReleaseMutant  (796, ... 0x0, ) == 0x0
 04312   164   NtOpenMutant  (0x100000, {24, 16, 0x0, 0, 0,  (0x100000, {24, 16, 0x0, 0, 0, "Local\WininetConnectionMutex"}, ... 852, ) }, ... 852, ) == 0x0
 04313   164   NtOpenMutant  (0x100000, {24, 16, 0x0, 0, 0,  (0x100000, {24, 16, 0x0, 0, 0, "Local\WininetProxyRegistryMutex"}, ... 856, ) }, ... 856, ) == 0x0
 04314   164   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 860, ) == 0x0
 04315   164   NtQueryValueKey  (136,  (136, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04316   164   NtQueryValueKey  (136,  (136, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04317   164   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 864, ) == 0x0
 04318   164   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 868, ) }, ... 868, ) == 0x0
 04319   164   NtQueryValueKey  (868,  (868, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (868, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 04320   164   NtQueryValueKey  (868,  (868, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (868, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 04321   164   NtClose  (868, ... ) == 0x0
 04322   164   NtQueryValueKey  (136,  (136, "TruncateFileName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04323   164   NtQueryValueKey  (136,  (136, "BadProxyExpiresTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04324   164   NtSetEventBoostPriority  (240, ...
 01933  1964   NtWaitForSingleObject  ... ) == 0x0
 04325  1964   NtSetEventBoostPriority  (240, ...
 01939  1380   NtWaitForSingleObject  ... ) == 0x0
 04326  1380   NtSetEventBoostPriority  (240, ...
 01941   752   NtWaitForSingleObject  ... ) == 0x0
 04327   752   NtSetEventBoostPriority  (240, ...
 02000   484   NtWaitForSingleObject  ... ) == 0x0
 04328   484   NtSetEventBoostPriority  (240, ...
 02023  1756   NtWaitForSingleObject  ... ) == 0x0
 04329  1756   NtSetEventBoostPriority  (240, ...
 02053  1292   NtWaitForSingleObject  ... ) == 0x0
 04330  1292   NtSetEventBoostPriority  (240, ...
 02067  1956   NtWaitForSingleObject  ... ) == 0x0
 04331  1956   NtSetEventBoostPriority  (240, ...
 02126   460   NtWaitForSingleObject  ... ) == 0x0
 04332   460   NtSetEventBoostPriority  (240, ...
 02149  1856   NtWaitForSingleObject  ... ) == 0x0
 04333  1856   NtSetEventBoostPriority  (240, ...
 02176  1272   NtWaitForSingleObject  ... ) == 0x0
 04334  1272   NtSetEventBoostPriority  (240, ...
 02194  1132   NtWaitForSingleObject  ... ) == 0x0
 04335  1132   NtSetEventBoostPriority  (240, ...
 02214   948   NtWaitForSingleObject  ... ) == 0x0
 04336   948   NtSetEventBoostPriority  (240, ...
 02241   188   NtWaitForSingleObject  ... ) == 0x0
 04337   188   NtSetEventBoostPriority  (240, ...
 02257  1240   NtWaitForSingleObject  ... ) == 0x0
 04338  1240   NtSetEventBoostPriority  (240, ...
 02271   120   NtWaitForSingleObject  ... ) == 0x0
 04339   120   NtSetEventBoostPriority  (240, ...
 02290  1728   NtWaitForSingleObject  ... ) == 0x0
 04340  1728   NtSetEventBoostPriority  (240, ...
 02318  1256   NtWaitForSingleObject  ... ) == 0x0
 04341  1256   NtSetEventBoostPriority  (240, ...
 02327  1536   NtWaitForSingleObject  ... ) == 0x0
 04342  1536   NtSetEventBoostPriority  (240, ...
 02342  1936   NtWaitForSingleObject  ... ) == 0x0
 04343  1936   NtSetEventBoostPriority  (240, ...
 02366   968   NtWaitForSingleObject  ... ) == 0x0
 04344   968   NtSetEventBoostPriority  (240, ...
 02374  1688   NtWaitForSingleObject  ... ) == 0x0
 04345  1688   NtSetEventBoostPriority  (240, ...
 02394   308   NtWaitForSingleObject  ... ) == 0x0
 04346   308   NtSetEventBoostPriority  (240, ...
 02416  1584   NtWaitForSingleObject  ... ) == 0x0
 04347  1584   NtSetEventBoostPriority  (240, ...
 02424  1496   NtWaitForSingleObject  ... ) == 0x0
 04348  1496   NtSetEventBoostPriority  (240, ...
 02452  1944   NtWaitForSingleObject  ... ) == 0x0
 04349  1944   NtSetEventBoostPriority  (240, ...
 02460  1896   NtWaitForSingleObject  ... ) == 0x0
 04350  1896   NtSetEventBoostPriority  (240, ...
 02488   240   NtWaitForSingleObject  ... ) == 0x0
 04351   240   NtSetEventBoostPriority  (240, ...
 02496  2032   NtWaitForSingleObject  ... ) == 0x0
 04352  2032   NtSetEventBoostPriority  (240, ...
 02512   476   NtWaitForSingleObject  ... ) == 0x0
 04353   476   NtSetEventBoostPriority  (240, ...
 02527  1404   NtWaitForSingleObject  ... ) == 0x0
 04354  1404   NtSetEventBoostPriority  (240, ...
 02551  1744   NtWaitForSingleObject  ... ) == 0x0
 04355  1744   NtSetEventBoostPriority  (240, ...
 02554  1128   NtWaitForSingleObject  ... ) == 0x0
 04356  1128   NtSetEventBoostPriority  (240, ...
 03550  1248   NtWaitForSingleObject  ... ) == 0x0
 04357  1248   NtSetEventBoostPriority  (240, ...
 03577   760   NtWaitForSingleObject  ... ) == 0x0
 04358   760   NtSetEventBoostPriority  (240, ...
 03578  1716   NtWaitForSingleObject  ... ) == 0x0
 04359  1716   NtSetEventBoostPriority  (240, ...
 03579  1480   NtWaitForSingleObject  ... ) == 0x0
 04360  1480   NtSetEventBoostPriority  (240, ...
 03580  1556   NtWaitForSingleObject  ... ) == 0x0
 04361  1556   NtSetEventBoostPriority  (240, ...
 03581  1980   NtWaitForSingleObject  ... ) == 0x0
 04362  1980   NtSetEventBoostPriority  (240, ...
 03582  1924   NtWaitForSingleObject  ... ) == 0x0
 04363  1924   NtSetEventBoostPriority  (240, ...
 03583   768   NtWaitForSingleObject  ... ) == 0x0
 04364   768   NtSetEventBoostPriority  (240, ...
 03584  2040   NtWaitForSingleObject  ... ) == 0x0
 04365  2040   NtSetEventBoostPriority  (240, ...
 03585   216   NtWaitForSingleObject  ... ) == 0x0
 04366   216   NtSetEventBoostPriority  (240, ...
 03586  1524   NtWaitForSingleObject  ... ) == 0x0
 04367  1524   NtSetEventBoostPriority  (240, ...
 03587  1864   NtWaitForSingleObject  ... ) == 0x0
 04368  1864   NtSetEventBoostPriority  (240, ...
 03588   388   NtWaitForSingleObject  ... ) == 0x0
 04369   388   NtSetEventBoostPriority  (240, ...
 03589  1020   NtWaitForSingleObject  ... ) == 0x0
 04370  1020   NtSetEventBoostPriority  (240, ...
 03590  1804   NtWaitForSingleObject  ... ) == 0x0
 04371  1804   NtSetEventBoostPriority  (240, ...
NtAdjustPrivilegesToken(>)	1	NtConnectPort(>)	2	NtQueryInformationProcess(>)	7	NtOpenSection(>)	57
NtCreateMutant(>)	1	NtCreateIoCompletion(>)	2	NtDuplicateObject(>)	8	NtQueryAttributesFile(>)	58
NtDelayExecution(>)	1	NtGdiCreateSolidBrush(>)	2	NtReleaseMutant(>)	8	NtQueryVirtualMemory(>)	59
NtDuplicateToken(>)	1	NtNotifyChangeKey(>)	2	NtOpenProcessTokenEx(>)	11	NtUserRegisterClassExWOW(>)	61
NtEnumerateValueKey(>)	1	NtOpenDirectoryObject(>)	2	NtOpenThreadTokenEx(>)	11	NtSetEventBoostPriority(>)	70
NtGdiCreateBitmap(>)	1	NtQueryPerformanceCounter(>)	2	NtQuerySection(>)	11	NtCreateSection(>)	80
NtGdiInit(>)	1	NtUserGetDC(>)	2	NtQueryDefaultUILanguage(>)	12	NtFlushInstructionCache(>)	87
NtGdiQueryFontAssocInfo(>)	1	NtWaitForMultipleObjects(>)	2	NtUserSystemParametersInfo(>)	12	NtMapViewOfSection(>)	114
NtGdiSelectBitmap(>)	1	NtDeleteValueKey(>)	3	NtFsControlFile(>)	13	NtWriteVirtualMemory(>)	116
NtOpenEvent(>)	1	NtGdiCreateCompatibleDC(>)	3	NtQueryInformationFile(>)	13	NtQuerySystemInformation(>)	120
NtOpenKeyedEvent(>)	1	NtReleaseSemaphore(>)	3	NtQueryDirectoryFile(>)	14	NtContinue(>)	135
NtOpenSymbolicLinkObject(>)	1	NtSecureConnectPort(>)	3	NtQueryInformationToken(>)	14	NtQueryInformationThread(>)	151
NtQueryEvent(>)	1	NtSetInformationObject(>)	3	NtOpenThreadToken(>)	18	NtResumeThread(>)	151
NtQueryInstallUILanguage(>)	1	NtUserRegisterWindowMessage(>)	3	NtQueryDebugFilterState(>)	21	NtCreateThread(>)	154
NtQueryObject(>)	1	NtAccessCheck(>)	4	NtSetValueKey(>)	21	NtTestAlert(>)	166
NtQuerySymbolicLinkObject(>)	1	NtEnumerateKey(>)	4	NtCreateKey(>)	23	NtRegisterThreadTerminatePort(>)	168
NtQuerySystemTime(>)	1	NtSetEvent(>)	4	NtFreeVirtualMemory(>)	29	NtRequestWaitReplyPort(>)	177
NtRaiseException(>)	1	NtGdiGetStockObject(>)	5	NtCreateFile(>)	30	NtWaitForSingleObject(>)	216
NtSetInformationProcess(>)	1	NtQueryVolumeInformationFile(>)	5	NtOpenProcess(>)	30	NtOpenKey(>)	232
NtUserCallNoParam(>)	1	NtCreateSemaphore(>)	6	NtSetInformationFile(>)	30	NtSetInformationThread(>)	267
NtUserCallOneParam(>)	1	NtQueryDefaultLocale(>)	6	NtCreateEvent(>)	39	NtQueryValueKey(>)	307
NtUserGetThreadDesktop(>)	1	NtReadFile(>)	6	NtDeviceIoControlFile(>)	45	NtProtectVirtualMemory(>)	449
NtUserGetThreadState(>)	1	NtWriteFile(>)	6	NtOpenFile(>)	48	NtClose(>)	452
NtAddAtom(>)	2	NtOpenMutant(>)	7	NtUserFindExistingCursorIcon(>)	50	NtAllocateVirtualMemory(>)	461
NtCallbackReturn(>)	2	NtOpenProcessToken(>)	7	NtUnmapViewOfSection(>)	53