Summary:


NtCancelTimer(>)  1 
NtConnectPort(>)  2 
NtFsControlFile(>)  6 
NtCreateEvent(>)  46 

NtCreateMutant(>)  1 
NtDelayExecution(>)  2 
NtOpenProcessToken(>)  6 
NtUserFindExistingCursorIcon(>)  50 

NtCreateTimer(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryDefaultLocale(>)  6 
NtOpenFile(>)  51 

NtDuplicateToken(>)  1 
NtNotifyChangeKey(>)  2 
NtOpenMutant(>)  7 
NtMapViewOfSection(>)  54 

NtEnumerateValueKey(>)  1 
NtOpenDirectoryObject(>)  2 
NtCreateSemaphore(>)  8 
NtQueryVirtualMemory(>)  59 

NtGdiCreateBitmap(>)  1 
NtQueryPerformanceCounter(>)  2 
NtReleaseMutant(>)  8 
NtUserRegisterClassExWOW(>)  61 

NtGdiInit(>)  1 
NtQuerySystemTime(>)  2 
NtDuplicateObject(>)  9 
NtQueryAttributesFile(>)  66 

NtGdiQueryFontAssocInfo(>)  1 
NtRemoveIoCompletion(>)  2 
NtQueryInformationProcess(>)  9 
NtFlushInstructionCache(>)  114 

NtGdiSelectBitmap(>)  1 
NtSetIoCompletion(>)  2 
NtOpenProcessTokenEx(>)  11 
NtQuerySystemInformation(>)  117 

NtOpenEvent(>)  1 
NtUserGetDC(>)  2 
NtOpenThreadTokenEx(>)  11 
NtContinue(>)  136 

NtOpenKeyedEvent(>)  1 
NtWaitForMultipleObjects(>)  2 
NtQueryDefaultUILanguage(>)  12 
NtQueryInformationThread(>)  152 

NtOpenProcess(>)  1 
NtCallbackReturn(>)  3 
NtQueryInformationFile(>)  12 
NtResumeThread(>)  153 

NtOpenSymbolicLinkObject(>)  1 
NtDeleteValueKey(>)  3 
NtUserSystemParametersInfo(>)  12 
NtCreateThread(>)  155 

NtQueryEvent(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtOpenThreadToken(>)  14 
NtRegisterThreadTerminatePort(>)  172 

NtQueryInstallUILanguage(>)  1 
NtQueryVolumeInformationFile(>)  3 
NtQueryInformationToken(>)  14 
NtTestAlert(>)  173 

NtQueryObject(>)  1 
NtReadFile(>)  3 
NtQuerySection(>)  17 
NtRequestWaitReplyPort(>)  184 

NtQuerySymbolicLinkObject(>)  1 
NtReleaseSemaphore(>)  3 
NtSetValueKey(>)  18 
NtOpenKey(>)  242 

NtQueryTimerResolution(>)  1 
NtSecureConnectPort(>)  3 
NtUnmapViewOfSection(>)  19 
NtSetInformationThread(>)  267 

NtRaiseException(>)  1 
NtAccessCheck(>)  4 
NtCreateFile(>)  21 
NtClose(>)  288 

NtSetInformationProcess(>)  1 
NtEnumerateKey(>)  4 
NtCreateKey(>)  21 
NtSetEventBoostPriority(>)  290 

NtSetTimer(>)  1 
NtSetInformationObject(>)  4 
NtQueryDebugFilterState(>)  21 
NtQueryValueKey(>)  354 

NtUserCallNoParam(>)  1 
NtUserRegisterWindowMessage(>)  4 
NtSetInformationFile(>)  25 
NtProtectVirtualMemory(>)  383 

NtUserCallOneParam(>)  1 
NtCreateIoCompletion(>)  5 
NtFreeVirtualMemory(>)  28 
NtWaitForSingleObject(>)  441 

NtUserGetThreadDesktop(>)  1 
NtGdiGetStockObject(>)  5 
NtCreateSection(>)  31 
NtAllocateVirtualMemory(>)  464 

NtUserGetThreadState(>)  1 
NtSetEvent(>)  5 
NtOpenSection(>)  34 

NtAddAtom(>)  2 
NtWriteFile(>)  5 

Trace:
 00001  1740   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1740   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1740   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1740   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1740   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1740   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1740   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1740   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1740   NtClose  (12, ... ) == 0x0
 00015  1740   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1740   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1740   NtClose  (16, ... ) == 0x0
 00021  1740   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1740   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1740   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1740   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1740   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1740   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1740   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1740   NtClose  (16, ... ) == 0x0
 00030  1740   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1740   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1740   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1740   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 928, 1740, 57932, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57932, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 928, 1740, 57932, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036  1740   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1740   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1740   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1740   NtClose  (16, ... ) == 0x0
 00041  1740   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1740   NtClose  (16, ... ) == 0x0
 00044  1740   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1740   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1740   NtClose  (16, ... ) == 0x0
 00048  1740   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1740   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1740   NtClose  (16, ... ) == 0x0
 00052  1740   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1740   NtClose  (16, ... ) == 0x0
 00055  1740   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1740   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1740   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1740   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1740   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 928, 1740, 57933, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 928, 1740, 57933, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 928, 1740, 57933, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57934, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57934, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57934, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061  1740   NtProtectVirtualMemory  (-1, (0x408000), 65536, 4, ... (0x408000), 65536, 128, ) == 0x0
 00062  1740   NtProtectVirtualMemory  (-1, (0x408000), 65536, 128, ... (0x408000), 65536, 4, ) == 0x0
 00063  1740   NtFlushInstructionCache  (-1, 4227072, 65536, ... ) == 0x0
 00064  1740   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00065  1740   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00066  1740   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00067  1740   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00068  1740   NtClose  (16, ... ) == 0x0
 00069  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00070  1740   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00071  1740   NtClose  (16, ... ) == 0x0
 00072  1740   NtTestAlert  (... ) == 0x0
 00073  1740   NtContinue  (1244464, 1, ...
 00074  1740   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40292e,}, 4, ... ) == 0x0
 00075  1740   NtQueryVirtualMemory  (-1, 0x408729, Basic, 28, ... {BaseAddress=0x408000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00076  1740   NtContinue  (1244400, 0, ...
 00077  1740   NtAllocateVirtualMemory  (-1, 0, 0, 2398, 4096, 64, ... 3276800, 4096, ) == 0x0
 00078  1740   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00079  1740   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00080  1740   NtClose  (16, ... ) == 0x0
 00081  1740   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00082  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00083  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00084  1740   NtClose  (16, ... ) == 0x0
 00085  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00086  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00087  1740   NtClose  (16, ... ) == 0x0
 00088  1740   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00089  1740   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00090  1740   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00091  1740   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00092  1740   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00093  1740   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00094  1740   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00095  1740   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00096  1740   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00097  1740   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00098  1740   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00099  1740   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00100  1740   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00101  1740   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00102  1740   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00103  1740   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00104  1740   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00105  1740   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00106  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00109  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 928, 1740, 57935, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57935, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 928, 1740, 57935, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00110  1740   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00111  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00112  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00113  1740   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0
 00114  1740   NtClose  (16, ... ) == 0x0
 00115  1740   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00116  1740   NtClose  (28, ... ) == 0x0
 00117  1740   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00118  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00119  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00120  1740   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0
 00121  1740   NtClose  (28, ... ) == 0x0
 00122  1740   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00123  1740   NtClose  (16, ... ) == 0x0
 00124  1740   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00125  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00126  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00127  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00128  1740   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00129  1740   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00130  1740   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00131  1740   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00132  1740   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00133  1740   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00134  1740   NtClose  (36, ... ) == 0x0
 00135  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00136  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00137  1740   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00138  1740   NtClose  (36, ... ) == 0x0
 00139  1740   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00140  1740   NtClose  (32, ... ) == 0x0
 00141  1740   NtClose  (16, ... ) == 0x0
 00142  1740   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00143  1740   NtClose  (28, ... ) == 0x0
 00144  1740   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00145  1740   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00146  1740   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00147  1740   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00148  1740   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00149  1740   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00150  1740   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00151  1740   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00152  1740   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00153  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00154  1740   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00155  1740   NtClose  (28, ... ) == 0x0
 00156  1740   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00157  1740   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00158  1740   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00159  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00160  1740   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00161  1740   NtClose  (28, ... ) == 0x0
 00162  1740   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00163  1740   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00164  1740   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00165  1740   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00166  1740   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00167  1740   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00168  1740   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00169  1740   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00170  1740   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00171  1740   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00172  1740   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00173  1740   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00174  1740   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00175  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00176  1740   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00177  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00178  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00179  1740   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00180  1740   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00181  1740   NtClose  (28, ... ) == 0x0
 00182  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00183  1740   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00184  1740   NtClose  (28, ... ) == 0x0
 00185  1740   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00186  1740   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00187  1740   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00191  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00192  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00193  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00194  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00195  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0
 00196  1740   NtQueryValueKey  (16,  (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00197  1740   NtClose  (16, ... ) == 0x0
 00198  1740   NtMapViewOfSection  (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0
 00199  1740   NtClose  (-2147482740, ... ) == 0x0
 00200  1740   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0
 00201  1740   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00202  1740   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482740, ) == 0x0
 00203  1740   NtQueryInformationToken  (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00204  1740   NtQueryInformationToken  (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00205  1740   NtClose  (-2147482740, ... ) == 0x0
 00206  1740   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5439488, 4096, ) == 0x0
 00207  1740   NtFreeVirtualMemory  (-1, (0x530000), 4096, 32768, ... (0x530000), 4096, ) == 0x0
 00208  1740   NtDuplicateObject  (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00209  1740   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00210  1740   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00211  1740   NtClose  (-2147482740, ... ) == 0x0
 00212  1740   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00213  1740   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00214  1740   NtClose  (-2147482740, ... ) == 0x0
 00215  1740   NtQueryDefaultLocale  (0, -139609780, ... ) == 0x0
 00216  1740   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00217  1740   NtUserCallNoParam  (24, ... ) == 0x0
 00218  1740   NtGdiCreateCompatibleDC  (0, ...
 00219  1740   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5439488, 4096, ) == 0x0
 00218  1740   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00220  1740   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00221  1740   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00222  1740   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00223  1740   NtGdiCreateSolidBrush  (0, 0, ...
 00224  1740   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8650752, 4096, ) == 0x0
 00223  1740   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00225  1740   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00226  1740   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00227  1740   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00228  1740   NtUserGetThreadDesktop  (1740, 0, ... ) == 0x24
 00229  1740   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00230  1740   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00231  1740   NtClose  (44, ... ) == 0x0
 00232  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00233  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x81b1c017
 00234  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00235  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x81b1c01c
 00236  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00237  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x81b1c01e
 00238  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00239  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81b18002
 00240  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00241  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x81b1c018
 00242  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00243  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x81b1c01a
 00244  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00245  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x81b1c01d
 00246  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00247  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x81b1c026
 00248  1740   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00249  1740   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x81b1c019
 00250  1740   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81b1c020
 00251  1740   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x81b1c022
 00252  1740   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81b1c023
 00253  1740   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x81b1c024
 00254  1740   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x81b1c025
 00255  1740   NtCallbackReturn  (0, 0, 0, ...
 00256  1740   NtGdiInit  (... ) == 0x1
 00257  1740   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00258  1740   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00259  1740   NtAllocateVirtualMemory  (-1, 0, 0, 27136, 4096, 64, ... 8716288, 28672, ) == 0x0
 00260  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00261  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00263  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00264  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0
 00265  1740   NtQuerySection  (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00266  1740   NtClose  (44, ... ) == 0x0
 00267  1740   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00268  1740   NtClose  (48, ... ) == 0x0
 00269  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0
 00270  1740   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00271  1740   NtClose  (48, ... ) == 0x0
 00272  1740   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00273  1740   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00274  1740   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00275  1740   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00276  1740   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00277  1740   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00278  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00280  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00281  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0
 00282  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0
 00283  1740   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00284  1740   NtClose  (48, ... ) == 0x0
 00285  1740   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00286  1740   NtClose  (44, ... ) == 0x0
 00287  1740   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00288  1740   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00289  1740   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00290  1740   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00291  1740   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00292  1740   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00293  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00294  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00295  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0
 00296  1740   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0
 00297  1740   NtAllocateVirtualMemory  (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0
 00298  1740   NtAllocateVirtualMemory  (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0
 00299  1740   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00300  1740   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0
 00301  1740   NtClose  (44, ... ) == 0x0
 00302  1740   NtAllocateVirtualMemory  (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0
 00303  1740   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00304  1740   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00305  1740   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00306  1740   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00307  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00308  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00310  1740   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00311  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 44, ) }, ... 44, ) == 0x0
 00312  1740   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0
 00313  1740   NtClose  (44, ... ) == 0x0
 00314  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00315  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00316  1740   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00317  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00318  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00319  1740   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00320  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 44, ) }, ... 44, ) == 0x0
 00321  1740   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00322  1740   NtClose  (44, ... ) == 0x0
 00323  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00324  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00325  1740   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00326  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00327  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00328  1740   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00329  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00330  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00331  1740   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00332  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00333  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00334  1740   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00335  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00336  1740   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00337  1740   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00338  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00339  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00340  1740   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00341  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00342  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00343  1740   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00344  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00345  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00346  1740   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00347  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00348  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00349  1740   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00350  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 44, ) }, ... 44, ) == 0x0
 00351  1740   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x880000), 0x0, 36864, ) == STATUS_IMAGE_NOT_AT_BASE
 00352  1740   NtProtectVirtualMemory  (-1, (0x881000), 18944, 4, ... (0x881000), 20480, 32, ) == 0x0
 00353  1740   NtProtectVirtualMemory  (-1, (0x887000), 1024, 4, ... (0x887000), 4096, 2, ) == 0x0
 00354  1740   NtProtectVirtualMemory  (-1, (0x888000), 1536, 4, ... (0x888000), 4096, 2, ) == 0x0
 00355  1740   NtMapViewOfSection  (44, -1, (0x880000), 0, 0, 0x0, 36864, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 00356  1740   NtProtectVirtualMemory  (-1, (0x881000), 18944, 16, ... (0x881000), 20480, 4, ) == 0x0
 00357  1740   NtProtectVirtualMemory  (-1, (0x887000), 1024, 2, ... (0x887000), 4096, 8, ) == 0x0
 00358  1740   NtProtectVirtualMemory  (-1, (0x888000), 1536, 2, ... (0x888000), 4096, 8, ) == 0x0
 00359  1740   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 00360  1740   NtClose  (44, ... ) == 0x0
 00361  1740   NtProtectVirtualMemory  (-1, (0x881000), 160, 4, ... (0x881000), 4096, 16, ) == 0x0
 00362  1740   NtProtectVirtualMemory  (-1, (0x881000), 4096, 16, ... (0x881000), 4096, 4, ) == 0x0
 00363  1740   NtFlushInstructionCache  (-1, 8916992, 160, ... ) == 0x0
 00364  1740   NtProtectVirtualMemory  (-1, (0x881000), 160, 4, ... (0x881000), 4096, 16, ) == 0x0
 00365  1740   NtProtectVirtualMemory  (-1, (0x881000), 4096, 16, ... (0x881000), 4096, 4, ) == 0x0
 00366  1740   NtFlushInstructionCache  (-1, 8916992, 160, ... ) == 0x0
 00367  1740   NtProtectVirtualMemory  (-1, (0x881000), 160, 4, ... (0x881000), 4096, 16, ) == 0x0
 00368  1740   NtProtectVirtualMemory  (-1, (0x881000), 4096, 16, ... (0x881000), 4096, 4, ) == 0x0
 00369  1740   NtFlushInstructionCache  (-1, 8916992, 160, ... ) == 0x0
 00370  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00371  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00372  1740   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00373  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 44, ) }, ... 44, ) == 0x0
 00374  1740   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0
 00375  1740   NtClose  (44, ... ) == 0x0
 00376  1740   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00377  1740   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00378  1740   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00379  1740   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00380  1740   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00381  1740   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00382  1740   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00383  1740   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00384  1740   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00385  1740   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00386  1740   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00387  1740   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00388  1740   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00389  1740   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00390  1740   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00391  1740   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00392  1740   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00393  1740   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00394  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00395  1740   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00396  1740   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00397  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00398  1740   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00399  1740   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0
 00400  1740   NtCreateSemaphore  (0x1f0003, {24, 44, 0x80, 1330488, 0,  (0x1f0003, {24, 44, 0x80, 1330488, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 48, ) }, 0, 2147483647, ... 48, ) == STATUS_OBJECT_NAME_EXISTS
 00401  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00403  1740   NtQueryPerformanceCounter  (... {924144273, 10}, {3579545, 0}, ) == 0x0
 00404  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00405  1740   NtQueryPerformanceCounter  (... {924144840, 10}, {3579545, 0}, ) == 0x0
 00406  1740   NtAllocateVirtualMemory  (-1, 1331200, 0, 8192, 4096, 4, ... 1331200, 8192, ) == 0x0
 00407  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00408  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 8978432, 1048576, ) == 0x0
 00409  1740   NtAllocateVirtualMemory  (-1, 8978432, 0, 4096, 4096, 4, ... 8978432, 4096, ) == 0x0
 00410  1740   NtAllocateVirtualMemory  (-1, 8982528, 0, 8192, 4096, 4, ... 8982528, 8192, ) == 0x0
 00411  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00412  1740   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1242348,  (0xc0100080, {24, 0, 0x40, 0, 1242348, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 56, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 56, {status=0x0, info=0}, ) == 0x0
 00413  1740   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 60, ) == 0x0
 00414  1740   NtDeviceIoControlFile  (56, 60, 0x0, 0x12f54c, 0x22414c,  (56, 60, 0x0, 0x12f54c, 0x22414c, "\224\365\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 00415  1740   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00416  1740   NtQueryValueKey  (-2147482740,  (-2147482740, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00417  1740   NtQueryValueKey  (-2147482740,  (-2147482740, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418  1740   NtClose  (-2147482740, ... ) == 0x0
 00419  1740   NtClose  (908, ... ) == 0x0
 00414  1740   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "\350\16\37\341\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#e\0r\02\0-\0\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00420  1740   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1242564,  (0xc0100080, {24, 0, 0x40, 0, 1242564, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) == 0x0
 00421  1740   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 72, ) == 0x0
 00422  1740   NtDuplicateObject  (-1, -1, -1, 0x0, 0, 2, ... 76, ) == 0x0
 00423  1740   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 80, ) == 0x0
 00424  1740   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 84, ) == 0x0
 00425  1740   NtAllocateVirtualMemory  (-1, 8990720, 0, 8192, 4096, 4, ... 8990720, 8192, ) == 0x0
 00426  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10027008, 1048576, ) == 0x0
 00427  1740   NtAllocateVirtualMemory  (-1, 11067392, 0, 8192, 4096, 4, ... 11067392, 8192, ) == 0x0
 00428  1740   NtProtectVirtualMemory  (-1, (0xa8e000), 4096, 260, ... (0xa8e000), 4096, 4, ) == 0x0
 00429  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1241648, 1241592, 1, ... 88, {928, 860}, ) == 0x0
 00430  1740   NtQueryInformationThread  (88, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=928,Tid=860,}, 0x0, ) == 0x0
 00431  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 8978808}  (24, {28, 56, new_msg, 0, 0, 0, 0, 8978808} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\240\3\0\0\\3\0\0" ... {28, 56, reply, 0, 928, 1740, 57942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\240\3\0\0\\3\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57942, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 8978808} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\240\3\0\0\\3\0\0" ... {28, 56, reply, 0, 928, 1740, 57942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\240\3\0\0\\3\0\0" )  ) == 0x0
 00432  1740   NtResumeThread  (88, ... 1, ) == 0x0
 00433   860   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 92, ) == 0x0
 00434   860   NtWaitForSingleObject  (92, 0, 0x0, ...
 00435  1740   NtClose  (88, ... ) == 0x0
 00436  1740   NtSetEvent  (72, ... 0x0, ) == 0x0
 00437  1740   NtSetEvent  (52, ... 0x0, ) == 0x0
 00438  1740   NtClose  (52, ... ) == 0x0
 00439  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00440  1740   NtAllocateVirtualMemory  (-1, 8998912, 0, 4096, 4096, 4, ... 8998912, 4096, ) == 0x0
 00441  1740   NtDeviceIoControlFile  (56, 60, 0x0, 0x12f54c, 0x22414c,  (56, 60, 0x0, 0x12f54c, 0x22414c, "\224\365\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 00442  1740   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00443  1740   NtQueryValueKey  (-2147482740,  (-2147482740, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00444  1740   NtQueryValueKey  (-2147482740,  (-2147482740, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00445  1740   NtClose  (-2147482740, ... ) == 0x0
 00446  1740   NtClose  (908, ... ) == 0x0
 00441  1740   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "\250\33\257\341\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344e\0r\0IoNm\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00447  1740   NtSetEvent  (72, ... 0x0, ) == 0x0
 00448  1740   NtSetEvent  (52, ... 0x0, ) == 0x0
 00449  1740   NtClose  (52, ... ) == 0x0
 00450  1740   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00451  1740   NtOpenProcessToken  (-1, 0xa, ... 52, ) == 0x0
 00452  1740   NtDuplicateToken  (52, 0xc, {24, 0, 0x0, 0, 1242832, 0x0}, 0, 2, ... 96, ) == 0x0
 00453  1740   NtClose  (52, ... ) == 0x0
 00454  1740   NtAccessCheck  (1336312, 96, 0x1, 1242908, 1242960, 56, 1242940, ... (0x1), ) == 0x0
 00455  1740   NtClose  (96, ... ) == 0x0
 00456  1740   NtQueryDefaultUILanguage  (1241712, ...
 00457  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00458  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00459  1740   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00460  1740   NtClose  (-2147482740, ... ) == 0x0
 00461  1740   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00462  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00463  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00464  1740   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00465  1740   NtClose  (-2147481328, ... ) == 0x0
 00466  1740   NtClose  (-2147482740, ... ) == 0x0
 00456  1740   NtQueryDefaultUILanguage  ... ) == 0x0
 00467  1740   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00468  1740   NtQueryDefaultUILanguage  (2090319928, ...
 00469  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00470  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00471  1740   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00472  1740   NtClose  (-2147482740, ... ) == 0x0
 00473  1740   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00474  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00475  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00476  1740   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477  1740   NtClose  (-2147481328, ... ) == 0x0
 00478  1740   NtClose  (-2147482740, ... ) == 0x0
 00468  1740   NtQueryDefaultUILanguage  ... ) == 0x0
 00479  1740   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00480  1740   NtQueryDefaultLocale  (1, 1239808, ... ) == 0x0
 00481  1740   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00482  1740   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568}  (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 928, 1740, 57943, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 928, 1740, 57943, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 928, 1740, 57943, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" )  ) == 0x0
 00483  1740   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00484  1740   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00485  1740   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00486  1740   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00487  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1239036, ... ) }, 1239036, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00488  1740   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00489  1740   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00490  1740   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00491  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1239100, ... ) }, 1239100, ... ) == 0x0
 00492  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 96, {status=0x0, info=1}, ) }, 3, 33, ... 96, {status=0x0, info=1}, ) == 0x0
 00493  1740   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00494  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00495  1740   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 100, ) == 0x0
 00496  1740   NtClose  (52, ... ) == 0x0
 00497  1740   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xaa0000), 0x0, 1056768, ) == 0x0
 00498  1740   NtClose  (100, ... ) == 0x0
 00499  1740   NtUnmapViewOfSection  (-1, 0xaa0000, ... ) == 0x0
 00500  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00501  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 100, ... 52, ) == 0x0
 00502  1740   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00503  1740   NtClose  (100, ... ) == 0x0
 00504  1740   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 00505  1740   NtClose  (52, ... ) == 0x0
 00506  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00507  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00508  1740   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00509  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00510  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00511  1740   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00512  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00513  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00514  1740   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00515  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00516  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00517  1740   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00518  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00519  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00520  1740   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00521  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00522  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00523  1740   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00524  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00525  1740   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00526  1740   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00527  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00528  1740   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240580, ... ) , 42, 1240580, ... ) == 0x0
 00529  1740   NtQueryDefaultUILanguage  (1239264, ...
 00530  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00531  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00532  1740   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00533  1740   NtClose  (-2147482740, ... ) == 0x0
 00534  1740   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00535  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00536  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00537  1740   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538  1740   NtClose  (-2147481328, ... ) == 0x0
 00539  1740   NtClose  (-2147482740, ... ) == 0x0
 00529  1740   NtQueryDefaultUILanguage  ... ) == 0x0
 00540  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238104, ... ) }, 1238104, ... ) == 0x0
 00541  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00542  1740   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 100, ) == 0x0
 00543  1740   NtClose  (52, ... ) == 0x0
 00544  1740   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xaa0000), 0x0, 4096, ) == 0x0
 00545  1740   NtClose  (100, ... ) == 0x0
 00546  1740   NtUnmapViewOfSection  (-1, 0xaa0000, ... ) == 0x0
 00547  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237700, ... ) }, 1237700, ... ) == 0x0
 00548  1740   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238444,  (0x80100080, {24, 0, 0x40, 0, 1238444, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) == 0x0
 00549  1740   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 100, ... 52, ) == 0x0
 00550  1740   NtClose  (100, ... ) == 0x0
 00551  1740   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xaa0000), {0, 0}, 4096, ) == 0x0
 00552  1740   NtClose  (52, ... ) == 0x0
 00553  1740   NtUnmapViewOfSection  (-1, 0xaa0000, ... ) == 0x0
 00554  1740   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00555  1740   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 100, ) == 0x0
 00556  1740   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xaa0000), 0x0, 4096, ) == 0x0
 00557  1740   NtQueryInformationFile  (52, 1238096, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00558  1740   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00559  1740   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120}  (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 928, 1740, 57944, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 928, 1740, 57944, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 928, 1740, 57944, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" )  ) == 0x0
 00560  1740   NtClose  (52, ... ) == 0x0
 00561  1740   NtClose  (100, ... ) == 0x0
 00562  1740   NtUnmapViewOfSection  (-1, 0xaa0000, ... ) == 0x0
 00563  1740   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00564  1740   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00565  1740   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 00566  1740   NtUserGetDC  (0, ... ) == 0x1010051
 00567  1740   NtQueryVirtualMemory  (-1, 0x7c91ca50, Basic, 28, ... {BaseAddress=0x7c91c000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00568  1740   NtQueryVirtualMemory  (-1, 0x7c9163a8, Basic, 28, ... {BaseAddress=0x7c916000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x66000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00569  1740   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00570  1740   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00571  1740   NtContinue  (1238304, 0, ...
 00572  1740   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00573  1740   NtUnmapViewOfSection  (-1, 0x773d0000, ... ) == 0x0
 00574  1740   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00575  1740   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 00576  1740   NtClose  (96, ... ) == 0x0
 00577  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 96, ) }, ... 96, ) == 0x0
 00578  1740   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 00579  1740   NtClose  (96, ... ) == 0x0
 00580  1740   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00581  1740   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00582  1740   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00583  1740   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00584  1740   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00585  1740   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00586  1740   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00587  1740   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00588  1740   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00589  1740   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00590  1740   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00591  1740   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00592  1740   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00593  1740   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00594  1740   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00595  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00596  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00597  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11075584, 65536, ) == 0x0
 00598  1740   NtAllocateVirtualMemory  (-1, 11075584, 0, 4096, 4096, 4, ... 11075584, 4096, ) == 0x0
 00599  1740   NtAllocateVirtualMemory  (-1, 11079680, 0, 8192, 4096, 4, ... 11079680, 8192, ) == 0x0
 00600  1740   NtAllocateVirtualMemory  (-1, 11087872, 0, 4096, 4096, 4, ... 11087872, 4096, ) == 0x0
 00601  1740   NtAllocateVirtualMemory  (-1, 11091968, 0, 4096, 4096, 4, ... 11091968, 4096, ) == 0x0
 00602  1740   NtQueryDefaultUILanguage  (1238736, ...
 00603  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00604  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00605  1740   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00606  1740   NtClose  (-2147482740, ... ) == 0x0
 00607  1740   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00608  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00609  1740   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00610  1740   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00611  1740   NtClose  (-2147481328, ... ) == 0x0
 00612  1740   NtClose  (-2147482740, ... ) == 0x0
 00602  1740   NtQueryDefaultUILanguage  ... ) == 0x0
 00613  1740   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00614  1740   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00615  1740   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xac0000), 0x0, 618496, ) == 0x0
 00616  1740   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00617  1740   NtQueryDefaultLocale  (1, 1236832, ... ) == 0x0
 00618  1740   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00619  1740   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592}  (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0\340q\263\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 928, 1740, 57945, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0\340q\263\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 928, 1740, 57945, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0\340q\263\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 928, 1740, 57945, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1`\0\0\0\377\377\377\377\0\0\0\0\340q\263\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" )  ) == 0x0
 00620  1740   NtClose  (96, ... ) == 0x0
 00621  1740   NtClose  (100, ... ) == 0x0
 00622  1740   NtUnmapViewOfSection  (-1, 0xac0000, ... ) == 0x0
 00623  1740   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00624  1740   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {928, 0}, ... 100, ) == 0x0
 00625  1740   NtQueryInformationProcess  (100, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00626  1740   NtClose  (100, ... ) == 0x0
 00627  1740   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00628  1740   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 00629  1740   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 00630  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00631  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00632  1740   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00633  1740   NtClose  (100, ... ) == 0x0
 00634  1740   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00635  1740   NtOpenProcessToken  (-1, 0x8, ... 96, ) == 0x0
 00636  1740   NtAccessCheck  (1336312, 96, 0x1, 1239928, 1239980, 56, 1239960, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00637  1740   NtClose  (96, ... ) == 0x0
 00638  1740   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "Control Panel\Desktop"}, ... 96, ) }, ... 96, ) == 0x0
 00639  1740   NtQueryValueKey  (96,  (96, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00640  1740   NtClose  (96, ... ) == 0x0
 00641  1740   NtUserSystemParametersInfo  (41, 500, 1240108, 0, ... ) == 0x1
 00642  1740   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 00643  1740   NtClose  (100, ... ) == 0x0
 00644  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 00645  1740   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00646  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c03b
 00647  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c03d
 00648  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 00649  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c03f
 00650  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 00651  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c041
 00652  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 00653  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c043
 00654  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c045
 00655  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 00656  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c047
 00657  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 00658  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c049
 00659  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 00660  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c04b
 00661  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 00662  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c04d
 00663  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 00664  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c04f
 00665  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c051
 00666  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 00667  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c053
 00668  1740   NtUserFindExistingCursorIcon  (1239856, 1239872, 1239920, ... ) == 0x10011
 00669  1740   NtUserRegisterClassExWOW  (1239800, 1239868, 1239884, 1239900, 0, 384, 0, ... ) == 0x81b1c055
 00670  1740   NtUserFindExistingCursorIcon  (1239856, 1239872, 1239920, ... ) == 0x10011
 00671  1740   NtUserRegisterClassExWOW  (1239800, 1239868, 1239884, 1239900, 0, 384, 0, ... ) == 0x81b1c057
 00672  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 00673  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c059
 00674  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10013
 00675  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c05b
 00676  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 00677  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c05d
 00678  1740   NtUserFindExistingCursorIcon  (1239860, 1239876, 1239924, ... ) == 0x10011
 00679  1740   NtUserRegisterClassExWOW  (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x81b1c05f
 00680  1740   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00681  1740   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00682  1740   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00683  1740   NtClose  (100, ... ) == 0x0
 00684  1740   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00685  1740   NtSetInformationObject  (100, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00686  1740   NtCreateKey  (0x2001f, {24, 100, 0x40, 0, 0,  (0x2001f, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00687  1740   NtSetEventBoostPriority  (92, ...
 00434   860   NtWaitForSingleObject  ... ) == 0x0
 00688   860   NtTestAlert  (... ) == 0x0
 00689   860   NtContinue  (11074864, 1, ...
 00690   860   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00691   860   NtDeviceIoControlFile  (68, 80, 0x0, 0x77e466a0, 0x228144,  (68, 80, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0L\0\0\0\0\0\0\0X\0\0\0\0\0\0\0@\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 00687  1740   NtSetEventBoostPriority  ... ) == 0x0
 00692  1740   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00693  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242908, ... }, 1242908, ...
 00694   860   NtWaitForMultipleObjects  (2, (72, 80, ), 1, 1, {1294967296, -1}, ... ) == 0x0
 00695   860   NtDeviceIoControlFile  (68, 84, 0x0, 0x77e46680, 0x228144,  (68, 84, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0L\0\0\0\0\0\0\0X\0\0\0\0\0\0\0@\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 00696   860   NtWaitForMultipleObjects  (2, (72, 84, ), 1, 1, {1294967296, -1}, ...
 00693  1740   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00697  1740   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00698  1740   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00699  1740   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 104, ) == 0x0
 00700  1740   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00701  1740   NtClose  (52, ... ) == 0x0
 00702  1740   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0
 00703  1740   NtClose  (104, ... ) == 0x0
 00704  1740   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00705  1740   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00706  1740   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00707  1740   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00708  1740   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00709  1740   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00710  1740   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00711  1740   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00712  1740   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00713  1740   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00714  1740   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00715  1740   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00716  1740   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00717  1740   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00718  1740   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00719  1740   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00720  1740   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00721  1740   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00722  1740   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00723  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00724  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11272192, 65536, ) == 0x0
 00725  1740   NtAllocateVirtualMemory  (-1, 11272192, 0, 4096, 4096, 4, ... 11272192, 4096, ) == 0x0
 00726  1740   NtAllocateVirtualMemory  (-1, 11276288, 0, 8192, 4096, 4, ... 11276288, 8192, ) == 0x0
 00727  1740   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 104, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 104, {status=0x0, info=0}, ) == 0x0
 00728  1740   NtCreateFile  (0x40000000, {24, 0, 0x40, 0, 0,  (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 52, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 52, {status=0x0, info=0}, ) == 0x0
 00729  1740   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 108, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 108, {status=0x0, info=0}, ) == 0x0
 00730  1740   NtCreateFile  (0x100003, {24, 0, 0x40, 0, 0,  (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 112, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 112, {status=0x0, info=0}, ) == 0x0
 00731  1740   NtCreateFile  (0x20100080, {24, 0, 0x40, 0, 1242836,  (0x20100080, {24, 0, 0x40, 0, 1242836, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 116, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 116, {status=0x0, info=0}, ) == 0x0
 00732  1740   NtAllocateVirtualMemory  (-1, 11284480, 0, 36864, 4096, 4, ... 11284480, 36864, ) == 0x0
 00733  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00734  1740   NtDeviceIoControlFile  (104, 120, 0x0, 0x0, 0x120003,  (104, 120, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (104, 120, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 00735  1740   NtClose  (120, ... ) == 0x0
 00736  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00737  1740   NtDeviceIoControlFile  (104, 120, 0x0, 0x0, 0x120003,  (104, 120, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118},  (104, 120, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0
 00738  1740   NtClose  (120, ... ) == 0x0
 00739  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00740  1740   NtDeviceIoControlFile  (104, 120, 0x0, 0x0, 0x120003,  (104, 120, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363\241\201\1\0\0\0\5\0\0\0\232A\250\25\324\207>\3\251\274\0\0\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0}\371%\0\203B\0\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158},  (104, 120, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363\241\201\1\0\0\0\5\0\0\0\232A\250\25\324\207>\3\251\274\0\0\362\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0}\371%\0\203B\0\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0
 00741  1740   NtClose  (120, ... ) == 0x0
 00742  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00743  1740   NtDeviceIoControlFile  (104, 120, 0x0, 0x0, 0x120003,  (104, 120, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (104, 120, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 00744  1740   NtClose  (120, ... ) == 0x0
 00745  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00746  1740   NtDeviceIoControlFile  (104, 120, 0x0, 0x0, 0x120003,  (104, 120, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4},  (104, 120, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0
 00747  1740   NtClose  (120, ... ) == 0x0
 00748  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00749  1740   NtDeviceIoControlFile  (104, 120, 0x0, 0x0, 0x120003,  (104, 120, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8},  (104, 120, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0
 00750  1740   NtClose  (120, ... ) == 0x0
 00751  1740   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 120, ) == 0x0
 00752  1740   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 124, ) == 0x0
 00753  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00754  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00755  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00756  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00757  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00758  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00759  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00760  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00761  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00762  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00763  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00764  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00765  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00766  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00767  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00768  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00769  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00770  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00771  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00772  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00773  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00774  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00775  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00776  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00777  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00778  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00779  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00780  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00781  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00782  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00783  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00784  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00785  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00786  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00787  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00788  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00789  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00790  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00791  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00792  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00793  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00794  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00795  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00796  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00797  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00798  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00799  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00800  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00801  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00802  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00803  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00804  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00805  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00806  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00807  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00808  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00809  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00810  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00811  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00812  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00813  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00814  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00815  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00816  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00817  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00818  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00819  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00820  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00821  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00822  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00823  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00824  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00825  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00826  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00827  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00828  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00829  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00830  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00831  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00832  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00833  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00834  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00835  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00836  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00837  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00838  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00839  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00840  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00841  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00842  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00843  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00844  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00845  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00846  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00847  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00848  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00849  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00850  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00851  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00852  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00853  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00854  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00855  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00856  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00857  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00858  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00859  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00860  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00861  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00862  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00863  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00864  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00865  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00866  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00867  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00868  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00869  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00870  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00871  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00872  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00873  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00874  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00875  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 1, 4096, 4, ... 11337728, 4096, ) == 0x0
 00876  1740   NtQueryVirtualMemory  (-1, 0xad0000, Basic, 28, ... {BaseAddress=0xad0000,AllocationBase=0xad0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00877  1740   NtFreeVirtualMemory  (-1, (0xad0000), 0, 32768, ... (0xad0000), 65536, ) == 0x0
 00878  1740   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 128, ) }, ... 128, ) == 0x0
 00879  1740   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 132, ) }, ... 132, ) == 0x0
 00880  1740   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 136, ) }, ... 136, ) == 0x0
 00881  1740   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 140, ) }, ... 140, ) == 0x0
 00882  1740   NtQueryDefaultLocale  (1, 1242816, ... ) == 0x0
 00883  1740   NtFreeVirtualMemory  (-1, (0x850000), 0, 32768, ... (0x850000), 28672, ) == 0x0
 00884  1740   NtFreeVirtualMemory  (-1, (0x320147), 0, 32768, ... (0x320000), 4096, ) == 0x0
 00885  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00886  1740   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00887  1740   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00888  1740   NtAllocateVirtualMemory  (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0
 00889  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11337728, 1048576, ) == 0x0
 00890  1740   NtAllocateVirtualMemory  (-1, 11337728, 0, 32768, 4096, 4, ... 11337728, 32768, ) == 0x0
 00891  1740   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 144, ) }, ... 144, ) == 0x0
 00892  1740   NtQueryValueKey  (144,  (144, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00893  1740   NtQueryValueKey  (144,  (144, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (144, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00894  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 148, ) == 0x0
 00895  1740   NtOpenKey  (0x2000000, {24, 144, 0x40, 0, 0,  (0x2000000, {24, 144, 0x40, 0, 0, "Protocol_Catalog9"}, ... 152, ) }, ... 152, ) == 0x0
 00896  1740   NtQueryValueKey  (152,  (152, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00897  1740   NtNotifyChangeKey  (152, 148, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00898  1740   NtQueryValueKey  (152,  (152, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00899  1740   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00900  1740   NtQueryValueKey  (152,  (152, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00901  1740   NtQueryValueKey  (152,  (152, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00902  1740   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "Catalog_Entries"}, ... 156, ) }, ... 156, ) == 0x0
 00903  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000001"}, ... 160, ) }, ... 160, ) == 0x0
 00904  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00905  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00906  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\213\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\213\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\214\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\215\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\213\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\213\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\214\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\215\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\213\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\213\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\214\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\215\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00907  1740   NtClose  (160, ... ) == 0x0
 00908  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000002"}, ... 160, ) }, ... 160, ) == 0x0
 00909  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00910  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00911  1740   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00912  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\221\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\221\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\222\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\223\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\221\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\221\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\222\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\223\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\221\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\221\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\222\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\223\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00913  1740   NtClose  (160, ... ) == 0x0
 00914  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000003"}, ... 160, ) }, ... 160, ) == 0x0
 00915  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00916  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00917  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\226\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\226\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\227\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\230\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\226\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\226\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\227\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\230\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\226\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\226\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\227\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\230\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00918  1740   NtClose  (160, ... ) == 0x0
 00919  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000004"}, ... 160, ) }, ... 160, ) == 0x0
 00920  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00921  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00922  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\233\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\233\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\234\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\235\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\233\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\233\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\234\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\235\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\233\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\233\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\234\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\235\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00923  1740   NtClose  (160, ... ) == 0x0
 00924  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000005"}, ... 160, ) }, ... 160, ) == 0x0
 00925  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00926  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00927  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\240\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\240\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\241\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\242\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\240\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\240\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\241\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\242\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\240\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\240\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\241\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\242\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00928  1740   NtClose  (160, ... ) == 0x0
 00929  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000006"}, ... 160, ) }, ... 160, ) == 0x0
 00930  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00931  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00932  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\245\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\245\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\246\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\247\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\245\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\245\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\246\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\247\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\245\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\245\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\246\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\246\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\247\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\247\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\250\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00933  1740   NtClose  (160, ... ) == 0x0
 00934  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000007"}, ... 160, ) }, ... 160, ) == 0x0
 00935  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00936  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00937  1740   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00938  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\253\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\253\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\254\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\255\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\253\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\253\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\254\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\255\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\253\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\253\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\254\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\255\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00939  1740   NtClose  (160, ... ) == 0x0
 00940  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000008"}, ... 160, ) }, ... 160, ) == 0x0
 00941  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00942  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00943  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\260\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\260\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\261\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\262\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\260\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\260\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\261\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\262\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\260\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\260\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\261\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\262\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00944  1740   NtClose  (160, ... ) == 0x0
 00945  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000009"}, ... 160, ) }, ... 160, ) == 0x0
 00946  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00947  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00948  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\265\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\265\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\266\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\267\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\265\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\265\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\266\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\267\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\265\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\265\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\266\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\267\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00949  1740   NtClose  (160, ... ) == 0x0
 00950  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000010"}, ... 160, ) }, ... 160, ) == 0x0
 00951  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00952  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00953  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\272\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\272\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\273\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\274\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\272\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\272\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\273\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\274\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\272\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\272\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\273\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\274\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00954  1740   NtClose  (160, ... ) == 0x0
 00955  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000011"}, ... 160, ) }, ... 160, ) == 0x0
 00956  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00957  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00958  1740   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00959  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\300\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\300\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\301\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\302\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\300\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\300\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\301\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\302\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\300\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\300\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\301\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\302\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00960  1740   NtClose  (160, ... ) == 0x0
 00961  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000012"}, ... 160, ) }, ... 160, ) == 0x0
 00962  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00963  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00964  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\305\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\305\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\306\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\307\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\305\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\305\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\306\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\307\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\305\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\305\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\306\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\307\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00965  1740   NtClose  (160, ... ) == 0x0
 00966  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000013"}, ... 160, ) }, ... 160, ) == 0x0
 00967  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00968  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00969  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\312\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\312\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\313\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\314\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\312\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\312\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\313\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\314\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\312\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\312\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\313\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\314\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00970  1740   NtClose  (160, ... ) == 0x0
 00971  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000014"}, ... 160, ) }, ... 160, ) == 0x0
 00972  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00973  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00974  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\317\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\317\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\320\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\321\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\317\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\317\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\320\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\321\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\317\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\317\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\320\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\321\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\321\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00975  1740   NtClose  (160, ... ) == 0x0
 00976  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000015"}, ... 160, ) }, ... 160, ) == 0x0
 00977  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00978  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00979  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\324\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\324\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\325\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\326\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\324\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\324\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\325\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\326\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\324\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\324\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\325\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\326\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\326\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00980  1740   NtClose  (160, ... ) == 0x0
 00981  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000016"}, ... 160, ) }, ... 160, ) == 0x0
 00982  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00983  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00984  1740   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00985  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\332\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\332\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\333\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\334\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\334\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\332\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\332\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\333\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\334\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\334\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\334\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\332\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\332\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\333\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\334\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\334\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00986  1740   NtClose  (160, ... ) == 0x0
 00987  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000017"}, ... 160, ) }, ... 160, ) == 0x0
 00988  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00989  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00990  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\337\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\337\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\340\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\341\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\337\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\337\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\340\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\341\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\337\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\337\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\340\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\340\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\341\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\341\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00991  1740   NtClose  (160, ... ) == 0x0
 00992  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000018"}, ... 160, ) }, ... 160, ) == 0x0
 00993  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00994  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00995  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\344\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\344\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\345\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\345\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\346\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\344\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\344\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\345\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\345\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\346\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\344\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\344\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\345\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\345\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\346\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\346\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\347\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00996  1740   NtClose  (160, ... ) == 0x0
 00997  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000019"}, ... 160, ) }, ... 160, ) == 0x0
 00998  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00999  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01000  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\351\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\351\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\352\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\353\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\351\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\351\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\352\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\353\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\351\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\351\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\352\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\353\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\353\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01001  1740   NtClose  (160, ... ) == 0x0
 01002  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000020"}, ... 160, ) }, ... 160, ) == 0x0
 01003  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01004  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01005  1740   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 01006  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\357\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\357\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\360\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\361\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\357\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\357\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\360\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\361\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\357\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\357\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\360\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\361\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01007  1740   NtClose  (160, ... ) == 0x0
 01008  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000021"}, ... 160, ) }, ... 160, ) == 0x0
 01009  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01010  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01011  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\364\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\364\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\365\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\365\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\366\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\366\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\367\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\364\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\364\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\365\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\365\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\366\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\366\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\367\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\366\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\367\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0 (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\364\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\364\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\365\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\234\0\0\0h\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00k\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\365\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\240\0\0\0\366\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\366\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\367\3\0\0\240\3\0\0\314\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\240\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 01012  1740   NtClose  (160, ... ) == 0x0
 01013  1740   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "000000000022"}, ... 160, ) }, ... 160, ) == 0x0
 01014  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01015  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01016  1740   NtQueryValueKey  (160,  (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\371\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\371\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\234\0\0\0\372\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0\240\3\0\0\314\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\224\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\373\3\0\0\240\3\0\0\314\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\374\3\0\0\240\3\0\0\314\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\374\3\0\0\240\3\0\0\314\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\234\0\0\0\375\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\220\0\0\0\220\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0pr\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (160, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\371\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\371\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\234\0\0\0\372\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0\240\3\0\0\314\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\224\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\373\3\0\0\240\3\0\0\314\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\374\3\0\0\240\3\0\0\314\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\374\3\0\0\240\3\0\0\314\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\234\0\0\0\375\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\220\0\0\0\220\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0pr\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\371\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\240\0\0\0\371\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\234\0\0\0\372\3\0\0\240\3\0\0\314\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0\240\3\0\0\314\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\224\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\373\3\0\0\240\3\0\0\314\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\374\3\0\0\240\3\0\0\314\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\374\3\0\0\240\3\0\0\314\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\234\0\0\0\375\3\0\0\240\3\0\0\314\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\220\0\0\0\220\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0pr\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 01017  1740   NtClose  (160, ... ) == 0x0
 01018  1740   NtClose  (156, ... ) == 0x0
 01019  1740   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x102
 01020  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 156, ) == 0x0
 01021  1740   NtOpenKey  (0x2000000, {24, 144, 0x40, 0, 0,  (0x2000000, {24, 144, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 160, ) }, ... 160, ) == 0x0
 01022  1740   NtQueryValueKey  (160,  (160, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 01023  1740   NtNotifyChangeKey  (160, 156, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 01024  1740   NtQueryValueKey  (160,  (160, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 01025  1740   NtOpenKey  (0x2000000, {24, 160, 0x40, 0, 0,  (0x2000000, {24, 160, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026  1740   NtQueryValueKey  (160,  (160, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01027  1740   NtOpenKey  (0x2000000, {24, 160, 0x40, 0, 0,  (0x2000000, {24, 160, 0x40, 0, 0, "Catalog_Entries"}, ... 164, ) }, ... 164, ) == 0x0
 01028  1740   NtOpenKey  (0x20019, {24, 164, 0x40, 0, 0,  (0x20019, {24, 164, 0x40, 0, 0, "000000000001"}, ... 168, ) }, ... 168, ) == 0x0
 01029  1740   NtQueryValueKey  (168,  (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01030  1740   NtQueryValueKey  (168,  (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01031  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01032  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01033  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01034  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01035  1740   NtQueryValueKey  (168,  (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 01036  1740   NtQueryValueKey  (168,  (168, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01037  1740   NtQueryValueKey  (168,  (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 01038  1740   NtQueryValueKey  (168,  (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01039  1740   NtQueryValueKey  (168,  (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01040  1740   NtQueryValueKey  (168,  (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01041  1740   NtClose  (168, ... ) == 0x0
 01042  1740   NtOpenKey  (0x20019, {24, 164, 0x40, 0, 0,  (0x20019, {24, 164, 0x40, 0, 0, "000000000002"}, ... 168, ) }, ... 168, ) == 0x0
 01043  1740   NtQueryValueKey  (168,  (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01044  1740   NtQueryValueKey  (168,  (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01045  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01046  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01047  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01048  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01049  1740   NtQueryValueKey  (168,  (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01050  1740   NtQueryValueKey  (168,  (168, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01051  1740   NtQueryValueKey  (168,  (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01052  1740   NtQueryValueKey  (168,  (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01053  1740   NtQueryValueKey  (168,  (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01054  1740   NtQueryValueKey  (168,  (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01055  1740   NtClose  (168, ... ) == 0x0
 01056  1740   NtOpenKey  (0x20019, {24, 164, 0x40, 0, 0,  (0x20019, {24, 164, 0x40, 0, 0, "000000000003"}, ... 168, ) }, ... 168, ) == 0x0
 01057  1740   NtQueryValueKey  (168,  (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01058  1740   NtQueryValueKey  (168,  (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01059  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01060  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01061  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01062  1740   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01063  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01064  1740   NtQueryValueKey  (168,  (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01065  1740   NtQueryValueKey  (168,  (168, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01066  1740   NtQueryValueKey  (168,  (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01067  1740   NtQueryValueKey  (168,  (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01068  1740   NtQueryValueKey  (168,  (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01069  1740   NtQueryValueKey  (168,  (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01070  1740   NtClose  (168, ... ) == 0x0
 01071  1740   NtOpenKey  (0x20019, {24, 164, 0x40, 0, 0,  (0x20019, {24, 164, 0x40, 0, 0, "000000000004"}, ... 168, ) }, ... 168, ) == 0x0
 01072  1740   NtQueryValueKey  (168,  (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01073  1740   NtQueryValueKey  (168,  (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01074  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01075  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01076  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01077  1740   NtQueryValueKey  (168,  (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01078  1740   NtQueryValueKey  (168,  (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (168, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 01079  1740   NtQueryValueKey  (168,  (168, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01080  1740   NtQueryValueKey  (168,  (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01081  1740   NtQueryValueKey  (168,  (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01082  1740   NtQueryValueKey  (168,  (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01083  1740   NtQueryValueKey  (168,  (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01084  1740   NtClose  (168, ... ) == 0x0
 01085  1740   NtClose  (164, ... ) == 0x0
 01086  1740   NtWaitForSingleObject  (156, 0, {0, 0}, ... ) == 0x102
 01087  1740   NtClose  (144, ... ) == 0x0
 01088  1740   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01089  1740   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01090  1740   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 144, ) }, ... 144, ) == 0x0
 01091  1740   NtQueryValueKey  (144,  (144, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092  1740   NtClose  (144, ... ) == 0x0
 01093  1740   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 144, ) == 0x0
 01094  1740   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241640,  (0x80100080, {24, 0, 0x40, 0, 1241640, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0
 01095  1740   NtQueryInformationFile  (164, 1242076, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01096  1740   NtQueryInformationFile  (164, 1241992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01097  1740   NtQueryInformationFile  (164, 1241808, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01098  1740   NtAllocateVirtualMemory  (-1, 1368064, 0, 8192, 4096, 4, ... 1368064, 8192, ) == 0x0
 01099  1740   NtQueryInformationFile  (164, 1365424, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01100  1740   NtQueryInformationFile  (164, 1240256, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01101  1740   NtQueryInformationFile  (164, 1240532, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01102  1740   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240408,  (0x40110080, {24, 0, 0x40, 0, 1240408, "\??\C:\WINDOWS\lsasss.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01103  1740   NtClose  (-2147482740, ... ) == 0x0
 01102  1740   NtCreateFile  ... 168, {status=0x0, info=2}, ) == 0x0
 01104  1740   NtQueryVolumeInformationFile  (168, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01105  1740   NtQueryInformationFile  (168, 1240144, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01106  1740   NtQueryVolumeInformationFile  (164, 1240560, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01107  1740   NtSetInformationFile  (168, 1240460, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01108  1740   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 164, ... 172, ) == 0x0
 01109  1740   NtMapViewOfSection  (172, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x850000), {0, 0}, 16384, ) == 0x0
 01110  1740   NtClose  (172, ... ) == 0x0
 01111  1740   NtWriteFile  (168, 0, 0, 0,  (168, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0i8\366\222-Y\230\301-Y\230\301-Y\230\301\256Q\305\301/Y\230\301-Y\230\301.Y\230\301\305F\222\3017Y\230\301\256E\226\301&Y\230\301-Y\231\301}Y\230\301OF\213\301$Y\230\301\305F\223\301)Y\230\301Rich-Y\230\301\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\2\0\6\302\226@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0.)\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24\200\0\0\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0p\0\0\0\20\0\0\02\0\0", 15872, 0x0, 0, ... {status=0x0, info=15872}, ) \0\0\0\0\0\0.)\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24\200\0\0\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0p\0\0\0\20\0\0\02\0\0", 15872, 0x0, 0, ... {status=0x0, info=15872}, ) == 0x0
 01112  1740   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 01113  1740   NtSetInformationFile  (168, 1241808, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01114  1740   NtClose  (164, ... ) == 0x0
 01115  1740   NtClose  (168, ... ) == 0x0
 01116  1740   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 168, ) }, ... 168, ) == 0x0
 01117  1740   NtSetValueKey  (168,  (168, "lsasss.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0l\0s\0a\0s\0s\0s\0.\0e\0x\0e\0\0\0", 44, ... , 0, 1,  (168, "lsasss.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0l\0s\0a\0s\0s\0s\0.\0e\0x\0e\0\0\0", 44, ... , 44, ...
 01118  1740   NtSetInformationFile  (-2147482448, -139610320, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01119  1740   NtSetInformationFile  (-2147482448, -139610412, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01120  1740   NtSetInformationFile  (-2147482448, -139610720, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01117  1740   NtSetValueKey  ... ) == 0x0
 01121  1740   NtClose  (168, ... ) == 0x0
 01122  1740   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 168, ) }, ... 168, ) == 0x0
 01123  1740   NtDeleteValueKey  (168,  (168, "ssgrate.exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01124  1740   NtClose  (168, ... ) == 0x0
 01125  1740   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 168, ) }, ... 168, ) == 0x0
 01126  1740   NtDeleteValueKey  (168,  (168, "drvsys.exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01127  1740   NtClose  (168, ... ) == 0x0
 01128  1740   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 168, ) }, ... 168, ) == 0x0
 01129  1740   NtDeleteValueKey  (168,  (168, "Drvddll_exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01130  1740   NtClose  (168, ... ) == 0x0
 01131  1740   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "SkynetNotice"}, 0, ... 168, ) }, 0, ... 168, ) == 0x0
 01132  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12386304, 1048576, ) == 0x0
 01133  1740   NtAllocateVirtualMemory  (-1, 13426688, 0, 8192, 4096, 4, ... 13426688, 8192, ) == 0x0
 01134  1740   NtProtectVirtualMemory  (-1, (0xcce000), 4096, 260, ... (0xcce000), 4096, 4, ) == 0x0
 01135  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 164, {928, 1580}, ) == 0x0
 01136  1740   NtQueryInformationThread  (164, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=928,Tid=1580,}, 0x0, ) == 0x0
 01137  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\240\3\0\0,\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\240\3\0\0,\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57948, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\240\3\0\0,\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\240\3\0\0,\6\0\0" )  ) == 0x0
 01138  1740   NtResumeThread  (164, ... 1, ) == 0x0
 01139  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13434880, 1048576, ) == 0x0
 01140  1740   NtAllocateVirtualMemory  (-1, 14475264, 0, 8192, 4096, 4, ... 14475264, 8192, ) == 0x0
 01141  1580   NtTestAlert  (... ) == 0x0
 01142  1580   NtContinue  (13434160, 1, ...
 01143  1580   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01144  1580   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 172, ) == 0x0
 01145  1580   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x102
 01146  1580   NtAllocateVirtualMemory  (-1, 13422592, 0, 4096, 4096, 260, ...
 01147  1740   NtProtectVirtualMemory  (-1, (0xdce000), 4096, 260, ... (0xdce000), 4096, 4, ) == 0x0
 01148  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 176, {928, 1756}, ) == 0x0
 01149  1740   NtQueryInformationThread  (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=928,Tid=1756,}, 0x0, ) == 0x0
 01150  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57948, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\240\3\0\0\334\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\240\3\0\0\334\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57949, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\240\3\0\0\334\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\0\0\0\240\3\0\0\334\6\0\0" )  ) == 0x0
 01151  1740   NtResumeThread  (176, ... 1, ) == 0x0
 01152  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01146  1580   NtAllocateVirtualMemory  ... 13422592, 4096, ) == 0x0
 01153  1756   NtWaitForSingleObject  (92, 0, 0x0, ...
 01154  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13431284, ... ) }, 13431284, ... ) == 0x0
 01155  1580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0
 01156  1580   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 180, ... 184, ) == 0x0
 01157  1580   NtClose  (180, ... ) == 0x0
 01158  1580   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdd0000), 0x0, 245760, ) == 0x0
 01159  1580   NtClose  (184, ...
 01152  1740   NtAllocateVirtualMemory  ... 14745600, 1048576, ) == 0x0
 01160  1740   NtAllocateVirtualMemory  (-1, 15785984, 0, 8192, 4096, 4, ... 15785984, 8192, ) == 0x0
 01161  1740   NtProtectVirtualMemory  (-1, (0xf0e000), 4096, 260, ... (0xf0e000), 4096, 4, ) == 0x0
 01162  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 180, {928, 1292}, ) == 0x0
 01163  1740   NtQueryInformationThread  (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=928,Tid=1292,}, 0x0, ) == 0x0
 01164  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57949, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\240\3\0\0\14\5\0\0" ... {28, 56, reply, 0, 928, 1740, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\240\3\0\0\14\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57950, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\240\3\0\0\14\5\0\0" ... {28, 56, reply, 0, 928, 1740, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\0\0\0\240\3\0\0\14\5\0\0" )  ) == 0x0
 01159  1580   NtClose  ... ) == 0x0
 01165  1740   NtResumeThread  (180, ... 1, ) == 0x0
 01166  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15794176, 1048576, ) == 0x0
 01167  1740   NtAllocateVirtualMemory  (-1, 16834560, 0, 8192, 4096, 4, ... 16834560, 8192, ) == 0x0
 01168  1580   NtUnmapViewOfSection  (-1, 0xdd0000, ...
 01169  1292   NtWaitForSingleObject  (92, 0, 0x0, ...
 01168  1580   NtUnmapViewOfSection  ... ) == 0x0
 01170  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13431592, ... ) }, 13431592, ... ) == 0x0
 01171  1580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01172  1580   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 184, ... 188, ) == 0x0
 01173  1580   NtQuerySection  (188, Image, 48, ...
 01174  1740   NtProtectVirtualMemory  (-1, (0x100e000), 4096, 260, ... (0x100e000), 4096, 4, ) == 0x0
 01175  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 192, {928, 1956}, ) == 0x0
 01176  1740   NtQueryInformationThread  (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=928,Tid=1956,}, 0x0, ) == 0x0
 01177  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57950, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\240\3\0\0\244\7\0\0" ... {28, 56, reply, 0, 928, 1740, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\240\3\0\0\244\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57951, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\240\3\0\0\244\7\0\0" ... {28, 56, reply, 0, 928, 1740, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\240\3\0\0\244\7\0\0" )  ) == 0x0
 01178  1740   NtResumeThread  (192, ... 1, ) == 0x0
 01179  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01173  1580   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01180  1956   NtWaitForSingleObject  (92, 0, 0x0, ...
 01181  1580   NtClose  (184, ... ) == 0x0
 01182  1580   NtMapViewOfSection  (188, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 01183  1580   NtClose  (188, ... ) == 0x0
 01184  1580   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01185  1580   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ...
 01179  1740   NtAllocateVirtualMemory  ... 16842752, 1048576, ) == 0x0
 01186  1740   NtAllocateVirtualMemory  (-1, 17883136, 0, 8192, 4096, 4, ... 17883136, 8192, ) == 0x0
 01187  1740   NtProtectVirtualMemory  (-1, (0x110e000), 4096, 260, ... (0x110e000), 4096, 4, ) == 0x0
 01188  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 188, {928, 1980}, ) == 0x0
 01189  1740   NtQueryInformationThread  (188, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=928,Tid=1980,}, 0x0, ) == 0x0
 01190  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57951, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\240\3\0\0\274\7\0\0" ... {28, 56, reply, 0, 928, 1740, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\240\3\0\0\274\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57952, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\240\3\0\0\274\7\0\0" ... {28, 56, reply, 0, 928, 1740, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0\240\3\0\0\274\7\0\0" )  ) == 0x0
 01185  1580   NtProtectVirtualMemory  ... (0x71a51000), 4096, 4, ) == 0x0
 01191  1580   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01192  1580   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01193  1580   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01194  1580   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01195  1580   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01196  1580   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ...
 01197  1740   NtResumeThread  (188, ... 1, ) == 0x0
 01198  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17891328, 1048576, ) == 0x0
 01199  1740   NtAllocateVirtualMemory  (-1, 18931712, 0, 8192, 4096, 4, ... 18931712, 8192, ) == 0x0
 01200  1740   NtProtectVirtualMemory  (-1, (0x120e000), 4096, 260, ... (0x120e000), 4096, 4, ) == 0x0
 01201  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 184, {928, 1784}, ) == 0x0
 01202  1740   NtQueryInformationThread  (184, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=928,Tid=1784,}, 0x0, ) == 0x0
 01196  1580   NtProtectVirtualMemory  ... (0x71a51000), 4096, 4, ) == 0x0
 01203  1980   NtWaitForSingleObject  (92, 0, 0x0, ...
 01204  1580   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01205  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57952, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\240\3\0\0\370\6\0\0" ...  ...
 01206  1580   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01207  1580   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01208  1580   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01209  1580   NtSetEventBoostPriority  (92, ...
 01205  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57953, 0}  ... {28, 56, reply, 0, 928, 1740, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\240\3\0\0\370\6\0\0" )  ) == 0x0
 01210  1740   NtResumeThread  (184, ... 1, ) == 0x0
 01211  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18939904, 1048576, ) == 0x0
 01212  1740   NtAllocateVirtualMemory  (-1, 19980288, 0, 8192, 4096, 4, ... 19980288, 8192, ) == 0x0
 01213  1740   NtProtectVirtualMemory  (-1, (0x130e000), 4096, 260, ... (0x130e000), 4096, 4, ) == 0x0
 01214  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01153  1756   NtWaitForSingleObject  ... ) == 0x0
 01209  1580   NtSetEventBoostPriority  ... ) == 0x0
 01215  1784   NtWaitForSingleObject  (92, 0, 0x0, ...
 01216  1756   NtSetEventBoostPriority  (92, ...
 01217  1580   NtWaitForSingleObject  (92, 0, 0x0, ...
 01169  1292   NtWaitForSingleObject  ... ) == 0x0
 01216  1756   NtSetEventBoostPriority  ... ) == 0x0
 01218  1292   NtSetEventBoostPriority  (92, ...
 01214  1740   NtCreateThread  ... 196, {928, 1480}, ) == 0x0
 01180  1956   NtWaitForSingleObject  ... ) == 0x0
 01218  1292   NtSetEventBoostPriority  ... ) == 0x0
 01219  1956   NtSetEventBoostPriority  (92, ...
 01220  1740   NtQueryInformationThread  (196, Basic, 28, ...
 01221  1756   NtTestAlert  (...
 01203  1980   NtWaitForSingleObject  ... ) == 0x0
 01219  1956   NtSetEventBoostPriority  ... ) == 0x0
 01220  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=928,Tid=1480,}, 0x0, ) == 0x0
 01222  1980   NtSetEventBoostPriority  (92, ...
 01221  1756   NtTestAlert  ... ) == 0x0
 01223  1292   NtTestAlert  (...
 01215  1784   NtWaitForSingleObject  ... ) == 0x0
 01222  1980   NtSetEventBoostPriority  ... ) == 0x0
 01224  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57953, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\240\3\0\0\310\5\0\0" ...  ...
 01225  1756   NtContinue  (14482736, 1, ...
 01226  1784   NtSetEventBoostPriority  (92, ...
 01223  1292   NtTestAlert  ... ) == 0x0
 01227  1956   NtTestAlert  (...
 01224  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57954, 0}  ... {28, 56, reply, 0, 928, 1740, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\240\3\0\0\310\5\0\0" )  ) == 0x0
 01217  1580   NtWaitForSingleObject  ... ) == 0x0
 01226  1784   NtSetEventBoostPriority  ... ) == 0x0
 01228  1756   NtRegisterThreadTerminatePort  (24, ...
 01229  1292   NtContinue  (15793456, 1, ...
 01227  1956   NtTestAlert  ... ) == 0x0
 01230  1980   NtTestAlert  (...
 01231  1580   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01232  1740   NtResumeThread  (196, ...
 01228  1756   NtRegisterThreadTerminatePort  ... ) == 0x0
 01233  1292   NtRegisterThreadTerminatePort  (24, ...
 01234  1956   NtContinue  (16842032, 1, ...
 01231  1580   NtCreateEvent  ... 200, ) == 0x0
 01230  1980   NtTestAlert  ... ) == 0x0
 01232  1740   NtResumeThread  ... 1, ) == 0x0
 01235  1756   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01233  1292   NtRegisterThreadTerminatePort  ... ) == 0x0
 01236  1956   NtRegisterThreadTerminatePort  (24, ...
 01237  1784   NtTestAlert  (...
 01238  1480   NtTestAlert  (...
 01239  1980   NtContinue  (17890608, 1, ...
 01240  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01241  1580   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 01242  1292   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01236  1956   NtRegisterThreadTerminatePort  ... ) == 0x0
 01237  1784   NtTestAlert  ... ) == 0x0
 01238  1480   NtTestAlert  ... ) == 0x0
 01243  1980   NtRegisterThreadTerminatePort  (24, ...
 01240  1740   NtAllocateVirtualMemory  ... 19988480, 1048576, ) == 0x0
 01241  1580   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01244  1956   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01245  1784   NtContinue  (18939184, 1, ...
 01246  1480   NtContinue  (19987760, 1, ...
 01243  1980   NtRegisterThreadTerminatePort  ... ) == 0x0
 01247  1740   NtAllocateVirtualMemory  (-1, 21028864, 0, 8192, 4096, 4, ...
 01248  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 13431204, ... }, 13431204, ...
 01249  1784   NtRegisterThreadTerminatePort  (24, ...
 01250  1480   NtRegisterThreadTerminatePort  (24, ...
 01251  1980   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01247  1740   NtAllocateVirtualMemory  ... 21028864, 8192, ) == 0x0
 01249  1784   NtRegisterThreadTerminatePort  ... ) == 0x0
 01250  1480   NtRegisterThreadTerminatePort  ... ) == 0x0
 01252  1784   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01253  1740   NtProtectVirtualMemory  (-1, (0x140e000), 4096, 260, ...
 01254  1480   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01253  1740   NtProtectVirtualMemory  ... (0x140e000), 4096, 4, ) == 0x0
 01255  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 204, {928, 1556}, ) == 0x0
 01256  1740   NtQueryInformationThread  (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=928,Tid=1556,}, 0x0, ) == 0x0
 01257  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57954, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\240\3\0\0\24\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\240\3\0\0\24\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57955, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\240\3\0\0\24\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\240\3\0\0\24\6\0\0" )  ) == 0x0
 01258  1740   NtResumeThread  (204, ... 1, ) == 0x0
 01259  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01254  1480   NtSetInformationThread  ... ) == 0x0
 01260  1556   NtWaitForSingleObject  (92, 0, 0x0, ...
 01259  1740   NtAllocateVirtualMemory  ... 21037056, 1048576, ) == 0x0
 01261  1740   NtAllocateVirtualMemory  (-1, 22077440, 0, 8192, 4096, 4, ... 22077440, 8192, ) == 0x0
 01262  1740   NtProtectVirtualMemory  (-1, (0x150e000), 4096, 260, ... (0x150e000), 4096, 4, ) == 0x0
 01263  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 208, {928, 460}, ) == 0x0
 01264  1740   NtQueryInformationThread  (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=928,Tid=460,}, 0x0, ) == 0x0
 01265  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57955, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\240\3\0\0\314\1\0\0" ... {28, 56, reply, 0, 928, 1740, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\240\3\0\0\314\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57956, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\240\3\0\0\314\1\0\0" ... {28, 56, reply, 0, 928, 1740, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\240\3\0\0\314\1\0\0" )  ) == 0x0
 01266  1740   NtResumeThread  (208, ... 1, ) == 0x0
 01267  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 22085632, 1048576, ) == 0x0
 01268  1740   NtAllocateVirtualMemory  (-1, 23126016, 0, 8192, 4096, 4, ... 23126016, 8192, ) == 0x0
 01248  1580   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01269   460   NtWaitForSingleObject  (92, 0, 0x0, ...
 01270  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 13431204, ... ) }, 13431204, ... ) == 0x0
 01271  1580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
 01272  1580   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0
 01273  1580   NtQuerySection  (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01274  1580   NtClose  (212, ... ) == 0x0
 01275  1580   NtMapViewOfSection  (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01276  1740   NtProtectVirtualMemory  (-1, (0x160e000), 4096, 260, ... (0x160e000), 4096, 4, ) == 0x0
 01277  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {928, 1068}, ) == 0x0
 01278  1740   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=928,Tid=1068,}, 0x0, ) == 0x0
 01279  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57956, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\240\3\0\0,\4\0\0" ... {28, 56, reply, 0, 928, 1740, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\240\3\0\0,\4\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57957, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\240\3\0\0,\4\0\0" ... {28, 56, reply, 0, 928, 1740, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\240\3\0\0,\4\0\0" )  ) == 0x0
 01280  1740   NtResumeThread  (212, ... 1, ) == 0x0
 01281  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01275  1580   NtMapViewOfSection  ... (0x662b0000), 0x0, 360448, ) == 0x0
 01282  1068   NtWaitForSingleObject  (92, 0, 0x0, ...
 01283  1580   NtClose  (216, ... ) == 0x0
 01284  1580   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01285  1580   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01286  1580   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01287  1580   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01288  1580   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 01281  1740   NtAllocateVirtualMemory  ... 23134208, 1048576, ) == 0x0
 01289  1740   NtAllocateVirtualMemory  (-1, 24174592, 0, 8192, 4096, 4, ... 24174592, 8192, ) == 0x0
 01290  1740   NtProtectVirtualMemory  (-1, (0x170e000), 4096, 260, ... (0x170e000), 4096, 4, ) == 0x0
 01291  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {928, 1856}, ) == 0x0
 01292  1740   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=928,Tid=1856,}, 0x0, ) == 0x0
 01293  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57957, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\240\3\0\0@\7\0\0" ... {28, 56, reply, 0, 928, 1740, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\240\3\0\0@\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57958, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\240\3\0\0@\7\0\0" ... {28, 56, reply, 0, 928, 1740, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\240\3\0\0@\7\0\0" )  ) == 0x0
 01288  1580   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 01294  1580   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01295  1580   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01296  1580   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01297  1580   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01298  1580   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01299  1580   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 01300  1740   NtResumeThread  (216, ... 1, ) == 0x0
 01301  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24182784, 1048576, ) == 0x0
 01302  1740   NtAllocateVirtualMemory  (-1, 25223168, 0, 8192, 4096, 4, ... 25223168, 8192, ) == 0x0
 01303  1740   NtProtectVirtualMemory  (-1, (0x180e000), 4096, 260, ... (0x180e000), 4096, 4, ) == 0x0
 01304  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {928, 1596}, ) == 0x0
 01305  1740   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=928,Tid=1596,}, 0x0, ) == 0x0
 01299  1580   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 01306  1856   NtWaitForSingleObject  (92, 0, 0x0, ...
 01307  1580   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01308  1580   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01309  1580   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01310  1580   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01311  1580   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01312  1580   NtSetEventBoostPriority  (92, ...
 01313  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57958, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\240\3\0\0<\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\240\3\0\0<\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57959, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\240\3\0\0<\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\240\3\0\0<\6\0\0" )  ) == 0x0
 01314  1740   NtResumeThread  (220, ... 1, ) == 0x0
 01315  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25231360, 1048576, ) == 0x0
 01316  1740   NtAllocateVirtualMemory  (-1, 26271744, 0, 8192, 4096, 4, ... 26271744, 8192, ) == 0x0
 01317  1740   NtProtectVirtualMemory  (-1, (0x190e000), 4096, 260, ... (0x190e000), 4096, 4, ) == 0x0
 01318  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01260  1556   NtWaitForSingleObject  ... ) == 0x0
 01312  1580   NtSetEventBoostPriority  ... ) == 0x0
 01319  1596   NtWaitForSingleObject  (92, 0, 0x0, ...
 01320  1556   NtSetEventBoostPriority  (92, ...
 01321  1580   NtWaitForSingleObject  (92, 0, 0x0, ...
 01269   460   NtWaitForSingleObject  ... ) == 0x0
 01320  1556   NtSetEventBoostPriority  ... ) == 0x0
 01322   460   NtSetEventBoostPriority  (92, ...
 01318  1740   NtCreateThread  ... 224, {928, 1128}, ) == 0x0
 01282  1068   NtWaitForSingleObject  ... ) == 0x0
 01322   460   NtSetEventBoostPriority  ... ) == 0x0
 01323  1068   NtSetEventBoostPriority  (92, ...
 01324  1740   NtQueryInformationThread  (224, Basic, 28, ...
 01325  1556   NtTestAlert  (...
 01306  1856   NtWaitForSingleObject  ... ) == 0x0
 01323  1068   NtSetEventBoostPriority  ... ) == 0x0
 01324  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=928,Tid=1128,}, 0x0, ) == 0x0
 01326  1856   NtSetEventBoostPriority  (92, ...
 01325  1556   NtTestAlert  ... ) == 0x0
 01327   460   NtTestAlert  (...
 01319  1596   NtWaitForSingleObject  ... ) == 0x0
 01326  1856   NtSetEventBoostPriority  ... ) == 0x0
 01328  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57959, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\240\3\0\0h\4\0\0" ...  ...
 01329  1556   NtContinue  (21036336, 1, ...
 01330  1596   NtSetEventBoostPriority  (92, ...
 01327   460   NtTestAlert  ... ) == 0x0
 01331  1068   NtTestAlert  (...
 01328  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57960, 0}  ... {28, 56, reply, 0, 928, 1740, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\240\3\0\0h\4\0\0" )  ) == 0x0
 01321  1580   NtWaitForSingleObject  ... ) == 0x0
 01330  1596   NtSetEventBoostPriority  ... ) == 0x0
 01332  1556   NtRegisterThreadTerminatePort  (24, ...
 01333   460   NtContinue  (22084912, 1, ...
 01331  1068   NtTestAlert  ... ) == 0x0
 01334  1856   NtTestAlert  (...
 01335  1580   NtQuerySystemInformation  (Basic, 44, ...
 01336  1740   NtResumeThread  (224, ...
 01332  1556   NtRegisterThreadTerminatePort  ... ) == 0x0
 01337   460   NtRegisterThreadTerminatePort  (24, ...
 01338  1068   NtContinue  (23133488, 1, ...
 01335  1580   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01334  1856   NtTestAlert  ... ) == 0x0
 01336  1740   NtResumeThread  ... 1, ) == 0x0
 01339  1556   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01337   460   NtRegisterThreadTerminatePort  ... ) == 0x0
 01340  1068   NtRegisterThreadTerminatePort  (24, ...
 01341  1596   NtTestAlert  (...
 01342  1128   NtTestAlert  (...
 01343  1856   NtContinue  (24182064, 1, ...
 01344  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01345  1580   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ...
 01346   460   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01340  1068   NtRegisterThreadTerminatePort  ... ) == 0x0
 01341  1596   NtTestAlert  ... ) == 0x0
 01342  1128   NtTestAlert  ... ) == 0x0
 01347  1856   NtRegisterThreadTerminatePort  (24, ...
 01344  1740   NtAllocateVirtualMemory  ... 26279936, 1048576, ) == 0x0
 01345  1580   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01348  1068   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01349  1596   NtContinue  (25230640, 1, ...
 01350  1128   NtContinue  (26279216, 1, ...
 01347  1856   NtRegisterThreadTerminatePort  ... ) == 0x0
 01351  1740   NtAllocateVirtualMemory  (-1, 27320320, 0, 8192, 4096, 4, ...
 01352  1580   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ...
 01353  1596   NtRegisterThreadTerminatePort  (24, ...
 01354  1128   NtRegisterThreadTerminatePort  (24, ...
 01355  1856   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01351  1740   NtAllocateVirtualMemory  ... 27320320, 8192, ) == 0x0
 01352  1580   NtOpenKey  ... 228, ) == 0x0
 01353  1596   NtRegisterThreadTerminatePort  ... ) == 0x0
 01354  1128   NtRegisterThreadTerminatePort  ... ) == 0x0
 01356  1580   NtQueryValueKey  (228,  (228, "MaxRpcSize", Partial, 144, ... , Partial, 144, ...
 01357  1596   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01358  1740   NtProtectVirtualMemory  (-1, (0x1a0e000), 4096, 260, ...
 01356  1580   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01359  1128   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01358  1740   NtProtectVirtualMemory  ... (0x1a0e000), 4096, 4, ) == 0x0
 01360  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {928, 1256}, ) == 0x0
 01361  1740   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=928,Tid=1256,}, 0x0, ) == 0x0
 01362  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57960, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\240\3\0\0\350\4\0\0" ... {28, 56, reply, 0, 928, 1740, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\240\3\0\0\350\4\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57961, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\240\3\0\0\350\4\0\0" ... {28, 56, reply, 0, 928, 1740, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\240\3\0\0\350\4\0\0" )  ) == 0x0
 01363  1740   NtResumeThread  (232, ... 1, ) == 0x0
 01364  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01365  1580   NtClose  (228, ...
 01359  1128   NtSetInformationThread  ... ) == 0x0
 01366  1256   NtTestAlert  (...
 01365  1580   NtClose  ... ) == 0x0
 01364  1740   NtAllocateVirtualMemory  ... 27328512, 1048576, ) == 0x0
 01366  1256   NtTestAlert  ... ) == 0x0
 01367  1580   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ...
 01368  1740   NtAllocateVirtualMemory  (-1, 28368896, 0, 8192, 4096, 4, ...
 01369  1256   NtContinue  (27327792, 1, ...
 01367  1580   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01368  1740   NtAllocateVirtualMemory  ... 28368896, 8192, ) == 0x0
 01370  1256   NtRegisterThreadTerminatePort  (24, ...
 01371  1580   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01372  1740   NtProtectVirtualMemory  (-1, (0x1b0e000), 4096, 260, ...
 01370  1256   NtRegisterThreadTerminatePort  ... ) == 0x0
 01371  1580   NtCreateEvent  ... 228, ) == 0x0
 01372  1740   NtProtectVirtualMemory  ... (0x1b0e000), 4096, 4, ) == 0x0
 01373  1128   NtQueryValueKey  (96,  (96, "FromCacheTimeout", Partial, 144, ... , Partial, 144, ...
 01374  1256   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01375  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01376  1580   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01374  1256   NtSetInformationThread  ... ) == 0x0
 01373  1128   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01376  1580   NtCreateEvent  ... 236, ) == 0x0
 01375  1740   NtCreateThread  ... 240, {928, 220}, ) == 0x0
 01377  1256   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01378  1580   NtQuerySystemTime  (...
 01379  1740   NtQueryInformationThread  (240, Basic, 28, ...
 01380  1128   NtQueryValueKey  (96,  (96, "SecureProtocols", Partial, 144, ... , Partial, 144, ...
 01378  1580   NtQuerySystemTime  ... {-946013966, 29915145}, ) == 0x0
 01379  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=928,Tid=220,}, 0x0, ) == 0x0
 01377  1256   NtCreateEvent  ... 244, ) == 0x0
 01381  1580   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01382  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57961, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\240\3\0\0\334\0\0\0" ...  ...
 01380  1128   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) }, 16, ) == 0x0
 01381  1580   NtCreateEvent  ... 248, ) == 0x0
 01382  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57962, 0}  ... {28, 56, reply, 0, 928, 1740, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\240\3\0\0\334\0\0\0" )  ) == 0x0
 01383  1256   NtWaitForSingleObject  (244, 0, 0x0, ...
 01235  1756   NtSetInformationThread  ... ) == 0x0
 01242  1292   NtSetInformationThread  ... ) == 0x0
 01244  1956   NtSetInformationThread  ... ) == 0x0
 01251  1980   NtSetInformationThread  ... ) == 0x0
 01252  1784   NtSetInformationThread  ... ) == 0x0
 01384  1480   NtWaitForSingleObject  (244, 0, 0x0, ...
 01339  1556   NtSetInformationThread  ... ) == 0x0
 01346   460   NtSetInformationThread  ... ) == 0x0
 01348  1068   NtSetInformationThread  ... ) == 0x0
 01355  1856   NtSetInformationThread  ... ) == 0x0
 01357  1596   NtSetInformationThread  ... ) == 0x0
 01385  1580   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ...
 01386  1740   NtResumeThread  (240, ...
 01387  1756   NtWaitForSingleObject  (244, 0, 0x0, ...
 01388  1292   NtWaitForSingleObject  (244, 0, 0x0, ...
 01389  1956   NtWaitForSingleObject  (244, 0, 0x0, ...
 01390  1980   NtWaitForSingleObject  (244, 0, 0x0, ...
 01391  1784   NtWaitForSingleObject  (244, 0, 0x0, ...
 01392  1556   NtWaitForSingleObject  (244, 0, 0x0, ...
 01393   460   NtWaitForSingleObject  (244, 0, 0x0, ...
 01394  1068   NtWaitForSingleObject  (244, 0, 0x0, ...
 01395  1856   NtWaitForSingleObject  (244, 0, 0x0, ...
 01385  1580   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01386  1740   NtResumeThread  ... 1, ) == 0x0
 01396  1596   NtWaitForSingleObject  (244, 0, 0x0, ...
 01397   220   NtTestAlert  (...
 01398  1580   NtQuerySystemInformation  (Performance, 312, ...
 01399  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01397   220   NtTestAlert  ... ) == 0x0
 01398  1580   NtQuerySystemInformation  ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01399  1740   NtAllocateVirtualMemory  ... 28377088, 1048576, ) == 0x0
 01400   220   NtContinue  (28376368, 1, ...
 01401  1580   NtQueryInformationProcess  (-1, QuotaLimits, 32, ...
 01402  1740   NtAllocateVirtualMemory  (-1, 29417472, 0, 8192, 4096, 4, ...
 01403   220   NtRegisterThreadTerminatePort  (24, ...
 01401  1580   NtQueryInformationProcess  ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01402  1740   NtAllocateVirtualMemory  ... 29417472, 8192, ) == 0x0
 01403   220   NtRegisterThreadTerminatePort  ... ) == 0x0
 01404  1580   NtQueryInformationProcess  (-1, VmCounters, 44, ...
 01405  1740   NtProtectVirtualMemory  (-1, (0x1c0e000), 4096, 260, ...
 01404  1580   NtQueryInformationProcess  ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01405  1740   NtProtectVirtualMemory  ... (0x1c0e000), 4096, 4, ) == 0x0
 01406  1580   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01407  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01406  1580   NtCreateEvent  ... 252, ) == 0x0
 01407  1740   NtCreateThread  ... 256, {928, 1800}, ) == 0x0
 01408  1580   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01409  1740   NtQueryInformationThread  (256, Basic, 28, ...
 01408  1580   NtDuplicateObject  ... 260, ) == 0x0
 01409  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=928,Tid=1800,}, 0x0, ) == 0x0
 01410   220   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01411  1580   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... 264, ) }, ... 264, ) == 0x0
 01412  1580   NtQueryValueKey  (264,  (264, "DefaultAuthLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01413  1580   NtClose  (264, ... ) == 0x0
 01414  1580   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01415  1580   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 01416  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13430896, ... ) }, 13430896, ... ) == 0x0
 01417  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57962, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\240\3\0\0\10\7\0\0" ...  ...
 01410   220   NtSetInformationThread  ... ) == 0x0
 01417  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57963, 0}  ... {28, 56, reply, 0, 928, 1740, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\240\3\0\0\10\7\0\0" )  ) == 0x0
 01418  1580   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01419  1740   NtResumeThread  (256, ...
 01418  1580   NtOpenKey  ... 264, ) == 0x0
 01419  1740   NtResumeThread  ... 1, ) == 0x0
 01420  1580   NtQueryValueKey  (264,  (264, "Transports", Partial, 144, ... , Partial, 144, ...
 01421  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01420  1580   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01422   220   NtWaitForSingleObject  (244, 0, 0x0, ...
 01423  1800   NtTestAlert  (...
 01424  1580   NtQueryValueKey  (264,  (264, "Transports", Partial, 144, ... , Partial, 144, ...
 01421  1740   NtAllocateVirtualMemory  ... 29425664, 1048576, ) == 0x0
 01423  1800   NtTestAlert  ... ) == 0x0
 01424  1580   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01425  1740   NtAllocateVirtualMemory  (-1, 30466048, 0, 8192, 4096, 4, ...
 01426  1800   NtContinue  (29424944, 1, ...
 01425  1740   NtAllocateVirtualMemory  ... 30466048, 8192, ) == 0x0
 01427  1800   NtRegisterThreadTerminatePort  (24, ...
 01428  1740   NtProtectVirtualMemory  (-1, (0x1d0e000), 4096, 260, ...
 01427  1800   NtRegisterThreadTerminatePort  ... ) == 0x0
 01428  1740   NtProtectVirtualMemory  ... (0x1d0e000), 4096, 4, ) == 0x0
 01429  1580   NtClose  (264, ...
 01430  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01429  1580   NtClose  ... ) == 0x0
 01431  1800   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01432  1580   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 264, ) }, ... 264, ) == 0x0
 01433  1580   NtQueryValueKey  (264,  (264, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01434  1580   NtQueryValueKey  (264,  (264, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01435  1580   NtQueryValueKey  (264,  (264, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) , Partial, 152, ... TitleIdx=0, Type=3, Data= (264, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01436  1580   NtClose  (264, ... ) == 0x0
 01430  1740   NtCreateThread  ... 264, {928, 1796}, ) == 0x0
 01431  1800   NtSetInformationThread  ... ) == 0x0
 01437  1740   NtQueryInformationThread  (264, Basic, 28, ...
 01438  1580   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01437  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=928,Tid=1796,}, 0x0, ) == 0x0
 01438  1580   NtOpenKey  ... 268, ) == 0x0
 01439  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57963, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\240\3\0\0\4\7\0\0" ...  ...
 01440  1580   NtQueryValueKey  (268,  (268, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01439  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57964, 0}  ... {28, 56, reply, 0, 928, 1740, 57964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0\240\3\0\0\4\7\0\0" )  ) == 0x0
 01440  1580   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01441  1800   NtWaitForSingleObject  (244, 0, 0x0, ...
 01442  1580   NtQueryValueKey  (268,  (268, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01443  1740   NtResumeThread  (264, ...
 01442  1580   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01443  1740   NtResumeThread  ... 1, ) == 0x0
 01444  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30474240, 1048576, ) == 0x0
 01445  1740   NtAllocateVirtualMemory  (-1, 31514624, 0, 8192, 4096, 4, ... 31514624, 8192, ) == 0x0
 01446  1740   NtProtectVirtualMemory  (-1, (0x1e0e000), 4096, 260, ... (0x1e0e000), 4096, 4, ) == 0x0
 01447  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01448  1580   NtQueryValueKey  (268,  (268, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01449  1580   NtQueryValueKey  (268,  (268, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (268, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01450  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13431852, ... ) }, 13431852, ... ) == 0x0
 01451  1796   NtWaitForSingleObject  (92, 0, 0x0, ...
 01447  1740   NtCreateThread  ... 272, {928, 1808}, ) == 0x0
 01452  1740   NtQueryInformationThread  (272, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=928,Tid=1808,}, 0x0, ) == 0x0
 01453  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57964, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\240\3\0\0\20\7\0\0" ... {28, 56, reply, 0, 928, 1740, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\240\3\0\0\20\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57965, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\240\3\0\0\20\7\0\0" ... {28, 56, reply, 0, 928, 1740, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\240\3\0\0\20\7\0\0" )  ) == 0x0
 01454  1740   NtResumeThread  (272, ... 1, ) == 0x0
 01455  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31522816, 1048576, ) == 0x0
 01456  1740   NtAllocateVirtualMemory  (-1, 32563200, 0, 8192, 4096, 4, ... 32563200, 8192, ) == 0x0
 01457  1580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01458  1808   NtWaitForSingleObject  (92, 0, 0x0, ...
 01457  1580   NtOpenFile  ... 276, {status=0x0, info=1}, ) == 0x0
 01459  1580   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 276, ... 280, ) == 0x0
 01460  1580   NtClose  (276, ... ) == 0x0
 01461  1580   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x850000), 0x0, 20480, ) == 0x0
 01462  1580   NtClose  (280, ... ) == 0x0
 01463  1740   NtProtectVirtualMemory  (-1, (0x1f0e000), 4096, 260, ... (0x1f0e000), 4096, 4, ) == 0x0
 01464  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 280, {928, 1700}, ) == 0x0
 01465  1740   NtQueryInformationThread  (280, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=928,Tid=1700,}, 0x0, ) == 0x0
 01466  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57965, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\1\0\0\240\3\0\0\244\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\1\0\0\240\3\0\0\244\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57966, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\1\0\0\240\3\0\0\244\6\0\0" ... {28, 56, reply, 0, 928, 1740, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\1\0\0\240\3\0\0\244\6\0\0" )  ) == 0x0
 01467  1740   NtResumeThread  (280, ... 1, ) == 0x0
 01468  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01469  1580   NtUnmapViewOfSection  (-1, 0x850000, ...
 01470  1700   NtWaitForSingleObject  (92, 0, 0x0, ...
 01469  1580   NtUnmapViewOfSection  ... ) == 0x0
 01471  1580   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13432160, ... ) }, 13432160, ... ) == 0x0
 01472  1580   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01473  1580   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 276, ... 284, ) == 0x0
 01474  1580   NtQuerySection  (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01468  1740   NtAllocateVirtualMemory  ... 32571392, 1048576, ) == 0x0
 01475  1740   NtAllocateVirtualMemory  (-1, 33611776, 0, 8192, 4096, 4, ... 33611776, 8192, ) == 0x0
 01476  1740   NtProtectVirtualMemory  (-1, (0x200e000), 4096, 260, ... (0x200e000), 4096, 4, ) == 0x0
 01477  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 288, {928, 1156}, ) == 0x0
 01478  1740   NtQueryInformationThread  (288, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=928,Tid=1156,}, 0x0, ) == 0x0
 01479  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57966, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\240\3\0\0\204\4\0\0" ... {28, 56, reply, 0, 928, 1740, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\240\3\0\0\204\4\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57967, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\240\3\0\0\204\4\0\0" ... {28, 56, reply, 0, 928, 1740, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\240\3\0\0\204\4\0\0" )  ) == 0x0
 01480  1580   NtClose  (276, ... ) == 0x0
 01481  1580   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0
 01482  1580   NtClose  (284, ... ) == 0x0
 01483  1580   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0
 01484  1580   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0
 01485  1740   NtResumeThread  (288, ... 1, ) == 0x0
 01486  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33619968, 1048576, ) == 0x0
 01487  1740   NtAllocateVirtualMemory  (-1, 34660352, 0, 8192, 4096, 4, ... 34660352, 8192, ) == 0x0
 01488  1740   NtProtectVirtualMemory  (-1, (0x210e000), 4096, 260, ... (0x210e000), 4096, 4, ) == 0x0
 01489  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 284, {928, 712}, ) == 0x0
 01490  1740   NtQueryInformationThread  (284, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=928,Tid=712,}, 0x0, ) == 0x0
 01491  1580   NtFlushInstructionCache  (-1, 1906905088, 128, ...
 01492  1156   NtWaitForSingleObject  (92, 0, 0x0, ...
 01491  1580   NtFlushInstructionCache  ... ) == 0x0
 01493  1580   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01494  1580   NtSetEventBoostPriority  (92, ...
 01451  1796   NtWaitForSingleObject  ... ) == 0x0
 01495  1796   NtSetEventBoostPriority  (92, ...
 01458  1808   NtWaitForSingleObject  ... ) == 0x0
 01496  1808   NtSetEventBoostPriority  (92, ...
 01470  1700   NtWaitForSingleObject  ... ) == 0x0
 01497  1700   NtSetEventBoostPriority  (92, ...
 01492  1156   NtWaitForSingleObject  ... ) == 0x0
 01498  1156   NtAllocateVirtualMemory  (-1, 8802304, 0, 4096, 4096, 4, ... 8802304, 4096, ) == 0x0
 01497  1700   NtSetEventBoostPriority  ... ) == 0x0
 01496  1808   NtSetEventBoostPriority  ... ) == 0x0
 01495  1796   NtSetEventBoostPriority  ... ) == 0x0
 01494  1580   NtSetEventBoostPriority  ... ) == 0x0
 01499  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57967, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\240\3\0\0\310\2\0\0" ...  ...
 01500  1156   NtTestAlert  (...
 01501  1700   NtTestAlert  (...
 01502  1808   NtTestAlert  (...
 01503  1580   NtClose  (268, ...
 01499  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57968, 0}  ... {28, 56, reply, 0, 928, 1740, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\240\3\0\0\310\2\0\0" )  ) == 0x0
 01500  1156   NtTestAlert  ... ) == 0x0
 01501  1700   NtTestAlert  ... ) == 0x0
 01502  1808   NtTestAlert  ... ) == 0x0
 01503  1580   NtClose  ... ) == 0x0
 01504  1740   NtResumeThread  (284, ...
 01505  1156   NtContinue  (33619248, 1, ...
 01506  1700   NtContinue  (32570672, 1, ...
 01507  1808   NtContinue  (31522096, 1, ...
 01508  1580   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 13434496, 67, ... }, 0x0, 0, 3, 3, 0, 13434496, 67, ...
 01504  1740   NtResumeThread  ... 1, ) == 0x0
 01509  1156   NtRegisterThreadTerminatePort  (24, ...
 01510  1700   NtRegisterThreadTerminatePort  (24, ...
 01511  1808   NtRegisterThreadTerminatePort  (24, ...
 01508  1580   NtCreateFile  ... 268, {status=0x0, info=0}, ) == 0x0
 01512  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01509  1156   NtRegisterThreadTerminatePort  ... ) == 0x0
 01510  1700   NtRegisterThreadTerminatePort  ... ) == 0x0
 01511  1808   NtRegisterThreadTerminatePort  ... ) == 0x0
 01513  1796   NtTestAlert  (...
 01514   712   NtTestAlert  (...
 01515  1580   NtDeviceIoControlFile  (268, 200, 0x0, 0x0, 0x1207b,  (268, 200, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 01516  1156   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01517  1700   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01518  1808   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01513  1796   NtTestAlert  ... ) == 0x0
 01514   712   NtTestAlert  ... ) == 0x0
 01515  1580   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0
 01512  1740   NtAllocateVirtualMemory  ... 34668544, 1048576, ) == 0x0
 01519  1796   NtContinue  (30473520, 1, ...
 01520   712   NtContinue  (34667824, 1, ...
 01521  1580   NtDeviceIoControlFile  (268, 200, 0x0, 0x0, 0x1207b,  (268, 200, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", 16, 16, ... , 16, 16, ...
 01522  1740   NtAllocateVirtualMemory  (-1, 35708928, 0, 8192, 4096, 4, ...
 01523  1796   NtRegisterThreadTerminatePort  (24, ...
 01524   712   NtRegisterThreadTerminatePort  (24, ...
 01521  1580   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0
 01522  1740   NtAllocateVirtualMemory  ... 35708928, 8192, ) == 0x0
 01523  1796   NtRegisterThreadTerminatePort  ... ) == 0x0
 01524   712   NtRegisterThreadTerminatePort  ... ) == 0x0
 01525  1580   NtDeviceIoControlFile  (268, 200, 0x0, 0x0, 0x12047,  (268, 200, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 01526  1740   NtProtectVirtualMemory  (-1, (0x220e000), 4096, 260, ...
 01527  1796   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01525  1580   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 01526  1740   NtProtectVirtualMemory  ... (0x220e000), 4096, 4, ) == 0x0
 01528   712   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01529  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01528   712   NtSetInformationThread  ... ) == 0x0
 01530  1580   NtWaitForSingleObject  (148, 0, {0, 0}, ...
 01529  1740   NtCreateThread  ... 276, {928, 1728}, ) == 0x0
 01530  1580   NtWaitForSingleObject  ... ) == 0x102
 01531  1740   NtQueryInformationThread  (276, Basic, 28, ...
 01532  1580   NtDeviceIoControlFile  (268, 200, 0x0, 0x0, 0x12003,  (268, 200, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 01531  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=928,Tid=1728,}, 0x0, ) == 0x0
 01532  1580   NtDeviceIoControlFile  ... {status=0x0, info=292},  ... {status=0x0, info=292}, "\1\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01533  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57968, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\240\3\0\0\300\6\0\0" ...  ...
 01534   712   NtWaitForSingleObject  (244, 0, 0x0, ...
 01533  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57969, 0}  ... {28, 56, reply, 0, 928, 1740, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\240\3\0\0\300\6\0\0" )  ) == 0x0
 01535  1580   NtDeviceIoControlFile  (268, 200, 0x0, 0x0, 0x12047,  (268, 200, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 01536  1580   NtDeviceIoControlFile  (268, 200, 0x0, 0x0, 0x12037,  (268, 200, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8},  (268, 200, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01537  1580   NtDeviceIoControlFile  (268, 200, 0x0, 0x0, 0x1200b,  (268, 200, 0x0, 0x0, 0x1200b, "\0\376\314\0\5\0\0\0\0\323\24\0", 12, 0, ... {status=0x0, info=0}, 0x0, ) , 12, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 01538  1580   NtDeviceIoControlFile  (268, 200, 0x0, 0x0, 0x12047,  (268, 200, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\314\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 01539  1580   NtDeviceIoControlFile  (268, 200, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26},  (268, 200, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01540  1580   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 01541  1740   NtResumeThread  (276, ... 1, ) == 0x0
 01542  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35717120, 1048576, ) == 0x0
 01543  1740   NtAllocateVirtualMemory  (-1, 36757504, 0, 8192, 4096, 4, ... 36757504, 8192, ) == 0x0
 01544  1740   NtProtectVirtualMemory  (-1, (0x230e000), 4096, 260, ... (0x230e000), 4096, 4, ) == 0x0
 01545  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 296, {928, 1356}, ) == 0x0
 01546  1740   NtQueryInformationThread  (296, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=928,Tid=1356,}, 0x0, ) == 0x0
 01547  1580   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 01548  1728   NtTestAlert  (...
 01547  1580   NtOpenFile  ... 300, {status=0x0, info=0}, ) == 0x0
 01548  1728   NtTestAlert  ... ) == 0x0
 01549  1580   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "\221\370\260\225\336\25\373\323|H\354"\320\256\237\242\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \320\256\237\242\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01550  1728   NtContinue  (35716400, 1, ...
 01551  1580   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01552  1728   NtRegisterThreadTerminatePort  (24, ...
 01551  1580   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01552  1728   NtRegisterThreadTerminatePort  ... ) == 0x0
 01553  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01554  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57969, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\240\3\0\0L\5\0\0" ...  ...
 01555  1728   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01554  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57970, 0}  ... {28, 56, reply, 0, 928, 1740, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\240\3\0\0L\5\0\0" )  ) == 0x0
 01555  1728   NtSetInformationThread  ... ) == 0x0
 01553  1580   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01556  1740   NtResumeThread  (296, ...
 01557  1580   NtQuerySystemInformation  (Performance, 312, ...
 01556  1740   NtResumeThread  ... 1, ) == 0x0
 01557  1580   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01558  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01559  1580   NtQuerySystemInformation  (Exception, 16, ...
 01558  1740   NtAllocateVirtualMemory  ... 36765696, 1048576, ) == 0x0
 01559  1580   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01560  1740   NtAllocateVirtualMemory  (-1, 37806080, 0, 8192, 4096, 4, ...
 01561  1580   NtQuerySystemInformation  (Lookaside, 32, ...
 01560  1740   NtAllocateVirtualMemory  ... 37806080, 8192, ) == 0x0
 01562  1728   NtWaitForSingleObject  (244, 0, 0x0, ...
 01563  1356   NtTestAlert  (...
 01561  1580   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01564  1740   NtProtectVirtualMemory  (-1, (0x240e000), 4096, 260, ...
 01563  1356   NtTestAlert  ... ) == 0x0
 01565  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01564  1740   NtProtectVirtualMemory  ... (0x240e000), 4096, 4, ) == 0x0
 01566  1356   NtContinue  (36764976, 1, ...
 01565  1580   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01567  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01568  1356   NtRegisterThreadTerminatePort  (24, ...
 01569  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01567  1740   NtCreateThread  ... 304, {928, 1536}, ) == 0x0
 01568  1356   NtRegisterThreadTerminatePort  ... ) == 0x0
 01569  1580   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01570  1740   NtQueryInformationThread  (304, Basic, 28, ...
 01571  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01570  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=928,Tid=1536,}, 0x0, ) == 0x0
 01572  1356   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01571  1580   NtCreateKey  ... -2147481344, 2, ) == 0x0
 01573  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\306\360\220\217\321\316\27\240\221\11\256\237\312\222i.>\360\226Un\251\3656\177\334\3015ym\223\333\256\336\232N\261^\316W\314\14\307&\218\215U\331\274h3Z\22\6X\203\242\377\325\234\14'b\211\264\212a \16s\211\236m\235\276\220V\220G", 80, ... ) , 0, 3,  (-2147481344, "Seed", 0, 3, "\306\360\220\217\321\316\27\240\221\11\256\237\312\222i.>\360\226Un\251\3656\177\334\3015ym\223\333\256\336\232N\261^\316W\314\14\307&\218\215U\331\274h3Z\22\6X\203\242\377\325\234\14'b\211\264\212a \16s\211\236m\235\276\220V\220G", 80, ... ) , 80, ... ) == 0x0
 01574  1580   NtClose  (-2147481344, ... ) == 0x0
 01549  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\353+h\3641pQe8\2600\267y\207\261\216\351\363\235\271\33$\33\351\202)x, ) , ) == 0x0
 01575  1580   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 308, ) == 0x0
 01576  1580   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 13431416, 188, ... 312, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 1}, 0x0, 0x0, 13431416, 188, ... 312, 0x0, 0x0, 0x0, 188, ) == 0x0
 01577  1580   NtRequestWaitReplyPort  (312, {200, 224, new_msg, 0, 2883626, 1365368, 12, 2}  (312, {200, 224, new_msg, 0, 2883626, 1365368, 12, 2} "\0\1\0\0\320\2\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\240<\24\0\1\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\264\324\2331W\333\7\314\250\16\25\0`\1\24\0\12\0\0\0\0\0\0\0@\0\0\0(\0\0\0\260\16\25\0i\313Ly\320\2\24\0\320\16\25\0`\1\24\0\0\0\0\0\0\0\0\0\320\16\25\0P\0\0\0\330\16\25\0\360\6\221|\250\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\314\0\372\31\221|\214\370\314\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...  ...
 01578  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57970, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\1\0\0\240\3\0\0\0\6\0\0" ...  ...
 01572  1356   NtSetInformationThread  ... ) == 0x0
 01578  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57972, 0}  ... {28, 56, reply, 0, 928, 1740, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\1\0\0\240\3\0\0\0\6\0\0" )  ) == 0x0
 01577  1580   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 928, 1580, 57973, 0}  ... {200, 224, reply, 0, 928, 1580, 57973, 0} "\7\1\0\0\320\2\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240<\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\264\324\2331W\333\7\314\250\16\25\0`\1\24\0\12\0\0\0\0\0\0\0@\0\0\0(\0\0\0\260\16\25\0i\313Ly\320\2\24\0\320\16\25\0`\1\24\0\0\0\0\0\0\0\0\0\320\16\25\0P\0\0\0\330\16\25\0\360\6\221|\250\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\314\0\372\31\221|\214\370\314\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 01579  1740   NtResumeThread  (304, ...
 01580  1580   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01579  1740   NtResumeThread  ... 1, ) == 0x0
 01580  1580   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01581  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01582  1580   NtRequestWaitReplyPort  (312, {44, 68, new_msg, 56, 0, 0, 0, 0}  (312, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\08\20\25\0\322\0\0\0" ...  ...
 01583  1356   NtWaitForSingleObject  (244, 0, 0x0, ...
 01584  1536   NtTestAlert  (...
 01581  1740   NtAllocateVirtualMemory  ... 37814272, 1048576, ) == 0x0
 01584  1536   NtTestAlert  ... ) == 0x0
 01585  1740   NtAllocateVirtualMemory  (-1, 38854656, 0, 8192, 4096, 4, ...
 01586  1536   NtContinue  (37813552, 1, ...
 01585  1740   NtAllocateVirtualMemory  ... 38854656, 8192, ) == 0x0
 01587  1536   NtRegisterThreadTerminatePort  (24, ...
 01588  1740   NtProtectVirtualMemory  (-1, (0x250e000), 4096, 260, ...
 01587  1536   NtRegisterThreadTerminatePort  ... ) == 0x0
 01588  1740   NtProtectVirtualMemory  ... (0x250e000), 4096, 4, ) == 0x0
 01582  1580   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 928, 1580, 57974, 0}  ... {40, 64, reply, 0, 928, 1580, 57974, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" )  ) == 0x0
 01589  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01590  1580   NtRequestWaitReplyPort  (312, {64, 88, new_msg, 56, 1310720, 13431284, 1380400, 0}  (312, {64, 88, new_msg, 56, 1310720, 13431284, 1380400, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\00\21\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01591  1536   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01590  1580   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 928, 1580, 57975, 0}  ... {64, 88, reply, 56, 928, 1580, 57975, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\00\21\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01592  1580   NtRequestWaitReplyPort  (312, {44, 68, new_msg, 56, 928, 1580, 57974, 0}  (312, {44, 68, new_msg, 56, 928, 1580, 57974, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\08\20\25\0\322\0\0\0" ...  ...
 01589  1740   NtCreateThread  ... 316, {928, 444}, ) == 0x0
 01593  1740   NtQueryInformationThread  (316, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=928,Tid=444,}, 0x0, ) == 0x0
 01594  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57972, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\240\3\0\0\274\1\0\0" ... {28, 56, reply, 0, 928, 1740, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\240\3\0\0\274\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57977, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\240\3\0\0\274\1\0\0" ... {28, 56, reply, 0, 928, 1740, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\240\3\0\0\274\1\0\0" )  ) == 0x0
 01591  1536   NtSetInformationThread  ... ) == 0x0
 01592  1580   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 928, 1580, 57976, 0}  ... {40, 64, reply, 0, 928, 1580, 57976, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" )  ) == 0x0
 01595  1740   NtResumeThread  (316, ...
 01596  1580   NtRequestWaitReplyPort  (312, {64, 88, new_msg, 56, 1310720, 13431284, 13432028, 0}  (312, {64, 88, new_msg, 56, 1310720, 13431284, 13432028, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0\0\36\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01595  1740   NtResumeThread  ... 1, ) == 0x0
 01597  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 38862848, 1048576, ) == 0x0
 01598  1740   NtAllocateVirtualMemory  (-1, 39903232, 0, 8192, 4096, 4, ... 39903232, 8192, ) == 0x0
 01596  1580   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 928, 1580, 57978, 0}  ... {64, 88, reply, 56, 928, 1580, 57978, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0\0\36\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01599  1536   NtWaitForSingleObject  (244, 0, 0x0, ...
 01600   444   NtTestAlert  (...
 01601  1580   NtRequestWaitReplyPort  (312, {44, 68, new_msg, 56, 928, 1580, 57976, 0}  (312, {44, 68, new_msg, 56, 928, 1580, 57976, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\08\20\25\0\322\0\0\0" ...  ...
 01602  1740   NtProtectVirtualMemory  (-1, (0x260e000), 4096, 260, ...
 01600   444   NtTestAlert  ... ) == 0x0
 01602  1740   NtProtectVirtualMemory  ... (0x260e000), 4096, 4, ) == 0x0
 01603   444   NtContinue  (38862128, 1, ...
 01604  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01605   444   NtRegisterThreadTerminatePort  (24, ...
 01604  1740   NtCreateThread  ... 320, {928, 1904}, ) == 0x0
 01605   444   NtRegisterThreadTerminatePort  ... ) == 0x0
 01606  1740   NtQueryInformationThread  (320, Basic, 28, ...
 01601  1580   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 928, 1580, 57979, 0}  ... {40, 64, reply, 0, 928, 1580, 57979, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0|\1\0\0h\236\14\0" )  ) == 0x0
 01606  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=928,Tid=1904,}, 0x0, ) == 0x0
 01607  1580   NtRequestWaitReplyPort  (312, {64, 88, new_msg, 56, 1310720, 13431284, 13432028, 0}  (312, {64, 88, new_msg, 56, 1310720, 13431284, 13432028, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0h\26\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01608   444   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01607  1580   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 928, 1580, 57980, 0}  ... {64, 88, reply, 56, 928, 1580, 57980, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\314\0\351\201\347w\214\370\314\0\30\356\220|p\5\221|\1\0\0\0h\26\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01609  1580   NtClose  (308, ... ) == 0x0
 01610  1580   NtClose  (312, ... ) == 0x0
 01611  1580   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "\221\370\260\225\336\25\373iH\244\364\203S\5\203'K4\25\303L1\265\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01612  1580   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01613  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01614  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57977, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0\240\3\0\0p\7\0\0" ...  ...
 01608   444   NtSetInformationThread  ... ) == 0x0
 01614  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57983, 0}  ... {28, 56, reply, 0, 928, 1740, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0\240\3\0\0p\7\0\0" )  ) == 0x0
 01613  1580   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01615  1740   NtResumeThread  (320, ...
 01616  1580   NtQuerySystemInformation  (Performance, 312, ...
 01615  1740   NtResumeThread  ... 1, ) == 0x0
 01616  1580   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01617  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01618  1580   NtQuerySystemInformation  (Exception, 16, ...
 01619   444   NtWaitForSingleObject  (244, 0, 0x0, ...
 01620  1904   NtTestAlert  (...
 01618  1580   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01617  1740   NtAllocateVirtualMemory  ... 39911424, 1048576, ) == 0x0
 01620  1904   NtTestAlert  ... ) == 0x0
 01621  1580   NtQuerySystemInformation  (Lookaside, 32, ...
 01622  1740   NtAllocateVirtualMemory  (-1, 40951808, 0, 8192, 4096, 4, ...
 01623  1904   NtContinue  (39910704, 1, ...
 01622  1740   NtAllocateVirtualMemory  ... 40951808, 8192, ) == 0x0
 01624  1904   NtRegisterThreadTerminatePort  (24, ...
 01625  1740   NtProtectVirtualMemory  (-1, (0x270e000), 4096, 260, ...
 01624  1904   NtRegisterThreadTerminatePort  ... ) == 0x0
 01625  1740   NtProtectVirtualMemory  ... (0x270e000), 4096, 4, ) == 0x0
 01621  1580   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01626  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01627  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01628  1904   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01627  1580   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01629  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01630  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481344, 2, ) }, 0, 0x0, 0, ... -2147481344, 2, ) == 0x0
 01631  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "6\272\237$\5\262\270>\342jg\205\204\201\177\227#\331\16\326\305\337<\373\212\21G\252#\350\5\274\213\274\267y\244\270\321Y\302\3473\224n\277\335\16\272\273F\223\2373\340<%\1\37\367Q`U\177\324\253&c\226\21\377\20\351\2\333+\332\307\372^", 80, ... ) , 0, 3,  (-2147481344, "Seed", 0, 3, "6\272\237$\5\262\270>\342jg\205\204\201\177\227#\331\16\326\305\337<\373\212\21G\252#\350\5\274\213\274\267y\244\270\321Y\302\3473\224n\277\335\16\272\273F\223\2373\340<%\1\37\367Q`U\177\324\253&c\226\21\377\20\351\2\333+\332\307\372^", 80, ... ) , 80, ... ) == 0x0
 01632  1580   NtClose  (-2147481344, ... ) == 0x0
 01611  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\242\320\241+\27\315\333\230\265\270\3\15\236\314\247\275\356T\22\210\371\276\257\376(O/\271-G\312/\31\2006g\356\10\272M\15\217X\262\202{~\4\204\53\13'.\17\243g\239\366\17\265\244,\230\344\214\3178D'K\372\2305\307\246\353^9\241x\33\276+\17Y(\203\317\24Tx\342]\235r\240\364\243\203)~Oi\363,4\371\237'\24\232+V`\361oRl\262\303\333~yy\262smz\10Q|\233\373\243\365F\36\324\247\324To\201\313\365\243\234\254\366\244\325\323\211*PLv\246\300\214\215\210^\231_\30\276qU\263js[h\303\223\213\266\334\337S\364\365\364G\13\372\26\362}{\35\266\224\354\32Y\211\223\366T\301\307\274\17\340W\313\324#=\37^\221\365\201\32$\243\245h|\370\240\21\232W"\177\374\12\351\177\266\12\0\221\365\344\0\17\337\331\15\206CK\243\4\366\247\250f!", ) \177\374\12\351\177\266\12\0\221\365\344\0\17\337\331\15\206CK\243\4\366\247\250f!", ) == 0x0
 01626  1740   NtCreateThread  ... 312, {928, 1648}, ) == 0x0
 01628  1904   NtSetInformationThread  ... ) == 0x0
 01633  1740   NtQueryInformationThread  (312, Basic, 28, ...
 01634  1580   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "\221\370\260\225\336\25\373iH\244\364\203S\59\23\247,\264@\347-0K4\25\303L1\265\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01633  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=928,Tid=1648,}, 0x0, ) == 0x0
 01635  1580   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01636  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57983, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0\240\3\0\0p\6\0\0" ...  ...
 01635  1580   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01636  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57984, 0}  ... {28, 56, reply, 0, 928, 1740, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0\240\3\0\0p\6\0\0" )  ) == 0x0
 01637  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01638  1904   NtWaitForSingleObject  (244, 0, 0x0, ...
 01637  1580   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01639  1740   NtResumeThread  (312, ...
 01640  1580   NtQuerySystemInformation  (Performance, 312, ...
 01639  1740   NtResumeThread  ... 1, ) == 0x0
 01641  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 40960000, 1048576, ) == 0x0
 01642  1740   NtAllocateVirtualMemory  (-1, 42000384, 0, 8192, 4096, 4, ... 42000384, 8192, ) == 0x0
 01643  1740   NtProtectVirtualMemory  (-1, (0x280e000), 4096, 260, ... (0x280e000), 4096, 4, ) == 0x0
 01644  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 308, {928, 148}, ) == 0x0
 01645  1740   NtQueryInformationThread  (308, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=928,Tid=148,}, 0x0, ) == 0x0
 01640  1580   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01646  1648   NtTestAlert  (...
 01647  1580   NtQuerySystemInformation  (Exception, 16, ...
 01646  1648   NtTestAlert  ... ) == 0x0
 01647  1580   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01648  1648   NtContinue  (40959280, 1, ...
 01649  1580   NtQuerySystemInformation  (Lookaside, 32, ...
 01650  1648   NtRegisterThreadTerminatePort  (24, ...
 01649  1580   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01650  1648   NtRegisterThreadTerminatePort  ... ) == 0x0
 01651  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01652  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57984, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\240\3\0\0\224\0\0\0" ...  ...
 01653  1648   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01652  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57985, 0}  ... {28, 56, reply, 0, 928, 1740, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\240\3\0\0\224\0\0\0" )  ) == 0x0
 01654  1740   NtResumeThread  (308, ... 1, ) == 0x0
 01655  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 42008576, 1048576, ) == 0x0
 01656  1740   NtAllocateVirtualMemory  (-1, 43048960, 0, 8192, 4096, 4, ... 43048960, 8192, ) == 0x0
 01657  1740   NtProtectVirtualMemory  (-1, (0x290e000), 4096, 260, ... (0x290e000), 4096, 4, ) == 0x0
 01658  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01651  1580   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01653  1648   NtSetInformationThread  ... ) == 0x0
 01659   148   NtTestAlert  (...
 01660  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01658  1740   NtCreateThread  ... 324, {928, 1828}, ) == 0x0
 01659   148   NtTestAlert  ... ) == 0x0
 01660  1580   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01661  1740   NtQueryInformationThread  (324, Basic, 28, ...
 01662   148   NtContinue  (42007856, 1, ...
 01663  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01661  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=928,Tid=1828,}, 0x0, ) == 0x0
 01664   148   NtRegisterThreadTerminatePort  (24, ...
 01663  1580   NtCreateKey  ... -2147481344, 2, ) == 0x0
 01665  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57985, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\240\3\0\0$\7\0\0" ...  ...
 01664   148   NtRegisterThreadTerminatePort  ... ) == 0x0
 01666  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\325\11\207M\24J\3\206\354\274\30\240S\240\26\214b\243\376\1\35\252\21\376~.\320\336\274JZ1\204\367\330\234<\222l&\367\355<\226sO\314o\226iG\206&&`t\0\220\2770T\306\273S3\274\36161\215\224zXR_\35-E\260t", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "\325\11\207M\24J\3\206\354\274\30\240S\240\26\214b\243\376\1\35\252\21\376~.\320\336\274JZ1\204\367\330\234<\222l&\367\355<\226sO\314o\226iG\206&&`t\0\220\2770T\306\273S3\274\36161\215\224zXR_\35-E\260t", 80, ... , 80, ...
 01665  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57986, 0}  ... {28, 56, reply, 0, 928, 1740, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\240\3\0\0$\7\0\0" )  ) == 0x0
 01667  1648   NtWaitForSingleObject  (244, 0, 0x0, ...
 01668   148   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01666  1580   NtSetValueKey  ... ) == 0x0
 01669  1740   NtResumeThread  (324, ...
 01670  1580   NtClose  (-2147481344, ...
 01669  1740   NtResumeThread  ... 1, ) == 0x0
 01670  1580   NtClose  ... ) == 0x0
 01671  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01634  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\21\322\246\324\263g\277\262\157\333\21\203\240\23/P\256f\11\20\206wn\257<\241\247\3304;\337\1\322\220y\237\11\301\31t\353\7\237\263\373\312g\343l\215~\12\262\20\265\5f\236+\224\326L\305\200\22\261\275\34x\257+&\264\232\211T\334\310N2~\247\27\261T/@\17\36\255\33\3548\267\352\60%F\2344\231k\334*F6'q1~\34\305O\235\317;]\354N1\303\326\266\217\361\234v#\227\357\7LP@X\314*\113\30\273\307\315\250\13\212<\217P\332\366\3670\240\266\15\23\12\234\224\320\267\307\2567\245\301\307\13-+\352}c\32@\216;\346\6\270\233\374 \255\242\203\235\302\35\15KQ\327\272\2527\245\275\267\337\246\235A+x" \323G\337\323b.Q\216e\206\273\327\355\251\346|\311p\361\24B,\1o\14x\3040R\325g+", )  \323G\337\323b.Q\216e\206\273\327\355\251\346|\311p\361\24B,\1o\14x\3040R\325g+", ) == 0x0
 01671  1740   NtAllocateVirtualMemory  ... 43057152, 1048576, ) == 0x0
 01672  1580   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "\221\370\260\225\336\25\373iH\244\364\203S\59\23\247,\264@\347\227\4\247,\264@\347-0K4\25\303L1\265\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01673  1740   NtAllocateVirtualMemory  (-1, 44097536, 0, 8192, 4096, 4, ...
 01674  1580   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01673  1740   NtAllocateVirtualMemory  ... 44097536, 8192, ) == 0x0
 01668   148   NtSetInformationThread  ... ) == 0x0
 01675  1828   NtTestAlert  (...
 01674  1580   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01676  1740   NtProtectVirtualMemory  (-1, (0x2a0e000), 4096, 260, ...
 01675  1828   NtTestAlert  ... ) == 0x0
 01677  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01676  1740   NtProtectVirtualMemory  ... (0x2a0e000), 4096, 4, ) == 0x0
 01678  1828   NtContinue  (43056432, 1, ...
 01677  1580   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01679  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01680  1828   NtRegisterThreadTerminatePort  (24, ...
 01681  1580   NtQuerySystemInformation  (Performance, 312, ...
 01679  1740   NtCreateThread  ... 328, {928, 1864}, ) == 0x0
 01680  1828   NtRegisterThreadTerminatePort  ... ) == 0x0
 01681  1580   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01682  1740   NtQueryInformationThread  (328, Basic, 28, ...
 01683   148   NtWaitForSingleObject  (244, 0, 0x0, ...
 01684  1580   NtQuerySystemInformation  (Exception, 16, ...
 01682  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=928,Tid=1864,}, 0x0, ) == 0x0
 01685  1828   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01684  1580   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01686  1580   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01687  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01688  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01689  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481344, 2, ) }, 0, 0x0, 0, ... -2147481344, 2, ) == 0x0
 01690  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\243\263Wt\24\373\333\2639PU^r\327\353cgEe\231>\264\357\2260\334\223\345W\1\376\273\323\35=\320\352\374\17\247(\346\276\303\227\10\363\273\307(8\10'\30S?\375"\230\226F\324\334\334G\273\242\17\356h\373#y\223\317\371erb\372", 80, ... ) , 0, 3,  (-2147481344, "Seed", 0, 3, "\243\263Wt\24\373\333\2639PU^r\327\353cgEe\231>\264\357\2260\334\223\345W\1\376\273\323\35=\320\352\374\17\247(\346\276\303\227\10\363\273\307(8\10'\30S?\375"\230\226F\324\334\334G\273\242\17\356h\373#y\223\317\371erb\372", 80, ... ) \230\226F\324\334\334G\273\242\17\356h\373#y\223\317\371erb\372", 80, ... ) == 0x0
 01691  1580   NtClose  (-2147481344, ...
 01692  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57986, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\240\3\0\0H\7\0\0" ...  ...
 01685  1828   NtSetInformationThread  ... ) == 0x0
 01692  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57987, 0}  ... {28, 56, reply, 0, 928, 1740, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\240\3\0\0H\7\0\0" )  ) == 0x0
 01691  1580   NtClose  ... ) == 0x0
 01693  1740   NtResumeThread  (328, ...
 01672  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\224\224\236O\333\3347\13R<\25\257\373\263\374<\232\323IJQ6L\25088:+\203\304\217qI\351w\321E8\11\325q[\32.J\366\0\223(\343J\266\300t9I&\14>\372x\351\353\346\21\23)\2261\177\325\353\350>Ow\300\221>7j\234>3\300\345(\350L\236\305\374L\3254}\214\335E\357\16\323\205\250_N\346\302\265*)\314\300\372\304>\21\251\324\304Y^\327~\246y\325\255\240\243`\261\355\336\214_\353\316\327\316N\361\2640\330\375\247\317&D\17\223\377v\220B\265\36E#I\2251\222\232\24]\243N\374\321\2576\356\23\216\4\201d\216X\35\2519\366\16\365\336\211%\30M)"\331?"\345\12\264\274\214\243\20v=\244q)\1S\317P\270Z\255R=\364\231\243\333\6\370\233[\23\337\274\205JAN\211\366z\143\365\30\350Ce\227\3334\372\305\10;SQ\255\234P6", ) \331? ... {status=0x0, info=256}, "\224\224\236O\333\3347\13R<\25\257\373\263\374<\232\323IJQ6L\25088:+\203\304\217qI\351w\321E8\11\325q[\32.J\366\0\223(\343J\266\300t9I&\14>\372x\351\353\346\21\23)\2261\177\325\353\350>Ow\300\221>7j\234>3\300\345(\350L\236\305\374L\3254}\214\335E\357\16\323\205\250_N\346\302\265*)\314\300\372\304>\21\251\324\304Y^\327~\246y\325\255\240\243`\261\355\336\214_\353\316\327\316N\361\2640\330\375\247\317&D\17\223\377v\220B\265\36E#I\2251\222\232\24]\243N\374\321\2576\356\23\216\4\201d\216X\35\2519\366\16\365\336\211%\30M)"\331?"\345\12\264\274\214\243\20v=\244q)\1S\317P\270Z\255R=\364\231\243\333\6\370\233[\23\337\274\205JAN\211\366z\143\365\30\350Ce\227\3334\372\305\10;SQ\255\234P6", ) , ) == 0x0
 01693  1740   NtResumeThread  ... 1, ) == 0x0
 01694  1580   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "\221\370\260\225\336\25\373iH\244\364\203S\59\23\247,\264@\347\227\4\247,\264@\347\227\4\247,\264@\347-0K4\25\303L1\265\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01695  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01696  1580   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01697  1828   NtWaitForSingleObject  (244, 0, 0x0, ...
 01698  1864   NtTestAlert  (...
 01696  1580   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01695  1740   NtAllocateVirtualMemory  ... 44105728, 1048576, ) == 0x0
 01698  1864   NtTestAlert  ... ) == 0x0
 01699  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01700  1740   NtAllocateVirtualMemory  (-1, 45146112, 0, 8192, 4096, 4, ...
 01701  1864   NtContinue  (44105008, 1, ...
 01700  1740   NtAllocateVirtualMemory  ... 45146112, 8192, ) == 0x0
 01702  1864   NtRegisterThreadTerminatePort  (24, ...
 01703  1740   NtProtectVirtualMemory  (-1, (0x2b0e000), 4096, 260, ...
 01702  1864   NtRegisterThreadTerminatePort  ... ) == 0x0
 01703  1740   NtProtectVirtualMemory  ... (0x2b0e000), 4096, 4, ) == 0x0
 01699  1580   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01704  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01705  1580   NtQuerySystemInformation  (Performance, 312, ...
 01706  1864   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01705  1580   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01707  1580   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01708  1580   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01709  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01710  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01711  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01704  1740   NtCreateThread  ... 332, {928, 1896}, ) == 0x0
 01706  1864   NtSetInformationThread  ... ) == 0x0
 01712  1740   NtQueryInformationThread  (332, Basic, 28, ...
 01711  1580   NtCreateKey  ... -2147481344, 2, ) == 0x0
 01712  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=928,Tid=1896,}, 0x0, ) == 0x0
 01713  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "[\304de\204G\355'\327\212\323\343F\7\327*\4E\235&\2467>\14.\2177\3\11?\27\246\35n\241\216i\370\374r\337\322\303Xr\311\16fHD/\204\253\307b\224\364\2\13\35\3\241\345\300t\230\25\323e\303\245\310\364\232\324\263\214\34Ha", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "[\304de\204G\355'\327\212\323\343F\7\327*\4E\235&\2467>\14.\2177\3\11?\27\246\35n\241\216i\370\374r\337\322\303Xr\311\16fHD/\204\253\307b\224\364\2\13\35\3\241\345\300t\230\25\323e\303\245\310\364\232\324\263\214\34Ha", 80, ... , 80, ...
 01714  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57987, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\240\3\0\0h\7\0\0" ...  ...
 01713  1580   NtSetValueKey  ... ) == 0x0
 01714  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57988, 0}  ... {28, 56, reply, 0, 928, 1740, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\240\3\0\0h\7\0\0" )  ) == 0x0
 01715  1580   NtClose  (-2147481344, ...
 01716  1864   NtWaitForSingleObject  (244, 0, 0x0, ...
 01715  1580   NtClose  ... ) == 0x0
 01717  1740   NtResumeThread  (332, ...
 01694  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\270\256\255/\374cz\271\343\207I\210\360Q\270\37fFh'DE\30\224\375\37|g\227\252\361\272\320\275\256\265p\245#e\226dl\323(\232\321\0N\32{7\23\265\20{\235\3008\215\313q\23(\361\241\273O\312\263;\325}\272\177mja\10\336\366\0\236\207\250\256\235\254\267K\232\376u\245\251%\372\303m\274\323\324R\31D\257\27\350\315\351\231Q\351\241}JB;#}\31>\227\246\262\343\340\263.\270\262!\241\326\351\270!\4wt\222\273v\341\0=\26\347\354n(b\336\317\331#\376\316\230\36\360\212y\233@j\15\263\372\242\312\7\34\6i\230\322d\27l{\305\351\337\211\334\344\300y\331\2300\214\216\257\12bA\213K\34v\3452nR\13", ) , ) == 0x0
 01717  1740   NtResumeThread  ... 1, ) == 0x0
 01718  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 45154304, 1048576, ) == 0x0
 01719  1740   NtAllocateVirtualMemory  (-1, 46194688, 0, 8192, 4096, 4, ... 46194688, 8192, ) == 0x0
 01720  1740   NtProtectVirtualMemory  (-1, (0x2c0e000), 4096, 260, ... (0x2c0e000), 4096, 4, ) == 0x0
 01721  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 336, {928, 1524}, ) == 0x0
 01722  1740   NtQueryInformationThread  (336, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=928,Tid=1524,}, 0x0, ) == 0x0
 01723  1580   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "\221\370\260\225\336\25\373iH\244\364\203S\59\23\247,\264@\347\227\4\247,\264@\347\227\4\247,\264@\347\227\4\247,\264@\347-0K4\25\303L1\265\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01724  1896   NtTestAlert  (...
 01725  1580   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01724  1896   NtTestAlert  ... ) == 0x0
 01725  1580   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01726  1896   NtContinue  (45153584, 1, ...
 01727  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01728  1896   NtRegisterThreadTerminatePort  (24, ...
 01727  1580   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01728  1896   NtRegisterThreadTerminatePort  ... ) == 0x0
 01729  1580   NtQuerySystemInformation  (Performance, 312, ...
 01730  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57988, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\240\3\0\0\364\5\0\0" ...  ...
 01731  1896   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01730  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57989, 0}  ... {28, 56, reply, 0, 928, 1740, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\240\3\0\0\364\5\0\0" )  ) == 0x0
 01732  1740   NtResumeThread  (336, ... 1, ) == 0x0
 01733  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 46202880, 1048576, ) == 0x0
 01734  1740   NtAllocateVirtualMemory  (-1, 47243264, 0, 8192, 4096, 4, ... 47243264, 8192, ) == 0x0
 01735  1740   NtProtectVirtualMemory  (-1, (0x2d0e000), 4096, 260, ... (0x2d0e000), 4096, 4, ) == 0x0
 01736  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01729  1580   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01731  1896   NtSetInformationThread  ... ) == 0x0
 01737  1524   NtTestAlert  (...
 01738  1580   NtQuerySystemInformation  (Exception, 16, ...
 01736  1740   NtCreateThread  ... 340, {928, 1944}, ) == 0x0
 01737  1524   NtTestAlert  ... ) == 0x0
 01738  1580   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01739  1740   NtQueryInformationThread  (340, Basic, 28, ...
 01740  1524   NtContinue  (46202160, 1, ...
 01741  1580   NtQuerySystemInformation  (Lookaside, 32, ...
 01739  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=928,Tid=1944,}, 0x0, ) == 0x0
 01742  1524   NtRegisterThreadTerminatePort  (24, ...
 01741  1580   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01743  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57989, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\240\3\0\0\230\7\0\0" ...  ...
 01742  1524   NtRegisterThreadTerminatePort  ... ) == 0x0
 01744  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01743  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57990, 0}  ... {28, 56, reply, 0, 928, 1740, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\240\3\0\0\230\7\0\0" )  ) == 0x0
 01745  1896   NtWaitForSingleObject  (244, 0, 0x0, ...
 01746  1524   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01744  1580   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01747  1740   NtResumeThread  (340, ...
 01748  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01747  1740   NtResumeThread  ... 1, ) == 0x0
 01748  1580   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01749  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01750  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01749  1740   NtAllocateVirtualMemory  ... 47251456, 1048576, ) == 0x0
 01750  1580   NtCreateKey  ... -2147481344, 2, ) == 0x0
 01751  1740   NtAllocateVirtualMemory  (-1, 48291840, 0, 8192, 4096, 4, ...
 01752  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\370S\246\270\2303\361i_\273\3227g/{>}:\360+ \332u\276A\311\224\224.yY\375\227\336\320\331\367\267[\362\315\20\323\3\352\361w\332!\21\364\313\10\351\2746?\276\265\355B\220$\26j\355\252-\354\246<\\263\375R\2337\372b\16", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "\370S\246\270\2303\361i_\273\3227g/{>}:\360+ \332u\276A\311\224\224.yY\375\227\336\320\331\367\267[\362\315\20\323\3\352\361w\332!\21\364\313\10\351\2746?\276\265\355B\220$\26j\355\252-\354\246<\\263\375R\2337\372b\16", 80, ... , 80, ...
 01751  1740   NtAllocateVirtualMemory  ... 48291840, 8192, ) == 0x0
 01746  1524   NtSetInformationThread  ... ) == 0x0
 01753  1944   NtTestAlert  (...
 01752  1580   NtSetValueKey  ... ) == 0x0
 01754  1740   NtProtectVirtualMemory  (-1, (0x2e0e000), 4096, 260, ...
 01753  1944   NtTestAlert  ... ) == 0x0
 01755  1580   NtClose  (-2147481344, ...
 01754  1740   NtProtectVirtualMemory  ... (0x2e0e000), 4096, 4, ) == 0x0
 01756  1944   NtContinue  (47250736, 1, ...
 01755  1580   NtClose  ... ) == 0x0
 01757  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01758  1944   NtRegisterThreadTerminatePort  (24, ...
 01723  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\4\303{\375\352w[Q\213\257`l\204&\335a^\312\226\337\232\352\232l\357\256m\6D\233\2\4\337\340[\251-\3479K\177\311\27R\204\26\214\304\276\251\1m\233k\5\3Q\307\376\320\304V\24f\34D\235U\260\270E\300\10\306\367\307\27\17\373|z|\304\17\351\267D\370\245@o\345g\3211\23\255.(v\203\273!nM\207\337w@L\15A]3\275K\317e6cH\340\5^\340m\0s\215\374\6\12z\221\374\225\324\2247\305u\244lx\375\264\242\263RuX\312\321\306Y\267\313\204\372\275R\257S<\277\257\370J(\323\377k\20\306\306\346\205\363#=\31\263\270\230I\351 \22TG\334\324s\30\312\267qW\303W\337x\12b\211\353\341E\300\267\231\375\371-i\2060\11\251\343\263\330\300Lg\3433+\372n\347M\2031\201\261\275b\250\307\20+\351f\226\0\257byq\303c\372\256\321|", ) , ) == 0x0
 01757  1740   NtCreateThread  ... 344, {928, 2044}, ) == 0x0
 01758  1944   NtRegisterThreadTerminatePort  ... ) == 0x0
 01759  1580   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "\221\370\260\225\336\25\373iH\244\364\203S\59\23\247,\264@\347\227\4\247,\264@\347\227\4\247,\264@\347\227\4\247,\264@\347\227\4\247,\264@\347-0K4\25\303L1\265\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01760  1740   NtQueryInformationThread  (344, Basic, 28, ...
 01761  1524   NtWaitForSingleObject  (244, 0, 0x0, ...
 01762  1580   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01760  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=928,Tid=2044,}, 0x0, ) == 0x0
 01763  1944   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01762  1580   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01764  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01765  1580   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01766  1580   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01767  1580   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01768  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01769  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01770  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57990, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\240\3\0\0\374\7\0\0" ...  ...
 01763  1944   NtSetInformationThread  ... ) == 0x0
 01770  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57991, 0}  ... {28, 56, reply, 0, 928, 1740, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\240\3\0\0\374\7\0\0" )  ) == 0x0
 01769  1580   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01771  1740   NtResumeThread  (344, ...
 01772  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01771  1740   NtResumeThread  ... 1, ) == 0x0
 01772  1580   NtCreateKey  ... -2147481344, 2, ) == 0x0
 01773  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01774  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\355h\177\23\314\353\344d[@)tJ&y\316\375o9\23\270\231\231O\223\32w\347\245$3}\2M\372n\2\304J\230\31t\274p3W\3469\30=\15\3573\316\223\356\20G\322\233\221\223\243#\222m\11\376\213/\331r\334\222\257\350\265u\265:", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "\355h\177\23\314\353\344d[@)tJ&y\316\375o9\23\270\231\231O\223\32w\347\245$3}\2M\372n\2\304J\230\31t\274p3W\3469\30=\15\3573\316\223\356\20G\322\233\221\223\243#\222m\11\376\213/\331r\334\222\257\350\265u\265:", 80, ... , 80, ...
 01775  1944   NtWaitForSingleObject  (244, 0, 0x0, ...
 01776  2044   NtTestAlert  (...
 01774  1580   NtSetValueKey  ... ) == 0x0
 01773  1740   NtAllocateVirtualMemory  ... 48300032, 1048576, ) == 0x0
 01776  2044   NtTestAlert  ... ) == 0x0
 01777  1580   NtClose  (-2147481344, ...
 01778  1740   NtAllocateVirtualMemory  (-1, 49340416, 0, 8192, 4096, 4, ...
 01779  2044   NtContinue  (48299312, 1, ...
 01778  1740   NtAllocateVirtualMemory  ... 49340416, 8192, ) == 0x0
 01780  2044   NtRegisterThreadTerminatePort  (24, ...
 01781  1740   NtProtectVirtualMemory  (-1, (0x2f0e000), 4096, 260, ...
 01780  2044   NtRegisterThreadTerminatePort  ... ) == 0x0
 01781  1740   NtProtectVirtualMemory  ... (0x2f0e000), 4096, 4, ) == 0x0
 01777  1580   NtClose  ... ) == 0x0
 01782  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01759  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\276V\304\2136\2102\11\3\3518\223\257g\254?\343yr\0I\15]\363L@\377\37\220\25xF\327\310\256\321\246\242\355\315v\314\271\237\354\6<\34\33B\261\364m\340/T_,\204B\276\300ZS>\322\363o\224\267\337[vm-\1\353\335'\31\275\251\3526\314\327\330$\16\4\252\325\371\377\273\220\227\264G\321\236`\221\22\207/\34\5\356fm\370T\251\12\210\303\344\301l\200T\17\22\335\343\12\333:Q8wb\2547\10\362K\241\3445\36\359\0MSW\351V\234\3238\326\261\207Y\334\335\273\13\10D\35)q\267\\277\26\277\232\210\\33w\263\331\22\277}\203ip4\22\353\363\257\372>n\313\255\0\34\232|\1q\343c\305\215\222\323z\350\205|s&\245I[Zp/`\344\345\243{rb\3\324\310\10\304G\227\36\14_X\273\272\16\273\327\334\354\324\363r\304\371\230\20\325\250\315&v", ) , ) == 0x0
 01783  2044   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01784  1580   NtDeviceIoControlFile  (300, 0, 0x0, 0x0, 0x390008,  (300, 0, 0x0, 0x0, 0x390008, "\221\370\260\225\336\25\373iH\244\364\203S\59\23\247,\264@\347\227\4\247,\264@\347\227\4\247,\264@\347\227\4\247,\264@\347\227\4\247,\264@\347\227\4\247,\264@\347-0K4\25\303L1\265\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01785  1580   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01786  1580   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01787  1580   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01788  1580   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01789  1580   NtQuerySystemInformation  (Lookaside, 32, ...
 01782  1740   NtCreateThread  ... 348, {928, 240}, ) == 0x0
 01783  2044   NtSetInformationThread  ... ) == 0x0
 01790  1740   NtQueryInformationThread  (348, Basic, 28, ...
 01789  1580   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01790  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=928,Tid=240,}, 0x0, ) == 0x0
 01791  1580   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01792  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57991, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\240\3\0\0\360\0\0\0" ...  ...
 01791  1580   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01792  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57992, 0}  ... {28, 56, reply, 0, 928, 1740, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\240\3\0\0\360\0\0\0" )  ) == 0x0
 01793  1580   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01794  2044   NtWaitForSingleObject  (244, 0, 0x0, ...
 01793  1580   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01795  1740   NtResumeThread  (348, ...
 01796  1580   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01795  1740   NtResumeThread  ... 1, ) == 0x0
 01797  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 49348608, 1048576, ) == 0x0
 01798  1740   NtAllocateVirtualMemory  (-1, 50388992, 0, 8192, 4096, 4, ... 50388992, 8192, ) == 0x0
 01799  1740   NtProtectVirtualMemory  (-1, (0x300e000), 4096, 260, ... (0x300e000), 4096, 4, ) == 0x0
 01800  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 352, {928, 968}, ) == 0x0
 01801  1740   NtQueryInformationThread  (352, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=928,Tid=968,}, 0x0, ) == 0x0
 01796  1580   NtCreateKey  ... -2147481344, 2, ) == 0x0
 01802   240   NtTestAlert  (...
 01803  1580   NtSetValueKey  (-2147481344,  (-2147481344, "Seed", 0, 3, "\275\3\16\321w\12LbI\32!\0\257$\220{\207\17\345")&\2721\266\324\304\236\31}\350<'u\252r\17\11\212\225\3\S/\270\333E\353\331\240\274\254xu\356A3\34\22u\247\376\202g}.\221%,\177\337\374\324o-\2148%\345\314", 80, ... , 0, 3,  (-2147481344, "Seed", 0, 3, "\275\3\16\321w\12LbI\32!\0\257$\220{\207\17\345")&\2721\266\324\304\236\31}\350<'u\252r\17\11\212\225\3\S/\270\333E\353\331\240\274\254xu\356A3\34\22u\247\376\202g}.\221%,\177\337\374\324o-\2148%\345\314", 80, ... )&\2721\266\324\304\236\31}\350<'u\252r\17\11\212\225\3\S/\270\333E\353\331\240\274\254xu\356A3\34\22u\247\376\202g}.\221%,\177\337\374\324o-\2148%\345\314", 80, ...
 01802   240   NtTestAlert  ... ) == 0x0
 01803  1580   NtSetValueKey  ... ) == 0x0
 01804   240   NtContinue  (49347888, 1, ...
 01805  1580   NtClose  (-2147481344, ...
 01806   240   NtRegisterThreadTerminatePort  (24, ...
 01805  1580   NtClose  ... ) == 0x0
 01806   240   NtRegisterThreadTerminatePort  ... ) == 0x0
 01784  1580   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, ";@\377\302$Q\223\305\301\177\260+}\41\21kP\314\350\220Jg\3450>\205\336(Y?\5\7F\11q\265\262\273?\204\333\34\270\363':\16]Q[U\354\242h\310\225\246\244$\372D\243s\254g\360\311\1Z\12@3\33\4i\217\233wq\251$@\262\13\341\250(\226'\240\5\324\211\260\365R\13L\342?\250\232\347\24|V\243\20vr\244\316:\367\243\354\11\372PN\360,\356\3\332\306\12L\210\27\350\326\373T~\263\2\355)\220\377\341\260`3\367\255\323\224\315~/\346,f<\343\317\352#\2!\277\35&\210{^\315\272\205\270", ) \341\260`3\367\255\323\224\315~/\346,f<\343\317\352#\2!\277\35&\210{^\315\272\205\270", ) == 0x0
 01807  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57992, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\240\3\0\0\310\3\0\0" ...  ...
 01808   240   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01807  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57993, 0}  ... {28, 56, reply, 0, 928, 1740, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\240\3\0\0\310\3\0\0" )  ) == 0x0
 01809  1740   NtResumeThread  (352, ... 1, ) == 0x0
 01810  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 50397184, 1048576, ) == 0x0
 01811  1740   NtAllocateVirtualMemory  (-1, 51437568, 0, 8192, 4096, 4, ... 51437568, 8192, ) == 0x0
 01812  1740   NtProtectVirtualMemory  (-1, (0x310e000), 4096, 260, ... (0x310e000), 4096, 4, ) == 0x0
 01813  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01814  1580   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01808   240   NtSetInformationThread  ... ) == 0x0
 01815   968   NtTestAlert  (...
 01814  1580   NtCreateEvent  ... 356, ) == 0x0
 01813  1740   NtCreateThread  ... 360, {928, 308}, ) == 0x0
 01815   968   NtTestAlert  ... ) == 0x0
 01816  1580   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ...
 01817  1740   NtQueryInformationThread  (360, Basic, 28, ...
 01818   968   NtContinue  (50396464, 1, ...
 01816  1580   NtOpenKey  ... 364, ) == 0x0
 01817  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=928,Tid=308,}, 0x0, ) == 0x0
 01819   968   NtRegisterThreadTerminatePort  (24, ...
 01820  1580   NtOpenKey  (0x20019, {24, 364, 0x40, 0, 0,  (0x20019, {24, 364, 0x40, 0, 0, "ActiveComputerName"}, ... }, ...
 01821  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57993, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\240\3\0\04\1\0\0" ...  ...
 01819   968   NtRegisterThreadTerminatePort  ... ) == 0x0
 01820  1580   NtOpenKey  ... 368, ) == 0x0
 01821  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57994, 0}  ... {28, 56, reply, 0, 928, 1740, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\240\3\0\04\1\0\0" )  ) == 0x0
 01822   240   NtWaitForSingleObject  (244, 0, 0x0, ...
 01823   968   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01824  1580   NtQueryValueKey  (368,  (368, "ComputerName", Full, 108, ... , Full, 108, ...
 01825  1740   NtResumeThread  (360, ...
 01824  1580   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01825  1740   NtResumeThread  ... 1, ) == 0x0
 01826  1580   NtClose  (368, ...
 01827  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01826  1580   NtClose  ... ) == 0x0
 01827  1740   NtAllocateVirtualMemory  ... 51445760, 1048576, ) == 0x0
 01828  1580   NtClose  (364, ...
 01829  1740   NtAllocateVirtualMemory  (-1, 52486144, 0, 8192, 4096, 4, ...
 01828  1580   NtClose  ... ) == 0x0
 01829  1740   NtAllocateVirtualMemory  ... 52486144, 8192, ) == 0x0
 01823   968   NtSetInformationThread  ... ) == 0x0
 01830   308   NtTestAlert  (...
 01831  1580   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ...
 01832  1740   NtProtectVirtualMemory  (-1, (0x320e000), 4096, 260, ...
 01830   308   NtTestAlert  ... ) == 0x0
 01831  1580   NtCreateIoCompletion  ... 364, ) == 0x0
 01832  1740   NtProtectVirtualMemory  ... (0x320e000), 4096, 4, ) == 0x0
 01833   308   NtContinue  (51445040, 1, ...
 01834  1580   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ...
 01835  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01836   308   NtRegisterThreadTerminatePort  (24, ...
 01837   968   NtWaitForSingleObject  (244, 0, 0x0, ...
 01835  1740   NtCreateThread  ... 368, {928, 764}, ) == 0x0
 01836   308   NtRegisterThreadTerminatePort  ... ) == 0x0
 01834  1580   NtCreateIoCompletion  ... 372, ) == 0x0
 01838  1740   NtQueryInformationThread  (368, Basic, 28, ...
 01839  1580   NtDuplicateObject  (-1, 364, -1, 0x0, 0, 2, ...
 01838  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=928,Tid=764,}, 0x0, ) == 0x0
 01839  1580   NtDuplicateObject  ... 376, ) == 0x0
 01840   308   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01841  1580   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01842  1580   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 01843  1580   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01844  1580   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01845  1580   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 13430976,  (0xc0100080, {24, 0, 0x40, 0, 13430976, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ...
 01846  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57994, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\240\3\0\0\374\2\0\0" ...  ...
 01840   308   NtSetInformationThread  ... ) == 0x0
 01846  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57995, 0}  ... {28, 56, reply, 0, 928, 1740, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\240\3\0\0\374\2\0\0" )  ) == 0x0
 01845  1580   NtCreateFile  ... 384, {status=0x0, info=1}, ) == 0x0
 01847  1740   NtResumeThread  (368, ...
 01848  1580   NtSetInformationFile  (384, 13431032, 8, Pipe, ...
 01847  1740   NtResumeThread  ... 1, ) == 0x0
 01848  1580   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 01849  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01850  1580   NtSetInformationFile  (384, 13431020, 8, Completion, ...
 01851   308   NtWaitForSingleObject  (244, 0, 0x0, ...
 01852   764   NtTestAlert  (...
 01850  1580   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 01849  1740   NtAllocateVirtualMemory  ... 52494336, 1048576, ) == 0x0
 01852   764   NtTestAlert  ... ) == 0x0
 01853  1580   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01854  1740   NtAllocateVirtualMemory  (-1, 53534720, 0, 8192, 4096, 4, ...
 01855   764   NtContinue  (52493616, 1, ...
 01854  1740   NtAllocateVirtualMemory  ... 53534720, 8192, ) == 0x0
 01856   764   NtRegisterThreadTerminatePort  (24, ...
 01857  1740   NtProtectVirtualMemory  (-1, (0x330e000), 4096, 260, ...
 01856   764   NtRegisterThreadTerminatePort  ... ) == 0x0
 01857  1740   NtProtectVirtualMemory  ... (0x330e000), 4096, 4, ) == 0x0
 01853  1580   NtSetInformationThread  ... ) == 0x0
 01858  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01859  1580   NtWriteFile  (384, 253, 0, 0,  (384, 253, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 01860   764   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01859  1580   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 01861  1580   NtReadFile  (384, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (384, 253, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01862  1580   NtFsControlFile  (384, 253, 0x0, 0x0, 0x11c017,  (384, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\314\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (384, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\314\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01863  1580   NtFsControlFile  (384, 253, 0x0, 0x0, 0x11c017,  (384, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\1\0\0\0\1\0\0\0&\0(\0\350\357\24\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) , 136, 1024, ... {status=0x103, info=48},  (384, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\1\0\0\0\1\0\0\0&\0(\0\350\357\24\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) , ) == 0x103
 01864  1580   NtFsControlFile  (384, 253, 0x0, 0x0, 0x11c017,  (384, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0 \25\25\0\1\0\0\0,\25\25\0 \0\0\0\1\0\0\0\30\0\32\08\25\25\0T\25\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\210\376\24\0\1\0\0\0\5\0i\0\230\376\24\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=156},  (384, 253, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0 \25\25\0\1\0\0\0,\25\25\0 \0\0\0\1\0\0\0\30\0\32\08\25\25\0T\25\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\210\376\24\0\1\0\0\0\5\0i\0\230\376\24\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01865  1580   NtClose  (380, ...
 01858  1740   NtCreateThread  ... 388, {928, 2000}, ) == 0x0
 01860   764   NtSetInformationThread  ... ) == 0x0
 01866  1740   NtQueryInformationThread  (388, Basic, 28, ...
 01865  1580   NtClose  ... ) == 0x0
 01866  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=928,Tid=2000,}, 0x0, ) == 0x0
 01867  1580   NtClose  (384, ...
 01868  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57995, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\240\3\0\0\320\7\0\0" ...  ...
 01867  1580   NtClose  ... ) == 0x0
 01868  1740   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 928, 1740, 57996, 0}  ... {28, 56, reply, 0, 928, 1740, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\240\3\0\0\320\7\0\0" )  ) == 0x0
 01869  1580   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1382416, 0x0, 13432900, 188, ... , {12, 2, 1, 1}, 0x0, 1382416, 0x0, 13432900, 188, ...
 01870   764   NtWaitForSingleObject  (244, 0, 0x0, ...
 01869  1580   NtSecureConnectPort  ... 384, 0x0, 0x0, 0x0, 188, ) == 0x0
 01871  1740   NtResumeThread  (388, ... 1, ) == 0x0
 01872  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 53542912, 1048576, ) == 0x0
 01873  1740   NtAllocateVirtualMemory  (-1, 54583296, 0, 8192, 4096, 4, ... 54583296, 8192, ) == 0x0
 01874  1740   NtProtectVirtualMemory  (-1, (0x340e000), 4096, 260, ... (0x340e000), 4096, 4, ) == 0x0
 01875  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 380, {928, 1852}, ) == 0x0
 01876  1740   NtQueryInformationThread  (380, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=928,Tid=1852,}, 0x0, ) == 0x0
 01877  1580   NtOpenThreadToken  (-2, 0xc, 1, ...
 01878  2000   NtTestAlert  (...
 01877  1580   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01878  2000   NtTestAlert  ... ) == 0x0
 01879  1580   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01880  2000   NtContinue  (53542192, 1, ...
 01879  1580   NtSetInformationThread  ... ) == 0x0
 01881  2000   NtRegisterThreadTerminatePort  (24, ...
 01882  1580   NtRequestWaitReplyPort  (384, {200, 224, new_msg, 0, 1365368, 12, 2, 1310977}  (384, {200, 224, new_msg, 0, 1365368, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0h\260\363I\5{\335d\213C \253\314\346\333N\12\0\0\0Y\25;\27\204\30x\2\0\0\0\0@\361\24\0\206\240\206w`\377Y\227(\0\0\0y\376\0\275\0\0\24\0\240\366\314\0\231>@\205\0\0\0\0\330\16\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\314\0\372\31\221|X\376\314\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01881  2000   NtRegisterThreadTerminatePort  ... ) == 0x0
 01883  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57996, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\240\3\0\0<\7\0\0" ... {28, 56, reply, 0, 928, 1740, 57999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\240\3\0\0<\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 57999, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\240\3\0\0<\7\0\0" ... {28, 56, reply, 0, 928, 1740, 57999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\240\3\0\0<\7\0\0" )  ) == 0x0
 01884  1740   NtResumeThread  (380, ... 1, ) == 0x0
 01885  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 54591488, 1048576, ) == 0x0
 01886  1740   NtAllocateVirtualMemory  (-1, 55631872, 0, 8192, 4096, 4, ... 55631872, 8192, ) == 0x0
 01887  1740   NtProtectVirtualMemory  (-1, (0x350e000), 4096, 260, ... (0x350e000), 4096, 4, ) == 0x0
 01888  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01889  2000   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01882  1580   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 928, 1580, 57998, 0}  ... {200, 224, reply, 0, 928, 1580, 57998, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\2\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0h\260\363I\5{\335d\213C \253\314\346\333N\12\0\0\0Y\25;\27\204\30x\2\0\0\0\0@\361\24\0\206\240\206w`\377Y\227(\0\0\0y\376\0\275\0\0\24\0\240\366\314\0\231>@\205\0\0\0\0\330\16\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\314\0\372\31\221|X\376\314\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01890  1852   NtTestAlert  (...
 01891  1580   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01890  1852   NtTestAlert  ... ) == 0x0
 01891  1580   NtSetInformationThread  ... ) == 0x0
 01892  1852   NtContinue  (54590768, 1, ...
 01893  1580   NtRequestWaitReplyPort  (384, {56, 80, new_msg, 0, 44, 3, 20, 0}  (384, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0\215\373FC\227[\347p\214Nse\1\0\0\0\0\0\0\0&\0(\0\14\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 01894  1852   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01888  1740   NtCreateThread  ... 392, {928, 1420}, ) == 0x0
 01889  2000   NtSetInformationThread  ... ) == 0x0
 01895  1740   NtQueryInformationThread  (392, Basic, 28, ...
 01896  1852   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01895  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=928,Tid=1420,}, 0x0, ) == 0x0
 01897  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 57999, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\240\3\0\0\214\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\240\3\0\0\214\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58001, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 57999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\240\3\0\0\214\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\240\3\0\0\214\5\0\0" )  ) == 0x0
 01898  1740   NtResumeThread  (392, ... 1, ) == 0x0
 01899  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 55640064, 1048576, ) == 0x0
 01900  1740   NtAllocateVirtualMemory  (-1, 56680448, 0, 8192, 4096, 4, ... 56680448, 8192, ) == 0x0
 01901  2000   NtWaitForSingleObject  (244, 0, 0x0, ...
 01896  1852   NtSetInformationThread  ... ) == 0x0
 01893  1580   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 928, 1580, 58000, 0}  ... {44, 68, reply, 0, 928, 1580, 58000, 0} "\4\31\221|\0\0\221|\200\300\227|p\31\221|\0\276\21\0\330\0\0\0\204-|\2\0\220\366\177\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01902  1420   NtTestAlert  (...
 01903  1740   NtProtectVirtualMemory  (-1, (0x360e000), 4096, 260, ...
 01904  1852   NtWaitForSingleObject  (244, 0, 0x0, ...
 01902  1420   NtTestAlert  ... ) == 0x0
 01903  1740   NtProtectVirtualMemory  ... (0x360e000), 4096, 4, ) == 0x0
 01905  1580   NtRaiseException  (13433360, 13432620, 1, ...
 01906  1420   NtContinue  (55639344, 1, ...
 01907  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01908  1580   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ...
 01909  1420   NtRegisterThreadTerminatePort  (24, ...
 01907  1740   NtCreateThread  ... 396, {928, 164}, ) == 0x0
 01908  1580   NtQueryVirtualMemory  ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01909  1420   NtRegisterThreadTerminatePort  ... ) == 0x0
 01910  1740   NtQueryInformationThread  (396, Basic, 28, ...
 01911  1580   NtContinue  (13431588, 0, ...
 01910  1740   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=928,Tid=164,}, 0x0, ) == 0x0
 01912  1420   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 01913  1420   NtWaitForSingleObject  (244, 0, 0x0, ...
 01914  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58001, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\240\3\0\0\244\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\240\3\0\0\244\0\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58002, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\240\3\0\0\244\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\240\3\0\0\244\0\0\0" )  ) == 0x0
 01915  1740   NtResumeThread  (396, ... 1, ) == 0x0
 01916  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01917   164   NtTestAlert  (... ) == 0x0
 01918   164   NtContinue  (56687920, 1, ...
 01919   164   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01920   164   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01916  1740   NtAllocateVirtualMemory  ... 56688640, 1048576, ) == 0x0
 01921  1740   NtAllocateVirtualMemory  (-1, 57729024, 0, 8192, 4096, 4, ... 57729024, 8192, ) == 0x0
 01922  1740   NtProtectVirtualMemory  (-1, (0x370e000), 4096, 260, ... (0x370e000), 4096, 4, ) == 0x0
 01923  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01924  1580   NtDeviceIoControlFile  (268, 200, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... {status=0x0, info=0}, "", ) == 0x103
 01925  1580   NtWaitForSingleObject  (200, 1, {-5000000, -1}, ...
 01923  1740   NtCreateThread  ... 400, {928, 1564}, ) == 0x0
 01926  1740   NtQueryInformationThread  (400, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=928,Tid=1564,}, 0x0, ) == 0x0
 01927  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58002, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\240\3\0\0\34\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\240\3\0\0\34\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58003, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\240\3\0\0\34\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\240\3\0\0\34\6\0\0" )  ) == 0x0
 01928  1740   NtResumeThread  (400, ... 1, ) == 0x0
 01929  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 57737216, 1048576, ) == 0x0
 01930  1740   NtAllocateVirtualMemory  (-1, 58777600, 0, 8192, 4096, 4, ... 58777600, 8192, ) == 0x0
 01931  1564   NtTestAlert  (... ) == 0x0
 01932  1564   NtContinue  (57736496, 1, ...
 01933  1564   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01934  1564   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01935  1740   NtProtectVirtualMemory  (-1, (0x380e000), 4096, 260, ... (0x380e000), 4096, 4, ) == 0x0
 01936  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 404, {928, 1592}, ) == 0x0
 01937  1740   NtQueryInformationThread  (404, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=928,Tid=1592,}, 0x0, ) == 0x0
 01938  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58003, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\240\3\0\08\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\240\3\0\08\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58004, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\240\3\0\08\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\240\3\0\08\6\0\0" )  ) == 0x0
 01939  1740   NtResumeThread  (404, ... 1, ) == 0x0
 01940  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01941  1592   NtTestAlert  (... ) == 0x0
 01942  1592   NtContinue  (58785072, 1, ...
 01943  1592   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01944  1592   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01940  1740   NtAllocateVirtualMemory  ... 58785792, 1048576, ) == 0x0
 01945  1740   NtAllocateVirtualMemory  (-1, 59826176, 0, 8192, 4096, 4, ... 59826176, 8192, ) == 0x0
 01946  1740   NtProtectVirtualMemory  (-1, (0x390e000), 4096, 260, ... (0x390e000), 4096, 4, ) == 0x0
 01947  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 408, {928, 2032}, ) == 0x0
 01948  1740   NtQueryInformationThread  (408, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=928,Tid=2032,}, 0x0, ) == 0x0
 01949  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58004, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\240\3\0\0\360\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\240\3\0\0\360\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58005, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\240\3\0\0\360\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\240\3\0\0\360\7\0\0" )  ) == 0x0
 01950  1740   NtResumeThread  (408, ... 1, ) == 0x0
 01951  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 59834368, 1048576, ) == 0x0
 01952  1740   NtAllocateVirtualMemory  (-1, 60874752, 0, 8192, 4096, 4, ... 60874752, 8192, ) == 0x0
 01953  2032   NtTestAlert  (... ) == 0x0
 01954  2032   NtContinue  (59833648, 1, ...
 01955  2032   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01956  2032   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01957  1740   NtProtectVirtualMemory  (-1, (0x3a0e000), 4096, 260, ... (0x3a0e000), 4096, 4, ) == 0x0
 01958  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 412, {928, 1500}, ) == 0x0
 01959  1740   NtQueryInformationThread  (412, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=928,Tid=1500,}, 0x0, ) == 0x0
 01960  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58005, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\240\3\0\0\334\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\240\3\0\0\334\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58006, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\240\3\0\0\334\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\240\3\0\0\334\5\0\0" )  ) == 0x0
 01961  1740   NtResumeThread  (412, ... 1, ) == 0x0
 01962  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01963  1500   NtTestAlert  (... ) == 0x0
 01964  1500   NtContinue  (60882224, 1, ...
 01965  1500   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01966  1500   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01962  1740   NtAllocateVirtualMemory  ... 60882944, 1048576, ) == 0x0
 01967  1740   NtAllocateVirtualMemory  (-1, 61923328, 0, 8192, 4096, 4, ... 61923328, 8192, ) == 0x0
 01968  1740   NtProtectVirtualMemory  (-1, (0x3b0e000), 4096, 260, ... (0x3b0e000), 4096, 4, ) == 0x0
 01969  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 416, {928, 932}, ) == 0x0
 01970  1740   NtQueryInformationThread  (416, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=928,Tid=932,}, 0x0, ) == 0x0
 01971  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58006, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\240\3\0\0\244\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\240\3\0\0\244\3\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58007, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\240\3\0\0\244\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\240\3\0\0\244\3\0\0" )  ) == 0x0
 01972  1740   NtResumeThread  (416, ... 1, ) == 0x0
 01973  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 61931520, 1048576, ) == 0x0
 01974  1740   NtAllocateVirtualMemory  (-1, 62971904, 0, 8192, 4096, 4, ... 62971904, 8192, ) == 0x0
 01975   932   NtTestAlert  (... ) == 0x0
 01976   932   NtContinue  (61930800, 1, ...
 01977   932   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01978   932   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01979  1740   NtProtectVirtualMemory  (-1, (0x3c0e000), 4096, 260, ... (0x3c0e000), 4096, 4, ) == 0x0
 01980  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 420, {928, 1528}, ) == 0x0
 01981  1740   NtQueryInformationThread  (420, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=928,Tid=1528,}, 0x0, ) == 0x0
 01982  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58007, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\240\3\0\0\370\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\240\3\0\0\370\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58008, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\240\3\0\0\370\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\240\3\0\0\370\5\0\0" )  ) == 0x0
 01983  1740   NtResumeThread  (420, ... 1, ) == 0x0
 01984  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01985  1528   NtAllocateVirtualMemory  (-1, 8806400, 0, 4096, 4096, 4, ... 8806400, 4096, ) == 0x0
 01986  1528   NtTestAlert  (... ) == 0x0
 01987  1528   NtContinue  (62979376, 1, ...
 01988  1528   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01989  1528   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 01984  1740   NtAllocateVirtualMemory  ... 62980096, 1048576, ) == 0x0
 01990  1740   NtAllocateVirtualMemory  (-1, 64020480, 0, 8192, 4096, 4, ... 64020480, 8192, ) == 0x0
 01991  1740   NtProtectVirtualMemory  (-1, (0x3d0e000), 4096, 260, ... (0x3d0e000), 4096, 4, ) == 0x0
 01992  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 424, {928, 1780}, ) == 0x0
 01993  1740   NtQueryInformationThread  (424, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=928,Tid=1780,}, 0x0, ) == 0x0
 01994  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58008, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\240\3\0\0\364\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\240\3\0\0\364\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58009, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\240\3\0\0\364\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\240\3\0\0\364\6\0\0" )  ) == 0x0
 01995  1740   NtResumeThread  (424, ... 1, ) == 0x0
 01996  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 64028672, 1048576, ) == 0x0
 01997  1740   NtAllocateVirtualMemory  (-1, 65069056, 0, 8192, 4096, 4, ... 65069056, 8192, ) == 0x0
 01998  1780   NtTestAlert  (... ) == 0x0
 01999  1780   NtContinue  (64027952, 1, ...
 02000  1780   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02001  1780   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02002  1740   NtProtectVirtualMemory  (-1, (0x3e0e000), 4096, 260, ... (0x3e0e000), 4096, 4, ) == 0x0
 02003  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 428, {928, 1804}, ) == 0x0
 02004  1740   NtQueryInformationThread  (428, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=928,Tid=1804,}, 0x0, ) == 0x0
 02005  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58009, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\240\3\0\0\14\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\240\3\0\0\14\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58010, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\240\3\0\0\14\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\240\3\0\0\14\7\0\0" )  ) == 0x0
 02006  1740   NtResumeThread  (428, ... 1, ) == 0x0
 02007  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02008  1804   NtTestAlert  (... ) == 0x0
 02009  1804   NtContinue  (65076528, 1, ...
 02010  1804   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02011  1804   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02007  1740   NtAllocateVirtualMemory  ... 65077248, 1048576, ) == 0x0
 02012  1740   NtAllocateVirtualMemory  (-1, 66117632, 0, 8192, 4096, 4, ... 66117632, 8192, ) == 0x0
 02013  1740   NtProtectVirtualMemory  (-1, (0x3f0e000), 4096, 260, ... (0x3f0e000), 4096, 4, ) == 0x0
 02014  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 432, {928, 1644}, ) == 0x0
 02015  1740   NtQueryInformationThread  (432, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=928,Tid=1644,}, 0x0, ) == 0x0
 02016  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58010, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\240\3\0\0l\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\240\3\0\0l\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58011, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\240\3\0\0l\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\240\3\0\0l\6\0\0" )  ) == 0x0
 02017  1740   NtResumeThread  (432, ... 1, ) == 0x0
 02018  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 66125824, 1048576, ) == 0x0
 02019  1740   NtAllocateVirtualMemory  (-1, 67166208, 0, 8192, 4096, 4, ... 67166208, 8192, ) == 0x0
 02020  1644   NtTestAlert  (... ) == 0x0
 02021  1644   NtContinue  (66125104, 1, ...
 02022  1644   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02023  1644   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02024  1740   NtProtectVirtualMemory  (-1, (0x400e000), 4096, 260, ... (0x400e000), 4096, 4, ) == 0x0
 02025  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 436, {928, 336}, ) == 0x0
 02026  1740   NtQueryInformationThread  (436, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=928,Tid=336,}, 0x0, ) == 0x0
 02027  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58011, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\240\3\0\0P\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\240\3\0\0P\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58012, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\240\3\0\0P\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\240\3\0\0P\1\0\0" )  ) == 0x0
 02028  1740   NtResumeThread  (436, ... 1, ) == 0x0
 02029  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02030   336   NtTestAlert  (... ) == 0x0
 02031   336   NtContinue  (67173680, 1, ...
 02032   336   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02033   336   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02029  1740   NtAllocateVirtualMemory  ... 67174400, 1048576, ) == 0x0
 02034  1740   NtAllocateVirtualMemory  (-1, 68214784, 0, 8192, 4096, 4, ... 68214784, 8192, ) == 0x0
 02035  1740   NtProtectVirtualMemory  (-1, (0x410e000), 4096, 260, ... (0x410e000), 4096, 4, ) == 0x0
 02036  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 440, {928, 800}, ) == 0x0
 02037  1740   NtQueryInformationThread  (440, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=928,Tid=800,}, 0x0, ) == 0x0
 02038  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58012, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\240\3\0\0 \3\0\0" ... {28, 56, reply, 0, 928, 1740, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\240\3\0\0 \3\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58013, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\240\3\0\0 \3\0\0" ... {28, 56, reply, 0, 928, 1740, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\240\3\0\0 \3\0\0" )  ) == 0x0
 02039  1740   NtResumeThread  (440, ... 1, ) == 0x0
 02040  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 68222976, 1048576, ) == 0x0
 02041  1740   NtAllocateVirtualMemory  (-1, 69263360, 0, 8192, 4096, 4, ... 69263360, 8192, ) == 0x0
 02042   800   NtTestAlert  (... ) == 0x0
 02043   800   NtContinue  (68222256, 1, ...
 02044   800   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02045   800   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02046  1740   NtProtectVirtualMemory  (-1, (0x420e000), 4096, 260, ... (0x420e000), 4096, 4, ) == 0x0
 02047  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 444, {928, 504}, ) == 0x0
 02048  1740   NtQueryInformationThread  (444, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=928,Tid=504,}, 0x0, ) == 0x0
 02049  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58013, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\240\3\0\0\370\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\240\3\0\0\370\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58014, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\240\3\0\0\370\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\240\3\0\0\370\1\0\0" )  ) == 0x0
 02050  1740   NtResumeThread  (444, ... 1, ) == 0x0
 02051  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02052   504   NtTestAlert  (... ) == 0x0
 02053   504   NtContinue  (69270832, 1, ...
 02054   504   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02055   504   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02051  1740   NtAllocateVirtualMemory  ... 69271552, 1048576, ) == 0x0
 02056  1740   NtAllocateVirtualMemory  (-1, 70311936, 0, 8192, 4096, 4, ... 70311936, 8192, ) == 0x0
 02057  1740   NtProtectVirtualMemory  (-1, (0x430e000), 4096, 260, ... (0x430e000), 4096, 4, ) == 0x0
 02058  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 448, {928, 888}, ) == 0x0
 02059  1740   NtQueryInformationThread  (448, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=928,Tid=888,}, 0x0, ) == 0x0
 02060  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58014, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\240\3\0\0x\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\240\3\0\0x\3\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58015, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\240\3\0\0x\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\240\3\0\0x\3\0\0" )  ) == 0x0
 02061  1740   NtResumeThread  (448, ... 1, ) == 0x0
 02062  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 70320128, 1048576, ) == 0x0
 02063  1740   NtAllocateVirtualMemory  (-1, 71360512, 0, 8192, 4096, 4, ... 71360512, 8192, ) == 0x0
 02064   888   NtTestAlert  (... ) == 0x0
 02065   888   NtContinue  (70319408, 1, ...
 02066   888   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02067   888   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02068  1740   NtProtectVirtualMemory  (-1, (0x440e000), 4096, 260, ... (0x440e000), 4096, 4, ) == 0x0
 02069  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 452, {928, 1392}, ) == 0x0
 02070  1740   NtQueryInformationThread  (452, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=928,Tid=1392,}, 0x0, ) == 0x0
 02071  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58015, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\240\3\0\0p\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\240\3\0\0p\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58016, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\240\3\0\0p\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\240\3\0\0p\5\0\0" )  ) == 0x0
 02072  1740   NtResumeThread  (452, ... 1, ) == 0x0
 02073  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02074  1392   NtTestAlert  (... ) == 0x0
 02075  1392   NtContinue  (71367984, 1, ...
 02076  1392   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02077  1392   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02073  1740   NtAllocateVirtualMemory  ... 71368704, 1048576, ) == 0x0
 02078  1740   NtAllocateVirtualMemory  (-1, 72409088, 0, 8192, 4096, 4, ... 72409088, 8192, ) == 0x0
 02079  1740   NtProtectVirtualMemory  (-1, (0x450e000), 4096, 260, ... (0x450e000), 4096, 4, ) == 0x0
 02080  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 456, {928, 2020}, ) == 0x0
 02081  1740   NtQueryInformationThread  (456, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=928,Tid=2020,}, 0x0, ) == 0x0
 02082  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58016, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\240\3\0\0\344\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\240\3\0\0\344\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58017, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\240\3\0\0\344\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\240\3\0\0\344\7\0\0" )  ) == 0x0
 02083  1740   NtResumeThread  (456, ... 1, ) == 0x0
 02084  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 72417280, 1048576, ) == 0x0
 02085  1740   NtAllocateVirtualMemory  (-1, 73457664, 0, 8192, 4096, 4, ... 73457664, 8192, ) == 0x0
 02086  2020   NtTestAlert  (... ) == 0x0
 02087  2020   NtContinue  (72416560, 1, ...
 02088  2020   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02089  2020   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02090  1740   NtProtectVirtualMemory  (-1, (0x460e000), 4096, 260, ... (0x460e000), 4096, 4, ) == 0x0
 02091  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 460, {928, 740}, ) == 0x0
 02092  1740   NtQueryInformationThread  (460, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=928,Tid=740,}, 0x0, ) == 0x0
 02093  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58017, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\240\3\0\0\344\2\0\0" ... {28, 56, reply, 0, 928, 1740, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\240\3\0\0\344\2\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58018, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\240\3\0\0\344\2\0\0" ... {28, 56, reply, 0, 928, 1740, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\240\3\0\0\344\2\0\0" )  ) == 0x0
 02094  1740   NtResumeThread  (460, ... 1, ) == 0x0
 02095  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02096   740   NtTestAlert  (... ) == 0x0
 02097   740   NtContinue  (73465136, 1, ...
 02098   740   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02099   740   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02095  1740   NtAllocateVirtualMemory  ... 73465856, 1048576, ) == 0x0
 02100  1740   NtAllocateVirtualMemory  (-1, 74506240, 0, 8192, 4096, 4, ... 74506240, 8192, ) == 0x0
 02101  1740   NtProtectVirtualMemory  (-1, (0x470e000), 4096, 260, ... (0x470e000), 4096, 4, ) == 0x0
 02102  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 464, {928, 1676}, ) == 0x0
 02103  1740   NtQueryInformationThread  (464, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=928,Tid=1676,}, 0x0, ) == 0x0
 02104  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58018, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\240\3\0\0\214\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\240\3\0\0\214\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58019, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\240\3\0\0\214\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\240\3\0\0\214\6\0\0" )  ) == 0x0
 02105  1740   NtResumeThread  (464, ... 1, ) == 0x0
 02106  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 74514432, 1048576, ) == 0x0
 02107  1740   NtAllocateVirtualMemory  (-1, 75554816, 0, 8192, 4096, 4, ... 75554816, 8192, ) == 0x0
 02108  1676   NtTestAlert  (... ) == 0x0
 02109  1676   NtContinue  (74513712, 1, ...
 02110  1676   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02111  1676   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02112  1740   NtProtectVirtualMemory  (-1, (0x480e000), 4096, 260, ... (0x480e000), 4096, 4, ) == 0x0
 02113  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 468, {928, 496}, ) == 0x0
 02114  1740   NtQueryInformationThread  (468, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=928,Tid=496,}, 0x0, ) == 0x0
 02115  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58019, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\240\3\0\0\360\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\240\3\0\0\360\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58020, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\240\3\0\0\360\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\240\3\0\0\360\1\0\0" )  ) == 0x0
 02116  1740   NtResumeThread  (468, ... 1, ) == 0x0
 02117  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02118   496   NtTestAlert  (... ) == 0x0
 02119   496   NtContinue  (75562288, 1, ...
 02120   496   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02121   496   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02117  1740   NtAllocateVirtualMemory  ... 75563008, 1048576, ) == 0x0
 02122  1740   NtAllocateVirtualMemory  (-1, 76603392, 0, 8192, 4096, 4, ... 76603392, 8192, ) == 0x0
 02123  1740   NtProtectVirtualMemory  (-1, (0x490e000), 4096, 260, ... (0x490e000), 4096, 4, ) == 0x0
 02124  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 472, {928, 1020}, ) == 0x0
 02125  1740   NtQueryInformationThread  (472, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=928,Tid=1020,}, 0x0, ) == 0x0
 02126  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58020, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\240\3\0\0\374\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\240\3\0\0\374\3\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58021, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\240\3\0\0\374\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\240\3\0\0\374\3\0\0" )  ) == 0x0
 02127  1740   NtResumeThread  (472, ... 1, ) == 0x0
 02128  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 76611584, 1048576, ) == 0x0
 02129  1740   NtAllocateVirtualMemory  (-1, 77651968, 0, 8192, 4096, 4, ... 77651968, 8192, ) == 0x0
 02130  1020   NtTestAlert  (... ) == 0x0
 02131  1020   NtContinue  (76610864, 1, ...
 02132  1020   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02133  1020   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02134  1740   NtProtectVirtualMemory  (-1, (0x4a0e000), 4096, 260, ... (0x4a0e000), 4096, 4, ) == 0x0
 02135  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 476, {928, 432}, ) == 0x0
 02136  1740   NtQueryInformationThread  (476, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=928,Tid=432,}, 0x0, ) == 0x0
 02137  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58021, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\240\3\0\0\260\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\240\3\0\0\260\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58022, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\240\3\0\0\260\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\240\3\0\0\260\1\0\0" )  ) == 0x0
 02138  1740   NtResumeThread  (476, ... 1, ) == 0x0
 02139  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02140   432   NtTestAlert  (... ) == 0x0
 02141   432   NtContinue  (77659440, 1, ...
 02142   432   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02143   432   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02139  1740   NtAllocateVirtualMemory  ... 77660160, 1048576, ) == 0x0
 02144  1740   NtAllocateVirtualMemory  (-1, 78700544, 0, 8192, 4096, 4, ... 78700544, 8192, ) == 0x0
 02145  1740   NtProtectVirtualMemory  (-1, (0x4b0e000), 4096, 260, ... (0x4b0e000), 4096, 4, ) == 0x0
 02146  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 480, {928, 1332}, ) == 0x0
 02147  1740   NtQueryInformationThread  (480, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=928,Tid=1332,}, 0x0, ) == 0x0
 02148  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58022, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\240\3\0\04\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\240\3\0\04\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58023, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\240\3\0\04\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\240\3\0\04\5\0\0" )  ) == 0x0
 02149  1740   NtResumeThread  (480, ... 1, ) == 0x0
 02150  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 78708736, 1048576, ) == 0x0
 02151  1740   NtAllocateVirtualMemory  (-1, 79749120, 0, 8192, 4096, 4, ... 79749120, 8192, ) == 0x0
 02152  1332   NtTestAlert  (... ) == 0x0
 02153  1332   NtContinue  (78708016, 1, ...
 02154  1332   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02155  1332   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02156  1740   NtProtectVirtualMemory  (-1, (0x4c0e000), 4096, 260, ... (0x4c0e000), 4096, 4, ) == 0x0
 02157  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 484, {928, 1328}, ) == 0x0
 02158  1740   NtQueryInformationThread  (484, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=928,Tid=1328,}, 0x0, ) == 0x0
 02159  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58023, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\240\3\0\00\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\240\3\0\00\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58024, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\240\3\0\00\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\240\3\0\00\5\0\0" )  ) == 0x0
 02160  1740   NtResumeThread  (484, ... 1, ) == 0x0
 02161  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02162  1328   NtTestAlert  (... ) == 0x0
 02163  1328   NtContinue  (79756592, 1, ...
 02164  1328   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02165  1328   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02161  1740   NtAllocateVirtualMemory  ... 79757312, 1048576, ) == 0x0
 02166  1740   NtAllocateVirtualMemory  (-1, 80797696, 0, 8192, 4096, 4, ... 80797696, 8192, ) == 0x0
 02167  1740   NtProtectVirtualMemory  (-1, (0x4d0e000), 4096, 260, ... (0x4d0e000), 4096, 4, ) == 0x0
 02168  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 488, {928, 752}, ) == 0x0
 02169  1740   NtQueryInformationThread  (488, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=928,Tid=752,}, 0x0, ) == 0x0
 02170  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58024, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\240\3\0\0\360\2\0\0" ... {28, 56, reply, 0, 928, 1740, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\240\3\0\0\360\2\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58025, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\240\3\0\0\360\2\0\0" ... {28, 56, reply, 0, 928, 1740, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\240\3\0\0\360\2\0\0" )  ) == 0x0
 02171  1740   NtResumeThread  (488, ... 1, ) == 0x0
 02172  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 80805888, 1048576, ) == 0x0
 02173  1740   NtAllocateVirtualMemory  (-1, 81846272, 0, 8192, 4096, 4, ... 81846272, 8192, ) == 0x0
 02174   752   NtTestAlert  (... ) == 0x0
 02175   752   NtContinue  (80805168, 1, ...
 02176   752   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02177   752   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02178  1740   NtProtectVirtualMemory  (-1, (0x4e0e000), 4096, 260, ... (0x4e0e000), 4096, 4, ) == 0x0
 02179  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 492, {928, 120}, ) == 0x0
 02180  1740   NtQueryInformationThread  (492, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=928,Tid=120,}, 0x0, ) == 0x0
 02181  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58025, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\240\3\0\0x\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\240\3\0\0x\0\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58026, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\240\3\0\0x\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\240\3\0\0x\0\0\0" )  ) == 0x0
 02182  1740   NtResumeThread  (492, ... 1, ) == 0x0
 02183  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02184   120   NtTestAlert  (... ) == 0x0
 02185   120   NtContinue  (81853744, 1, ...
 02186   120   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02187   120   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02183  1740   NtAllocateVirtualMemory  ... 81854464, 1048576, ) == 0x0
 02188  1740   NtAllocateVirtualMemory  (-1, 82894848, 0, 8192, 4096, 4, ... 82894848, 8192, ) == 0x0
 02189  1740   NtProtectVirtualMemory  (-1, (0x4f0e000), 4096, 260, ... (0x4f0e000), 4096, 4, ) == 0x0
 02190  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 496, {928, 1732}, ) == 0x0
 02191  1740   NtQueryInformationThread  (496, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=928,Tid=1732,}, 0x0, ) == 0x0
 02192  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58026, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\240\3\0\0\304\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\240\3\0\0\304\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58027, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\240\3\0\0\304\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\240\3\0\0\304\6\0\0" )  ) == 0x0
 02193  1740   NtResumeThread  (496, ... 1, ) == 0x0
 02194  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 82903040, 1048576, ) == 0x0
 02195  1740   NtAllocateVirtualMemory  (-1, 83943424, 0, 8192, 4096, 4, ... 83943424, 8192, ) == 0x0
 02196  1732   NtTestAlert  (... ) == 0x0
 02197  1732   NtContinue  (82902320, 1, ...
 02198  1732   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02199  1732   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02200  1740   NtProtectVirtualMemory  (-1, (0x500e000), 4096, 260, ... (0x500e000), 4096, 4, ) == 0x0
 02201  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 500, {928, 188}, ) == 0x0
 02202  1740   NtQueryInformationThread  (500, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=928,Tid=188,}, 0x0, ) == 0x0
 02203  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58027, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\240\3\0\0\274\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\240\3\0\0\274\0\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58028, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\240\3\0\0\274\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\240\3\0\0\274\0\0\0" )  ) == 0x0
 02204  1740   NtResumeThread  (500, ... 1, ) == 0x0
 02205  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02206   188   NtTestAlert  (... ) == 0x0
 02207   188   NtContinue  (83950896, 1, ...
 02208   188   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02209   188   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02205  1740   NtAllocateVirtualMemory  ... 83951616, 1048576, ) == 0x0
 02210  1740   NtAllocateVirtualMemory  (-1, 84992000, 0, 8192, 4096, 4, ... 84992000, 8192, ) == 0x0
 02211  1740   NtProtectVirtualMemory  (-1, (0x510e000), 4096, 260, ... (0x510e000), 4096, 4, ) == 0x0
 02212  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 504, {928, 1636}, ) == 0x0
 02213  1740   NtQueryInformationThread  (504, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=928,Tid=1636,}, 0x0, ) == 0x0
 02214  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58028, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\240\3\0\0d\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\240\3\0\0d\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58029, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\240\3\0\0d\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\240\3\0\0d\6\0\0" )  ) == 0x0
 02215  1740   NtResumeThread  (504, ... 1, ) == 0x0
 02216  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 85000192, 1048576, ) == 0x0
 02217  1740   NtAllocateVirtualMemory  (-1, 86040576, 0, 8192, 4096, 4, ... 86040576, 8192, ) == 0x0
 02218  1636   NtTestAlert  (... ) == 0x0
 02219  1636   NtContinue  (84999472, 1, ...
 02220  1636   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02221  1636   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02222  1740   NtProtectVirtualMemory  (-1, (0x520e000), 4096, 260, ... (0x520e000), 4096, 4, ) == 0x0
 02223  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 508, {928, 624}, ) == 0x0
 02224  1740   NtQueryInformationThread  (508, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=928,Tid=624,}, 0x0, ) == 0x0
 02225  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58029, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\240\3\0\0p\2\0\0" ... {28, 56, reply, 0, 928, 1740, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\240\3\0\0p\2\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58030, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\240\3\0\0p\2\0\0" ... {28, 56, reply, 0, 928, 1740, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\240\3\0\0p\2\0\0" )  ) == 0x0
 02226  1740   NtResumeThread  (508, ... 1, ) == 0x0
 02227  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02228   624   NtTestAlert  (... ) == 0x0
 02229   624   NtContinue  (86048048, 1, ...
 02230   624   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02231   624   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02227  1740   NtAllocateVirtualMemory  ... 86048768, 1048576, ) == 0x0
 02232  1740   NtAllocateVirtualMemory  (-1, 87089152, 0, 8192, 4096, 4, ... 87089152, 8192, ) == 0x0
 02233  1740   NtProtectVirtualMemory  (-1, (0x530e000), 4096, 260, ... (0x530e000), 4096, 4, ) == 0x0
 02234  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 512, {928, 1948}, ) == 0x0
 02235  1740   NtQueryInformationThread  (512, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=928,Tid=1948,}, 0x0, ) == 0x0
 02236  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58030, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\240\3\0\0\234\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\240\3\0\0\234\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58031, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\240\3\0\0\234\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\240\3\0\0\234\7\0\0" )  ) == 0x0
 02237  1740   NtResumeThread  (512, ... 1, ) == 0x0
 02238  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 87097344, 1048576, ) == 0x0
 02239  1740   NtAllocateVirtualMemory  (-1, 88137728, 0, 8192, 4096, 4, ... 88137728, 8192, ) == 0x0
 02240  1948   NtTestAlert  (... ) == 0x0
 02241  1948   NtContinue  (87096624, 1, ...
 02242  1948   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02243  1948   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02244  1740   NtProtectVirtualMemory  (-1, (0x540e000), 4096, 260, ... (0x540e000), 4096, 4, ) == 0x0
 02245  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 516, {928, 988}, ) == 0x0
 02246  1740   NtQueryInformationThread  (516, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=928,Tid=988,}, 0x0, ) == 0x0
 02247  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58031, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\240\3\0\0\334\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\240\3\0\0\334\3\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58032, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\240\3\0\0\334\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\240\3\0\0\334\3\0\0" )  ) == 0x0
 02248  1740   NtResumeThread  (516, ... 1, ) == 0x0
 02249  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02250   988   NtTestAlert  (... ) == 0x0
 02251   988   NtContinue  (88145200, 1, ...
 02252   988   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02253   988   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02249  1740   NtAllocateVirtualMemory  ... 88145920, 1048576, ) == 0x0
 02254  1740   NtAllocateVirtualMemory  (-1, 89186304, 0, 8192, 4096, 4, ... 89186304, 8192, ) == 0x0
 02255  1740   NtProtectVirtualMemory  (-1, (0x550e000), 4096, 260, ... (0x550e000), 4096, 4, ) == 0x0
 02256  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 520, {928, 468}, ) == 0x0
 02257  1740   NtQueryInformationThread  (520, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=928,Tid=468,}, 0x0, ) == 0x0
 02258  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58032, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\240\3\0\0\324\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\240\3\0\0\324\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58033, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\240\3\0\0\324\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\240\3\0\0\324\1\0\0" )  ) == 0x0
 02259  1740   NtResumeThread  (520, ... 1, ) == 0x0
 02260  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 89194496, 1048576, ) == 0x0
 02261  1740   NtAllocateVirtualMemory  (-1, 90234880, 0, 8192, 4096, 4, ... 90234880, 8192, ) == 0x0
 02262   468   NtTestAlert  (... ) == 0x0
 02263   468   NtContinue  (89193776, 1, ...
 02264   468   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02265   468   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02266  1740   NtProtectVirtualMemory  (-1, (0x560e000), 4096, 260, ... (0x560e000), 4096, 4, ) == 0x0
 02267  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 524, {928, 380}, ) == 0x0
 02268  1740   NtQueryInformationThread  (524, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=928,Tid=380,}, 0x0, ) == 0x0
 02269  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58033, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\240\3\0\0|\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\240\3\0\0|\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58034, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\240\3\0\0|\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\240\3\0\0|\1\0\0" )  ) == 0x0
 02270  1740   NtResumeThread  (524, ... 1, ) == 0x0
 02271  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02272   380   NtTestAlert  (... ) == 0x0
 02273   380   NtContinue  (90242352, 1, ...
 02274   380   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02275   380   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02271  1740   NtAllocateVirtualMemory  ... 90243072, 1048576, ) == 0x0
 02276  1740   NtAllocateVirtualMemory  (-1, 91283456, 0, 8192, 4096, 4, ... 91283456, 8192, ) == 0x0
 02277  1740   NtProtectVirtualMemory  (-1, (0x570e000), 4096, 260, ... (0x570e000), 4096, 4, ) == 0x0
 02278  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 528, {928, 1692}, ) == 0x0
 02279  1740   NtQueryInformationThread  (528, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=928,Tid=1692,}, 0x0, ) == 0x0
 02280  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58034, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\240\3\0\0\234\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\240\3\0\0\234\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58035, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\240\3\0\0\234\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\240\3\0\0\234\6\0\0" )  ) == 0x0
 02281  1740   NtResumeThread  (528, ... 1, ) == 0x0
 02282  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 91291648, 1048576, ) == 0x0
 02283  1740   NtAllocateVirtualMemory  (-1, 92332032, 0, 8192, 4096, 4, ... 92332032, 8192, ) == 0x0
 02284  1692   NtTestAlert  (... ) == 0x0
 02285  1692   NtContinue  (91290928, 1, ...
 02286  1692   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02287  1692   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02288  1740   NtProtectVirtualMemory  (-1, (0x580e000), 4096, 260, ... (0x580e000), 4096, 4, ) == 0x0
 02289  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 532, {928, 1792}, ) == 0x0
 02290  1740   NtQueryInformationThread  (532, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=928,Tid=1792,}, 0x0, ) == 0x0
 02291  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58035, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\240\3\0\0\0\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\240\3\0\0\0\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58036, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\240\3\0\0\0\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\240\3\0\0\0\7\0\0" )  ) == 0x0
 02292  1740   NtResumeThread  (532, ... 1, ) == 0x0
 02293  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02294  1792   NtTestAlert  (... ) == 0x0
 02295  1792   NtContinue  (92339504, 1, ...
 02296  1792   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02297  1792   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02293  1740   NtAllocateVirtualMemory  ... 92340224, 1048576, ) == 0x0
 02298  1740   NtAllocateVirtualMemory  (-1, 93380608, 0, 8192, 4096, 4, ... 93380608, 8192, ) == 0x0
 02299  1740   NtProtectVirtualMemory  (-1, (0x590e000), 4096, 260, ... (0x590e000), 4096, 4, ) == 0x0
 02300  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 536, {928, 784}, ) == 0x0
 02301  1740   NtQueryInformationThread  (536, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=928,Tid=784,}, 0x0, ) == 0x0
 02302  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58036, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\240\3\0\0\20\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\240\3\0\0\20\3\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58037, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\240\3\0\0\20\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\240\3\0\0\20\3\0\0" )  ) == 0x0
 02303  1740   NtResumeThread  (536, ... 1, ) == 0x0
 02304  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 93388800, 1048576, ) == 0x0
 02305  1740   NtAllocateVirtualMemory  (-1, 94429184, 0, 8192, 4096, 4, ... 94429184, 8192, ) == 0x0
 02306   784   NtAllocateVirtualMemory  (-1, 8810496, 0, 4096, 4096, 4, ... 8810496, 4096, ) == 0x0
 02307   784   NtTestAlert  (... ) == 0x0
 02308   784   NtContinue  (93388080, 1, ...
 02309   784   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02310   784   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02311  1740   NtProtectVirtualMemory  (-1, (0x5a0e000), 4096, 260, ... (0x5a0e000), 4096, 4, ) == 0x0
 02312  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 540, {928, 1520}, ) == 0x0
 02313  1740   NtQueryInformationThread  (540, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=928,Tid=1520,}, 0x0, ) == 0x0
 02314  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58037, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\240\3\0\0\360\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\240\3\0\0\360\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58038, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\240\3\0\0\360\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\240\3\0\0\360\5\0\0" )  ) == 0x0
 02315  1740   NtResumeThread  (540, ... 1, ) == 0x0
 02316  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02317  1520   NtTestAlert  (... ) == 0x0
 02318  1520   NtContinue  (94436656, 1, ...
 02319  1520   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02320  1520   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02316  1740   NtAllocateVirtualMemory  ... 94437376, 1048576, ) == 0x0
 02321  1740   NtAllocateVirtualMemory  (-1, 95477760, 0, 8192, 4096, 4, ... 95477760, 8192, ) == 0x0
 02322  1740   NtProtectVirtualMemory  (-1, (0x5b0e000), 4096, 260, ... (0x5b0e000), 4096, 4, ) == 0x0
 02323  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 544, {928, 1696}, ) == 0x0
 02324  1740   NtQueryInformationThread  (544, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=928,Tid=1696,}, 0x0, ) == 0x0
 02325  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58038, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\240\3\0\0\240\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\240\3\0\0\240\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58039, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\240\3\0\0\240\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\240\3\0\0\240\6\0\0" )  ) == 0x0
 02326  1740   NtResumeThread  (544, ... 1, ) == 0x0
 02327  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 95485952, 1048576, ) == 0x0
 02328  1740   NtAllocateVirtualMemory  (-1, 96526336, 0, 8192, 4096, 4, ... 96526336, 8192, ) == 0x0
 02329  1696   NtTestAlert  (... ) == 0x0
 02330  1696   NtContinue  (95485232, 1, ...
 02331  1696   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02332  1696   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02333  1740   NtProtectVirtualMemory  (-1, (0x5c0e000), 4096, 260, ... (0x5c0e000), 4096, 4, ) == 0x0
 02334  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 548, {928, 1744}, ) == 0x0
 02335  1740   NtQueryInformationThread  (548, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=928,Tid=1744,}, 0x0, ) == 0x0
 02336  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58039, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\240\3\0\0\320\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\240\3\0\0\320\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58040, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\240\3\0\0\320\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\240\3\0\0\320\6\0\0" )  ) == 0x0
 02337  1740   NtResumeThread  (548, ... 1, ) == 0x0
 02338  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02339  1744   NtTestAlert  (... ) == 0x0
 02340  1744   NtContinue  (96533808, 1, ...
 02341  1744   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02342  1744   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02338  1740   NtAllocateVirtualMemory  ... 96534528, 1048576, ) == 0x0
 02343  1740   NtAllocateVirtualMemory  (-1, 97574912, 0, 8192, 4096, 4, ... 97574912, 8192, ) == 0x0
 02344  1740   NtProtectVirtualMemory  (-1, (0x5d0e000), 4096, 260, ... (0x5d0e000), 4096, 4, ) == 0x0
 02345  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 552, {928, 1124}, ) == 0x0
 02346  1740   NtQueryInformationThread  (552, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=928,Tid=1124,}, 0x0, ) == 0x0
 02347  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58040, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\240\3\0\0d\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\240\3\0\0d\4\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58041, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\240\3\0\0d\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\240\3\0\0d\4\0\0" )  ) == 0x0
 02348  1740   NtResumeThread  (552, ... 1, ) == 0x0
 02349  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 97583104, 1048576, ) == 0x0
 02350  1740   NtAllocateVirtualMemory  (-1, 98623488, 0, 8192, 4096, 4, ... 98623488, 8192, ) == 0x0
 02351  1124   NtTestAlert  (... ) == 0x0
 02352  1124   NtContinue  (97582384, 1, ...
 02353  1124   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02354  1124   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02355  1740   NtProtectVirtualMemory  (-1, (0x5e0e000), 4096, 260, ... (0x5e0e000), 4096, 4, ) == 0x0
 02356  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 556, {928, 1496}, ) == 0x0
 02357  1740   NtQueryInformationThread  (556, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=928,Tid=1496,}, 0x0, ) == 0x0
 02358  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58041, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\240\3\0\0\330\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\240\3\0\0\330\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58042, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\240\3\0\0\330\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\240\3\0\0\330\5\0\0" )  ) == 0x0
 02359  1740   NtResumeThread  (556, ... 1, ) == 0x0
 02360  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02361  1496   NtTestAlert  (... ) == 0x0
 02362  1496   NtContinue  (98630960, 1, ...
 02363  1496   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02364  1496   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02360  1740   NtAllocateVirtualMemory  ... 98631680, 1048576, ) == 0x0
 02365  1740   NtAllocateVirtualMemory  (-1, 99672064, 0, 8192, 4096, 4, ... 99672064, 8192, ) == 0x0
 02366  1740   NtProtectVirtualMemory  (-1, (0x5f0e000), 4096, 260, ... (0x5f0e000), 4096, 4, ) == 0x0
 02367  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 560, {928, 168}, ) == 0x0
 02368  1740   NtQueryInformationThread  (560, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=928,Tid=168,}, 0x0, ) == 0x0
 02369  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58042, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\240\3\0\0\250\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\240\3\0\0\250\0\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58043, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\240\3\0\0\250\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\240\3\0\0\250\0\0\0" )  ) == 0x0
 02370  1740   NtResumeThread  (560, ... 1, ) == 0x0
 02371  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 99680256, 1048576, ) == 0x0
 02372  1740   NtAllocateVirtualMemory  (-1, 100720640, 0, 8192, 4096, 4, ... 100720640, 8192, ) == 0x0
 02373   168   NtTestAlert  (... ) == 0x0
 02374   168   NtContinue  (99679536, 1, ...
 02375   168   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02376   168   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02377  1740   NtProtectVirtualMemory  (-1, (0x600e000), 4096, 260, ... (0x600e000), 4096, 4, ) == 0x0
 02378  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 564, {928, 1284}, ) == 0x0
 02379  1740   NtQueryInformationThread  (564, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=928,Tid=1284,}, 0x0, ) == 0x0
 02380  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58043, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\240\3\0\0\4\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\240\3\0\0\4\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58044, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\240\3\0\0\4\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\240\3\0\0\4\5\0\0" )  ) == 0x0
 02381  1740   NtResumeThread  (564, ... 1, ) == 0x0
 02382  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02383  1284   NtTestAlert  (... ) == 0x0
 02384  1284   NtContinue  (100728112, 1, ...
 02385  1284   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02386  1284   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02382  1740   NtAllocateVirtualMemory  ... 100728832, 1048576, ) == 0x0
 02387  1740   NtAllocateVirtualMemory  (-1, 101769216, 0, 8192, 4096, 4, ... 101769216, 8192, ) == 0x0
 02388  1740   NtProtectVirtualMemory  (-1, (0x610e000), 4096, 260, ... (0x610e000), 4096, 4, ) == 0x0
 02389  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 568, {928, 1268}, ) == 0x0
 02390  1740   NtQueryInformationThread  (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=928,Tid=1268,}, 0x0, ) == 0x0
 02391  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58044, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\240\3\0\0\364\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\240\3\0\0\364\4\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58045, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\240\3\0\0\364\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\240\3\0\0\364\4\0\0" )  ) == 0x0
 02392  1740   NtResumeThread  (568, ... 1, ) == 0x0
 02393  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 101777408, 1048576, ) == 0x0
 02394  1740   NtAllocateVirtualMemory  (-1, 102817792, 0, 8192, 4096, 4, ... 102817792, 8192, ) == 0x0
 02395  1268   NtTestAlert  (... ) == 0x0
 02396  1268   NtContinue  (101776688, 1, ...
 02397  1268   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02398  1268   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02399  1740   NtProtectVirtualMemory  (-1, (0x620e000), 4096, 260, ... (0x620e000), 4096, 4, ) == 0x0
 02400  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 572, {928, 840}, ) == 0x0
 02401  1740   NtQueryInformationThread  (572, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=928,Tid=840,}, 0x0, ) == 0x0
 02402  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58045, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\240\3\0\0H\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\240\3\0\0H\3\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58046, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\240\3\0\0H\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\240\3\0\0H\3\0\0" )  ) == 0x0
 02403  1740   NtResumeThread  (572, ... 1, ) == 0x0
 02404  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02405   840   NtTestAlert  (... ) == 0x0
 02406   840   NtContinue  (102825264, 1, ...
 02407   840   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02408   840   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02404  1740   NtAllocateVirtualMemory  ... 102825984, 1048576, ) == 0x0
 02409  1740   NtAllocateVirtualMemory  (-1, 103866368, 0, 8192, 4096, 4, ... 103866368, 8192, ) == 0x0
 02410  1740   NtProtectVirtualMemory  (-1, (0x630e000), 4096, 260, ... (0x630e000), 4096, 4, ) == 0x0
 02411  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 576, {928, 1336}, ) == 0x0
 02412  1740   NtQueryInformationThread  (576, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=928,Tid=1336,}, 0x0, ) == 0x0
 02413  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58046, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\240\3\0\08\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\240\3\0\08\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58047, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\240\3\0\08\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\240\3\0\08\5\0\0" )  ) == 0x0
 02414  1740   NtResumeThread  (576, ... 1, ) == 0x0
 02415  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 103874560, 1048576, ) == 0x0
 02416  1740   NtAllocateVirtualMemory  (-1, 104914944, 0, 8192, 4096, 4, ... 104914944, 8192, ) == 0x0
 02417  1336   NtTestAlert  (... ) == 0x0
 02418  1336   NtContinue  (103873840, 1, ...
 02419  1336   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02420  1336   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02421  1740   NtProtectVirtualMemory  (-1, (0x640e000), 4096, 260, ... (0x640e000), 4096, 4, ) == 0x0
 02422  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 580, {928, 1200}, ) == 0x0
 02423  1740   NtQueryInformationThread  (580, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=928,Tid=1200,}, 0x0, ) == 0x0
 02424  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58047, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\240\3\0\0\260\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\240\3\0\0\260\4\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58048, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\240\3\0\0\260\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\240\3\0\0\260\4\0\0" )  ) == 0x0
 02425  1740   NtResumeThread  (580, ... 1, ) == 0x0
 02426  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02427  1200   NtTestAlert  (... ) == 0x0
 02428  1200   NtContinue  (104922416, 1, ...
 02429  1200   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02430  1200   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02426  1740   NtAllocateVirtualMemory  ... 104923136, 1048576, ) == 0x0
 02431  1740   NtAllocateVirtualMemory  (-1, 105963520, 0, 8192, 4096, 4, ... 105963520, 8192, ) == 0x0
 02432  1740   NtProtectVirtualMemory  (-1, (0x650e000), 4096, 260, ... (0x650e000), 4096, 4, ) == 0x0
 02433  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 584, {928, 1920}, ) == 0x0
 02434  1740   NtQueryInformationThread  (584, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=928,Tid=1920,}, 0x0, ) == 0x0
 02435  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58048, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\240\3\0\0\200\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\240\3\0\0\200\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58049, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\240\3\0\0\200\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\240\3\0\0\200\7\0\0" )  ) == 0x0
 02436  1740   NtResumeThread  (584, ... 1, ) == 0x0
 02437  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 105971712, 1048576, ) == 0x0
 02438  1740   NtAllocateVirtualMemory  (-1, 107012096, 0, 8192, 4096, 4, ... 107012096, 8192, ) == 0x0
 02439  1920   NtTestAlert  (... ) == 0x0
 02440  1920   NtContinue  (105970992, 1, ...
 02441  1920   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02442  1920   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02443  1740   NtProtectVirtualMemory  (-1, (0x660e000), 4096, 260, ... (0x660e000), 4096, 4, ) == 0x0
 02444  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 588, {928, 896}, ) == 0x0
 02445  1740   NtQueryInformationThread  (588, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=928,Tid=896,}, 0x0, ) == 0x0
 02446  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58049, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\240\3\0\0\200\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\240\3\0\0\200\3\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58050, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\240\3\0\0\200\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\240\3\0\0\200\3\0\0" )  ) == 0x0
 02447  1740   NtResumeThread  (588, ... 1, ) == 0x0
 02448  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02449   896   NtTestAlert  (... ) == 0x0
 02450   896   NtContinue  (107019568, 1, ...
 02451   896   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02452   896   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02448  1740   NtAllocateVirtualMemory  ... 107020288, 1048576, ) == 0x0
 02453  1740   NtAllocateVirtualMemory  (-1, 108060672, 0, 8192, 4096, 4, ... 108060672, 8192, ) == 0x0
 02454  1740   NtProtectVirtualMemory  (-1, (0x670e000), 4096, 260, ... (0x670e000), 4096, 4, ) == 0x0
 02455  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 592, {928, 2016}, ) == 0x0
 02456  1740   NtQueryInformationThread  (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=928,Tid=2016,}, 0x0, ) == 0x0
 02457  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58050, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\240\3\0\0\340\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\240\3\0\0\340\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58051, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\240\3\0\0\340\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\240\3\0\0\340\7\0\0" )  ) == 0x0
 02458  1740   NtResumeThread  (592, ... 1, ) == 0x0
 02459  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 108068864, 1048576, ) == 0x0
 02460  1740   NtAllocateVirtualMemory  (-1, 109109248, 0, 8192, 4096, 4, ... 109109248, 8192, ) == 0x0
 02461  2016   NtTestAlert  (... ) == 0x0
 02462  2016   NtContinue  (108068144, 1, ...
 02463  2016   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02464  2016   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02465  1740   NtProtectVirtualMemory  (-1, (0x680e000), 4096, 260, ... (0x680e000), 4096, 4, ) == 0x0
 02466  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 596, {928, 2012}, ) == 0x0
 02467  1740   NtQueryInformationThread  (596, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=928,Tid=2012,}, 0x0, ) == 0x0
 02468  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58051, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\240\3\0\0\334\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\240\3\0\0\334\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58052, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\240\3\0\0\334\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\240\3\0\0\334\7\0\0" )  ) == 0x0
 02469  1740   NtResumeThread  (596, ... 1, ) == 0x0
 02470  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02471  2012   NtTestAlert  (... ) == 0x0
 02472  2012   NtContinue  (109116720, 1, ...
 02473  2012   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02474  2012   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02470  1740   NtAllocateVirtualMemory  ... 109117440, 1048576, ) == 0x0
 02475  1740   NtAllocateVirtualMemory  (-1, 110157824, 0, 8192, 4096, 4, ... 110157824, 8192, ) == 0x0
 02476  1740   NtProtectVirtualMemory  (-1, (0x690e000), 4096, 260, ... (0x690e000), 4096, 4, ) == 0x0
 02477  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 600, {928, 1604}, ) == 0x0
 02478  1740   NtQueryInformationThread  (600, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=928,Tid=1604,}, 0x0, ) == 0x0
 02479  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58052, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\240\3\0\0D\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\240\3\0\0D\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58053, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\240\3\0\0D\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\240\3\0\0D\6\0\0" )  ) == 0x0
 02480  1740   NtResumeThread  (600, ... 1, ) == 0x0
 02481  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 110166016, 1048576, ) == 0x0
 02482  1740   NtAllocateVirtualMemory  (-1, 111206400, 0, 8192, 4096, 4, ... 111206400, 8192, ) == 0x0
 02483  1604   NtTestAlert  (... ) == 0x0
 02484  1604   NtContinue  (110165296, 1, ...
 02485  1604   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02486  1604   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02487  1740   NtProtectVirtualMemory  (-1, (0x6a0e000), 4096, 260, ... (0x6a0e000), 4096, 4, ) == 0x0
 02488  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {928, 1572}, ) == 0x0
 02489  1740   NtQueryInformationThread  (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=928,Tid=1572,}, 0x0, ) == 0x0
 02490  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58053, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\240\3\0\0$\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\240\3\0\0$\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58054, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\240\3\0\0$\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\240\3\0\0$\6\0\0" )  ) == 0x0
 02491  1740   NtResumeThread  (604, ... 1, ) == 0x0
 02492  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 111214592, 1048576, ) == 0x0
 02493  1740   NtAllocateVirtualMemory  (-1, 112254976, 0, 8192, 4096, 4, ... 112254976, 8192, ) == 0x0
 02494  1572   NtTestAlert  (... ) == 0x0
 02495  1572   NtContinue  (111213872, 1, ...
 02496  1572   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02497  1572   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02498  1740   NtProtectVirtualMemory  (-1, (0x6b0e000), 4096, 260, ... (0x6b0e000), 4096, 4, ) == 0x0
 02499  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 608, {928, 596}, ) == 0x0
 02500  1740   NtQueryInformationThread  (608, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=928,Tid=596,}, 0x0, ) == 0x0
 02501  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58054, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\240\3\0\0T\2\0\0" ... {28, 56, reply, 0, 928, 1740, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\240\3\0\0T\2\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58055, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\240\3\0\0T\2\0\0" ... {28, 56, reply, 0, 928, 1740, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\240\3\0\0T\2\0\0" )  ) == 0x0
 02502  1740   NtResumeThread  (608, ... 1, ) == 0x0
 02503  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02504   596   NtTestAlert  (... ) == 0x0
 02505   596   NtContinue  (112262448, 1, ...
 02506   596   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02507   596   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02503  1740   NtAllocateVirtualMemory  ... 112263168, 1048576, ) == 0x0
 02508  1740   NtAllocateVirtualMemory  (-1, 113303552, 0, 8192, 4096, 4, ... 113303552, 8192, ) == 0x0
 02509  1740   NtProtectVirtualMemory  (-1, (0x6c0e000), 4096, 260, ... (0x6c0e000), 4096, 4, ) == 0x0
 02510  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 612, {928, 376}, ) == 0x0
 02511  1740   NtQueryInformationThread  (612, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=928,Tid=376,}, 0x0, ) == 0x0
 02512  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58055, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\240\3\0\0x\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\240\3\0\0x\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58056, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\240\3\0\0x\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\240\3\0\0x\1\0\0" )  ) == 0x0
 02513  1740   NtResumeThread  (612, ... 1, ) == 0x0
 02514  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 113311744, 1048576, ) == 0x0
 02515  1740   NtAllocateVirtualMemory  (-1, 114352128, 0, 8192, 4096, 4, ... 114352128, 8192, ) == 0x0
 02516   376   NtTestAlert  (... ) == 0x0
 02517   376   NtContinue  (113311024, 1, ...
 02518   376   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02519   376   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02520  1740   NtProtectVirtualMemory  (-1, (0x6d0e000), 4096, 260, ... (0x6d0e000), 4096, 4, ) == 0x0
 02521  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {928, 1168}, ) == 0x0
 02522  1740   NtQueryInformationThread  (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=928,Tid=1168,}, 0x0, ) == 0x0
 02523  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58056, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\240\3\0\0\220\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\240\3\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58057, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\240\3\0\0\220\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\240\3\0\0\220\4\0\0" )  ) == 0x0
 02524  1740   NtResumeThread  (616, ... 1, ) == 0x0
 02525  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02526  1168   NtTestAlert  (... ) == 0x0
 02527  1168   NtContinue  (114359600, 1, ...
 02528  1168   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02529  1168   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02525  1740   NtAllocateVirtualMemory  ... 114360320, 1048576, ) == 0x0
 02530  1740   NtAllocateVirtualMemory  (-1, 115400704, 0, 8192, 4096, 4, ... 115400704, 8192, ) == 0x0
 02531  1740   NtProtectVirtualMemory  (-1, (0x6e0e000), 4096, 260, ... (0x6e0e000), 4096, 4, ) == 0x0
 02532  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 620, {928, 428}, ) == 0x0
 02533  1740   NtQueryInformationThread  (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=928,Tid=428,}, 0x0, ) == 0x0
 02534  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58057, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\240\3\0\0\254\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\240\3\0\0\254\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58058, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\240\3\0\0\254\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\240\3\0\0\254\1\0\0" )  ) == 0x0
 02535  1740   NtResumeThread  (620, ... 1, ) == 0x0
 02536  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 115408896, 1048576, ) == 0x0
 02537  1740   NtAllocateVirtualMemory  (-1, 116449280, 0, 8192, 4096, 4, ... 116449280, 8192, ) == 0x0
 02538   428   NtTestAlert  (... ) == 0x0
 02539   428   NtContinue  (115408176, 1, ...
 02540   428   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02541   428   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02542  1740   NtProtectVirtualMemory  (-1, (0x6f0e000), 4096, 260, ... (0x6f0e000), 4096, 4, ) == 0x0
 02543  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 624, {928, 1344}, ) == 0x0
 02544  1740   NtQueryInformationThread  (624, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=928,Tid=1344,}, 0x0, ) == 0x0
 02545  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58058, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\240\3\0\0@\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\240\3\0\0@\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58059, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\240\3\0\0@\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\240\3\0\0@\5\0\0" )  ) == 0x0
 02546  1740   NtResumeThread  (624, ... 1, ) == 0x0
 02547  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02548  1344   NtTestAlert  (... ) == 0x0
 02549  1344   NtContinue  (116456752, 1, ...
 02550  1344   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02551  1344   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02547  1740   NtAllocateVirtualMemory  ... 116457472, 1048576, ) == 0x0
 02552  1740   NtAllocateVirtualMemory  (-1, 117497856, 0, 8192, 4096, 4, ... 117497856, 8192, ) == 0x0
 02553  1740   NtProtectVirtualMemory  (-1, (0x700e000), 4096, 260, ... (0x700e000), 4096, 4, ) == 0x0
 02554  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {928, 1300}, ) == 0x0
 02555  1740   NtQueryInformationThread  (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=928,Tid=1300,}, 0x0, ) == 0x0
 02556  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58059, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\240\3\0\0\24\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\240\3\0\0\24\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58060, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\240\3\0\0\24\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\240\3\0\0\24\5\0\0" )  ) == 0x0
 02557  1740   NtResumeThread  (628, ... 1, ) == 0x0
 02558  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 117506048, 1048576, ) == 0x0
 02559  1740   NtAllocateVirtualMemory  (-1, 118546432, 0, 8192, 4096, 4, ... 118546432, 8192, ) == 0x0
 02560  1300   NtTestAlert  (... ) == 0x0
 02561  1300   NtContinue  (117505328, 1, ...
 02562  1300   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02563  1300   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02564  1740   NtProtectVirtualMemory  (-1, (0x710e000), 4096, 260, ... (0x710e000), 4096, 4, ) == 0x0
 02565  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 632, {928, 1096}, ) == 0x0
 02566  1740   NtQueryInformationThread  (632, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=928,Tid=1096,}, 0x0, ) == 0x0
 02567  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58060, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\240\3\0\0H\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\240\3\0\0H\4\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58061, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\240\3\0\0H\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\240\3\0\0H\4\0\0" )  ) == 0x0
 02568  1740   NtResumeThread  (632, ... 1, ) == 0x0
 02569  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02570  1096   NtTestAlert  (... ) == 0x0
 02571  1096   NtContinue  (118553904, 1, ...
 02572  1096   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02573  1096   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02569  1740   NtAllocateVirtualMemory  ... 118554624, 1048576, ) == 0x0
 02574  1740   NtAllocateVirtualMemory  (-1, 119595008, 0, 8192, 4096, 4, ... 119595008, 8192, ) == 0x0
 02575  1740   NtProtectVirtualMemory  (-1, (0x720e000), 4096, 260, ... (0x720e000), 4096, 4, ) == 0x0
 02576  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 636, {928, 252}, ) == 0x0
 02577  1740   NtQueryInformationThread  (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=928,Tid=252,}, 0x0, ) == 0x0
 02578  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58061, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\240\3\0\0\374\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\240\3\0\0\374\0\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58062, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\240\3\0\0\374\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\240\3\0\0\374\0\0\0" )  ) == 0x0
 02579  1740   NtResumeThread  (636, ... 1, ) == 0x0
 02580  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 119603200, 1048576, ) == 0x0
 02581  1740   NtAllocateVirtualMemory  (-1, 120643584, 0, 8192, 4096, 4, ... 120643584, 8192, ) == 0x0
 02582   252   NtTestAlert  (... ) == 0x0
 02583   252   NtContinue  (119602480, 1, ...
 02584   252   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02585   252   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02586  1740   NtProtectVirtualMemory  (-1, (0x730e000), 4096, 260, ... (0x730e000), 4096, 4, ) == 0x0
 02587  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 640, {928, 500}, ) == 0x0
 02588  1740   NtQueryInformationThread  (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=928,Tid=500,}, 0x0, ) == 0x0
 02589  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58062, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\240\3\0\0\364\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\240\3\0\0\364\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58063, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\240\3\0\0\364\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\240\3\0\0\364\1\0\0" )  ) == 0x0
 02590  1740   NtResumeThread  (640, ... 1, ) == 0x0
 02591  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02592   500   NtTestAlert  (... ) == 0x0
 02593   500   NtContinue  (120651056, 1, ...
 02594   500   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02595   500   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02591  1740   NtAllocateVirtualMemory  ... 120651776, 1048576, ) == 0x0
 02596  1740   NtAllocateVirtualMemory  (-1, 121692160, 0, 8192, 4096, 4, ... 121692160, 8192, ) == 0x0
 02597  1740   NtProtectVirtualMemory  (-1, (0x740e000), 4096, 260, ... (0x740e000), 4096, 4, ) == 0x0
 02598  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 644, {928, 1132}, ) == 0x0
 02599  1740   NtQueryInformationThread  (644, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=928,Tid=1132,}, 0x0, ) == 0x0
 02600  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58063, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\240\3\0\0l\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\240\3\0\0l\4\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58064, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\240\3\0\0l\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\240\3\0\0l\4\0\0" )  ) == 0x0
 02601  1740   NtResumeThread  (644, ... 1, ) == 0x0
 02602  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 121700352, 1048576, ) == 0x0
 02603  1740   NtAllocateVirtualMemory  (-1, 122740736, 0, 8192, 4096, 4, ... 122740736, 8192, ) == 0x0
 02604  1132   NtTestAlert  (... ) == 0x0
 02605  1132   NtContinue  (121699632, 1, ...
 02606  1132   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02607  1132   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02608  1740   NtProtectVirtualMemory  (-1, (0x750e000), 4096, 260, ... (0x750e000), 4096, 4, ) == 0x0
 02609  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {928, 1024}, ) == 0x0
 02610  1740   NtQueryInformationThread  (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=928,Tid=1024,}, 0x0, ) == 0x0
 02611  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58064, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\240\3\0\0\0\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\240\3\0\0\0\4\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58065, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\240\3\0\0\0\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\240\3\0\0\0\4\0\0" )  ) == 0x0
 02612  1740   NtResumeThread  (648, ... 1, ) == 0x0
 02613  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02614  1024   NtAllocateVirtualMemory  (-1, 8814592, 0, 4096, 4096, 4, ... 8814592, 4096, ) == 0x0
 02615  1024   NtTestAlert  (... ) == 0x0
 02616  1024   NtContinue  (122748208, 1, ...
 02617  1024   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02618  1024   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02613  1740   NtAllocateVirtualMemory  ... 122748928, 1048576, ) == 0x0
 02619  1740   NtAllocateVirtualMemory  (-1, 123789312, 0, 8192, 4096, 4, ... 123789312, 8192, ) == 0x0
 02620  1740   NtProtectVirtualMemory  (-1, (0x760e000), 4096, 260, ... (0x760e000), 4096, 4, ) == 0x0
 02621  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 652, {928, 948}, ) == 0x0
 02622  1740   NtQueryInformationThread  (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=928,Tid=948,}, 0x0, ) == 0x0
 02623  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58065, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\240\3\0\0\264\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\240\3\0\0\264\3\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58066, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\240\3\0\0\264\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\240\3\0\0\264\3\0\0" )  ) == 0x0
 02624  1740   NtResumeThread  (652, ... 1, ) == 0x0
 02625  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 123797504, 1048576, ) == 0x0
 02626  1740   NtAllocateVirtualMemory  (-1, 124837888, 0, 8192, 4096, 4, ... 124837888, 8192, ) == 0x0
 02627   948   NtTestAlert  (... ) == 0x0
 02628   948   NtContinue  (123796784, 1, ...
 02629   948   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02630   948   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02631  1740   NtProtectVirtualMemory  (-1, (0x770e000), 4096, 260, ... (0x770e000), 4096, 4, ) == 0x0
 02632  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {928, 1388}, ) == 0x0
 02633  1740   NtQueryInformationThread  (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=928,Tid=1388,}, 0x0, ) == 0x0
 02634  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58066, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\240\3\0\0l\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\240\3\0\0l\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58067, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\240\3\0\0l\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\240\3\0\0l\5\0\0" )  ) == 0x0
 02635  1740   NtResumeThread  (656, ... 1, ) == 0x0
 02636  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02637  1388   NtTestAlert  (... ) == 0x0
 02638  1388   NtContinue  (124845360, 1, ...
 02639  1388   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02640  1388   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02636  1740   NtAllocateVirtualMemory  ... 124846080, 1048576, ) == 0x0
 02641  1740   NtAllocateVirtualMemory  (-1, 125886464, 0, 8192, 4096, 4, ... 125886464, 8192, ) == 0x0
 02642  1740   NtProtectVirtualMemory  (-1, (0x780e000), 4096, 260, ... (0x780e000), 4096, 4, ) == 0x0
 02643  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {928, 520}, ) == 0x0
 02644  1740   NtQueryInformationThread  (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=928,Tid=520,}, 0x0, ) == 0x0
 02645  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58067, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\240\3\0\0\10\2\0\0" ... {28, 56, reply, 0, 928, 1740, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\240\3\0\0\10\2\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58068, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\240\3\0\0\10\2\0\0" ... {28, 56, reply, 0, 928, 1740, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\240\3\0\0\10\2\0\0" )  ) == 0x0
 02646  1740   NtResumeThread  (660, ... 1, ) == 0x0
 02647  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 125894656, 1048576, ) == 0x0
 02648  1740   NtAllocateVirtualMemory  (-1, 126935040, 0, 8192, 4096, 4, ... 126935040, 8192, ) == 0x0
 02649   520   NtTestAlert  (... ) == 0x0
 02650   520   NtContinue  (125893936, 1, ...
 02651   520   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02652   520   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02653  1740   NtProtectVirtualMemory  (-1, (0x790e000), 4096, 260, ... (0x790e000), 4096, 4, ) == 0x0
 02654  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {928, 276}, ) == 0x0
 02655  1740   NtQueryInformationThread  (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=928,Tid=276,}, 0x0, ) == 0x0
 02656  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58068, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\240\3\0\0\24\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\240\3\0\0\24\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58069, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\240\3\0\0\24\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\240\3\0\0\24\1\0\0" )  ) == 0x0
 02657  1740   NtResumeThread  (664, ... 1, ) == 0x0
 02658  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02659   276   NtTestAlert  (... ) == 0x0
 02660   276   NtContinue  (126942512, 1, ...
 02661   276   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02662   276   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02658  1740   NtAllocateVirtualMemory  ... 126943232, 1048576, ) == 0x0
 02663  1740   NtAllocateVirtualMemory  (-1, 127983616, 0, 8192, 4096, 4, ... 127983616, 8192, ) == 0x0
 02664  1740   NtProtectVirtualMemory  (-1, (0x7a0e000), 4096, 260, ... (0x7a0e000), 4096, 4, ) == 0x0
 02665  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {928, 996}, ) == 0x0
 02666  1740   NtQueryInformationThread  (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=928,Tid=996,}, 0x0, ) == 0x0
 02667  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58069, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\240\3\0\0\344\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\240\3\0\0\344\3\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58070, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\240\3\0\0\344\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\240\3\0\0\344\3\0\0" )  ) == 0x0
 02668  1740   NtResumeThread  (668, ... 1, ) == 0x0
 02669  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 127991808, 1048576, ) == 0x0
 02670  1740   NtAllocateVirtualMemory  (-1, 129032192, 0, 8192, 4096, 4, ... 129032192, 8192, ) == 0x0
 02671   996   NtTestAlert  (... ) == 0x0
 02672   996   NtContinue  (127991088, 1, ...
 02673   996   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02674   996   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02675  1740   NtProtectVirtualMemory  (-1, (0x7b0e000), 4096, 260, ... (0x7b0e000), 4096, 4, ) == 0x0
 02676  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {928, 1064}, ) == 0x0
 02677  1740   NtQueryInformationThread  (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=928,Tid=1064,}, 0x0, ) == 0x0
 02678  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58070, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\240\3\0\0(\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\240\3\0\0(\4\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58071, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\240\3\0\0(\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\240\3\0\0(\4\0\0" )  ) == 0x0
 02679  1740   NtResumeThread  (672, ... 1, ) == 0x0
 02680  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02681  1064   NtTestAlert  (... ) == 0x0
 02682  1064   NtContinue  (129039664, 1, ...
 02683  1064   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02684  1064   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02680  1740   NtAllocateVirtualMemory  ... 129040384, 1048576, ) == 0x0
 02685  1740   NtAllocateVirtualMemory  (-1, 130080768, 0, 8192, 4096, 4, ... 130080768, 8192, ) == 0x0
 02686  1740   NtProtectVirtualMemory  (-1, (0x7c0e000), 4096, 260, ... (0x7c0e000), 4096, 4, ) == 0x0
 02687  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {928, 1600}, ) == 0x0
 02688  1740   NtQueryInformationThread  (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=928,Tid=1600,}, 0x0, ) == 0x0
 02689  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58071, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\240\3\0\0@\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\240\3\0\0@\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58072, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\240\3\0\0@\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\240\3\0\0@\6\0\0" )  ) == 0x0
 02690  1740   NtResumeThread  (676, ... 1, ) == 0x0
 02691  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 130088960, 1048576, ) == 0x0
 02692  1740   NtAllocateVirtualMemory  (-1, 131129344, 0, 8192, 4096, 4, ... 131129344, 8192, ) == 0x0
 02693  1600   NtTestAlert  (... ) == 0x0
 02694  1600   NtContinue  (130088240, 1, ...
 02695  1600   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02696  1600   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02697  1740   NtProtectVirtualMemory  (-1, (0x7d0e000), 4096, 260, ... (0x7d0e000), 4096, 4, ) == 0x0
 02698  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {928, 1372}, ) == 0x0
 02699  1740   NtQueryInformationThread  (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=928,Tid=1372,}, 0x0, ) == 0x0
 02700  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58072, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\240\3\0\0\\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\240\3\0\0\\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58073, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\240\3\0\0\\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\240\3\0\0\\5\0\0" )  ) == 0x0
 02701  1740   NtResumeThread  (680, ... 1, ) == 0x0
 02702  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02703  1372   NtTestAlert  (... ) == 0x0
 02704  1372   NtContinue  (131136816, 1, ...
 02705  1372   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02706  1372   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02702  1740   NtAllocateVirtualMemory  ... 131137536, 1048576, ) == 0x0
 02707  1740   NtAllocateVirtualMemory  (-1, 132177920, 0, 8192, 4096, 4, ... 132177920, 8192, ) == 0x0
 02708  1740   NtProtectVirtualMemory  (-1, (0x7e0e000), 4096, 260, ... (0x7e0e000), 4096, 4, ) == 0x0
 02709  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {928, 2040}, ) == 0x0
 02710  1740   NtQueryInformationThread  (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=928,Tid=2040,}, 0x0, ) == 0x0
 02711  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58073, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\240\3\0\0\370\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\240\3\0\0\370\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58074, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\240\3\0\0\370\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\240\3\0\0\370\7\0\0" )  ) == 0x0
 02712  1740   NtResumeThread  (684, ... 1, ) == 0x0
 02713  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 132186112, 1048576, ) == 0x0
 02714  1740   NtAllocateVirtualMemory  (-1, 133226496, 0, 8192, 4096, 4, ... 133226496, 8192, ) == 0x0
 02715  2040   NtTestAlert  (... ) == 0x0
 02716  2040   NtContinue  (132185392, 1, ...
 02717  2040   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02718  2040   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02719  1740   NtProtectVirtualMemory  (-1, (0x7f0e000), 4096, 260, ... (0x7f0e000), 4096, 4, ) == 0x0
 02720  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {928, 216}, ) == 0x0
 02721  1740   NtQueryInformationThread  (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=928,Tid=216,}, 0x0, ) == 0x0
 02722  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58074, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\240\3\0\0\330\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\240\3\0\0\330\0\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58075, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\240\3\0\0\330\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\240\3\0\0\330\0\0\0" )  ) == 0x0
 02723  1740   NtResumeThread  (688, ... 1, ) == 0x0
 02724  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02725   216   NtTestAlert  (... ) == 0x0
 02726   216   NtContinue  (133233968, 1, ...
 02727   216   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02728   216   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02724  1740   NtAllocateVirtualMemory  ... 133234688, 1048576, ) == 0x0
 02729  1740   NtAllocateVirtualMemory  (-1, 134275072, 0, 8192, 4096, 4, ... 134275072, 8192, ) == 0x0
 02730  1740   NtProtectVirtualMemory  (-1, (0x800e000), 4096, 260, ... (0x800e000), 4096, 4, ) == 0x0
 02731  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {928, 152}, ) == 0x0
 02732  1740   NtQueryInformationThread  (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=928,Tid=152,}, 0x0, ) == 0x0
 02733  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58075, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\240\3\0\0\230\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\240\3\0\0\230\0\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58076, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\240\3\0\0\230\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\240\3\0\0\230\0\0\0" )  ) == 0x0
 02734  1740   NtResumeThread  (692, ... 1, ) == 0x0
 02735  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 134283264, 1048576, ) == 0x0
 02736  1740   NtAllocateVirtualMemory  (-1, 135323648, 0, 8192, 4096, 4, ... 135323648, 8192, ) == 0x0
 02737   152   NtTestAlert  (... ) == 0x0
 02738   152   NtContinue  (134282544, 1, ...
 02739   152   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02740   152   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02741  1740   NtProtectVirtualMemory  (-1, (0x810e000), 4096, 260, ... (0x810e000), 4096, 4, ) == 0x0
 02742  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {928, 900}, ) == 0x0
 02743  1740   NtQueryInformationThread  (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=928,Tid=900,}, 0x0, ) == 0x0
 02744  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58076, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\240\3\0\0\204\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\240\3\0\0\204\3\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58077, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\240\3\0\0\204\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\240\3\0\0\204\3\0\0" )  ) == 0x0
 02745  1740   NtResumeThread  (696, ... 1, ) == 0x0
 02746  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 135331840, 1048576, ) == 0x0
 02747  1740   NtAllocateVirtualMemory  (-1, 136372224, 0, 8192, 4096, 4, ... 136372224, 8192, ) == 0x0
 02748   900   NtTestAlert  (... ) == 0x0
 02749   900   NtContinue  (135331120, 1, ...
 02750   900   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02751   900   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02752  1740   NtProtectVirtualMemory  (-1, (0x820e000), 4096, 260, ... (0x820e000), 4096, 4, ) == 0x0
 02753  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {928, 1272}, ) == 0x0
 02754  1740   NtQueryInformationThread  (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff43000,Pid=928,Tid=1272,}, 0x0, ) == 0x0
 02755  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58077, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\240\3\0\0\370\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\240\3\0\0\370\4\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58078, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\240\3\0\0\370\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\240\3\0\0\370\4\0\0" )  ) == 0x0
 02756  1740   NtResumeThread  (700, ... 1, ) == 0x0
 02757  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02758  1272   NtTestAlert  (... ) == 0x0
 02759  1272   NtContinue  (136379696, 1, ...
 02760  1272   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02761  1272   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02757  1740   NtAllocateVirtualMemory  ... 136380416, 1048576, ) == 0x0
 02762  1740   NtAllocateVirtualMemory  (-1, 137420800, 0, 8192, 4096, 4, ... 137420800, 8192, ) == 0x0
 02763  1740   NtProtectVirtualMemory  (-1, (0x830e000), 4096, 260, ... (0x830e000), 4096, 4, ) == 0x0
 02764  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {928, 1240}, ) == 0x0
 02765  1740   NtQueryInformationThread  (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff42000,Pid=928,Tid=1240,}, 0x0, ) == 0x0
 02766  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58078, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\240\3\0\0\330\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\240\3\0\0\330\4\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58079, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\240\3\0\0\330\4\0\0" ... {28, 56, reply, 0, 928, 1740, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\240\3\0\0\330\4\0\0" )  ) == 0x0
 02767  1740   NtResumeThread  (704, ... 1, ) == 0x0
 02768  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 137428992, 1048576, ) == 0x0
 02769  1740   NtAllocateVirtualMemory  (-1, 138469376, 0, 8192, 4096, 4, ... 138469376, 8192, ) == 0x0
 02770  1240   NtTestAlert  (... ) == 0x0
 02771  1240   NtContinue  (137428272, 1, ...
 02772  1240   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02773  1240   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02774  1740   NtProtectVirtualMemory  (-1, (0x840e000), 4096, 260, ... (0x840e000), 4096, 4, ) == 0x0
 02775  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {928, 1776}, ) == 0x0
 02776  1740   NtQueryInformationThread  (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff41000,Pid=928,Tid=1776,}, 0x0, ) == 0x0
 02777  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58079, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\240\3\0\0\360\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\240\3\0\0\360\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58080, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\240\3\0\0\360\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\240\3\0\0\360\6\0\0" )  ) == 0x0
 02778  1740   NtResumeThread  (708, ... 1, ) == 0x0
 02779  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02780  1776   NtTestAlert  (... ) == 0x0
 02781  1776   NtContinue  (138476848, 1, ...
 02782  1776   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02783  1776   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02779  1740   NtAllocateVirtualMemory  ... 138477568, 1048576, ) == 0x0
 02784  1740   NtAllocateVirtualMemory  (-1, 139517952, 0, 8192, 4096, 4, ... 139517952, 8192, ) == 0x0
 02785  1740   NtProtectVirtualMemory  (-1, (0x850e000), 4096, 260, ... (0x850e000), 4096, 4, ) == 0x0
 02786  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {928, 1324}, ) == 0x0
 02787  1740   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff40000,Pid=928,Tid=1324,}, 0x0, ) == 0x0
 02788  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58080, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\240\3\0\0,\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\240\3\0\0,\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58081, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\240\3\0\0,\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\240\3\0\0,\5\0\0" )  ) == 0x0
 02789  1740   NtResumeThread  (712, ... 1, ) == 0x0
 02790  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 139526144, 1048576, ) == 0x0
 02791  1740   NtAllocateVirtualMemory  (-1, 140566528, 0, 8192, 4096, 4, ... 140566528, 8192, ) == 0x0
 02792  1324   NtTestAlert  (... ) == 0x0
 02793  1324   NtContinue  (139525424, 1, ...
 02794  1324   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02795  1324   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02796  1740   NtProtectVirtualMemory  (-1, (0x860e000), 4096, 260, ... (0x860e000), 4096, 4, ) == 0x0
 02797  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {928, 1884}, ) == 0x0
 02798  1740   NtQueryInformationThread  (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3f000,Pid=928,Tid=1884,}, 0x0, ) == 0x0
 02799  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58081, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\240\3\0\0\\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\240\3\0\0\\7\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58082, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\240\3\0\0\\7\0\0" ... {28, 56, reply, 0, 928, 1740, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\240\3\0\0\\7\0\0" )  ) == 0x0
 02800  1740   NtResumeThread  (716, ... 1, ) == 0x0
 02801  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02802  1884   NtTestAlert  (... ) == 0x0
 02803  1884   NtContinue  (140574000, 1, ...
 02804  1884   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02805  1884   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02801  1740   NtAllocateVirtualMemory  ... 140574720, 1048576, ) == 0x0
 02806  1740   NtAllocateVirtualMemory  (-1, 141615104, 0, 8192, 4096, 4, ... 141615104, 8192, ) == 0x0
 02807  1740   NtProtectVirtualMemory  (-1, (0x870e000), 4096, 260, ... (0x870e000), 4096, 4, ) == 0x0
 02808  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {928, 248}, ) == 0x0
 02809  1740   NtQueryInformationThread  (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3e000,Pid=928,Tid=248,}, 0x0, ) == 0x0
 02810  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58082, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\240\3\0\0\370\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\240\3\0\0\370\0\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58083, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\240\3\0\0\370\0\0\0" ... {28, 56, reply, 0, 928, 1740, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\240\3\0\0\370\0\0\0" )  ) == 0x0
 02811  1740   NtResumeThread  (720, ... 1, ) == 0x0
 02812  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 141623296, 1048576, ) == 0x0
 02813  1740   NtAllocateVirtualMemory  (-1, 142663680, 0, 8192, 4096, 4, ... 142663680, 8192, ) == 0x0
 02814   248   NtTestAlert  (... ) == 0x0
 02815   248   NtContinue  (141622576, 1, ...
 02816   248   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02817   248   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02818  1740   NtProtectVirtualMemory  (-1, (0x880e000), 4096, 260, ... (0x880e000), 4096, 4, ) == 0x0
 02819  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {928, 1652}, ) == 0x0
 02820  1740   NtQueryInformationThread  (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3d000,Pid=928,Tid=1652,}, 0x0, ) == 0x0
 02821  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58083, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\240\3\0\0t\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\240\3\0\0t\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58084, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\240\3\0\0t\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\240\3\0\0t\6\0\0" )  ) == 0x0
 02822  1740   NtResumeThread  (724, ... 1, ) == 0x0
 02823  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02824  1652   NtTestAlert  (... ) == 0x0
 02825  1652   NtContinue  (142671152, 1, ...
 02826  1652   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02827  1652   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02823  1740   NtAllocateVirtualMemory  ... 142671872, 1048576, ) == 0x0
 02828  1740   NtAllocateVirtualMemory  (-1, 143712256, 0, 8192, 4096, 4, ... 143712256, 8192, ) == 0x0
 02829  1740   NtProtectVirtualMemory  (-1, (0x890e000), 4096, 260, ... (0x890e000), 4096, 4, ) == 0x0
 02830  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {928, 588}, ) == 0x0
 02831  1740   NtQueryInformationThread  (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3c000,Pid=928,Tid=588,}, 0x0, ) == 0x0
 02832  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58084, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\240\3\0\0L\2\0\0" ... {28, 56, reply, 0, 928, 1740, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\240\3\0\0L\2\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58085, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\240\3\0\0L\2\0\0" ... {28, 56, reply, 0, 928, 1740, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\240\3\0\0L\2\0\0" )  ) == 0x0
 02833  1740   NtResumeThread  (728, ... 1, ) == 0x0
 02834  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 143720448, 1048576, ) == 0x0
 02835  1740   NtAllocateVirtualMemory  (-1, 144760832, 0, 8192, 4096, 4, ... 144760832, 8192, ) == 0x0
 02836   588   NtTestAlert  (... ) == 0x0
 02837   588   NtContinue  (143719728, 1, ...
 02838   588   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02839   588   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02840  1740   NtProtectVirtualMemory  (-1, (0x8a0e000), 4096, 260, ... (0x8a0e000), 4096, 4, ) == 0x0
 02841  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {928, 440}, ) == 0x0
 02842  1740   NtQueryInformationThread  (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3b000,Pid=928,Tid=440,}, 0x0, ) == 0x0
 02843  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58085, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\240\3\0\0\270\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\240\3\0\0\270\1\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58086, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\240\3\0\0\270\1\0\0" ... {28, 56, reply, 0, 928, 1740, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\240\3\0\0\270\1\0\0" )  ) == 0x0
 02844  1740   NtResumeThread  (732, ... 1, ) == 0x0
 02845  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02846   440   NtTestAlert  (... ) == 0x0
 02847   440   NtContinue  (144768304, 1, ...
 02848   440   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02849   440   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02845  1740   NtAllocateVirtualMemory  ... 144769024, 1048576, ) == 0x0
 02850  1740   NtAllocateVirtualMemory  (-1, 145809408, 0, 8192, 4096, 4, ... 145809408, 8192, ) == 0x0
 02851  1740   NtProtectVirtualMemory  (-1, (0x8b0e000), 4096, 260, ... (0x8b0e000), 4096, 4, ) == 0x0
 02852  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 736, {928, 1296}, ) == 0x0
 02853  1740   NtQueryInformationThread  (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3a000,Pid=928,Tid=1296,}, 0x0, ) == 0x0
 02854  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58086, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\240\3\0\0\20\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\240\3\0\0\20\5\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58087, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\240\3\0\0\20\5\0\0" ... {28, 56, reply, 0, 928, 1740, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\240\3\0\0\20\5\0\0" )  ) == 0x0
 02855  1740   NtResumeThread  (736, ... 1, ) == 0x0
 02856  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 145817600, 1048576, ) == 0x0
 02857  1740   NtAllocateVirtualMemory  (-1, 146857984, 0, 8192, 4096, 4, ... 146857984, 8192, ) == 0x0
 02858  1296   NtTestAlert  (... ) == 0x0
 02859  1296   NtContinue  (145816880, 1, ...
 02860  1296   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02861  1296   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02862  1740   NtProtectVirtualMemory  (-1, (0x8c0e000), 4096, 260, ... (0x8c0e000), 4096, 4, ) == 0x0
 02863  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {928, 1612}, ) == 0x0
 02864  1740   NtQueryInformationThread  (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff39000,Pid=928,Tid=1612,}, 0x0, ) == 0x0
 02865  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58087, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\240\3\0\0L\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\240\3\0\0L\6\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58088, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\240\3\0\0L\6\0\0" ... {28, 56, reply, 0, 928, 1740, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\240\3\0\0L\6\0\0" )  ) == 0x0
 02866  1740   NtResumeThread  (740, ... 1, ) == 0x0
 02867  1740   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02868  1612   NtTestAlert  (... ) == 0x0
 02869  1612   NtContinue  (146865456, 1, ...
 02870  1612   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02871  1612   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02867  1740   NtAllocateVirtualMemory  ... 146866176, 1048576, ) == 0x0
 02872  1740   NtAllocateVirtualMemory  (-1, 147906560, 0, 8192, 4096, 4, ... 147906560, 8192, ) == 0x0
 02873  1740   NtProtectVirtualMemory  (-1, (0x8d0e000), 4096, 260, ... (0x8d0e000), 4096, 4, ) == 0x0
 02874  1740   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {928, 876}, ) == 0x0
 02875  1740   NtQueryInformationThread  (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff38000,Pid=928,Tid=876,}, 0x0, ) == 0x0
 02876  1740   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 928, 1740, 58088, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\240\3\0\0l\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\240\3\0\0l\3\0\0" )  ... {28, 56, reply, 0, 928, 1740, 58089, 0}  (24, {28, 56, new_msg, 0, 928, 1740, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\240\3\0\0l\3\0\0" ... {28, 56, reply, 0, 928, 1740, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\240\3\0\0l\3\0\0" )  ) == 0x0
 02877  1740   NtResumeThread  (744, ... 1, ) == 0x0
 02878  1740   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 748, ) == 0x0
 02879  1740   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 752, ) == 0x0
 02880   876   NtTestAlert  (... ) == 0x0
 02881   876   NtContinue  (147914032, 1, ...
 02882   876   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02883   876   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ...
 02884  1740   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02885  1740   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 756, ) == 0x0
 02886  1740   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02887  1740   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02888  1740   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243192,  (0xc0100080, {24, 0, 0x40, 0, 1243192, "\??\PIPE\InitShutdown"}, 0x0, 0, 3, 1, 64, 0, 0, ... 760, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 760, {status=0x0, info=1}, ) == 0x0
 02889  1740   NtSetInformationFile  (760, 1243248, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02890  1740   NtSetInformationFile  (760, 1243236, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02891  1740   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02892  1740   NtWriteFile  (760, 749, 0, 0,  (760, 749, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\300\340M\211U\15\323\21\243"\0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) \0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02893  1740   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0
 02894  1740   NtReadFile  (760, 749, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76},  (760, 749, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\232(\0\0\23\0\PIPE\InitShutdown\0\37`\300\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02895  1740   NtFsControlFile  (760, 749, 0x0, 0x0, 0x11c017,  (760, 749, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\330\376\22\0\260\375", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\232(\0\0\23\0\PIPE\InitShutdown\0\37`\300\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 30, 1024, ... {status=0x103, info=76},  (760, 749, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\330\376\22\0\260\375", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\232(\0\0\23\0\PIPE\InitShutdown\0\37`\300\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02896  1740   NtWaitForSingleObject  (749, 0, 0x0, ... ) == 0x0
 02897  1740   NtClose  (756, ... ) == 0x0
 02898  1740   NtClose  (760, ... ) == 0x0
 02899  1128   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies"}, ... }, ...
 02900  1740   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02901  1740   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 760, ) == 0x0
 02902  1740   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02903  1740   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02904  1740   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243188,  (0xc0100080, {24, 0, 0x40, 0, 1243188, "\??\PIPE\winreg"}, 0x0, 0, 3, 1, 64, 0, 0, ... 756, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 756, {status=0x0, info=1}, ) == 0x0
 02905  1740   NtSetInformationFile  (756, 1243244, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02906  1740   NtSetInformationFile  (756, 1243232, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02907  1740   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02908  1740   NtWriteFile  (756, 749, 0, 0,  (756, 749, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\1\320\2143D"\3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) \3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02909  1740   NtReadFile  (756, 749, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (756, 749, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02910  1740   NtFsControlFile  (756, 749, 0x0, 0x0, 0x11c017,  (756, 749, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\31\0\314\376\22\0\260\375", 30, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 30, 1024, ... {status=0x103, info=68},  (756, 749, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\31\0\314\376\22\0\260\375", 30, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\2019\0\0\15\0\PIPE\winreg\0\177\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02911  1740   NtWaitForSingleObject  (749, 0, 0x0, ...
 02899  1128   NtOpenKey  ... 764, ) == 0x0
 02912  1128   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "Software\Policies"}, ... }, ...
 02911  1740   NtWaitForSingleObject  ... ) == 0x0
 02913  1740   NtClose  (760, ... ) == 0x0
 02914  1740   NtClose  (756, ... ) == 0x0
 02915  1740   NtDelayExecution  (0, {-10000000, -1}, ...
 02912  1128   NtOpenKey  ... 756, ) == 0x0
 02916  1128   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "Software"}, ... 760, ) }, ... 760, ) == 0x0
 01516  1156   NtSetInformationThread  ... ) == 0x0
 01517  1700   NtSetInformationThread  ... ) == 0x0
 01518  1808   NtSetInformationThread  ... ) == 0x0
 01527  1796   NtSetInformationThread  ... ) == 0x0
 01920   164   NtSetInformationThread  ... ) == 0x0
 01934  1564   NtSetInformationThread  ... ) == 0x0
 01944  1592   NtSetInformationThread  ... ) == 0x0
 01956  2032   NtSetInformationThread  ... ) == 0x0
 01966  1500   NtSetInformationThread  ... ) == 0x0
 01978   932   NtSetInformationThread  ... ) == 0x0
 01989  1528   NtSetInformationThread  ... ) == 0x0
 02001  1780   NtSetInformationThread  ... ) == 0x0
 02011  1804   NtSetInformationThread  ... ) == 0x0
 02023  1644   NtSetInformationThread  ... ) == 0x0
 02033   336   NtSetInformationThread  ... ) == 0x0
 02045   800   NtSetInformationThread  ... ) == 0x0
 02055   504   NtSetInformationThread  ... ) == 0x0
 02067   888   NtSetInformationThread  ... ) == 0x0
 02077  1392   NtSetInformationThread  ... ) == 0x0
 02089  2020   NtSetInformationThread  ... ) == 0x0
 02099   740   NtSetInformationThread  ... ) == 0x0
 02111  1676   NtSetInformationThread  ... ) == 0x0
 02121   496   NtSetInformationThread  ... ) == 0x0
 02133  1020   NtSetInformationThread  ... ) == 0x0
 02143   432   NtSetInformationThread  ... ) == 0x0
 02155  1332   NtSetInformationThread  ... ) == 0x0
 02165  1328   NtSetInformationThread  ... ) == 0x0
 02177   752   NtSetInformationThread  ... ) == 0x0
 02187   120   NtSetInformationThread  ... ) == 0x0
 02199  1732   NtSetInformationThread  ... ) == 0x0
 02209   188   NtSetInformationThread  ... ) == 0x0
 02221  1636   NtSetInformationThread  ... ) == 0x0
 02231   624   NtSetInformationThread  ... ) == 0x0
 02243  1948   NtSetInformationThread  ... ) == 0x0
 02253   988   NtSetInformationThread  ... ) == 0x0
 02265   468   NtSetInformationThread  ... ) == 0x0
 02275   380   NtSetInformationThread  ... ) == 0x0
 02287  1692   NtSetInformationThread  ... ) == 0x0
 02297  1792   NtSetInformationThread  ... ) == 0x0
 02310   784   NtSetInformationThread  ... ) == 0x0
 02320  1520   NtSetInformationThread  ... ) == 0x0
 02332  1696   NtSetInformationThread  ... ) == 0x0
 02342  1744   NtSetInformationThread  ... ) == 0x0
 02354  1124   NtSetInformationThread  ... ) == 0x0
 02364  1496   NtSetInformationThread  ... ) == 0x0
 02376   168   NtSetInformationThread  ... ) == 0x0
 02386  1284   NtSetInformationThread  ... ) == 0x0
 02398  1268   NtSetInformationThread  ... ) == 0x0
 02408   840   NtSetInformationThread  ... ) == 0x0
 02420  1336   NtSetInformationThread  ... ) == 0x0
 02430  1200   NtSetInformationThread  ... ) == 0x0
 02442  1920   NtSetInformationThread  ... ) == 0x0
 02452   896   NtSetInformationThread  ... ) == 0x0
 02464  2016   NtSetInformationThread  ... ) == 0x0
 02474  2012   NtSetInformationThread  ... ) == 0x0
 02486  1604   NtSetInformationThread  ... ) == 0x0
 02497  1572   NtSetInformationThread  ... ) == 0x0
 02507   596   NtSetInformationThread  ... ) == 0x0
 02519   376   NtSetInformationThread  ... ) == 0x0
 02529  1168   NtSetInformationThread  ... ) == 0x0
 02541   428   NtSetInformationThread  ... ) == 0x0
 02551  1344   NtSetInformationThread  ... ) == 0x0
 02563  1300   NtSetInformationThread  ... ) == 0x0
 02573  1096   NtSetInformationThread  ... ) == 0x0
 02585   252   NtSetInformationThread  ... ) == 0x0
 02595   500   NtSetInformationThread  ... ) == 0x0
 02607  1132   NtSetInformationThread  ... ) == 0x0
 02618  1024   NtSetInformationThread  ... ) == 0x0
 02630   948   NtSetInformationThread  ... ) == 0x0
 02640  1388   NtSetInformationThread  ... ) == 0x0
 02652   520   NtSetInformationThread  ... ) == 0x0
 02662   276   NtSetInformationThread  ... ) == 0x0
 02674   996   NtSetInformationThread  ... ) == 0x0
 02684  1064   NtSetInformationThread  ... ) == 0x0
 02696  1600   NtSetInformationThread  ... ) == 0x0
 02706  1372   NtSetInformationThread  ... ) == 0x0
 02718  2040   NtSetInformationThread  ... ) == 0x0
 02728   216   NtSetInformationThread  ... ) == 0x0
 02740   152   NtSetInformationThread  ... ) == 0x0
 02751   900   NtSetInformationThread  ... ) == 0x0
 02761  1272   NtSetInformationThread  ... ) == 0x0
 02773  1240   NtSetInformationThread  ... ) == 0x0
 02783  1776   NtSetInformationThread  ... ) == 0x0
 02795  1324   NtSetInformationThread  ... ) == 0x0
 02805  1884   NtSetInformationThread  ... ) == 0x0
 02817   248   NtSetInformationThread  ... ) == 0x0
 02827  1652   NtSetInformationThread  ... ) == 0x0
 02839   588   NtSetInformationThread  ... ) == 0x0
 02849   440   NtSetInformationThread  ... ) == 0x0
 02861  1296   NtSetInformationThread  ... ) == 0x0
 02871  1612   NtSetInformationThread  ... ) == 0x0
 02883   876   NtSetInformationThread  ... ) == 0x0
 02917  1156   NtWaitForSingleObject  (244, 0, 0x0, ...
 02918  1700   NtWaitForSingleObject  (244, 0, 0x0, ...
 02919  1808   NtWaitForSingleObject  (244, 0, 0x0, ...
 02920  1796   NtWaitForSingleObject  (244, 0, 0x0, ...
 02921   164   NtWaitForSingleObject  (244, 0, 0x0, ...
 02922  1564   NtWaitForSingleObject  (244, 0, 0x0, ...
 02923  1592   NtWaitForSingleObject  (244, 0, 0x0, ...
 02924  2032   NtWaitForSingleObject  (244, 0, 0x0, ...
 02925  1500   NtWaitForSingleObject  (244, 0, 0x0, ...
 02926   932   NtWaitForSingleObject  (244, 0, 0x0, ...
 02927  1528   NtWaitForSingleObject  (244, 0, 0x0, ...
 02928  1780   NtWaitForSingleObject  (244, 0, 0x0, ...
 02929  1804   NtWaitForSingleObject  (244, 0, 0x0, ...
 02930  1644   NtWaitForSingleObject  (244, 0, 0x0, ...
 02931   336   NtWaitForSingleObject  (244, 0, 0x0, ...
 02932   800   NtWaitForSingleObject  (244, 0, 0x0, ...
 02933   504   NtWaitForSingleObject  (244, 0, 0x0, ...
 02934   888   NtWaitForSingleObject  (244, 0, 0x0, ...
 02935  1392   NtWaitForSingleObject  (244, 0, 0x0, ...
 02936  2020   NtWaitForSingleObject  (244, 0, 0x0, ...
 02937   740   NtWaitForSingleObject  (244, 0, 0x0, ...
 02938  1676   NtWaitForSingleObject  (244, 0, 0x0, ...
 02939   496   NtWaitForSingleObject  (244, 0, 0x0, ...
 02940  1020   NtWaitForSingleObject  (244, 0, 0x0, ...
 02941   432   NtWaitForSingleObject  (244, 0, 0x0, ...
 02942  1332   NtWaitForSingleObject  (244, 0, 0x0, ...
 02943  1328   NtWaitForSingleObject  (244, 0, 0x0, ...
 02944   752   NtWaitForSingleObject  (244, 0, 0x0, ...
 02945   120   NtWaitForSingleObject  (244, 0, 0x0, ...
 02946  1732   NtWaitForSingleObject  (244, 0, 0x0, ...
 02947   188   NtWaitForSingleObject  (244, 0, 0x0, ...
 02948  1636   NtWaitForSingleObject  (244, 0, 0x0, ...
 02949   624   NtWaitForSingleObject  (244, 0, 0x0, ...
 02950  1948   NtWaitForSingleObject  (244, 0, 0x0, ...
 02951   988   NtWaitForSingleObject  (244, 0, 0x0, ...
 02952   468   NtWaitForSingleObject  (244, 0, 0x0, ...
 02953   380   NtWaitForSingleObject  (244, 0, 0x0, ...
 02954  1692   NtWaitForSingleObject  (244, 0, 0x0, ...
 02955  1792   NtWaitForSingleObject  (244, 0, 0x0, ...
 02956   784   NtWaitForSingleObject  (244, 0, 0x0, ...
 02957  1520   NtWaitForSingleObject  (244, 0, 0x0, ...
 02958  1696   NtWaitForSingleObject  (244, 0, 0x0, ...
 02959  1744   NtWaitForSingleObject  (244, 0, 0x0, ...
 02960  1124   NtWaitForSingleObject  (244, 0, 0x0, ...
 02961  1496   NtWaitForSingleObject  (244, 0, 0x0, ...
 02962   168   NtWaitForSingleObject  (244, 0, 0x0, ...
 02963  1284   NtWaitForSingleObject  (244, 0, 0x0, ...
 02964  1268   NtWaitForSingleObject  (244, 0, 0x0, ...
 02965   840   NtWaitForSingleObject  (244, 0, 0x0, ...
 02966  1336   NtWaitForSingleObject  (244, 0, 0x0, ...
 02967  1200   NtWaitForSingleObject  (244, 0, 0x0, ...
 02968  1920   NtWaitForSingleObject  (244, 0, 0x0, ...
 02969   896   NtWaitForSingleObject  (244, 0, 0x0, ...
 02970  2016   NtWaitForSingleObject  (244, 0, 0x0, ...
 02971  2012   NtWaitForSingleObject  (244, 0, 0x0, ...
 02972  1604   NtWaitForSingleObject  (244, 0, 0x0, ...
 02973  1572   NtWaitForSingleObject  (244, 0, 0x0, ...
 02974   596   NtWaitForSingleObject  (244, 0, 0x0, ...
 02975   376   NtWaitForSingleObject  (244, 0, 0x0, ...
 02976  1168   NtWaitForSingleObject  (244, 0, 0x0, ...
 02977   428   NtWaitForSingleObject  (244, 0, 0x0, ...
 02978  1344   NtWaitForSingleObject  (244, 0, 0x0, ...
 02979  1300   NtWaitForSingleObject  (244, 0, 0x0, ...
 02980  1096   NtWaitForSingleObject  (244, 0, 0x0, ...
 02981   252   NtWaitForSingleObject  (244, 0, 0x0, ...
 02982   500   NtWaitForSingleObject  (244, 0, 0x0, ...
 02983  1132   NtWaitForSingleObject  (244, 0, 0x0, ...
 02984  1024   NtWaitForSingleObject  (244, 0, 0x0, ...
 02985   948   NtWaitForSingleObject  (244, 0, 0x0, ...
 02986  1388   NtWaitForSingleObject  (244, 0, 0x0, ...
 02987   520   NtWaitForSingleObject  (244, 0, 0x0, ...
 02988   276   NtWaitForSingleObject  (244, 0, 0x0, ...
 02989   996   NtWaitForSingleObject  (244, 0, 0x0, ...
 02990  1064   NtWaitForSingleObject  (244, 0, 0x0, ...
 02991  1600   NtWaitForSingleObject  (244, 0, 0x0, ...
 02992  1372   NtWaitForSingleObject  (244, 0, 0x0, ...
 02993  2040   NtWaitForSingleObject  (244, 0, 0x0, ...
 02994   216   NtWaitForSingleObject  (244, 0, 0x0, ...
 02995   152   NtWaitForSingleObject  (244, 0, 0x0, ...
 02996   900   NtWaitForSingleObject  (244, 0, 0x0, ...
 02997  1272   NtWaitForSingleObject  (244, 0, 0x0, ...
 02998  1240   NtWaitForSingleObject  (244, 0, 0x0, ...
 02999  1776   NtWaitForSingleObject  (244, 0, 0x0, ...
 03000  1324   NtWaitForSingleObject  (244, 0, 0x0, ...
 03001  1884   NtWaitForSingleObject  (244, 0, 0x0, ...
 03002   248   NtWaitForSingleObject  (244, 0, 0x0, ...
 03003  1652   NtWaitForSingleObject  (244, 0, 0x0, ...
 03004   588   NtWaitForSingleObject  (244, 0, 0x0, ...
 03005   440   NtWaitForSingleObject  (244, 0, 0x0, ...
 03006  1296   NtWaitForSingleObject  (244, 0, 0x0, ...
 03007  1612   NtWaitForSingleObject  (244, 0, 0x0, ...
 03008   876   NtWaitForSingleObject  (244, 0, 0x0, ...
 03009  1128   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software"}, ... 768, ) }, ... 768, ) == 0x0
 03010  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03011  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03012  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03013  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 772, ) }, ... 772, ) == 0x0
 03014  1128   NtQueryValueKey  (772,  (772, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (772, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03015  1128   NtClose  (772, ... ) == 0x0
 03016  1128   NtQueryValueKey  (96,  (96, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03017  1128   NtQueryValueKey  (96,  (96, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03018  1128   NtQueryValueKey  (96,  (96, "IdnEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03019  1128   NtQueryValueKey  (96,  (96, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03020  1128   NtQueryValueKey  (96,  (96, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03021  1128   NtQueryValueKey  (96,  (96, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03022  1128   NtQueryValueKey  (96,  (96, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03023  1128   NtQueryValueKey  (96,  (96, "DisableBasicOverClearChannel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03024  1128   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03025  1128   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03026  1128   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03027  1128   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 772, ) }, ... 772, ) == 0x0
 03028  1128   NtQueryValueKey  (772,  (772, "Feature_ClientAuthCertFilter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03029  1128   NtClose  (772, ... ) == 0x0
 03030  1128   NtAllocateVirtualMemory  (-1, 26267648, 0, 4096, 4096, 260, ... 26267648, 4096, ) == 0x0
 03031  1128   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03032  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 26275472, ... ) }, 26275472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03033  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 26275472, ... ) }, 26275472, ... ) == 0x0
 03034  1128   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 5, 96, ... 772, {status=0x0, info=1}, ) }, 5, 96, ... 772, {status=0x0, info=1}, ) == 0x0
 03035  1128   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 772, ... 776, ) == 0x0
 03036  1128   NtQuerySection  (776, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03037  1128   NtClose  (772, ... ) == 0x0
 03038  1128   NtMapViewOfSection  (776, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77fe0000), 0x0, 69632, ) == 0x0
 03039  1128   NtClose  (776, ... ) == 0x0
 03040  1128   NtProtectVirtualMemory  (-1, (0x77fe1000), 388, 4, ... (0x77fe1000), 4096, 32, ) == 0x0
 03041  1128   NtProtectVirtualMemory  (-1, (0x77fe1000), 4096, 32, ... (0x77fe1000), 4096, 4, ) == 0x0
 03042  1128   NtFlushInstructionCache  (-1, 2013138944, 388, ... ) == 0x0
 03043  1128   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03044  1128   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 776, ) == 0x0
 03045  1128   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 772, ) == 0x0
 03046  1128   NtOpenEvent  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 780, ) }, ... 780, ) == 0x0
 03047  1128   NtQueryEvent  (780, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0
 03048  1128   NtClose  (780, ... ) == 0x0
 03049  1128   NtConnectPort  ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 26277044, 140, ... 780, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 26277044, 140, ... 780, 0x0, 0x0, 256, 140, ) == 0x0
 03050  1128   NtRequestWaitReplyPort  (780, {28, 52, new_msg, 0, 0, 0, 0, 0}  (780, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\340\347\24\0" ... {188, 212, reply, 0, 928, 1128, 58091, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" )  ... {188, 212, reply, 0, 928, 1128, 58091, 0}  (780, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\340\347\24\0" ... {188, 212, reply, 0, 928, 1128, 58091, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" )  ) == 0x0
 03051  1128   NtQueryValueKey  (96,  (96, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03052  1128   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 784, ) }, ... 784, ) == 0x0
 03053  1128   NtQueryValueKey  (784,  (784, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03054  1128   NtClose  (784, ... ) == 0x0
 03055  1128   NtOpenKey  (0xf, {24, 28, 0x40, 0, 0,  (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 784, ) }, ... 784, ) == 0x0
 03056  1128   NtOpenKey  (0xf, {24, 100, 0x40, 0, 0,  (0xf, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 788, ) }, ... 788, ) == 0x0
 03057  1128   NtOpenKey  (0x9, {24, 100, 0x40, 0, 0,  (0x9, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 792, ) }, ... 792, ) == 0x0
 03058  1128   NtQueryValueKey  (792,  (792, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 03059  1128   NtQueryValueKey  (792,  (792, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 03060  1128   NtClose  (792, ... ) == 0x0
 03061  1128   NtOpenKey  (0xf, {24, 788, 0x40, 0, 0,  (0xf, {24, 788, 0x40, 0, 0, "Content"}, ... 792, ) }, ... 792, ) == 0x0
 03062  1128   NtQueryValueKey  (792,  (792, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03063  1128   NtOpenKey  (0xf, {24, 784, 0x40, 0, 0,  (0xf, {24, 784, 0x40, 0, 0, "Content"}, ... 796, ) }, ... 796, ) == 0x0
 03064  1128   NtQueryValueKey  (796,  (796, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (796, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03065  1128   NtClose  (796, ... ) == 0x0
 03066  1128   NtClose  (792, ... ) == 0x0
 03067  1128   NtOpenKey  (0xf, {24, 788, 0x40, 0, 0,  (0xf, {24, 788, 0x40, 0, 0, "Content"}, ... 792, ) }, ... 792, ) == 0x0
 03068  1128   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 796, ) }, ... 796, ) == 0x0
 03069  1128   NtMapViewOfSection  (796, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0
 03070  1128   NtClose  (796, ... ) == 0x0
 03071  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03072  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03073  1128   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03074  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03075  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03076  1128   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03077  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03078  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03079  1128   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03080  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03081  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03082  1128   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03083  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03084  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03085  1128   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03086  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03087  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03088  1128   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03089  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03090  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03091  1128   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03092  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 03093  1128   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 03094  1128   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 03095  1128   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03096  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 796, ) }, ... 796, ) == 0x0
 03097  1128   NtQueryValueKey  (796,  (796, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (796, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03098  1128   NtAllocateVirtualMemory  (-1, 26263552, 0, 4096, 4096, 260, ... 26263552, 4096, ) == 0x0
 03099  1128   NtClose  (796, ... ) == 0x0
 03100  1128   NtQueryDefaultUILanguage  (26272068, ...
 03101  1128   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03102  1128   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481344, ) == 0x0
 03103  1128   NtQueryInformationToken  (-2147481344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03104  1128   NtClose  (-2147481344, ... ) == 0x0
 03105  1128   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481344, ) }, ... -2147481344, ) == 0x0
 03106  1128   NtOpenKey  (0x80000000, {24, -2147481344, 0x240, 0, 0,  (0x80000000, {24, -2147481344, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03107  1128   NtOpenKey  (0x80000000, {24, -2147481344, 0x640, 0, 0,  (0x80000000, {24, -2147481344, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482132, ) }, ... -2147482132, ) == 0x0
 03108  1128   NtQueryValueKey  (-2147482132,  (-2147482132, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03109  1128   NtClose  (-2147482132, ... ) == 0x0
 03110  1128   NtClose  (-2147481344, ... ) == 0x0
 03100  1128   NtQueryDefaultUILanguage  ... ) == 0x0
 03111  1128   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 796, {status=0x0, info=1}, ) }, 1, 96, ... 796, {status=0x0, info=1}, ) == 0x0
 03112  1128   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 796, ... 800, ) == 0x0
 03113  1128   NtMapViewOfSection  (800, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8d10000), 0x0, 8462336, ) == 0x0
 03114  1128   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03115  1128   NtAllocateVirtualMemory  (-1, 26259456, 0, 4096, 4096, 260, ... 26259456, 4096, ) == 0x0
 03116  1128   NtQueryDefaultLocale  (1, 26270164, ... ) == 0x0
 03117  1128   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03118  1128   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 26271200, 1179817, 26270924}  (24, {128, 156, new_msg, 0, 2088850039, 26271200, 1179817, 26270924} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\34\3\0\0\377\377\377\377\0\0\0\0@ \364\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\341\220\1\0\0\0\0" ... {128, 156, reply, 0, 928, 1128, 58092, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\34\3\0\0\377\377\377\377\0\0\0\0@ \364\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\341\220\1\0\0\0\0" )  ... {128, 156, reply, 0, 928, 1128, 58092, 0}  (24, {128, 156, new_msg, 0, 2088850039, 26271200, 1179817, 26270924} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\34\3\0\0\377\377\377\377\0\0\0\0@ \364\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\341\220\1\0\0\0\0" ... {128, 156, reply, 0, 928, 1128, 58092, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\34\3\0\0\377\377\377\377\0\0\0\0@ \364\10\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\324\341\220\1\0\0\0\0" )  ) == 0x0
 03119  1128   NtClose  (796, ... ) == 0x0
 03120  1128   NtClose  (800, ... ) == 0x0
 03121  1128   NtUnmapViewOfSection  (-1, 0x8d10000, ... ) == 0x0
 03122  1128   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03123  1128   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03124  1128   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03125  1128   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03126  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 26269356, ... ) }, 26269356, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03127  1128   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03128  1128   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03129  1128   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03130  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 26269420, ... ) }, 26269420, ... ) == 0x0
 03131  1128   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 800, {status=0x0, info=1}, ) }, 3, 33, ... 800, {status=0x0, info=1}, ) == 0x0
 03132  1128   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03133  1128   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 796, {status=0x0, info=1}, ) }, 5, 96, ... 796, {status=0x0, info=1}, ) == 0x0
 03134  1128   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 796, ... 804, ) == 0x0
 03135  1128   NtClose  (796, ... ) == 0x0
 03136  1128   NtMapViewOfSection  (804, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8d10000), 0x0, 1056768, ) == 0x0
 03137  1128   NtClose  (804, ... ) == 0x0
 03138  1128   NtUnmapViewOfSection  (-1, 0x8d10000, ... ) == 0x0
 03139  1128   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 804, {status=0x0, info=1}, ) }, 5, 96, ... 804, {status=0x0, info=1}, ) == 0x0
 03140  1128   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 804, ... 796, ) == 0x0
 03141  1128   NtQuerySection  (796, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03142  1128   NtClose  (804, ... ) == 0x0
 03143  1128   NtMapViewOfSection  (796, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 03144  1128   NtClose  (796, ... ) == 0x0
 03145  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03146  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03147  1128   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03148  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03149  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03150  1128   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03151  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03152  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03153  1128   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03154  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03155  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03156  1128   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03157  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03158  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03159  1128   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03160  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03161  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03162  1128   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03163  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 03164  1128   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 03165  1128   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 03166  1128   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03167  1128   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 26270900, ... ) , 42, 26270900, ... ) == 0x0
 03168  1128   NtQueryDefaultUILanguage  (26269584, ...
 03169  1128   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03170  1128   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481344, ) == 0x0
 03171  1128   NtQueryInformationToken  (-2147481344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03172  1128   NtClose  (-2147481344, ... ) == 0x0
 03173  1128   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481344, ) }, ... -2147481344, ) == 0x0
 03174  1128   NtOpenKey  (0x80000000, {24, -2147481344, 0x240, 0, 0,  (0x80000000, {24, -2147481344, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03175  1128   NtOpenKey  (0x80000000, {24, -2147481344, 0x640, 0, 0,  (0x80000000, {24, -2147481344, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482132, ) }, ... -2147482132, ) == 0x0
 03176  1128   NtQueryValueKey  (-2147482132,  (-2147482132, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03177  1128   NtClose  (-2147482132, ... ) == 0x0
 03178  1128   NtClose  (-2147481344, ... ) == 0x0
 03168  1128   NtQueryDefaultUILanguage  ... ) == 0x0
 03179  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 26268424, ... ) }, 26268424, ... ) == 0x0
 03180  1128   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 796, {status=0x0, info=1}, ) }, 5, 96, ... 796, {status=0x0, info=1}, ) == 0x0
 03181  1128   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 796, ... 804, ) == 0x0
 03182  1128   NtClose  (796, ... ) == 0x0
 03183  1128   NtMapViewOfSection  (804, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xdd0000), 0x0, 4096, ) == 0x0
 03184  1128   NtClose  (804, ... ) == 0x0
 03185  1128   NtUnmapViewOfSection  (-1, 0xdd0000, ... ) == 0x0
 03186  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 26268020, ... ) }, 26268020, ... ) == 0x0
 03187  1128   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 26268764,  (0x80100080, {24, 0, 0x40, 0, 26268764, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 804, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 804, {status=0x0, info=1}, ) == 0x0
 03188  1128   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 804, ... 796, ) == 0x0
 03189  1128   NtClose  (804, ... ) == 0x0
 03190  1128   NtMapViewOfSection  (796, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xdd0000), {0, 0}, 4096, ) == 0x0
 03191  1128   NtClose  (796, ... ) == 0x0
 03192  1128   NtUnmapViewOfSection  (-1, 0xdd0000, ... ) == 0x0
 03193  1128   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 796, {status=0x0, info=1}, ) }, 1, 96, ... 796, {status=0x0, info=1}, ) == 0x0
 03194  1128   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 796, ... 804, ) == 0x0
 03195  1128   NtMapViewOfSection  (804, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xdd0000), 0x0, 4096, ) == 0x0
 03196  1128   NtQueryInformationFile  (796, 26268416, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03197  1128   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03198  1128   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 26268716, 1179817, 26268440}  (24, {128, 156, new_msg, 0, 2088850039, 26268716, 1179817, 26268440} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\34\3\0\0$\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0 \330\220\1\0\0\0\0" ... {128, 156, reply, 0, 928, 1128, 58093, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\34\3\0\0$\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0 \330\220\1\0\0\0\0" )  ... {128, 156, reply, 0, 928, 1128, 58093, 0}  (24, {128, 156, new_msg, 0, 2088850039, 26268716, 1179817, 26268440} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\34\3\0\0$\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0 \330\220\1\0\0\0\0" ... {128, 156, reply, 0, 928, 1128, 58093, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\34\3\0\0$\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0 \330\220\1\0\0\0\0" )  ) == 0x0
 03199  1128   NtClose  (796, ... ) == 0x0
 03200  1128   NtClose  (804, ... ) == 0x0
 03201  1128   NtUnmapViewOfSection  (-1, 0xdd0000, ... ) == 0x0
 03202  1128   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03203  1128   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 804, ) == 0x0
 03204  1128   NtCallbackReturn  (0, 0, 0, ...
 03205  1128   NtUserGetThreadState  (18, ... ) == 0x1
 03206  1128   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 03207  1128   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 03208  1128   NtUserGetDC  (0, ... ) == 0x1010052
 03209  1128   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 03210  1128   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 03211  1128   NtUserSystemParametersInfo  (66, 12, 26270416, 0, ... ) == 0x1
 03212  1128   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03213  1128   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 796, ) == 0x0
 03214  1128   NtQueryInformationToken  (796, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03215  1128   NtClose  (796, ... ) == 0x0
 03216  1128   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 796, ) }, ... 796, ) == 0x0
 03217  1128   NtOpenProcessToken  (-1, 0x8, ... 808, ) == 0x0
 03218  1128   NtAccessCheck  (1336312, 808, 0x1, 26270248, 26270300, 56, 26270280, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 03219  1128   NtClose  (808, ... ) == 0x0
 03220  1128   NtOpenKey  (0x20019, {24, 796, 0x40, 0, 0,  (0x20019, {24, 796, 0x40, 0, 0, "Control Panel\Desktop"}, ... 808, ) }, ... 808, ) == 0x0
 03221  1128   NtQueryValueKey  (808,  (808, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03222  1128   NtClose  (808, ... ) == 0x0
 03223  1128   NtUserSystemParametersInfo  (41, 500, 26270444, 0, ... ) == 0x1
 03224  1128   NtOpenProcessToken  (-1, 0x8, ... 808, ) == 0x0
 03225  1128   NtAccessCheck  (1336312, 808, 0x1, 26270248, 26270300, 56, 26270280, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 03226  1128   NtClose  (808, ... ) == 0x0
 03227  1128   NtOpenKey  (0x20019, {24, 796, 0x40, 0, 0,  (0x20019, {24, 796, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 808, ) }, ... 808, ) == 0x0
 03228  1128   NtQueryValueKey  (808,  (808, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03229  1128   NtClose  (808, ... ) == 0x0
 03230  1128   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 03231  1128   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 03232  1128   NtClose  (796, ... ) == 0x0
 03233  1128   NtUserSystemParametersInfo  (4130, 0, 26270948, 0, ... ) == 0x1
 03234  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 796, ) }, ... 796, ) == 0x0
 03235  1128   NtEnumerateValueKey  (796, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03236  1128   NtClose  (796, ... ) == 0x0
 03237  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03238  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c03b
 03239  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c03d
 03240  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03241  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c03f
 03242  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03243  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c041
 03244  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03245  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c043
 03246  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c045
 03247  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03248  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c047
 03249  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03250  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c049
 03251  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03252  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c04b
 03253  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03254  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c04d
 03255  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03256  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c04f
 03257  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c051
 03258  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03259  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c053
 03260  1128   NtUserFindExistingCursorIcon  (26270192, 26270208, 26270256, ... ) == 0x10011
 03261  1128   NtUserRegisterClassExWOW  (26270136, 26270204, 26270220, 26270236, 0, 384, 0, ... ) == 0x81a1c055
 03262  1128   NtUserFindExistingCursorIcon  (26270192, 26270208, 26270256, ... ) == 0x10011
 03263  1128   NtUserRegisterClassExWOW  (26270136, 26270204, 26270220, 26270236, 0, 384, 0, ... ) == 0x81a1c057
 03264  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03265  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c059
 03266  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10013
 03267  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c05b
 03268  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03269  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c05d
 03270  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03271  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c05f
 03272  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03273  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c017
 03274  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03275  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c019
 03276  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10013
 03277  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c018
 03278  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03279  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c01a
 03280  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03281  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c01c
 03282  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03283  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c01e
 03284  1128   NtUserFindExistingCursorIcon  (26270188, 26270204, 26270252, ... ) == 0x10011
 03285  1128   NtUserRegisterClassExWOW  (26270188, 26270256, 26270272, 26270288, 0, 384, 0, ... ) == 0x81a1c01b
 03286  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03287  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c068
 03288  1128   NtUserFindExistingCursorIcon  (26270196, 26270212, 26270260, ... ) == 0x10011
 03289  1128   NtUserRegisterClassExWOW  (26270140, 26270208, 26270224, 26270240, 0, 384, 0, ... ) == 0x81a1c06a
 03290  1128   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03291  1128   NtCreateSemaphore  (0x1f0003, {24, 44, 0x80, 1330488, 0,  (0x1f0003, {24, 44, 0x80, 1330488, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 796, ) }, 0, 2147483647, ... 796, ) == STATUS_OBJECT_NAME_EXISTS
 03292  1128   NtReleaseSemaphore  (796, 1, ... 0, ) == 0x0
 03293  1128   NtWaitForSingleObject  (796, 0, {0, 0}, ... ) == 0x0
 03294  1128   NtCreateKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 808, 2, ) }, 0, 0x0, 0, ... 808, 2, ) == 0x0
 03295  1128   NtQueryValueKey  (808,  (808, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (808, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 03296  1128   NtClose  (808, ... ) == 0x0
 03297  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 26275140, ... ) }, 26275140, ... ) == 0x0
 03298  1128   NtCreateKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 808, 2, ) }, 0, 0x0, 0, ... 808, 2, ) == 0x0
 03299  1128   NtSetValueKey  (808,  (808, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 0, 1,  (808, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 162, ... ) == 0x0
 03300  1128   NtClose  (808, ... ) == 0x0
 03301  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 26275832, ... ) }, 26275832, ... ) == 0x0
 03302  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 26275040, ... ) }, 26275040, ... ) == 0x0
 03303  1128   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 808, {status=0x0, info=1}, ) }, 7, 2113568, ... 808, {status=0x0, info=1}, ) == 0x0
 03304  1128   NtSetInformationFile  (808, 26275012, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03305  1128   NtClose  (808, ... ) == 0x0
 03306  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\desktop.ini"}, 26275036, ... ) }, 26275036, ... ) == 0x0
 03307  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 26275832, ... ) }, 26275832, ... ) == 0x0
 03308  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 26275040, ... ) }, 26275040, ... ) == 0x0
 03309  1128   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 7, 2113568, ... 808, {status=0x0, info=1}, ) }, 7, 2113568, ... 808, {status=0x0, info=1}, ) == 0x0
 03310  1128   NtSetInformationFile  (808, 26275012, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03311  1128   NtClose  (808, ... ) == 0x0
 03312  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 26275036, ... ) }, 26275036, ... ) == 0x0
 03313  1128   NtQueryValueKey  (792,  (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03314  1128   NtQueryValueKey  (792,  (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03315  1128   NtQueryValueKey  (792,  (792, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (792, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) }, 16, ) == 0x0
 03316  1128   NtOpenKey  (0xf, {24, 788, 0x40, 0, 0,  (0xf, {24, 788, 0x40, 0, 0, "Cookies"}, ... 808, ) }, ... 808, ) == 0x0
 03317  1128   NtQueryValueKey  (808,  (808, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03318  1128   NtOpenKey  (0xf, {24, 784, 0x40, 0, 0,  (0xf, {24, 784, 0x40, 0, 0, "Cookies"}, ... 812, ) }, ... 812, ) == 0x0
 03319  1128   NtQueryValueKey  (812,  (812, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (812, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03320  1128   NtClose  (812, ... ) == 0x0
 03321  1128   NtClose  (808, ... ) == 0x0
 03322  1128   NtClose  (792, ... ) == 0x0
 03323  1128   NtOpenKey  (0xf, {24, 788, 0x40, 0, 0,  (0xf, {24, 788, 0x40, 0, 0, "Cookies"}, ... 792, ) }, ... 792, ) == 0x0
 03324  1128   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03325  1128   NtReleaseSemaphore  (796, 1, ... 0, ) == 0x0
 03326  1128   NtWaitForSingleObject  (796, 0, {0, 0}, ... ) == 0x0
 03327  1128   NtCreateKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 808, 2, ) }, 0, 0x0, 0, ... 808, 2, ) == 0x0
 03328  1128   NtQueryValueKey  (808,  (808, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (808, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 03329  1128   NtClose  (808, ... ) == 0x0
 03330  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 26275140, ... ) }, 26275140, ... ) == 0x0
 03331  1128   NtCreateKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 808, 2, ) }, 0, 0x0, 0, ... 808, 2, ) == 0x0
 03332  1128   NtSetValueKey  (808,  (808, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 0, 1,  (808, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 98, ... ) == 0x0
 03333  1128   NtClose  (808, ... ) == 0x0
 03334  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 26275832, ... ) }, 26275832, ... ) == 0x0
 03335  1128   NtQueryValueKey  (792,  (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 03336  1128   NtQueryValueKey  (792,  (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 03337  1128   NtQueryValueKey  (792,  (792, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (792, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 03338  1128   NtOpenKey  (0xf, {24, 788, 0x40, 0, 0,  (0xf, {24, 788, 0x40, 0, 0, "History"}, ... 808, ) }, ... 808, ) == 0x0
 03339  1128   NtQueryValueKey  (808,  (808, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03340  1128   NtOpenKey  (0xf, {24, 784, 0x40, 0, 0,  (0xf, {24, 784, 0x40, 0, 0, "History"}, ... 812, ) }, ... 812, ) == 0x0
 03341  1128   NtQueryValueKey  (812,  (812, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (812, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03342  1128   NtClose  (812, ... ) == 0x0
 03343  1128   NtClose  (808, ... ) == 0x0
 03344  1128   NtClose  (792, ... ) == 0x0
 03345  1128   NtOpenKey  (0xf, {24, 788, 0x40, 0, 0,  (0xf, {24, 788, 0x40, 0, 0, "History"}, ... 792, ) }, ... 792, ) == 0x0
 03346  1128   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03347  1128   NtReleaseSemaphore  (796, 1, ... 0, ) == 0x0
 03348  1128   NtWaitForSingleObject  (796, 0, {0, 0}, ... ) == 0x0
 03349  1128   NtCreateKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 808, 2, ) }, 0, 0x0, 0, ... 808, 2, ) == 0x0
 03350  1128   NtQueryValueKey  (808,  (808, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (808, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 03351  1128   NtClose  (808, ... ) == 0x0
 03352  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 26275140, ... ) }, 26275140, ... ) == 0x0
 03353  1128   NtCreateKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 808, 2, ) }, 0, 0x0, 0, ... 808, 2, ) == 0x0
 03354  1128   NtSetValueKey  (808,  (808, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 0, 1,  (808, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 128, ... ) == 0x0
 03355  1128   NtClose  (808, ... ) == 0x0
 03356  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 26275832, ... ) }, 26275832, ... ) == 0x0
 03357  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 26275040, ... ) }, 26275040, ... ) == 0x0
 03358  1128   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 7, 2113568, ... 808, {status=0x0, info=1}, ) }, 7, 2113568, ... 808, {status=0x0, info=1}, ) == 0x0
 03359  1128   NtSetInformationFile  (808, 26275012, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03360  1128   NtClose  (808, ... ) == 0x0
 03361  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\desktop.ini"}, 26275036, ... ) }, 26275036, ... ) == 0x0
 03362  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 26275832, ... ) }, 26275832, ... ) == 0x0
 03363  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 26275040, ... ) }, 26275040, ... ) == 0x0
 03364  1128   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 7, 2113568, ... 808, {status=0x0, info=1}, ) }, 7, 2113568, ... 808, {status=0x0, info=1}, ) == 0x0
 03365  1128   NtSetInformationFile  (808, 26275012, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03366  1128   NtClose  (808, ... ) == 0x0
 03367  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 26275036, ... ) }, 26275036, ... ) == 0x0
 03368  1128   NtQueryValueKey  (792,  (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 03369  1128   NtQueryValueKey  (792,  (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (792, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 03370  1128   NtQueryValueKey  (792,  (792, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (792, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 03371  1128   NtClose  (792, ... ) == 0x0
 03372  1128   NtClose  (788, ... ) == 0x0
 03373  1128   NtClose  (784, ... ) == 0x0
 03374  1128   NtOpenMutant  (0x100000, {24, 44, 0x0, 0, 0,  (0x100000, {24, 44, 0x0, 0, 0, "Local\_!MSFTHISTORY!_"}, ... 784, ) }, ... 784, ) == 0x0
 03375  1128   NtOpenMutant  (0x100000, {24, 44, 0x0, 0, 0,  (0x100000, {24, 44, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!temporary internet files!content.ie5!"}, ... 788, ) }, ... 788, ) == 0x0
 03376  1128   NtWaitForSingleObject  (788, 0, 0x0, ... ) == 0x0
 03377  1128   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 03378  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 26277140, ... ) }, 26277140, ... ) == 0x0
 03379  1128   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 792, {status=0x0, info=1}, ) }, 7, 2113568, ... 792, {status=0x0, info=1}, ) == 0x0
 03380  1128   NtSetInformationFile  (792, 26277116, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03381  1128   NtClose  (792, ... ) == 0x0
 03382  1128   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 26277056,  (0xc0100080, {24, 0, 0x40, 0, 26277056, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 792, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 792, {status=0x0, info=1}, ) == 0x0
 03383  1128   NtSetInformationFile  (792, 26277108, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03384  1128   NtQueryInformationFile  (792, 26277108, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03385  1128   NtOpenSection  (0x2, {24, 44, 0x0, 0, 0,  (0x2, {24, 44, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_Temporary Internet Files_Content.IE5_index.dat_802816"}, ... 808, ) }, ... 808, ) == 0x0
 03386  1128   NtMapViewOfSection  (808, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8d10000), {0, 0}, 802816, ) == 0x0
 03387  1128   NtReleaseMutant  (788, ... 0x0, ) == 0x0
 03388  1128   NtOpenMutant  (0x100000, {24, 44, 0x0, 0, 0,  (0x100000, {24, 44, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!cookies!"}, ... 812, ) }, ... 812, ) == 0x0
 03389  1128   NtWaitForSingleObject  (812, 0, 0x0, ... ) == 0x0
 03390  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 26277140, ... ) }, 26277140, ... ) == 0x0
 03391  1128   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 7, 2113568, ... 816, {status=0x0, info=1}, ) }, 7, 2113568, ... 816, {status=0x0, info=1}, ) == 0x0
 03392  1128   NtSetInformationFile  (816, 26277116, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03393  1128   NtClose  (816, ... ) == 0x0
 03394  1128   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 26277056,  (0xc0100080, {24, 0, 0x40, 0, 26277056, "\??\C:\Documents and Settings\Martim Carbone\Cookies\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 816, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 816, {status=0x0, info=1}, ) == 0x0
 03395  1128   NtSetInformationFile  (816, 26277108, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03396  1128   NtQueryInformationFile  (816, 26277108, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03397  1128   NtOpenSection  (0x2, {24, 44, 0x0, 0, 0,  (0x2, {24, 44, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Cookies_index.dat_32768"}, ... 820, ) }, ... 820, ) == 0x0
 03398  1128   NtMapViewOfSection  (820, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xdd0000), {0, 0}, 32768, ) == 0x0
 03399  1128   NtReleaseMutant  (812, ... 0x0, ) == 0x0
 03400  1128   NtOpenMutant  (0x100000, {24, 44, 0x0, 0, 0,  (0x100000, {24, 44, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!history!history.ie5!"}, ... 824, ) }, ... 824, ) == 0x0
 03401  1128   NtWaitForSingleObject  (824, 0, 0x0, ... ) == 0x0
 03402  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 26277140, ... ) }, 26277140, ... ) == 0x0
 03403  1128   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 828, {status=0x0, info=1}, ) }, 7, 2113568, ... 828, {status=0x0, info=1}, ) == 0x0
 03404  1128   NtSetInformationFile  (828, 26277116, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03405  1128   NtClose  (828, ... ) == 0x0
 03406  1128   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 26277056,  (0xc0100080, {24, 0, 0x40, 0, 26277056, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 828, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 828, {status=0x0, info=1}, ) == 0x0
 03407  1128   NtSetInformationFile  (828, 26277108, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03408  1128   NtQueryInformationFile  (828, 26277108, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03409  1128   NtOpenSection  (0x2, {24, 44, 0x0, 0, 0,  (0x2, {24, 44, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_History_History.IE5_index.dat_81920"}, ... 832, ) }, ... 832, ) == 0x0
 03410  1128   NtMapViewOfSection  (832, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xdf0000), {0, 0}, 81920, ) == 0x0
 03411  1128   NtReleaseMutant  (824, ... 0x0, ) == 0x0
 03412  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 26276716, ... ) }, 26276716, ... ) == 0x0
 03413  1128   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 836, {status=0x0, info=1}, ) }, 7, 2113568, ... 836, {status=0x0, info=1}, ) == 0x0
 03414  1128   NtSetInformationFile  (836, 26276688, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03415  1128   NtClose  (836, ... ) == 0x0
 03416  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 26276712, ... ) }, 26276712, ... ) == 0x0
 03417  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 26276716, ... ) }, 26276716, ... ) == 0x0
 03418  1128   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 836, {status=0x0, info=1}, ) }, 7, 2113568, ... 836, {status=0x0, info=1}, ) == 0x0
 03419  1128   NtSetInformationFile  (836, 26276688, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 03420  1128   NtClose  (836, ... ) == 0x0
 03421  1128   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 26276712, ... ) }, 26276712, ... ) == 0x0
 03422  1128   NtWaitForSingleObject  (788, 0, 0x0, ... ) == 0x0
 03423  1128   NtReleaseMutant  (788, ... 0x0, ) == 0x0
 03424  1128   NtOpenKey  (0xf, {24, 100, 0x40, 0, 0,  (0xf, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 836, ) }, ... 836, ) == 0x0
 03425  1128   NtOpenKey  (0xf, {24, 836, 0x40, 0, 0,  (0xf, {24, 836, 0x40, 0, 0, "Extensible Cache"}, ... 840, ) }, ... 840, ) == 0x0
 03426  1128   NtClose  (836, ... ) == 0x0
 03427  1128   NtWaitForSingleObject  (784, 0, {-600000000, -1}, ... ) == 0x0
 03428  1128   NtEnumerateKey  (840, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name= (840, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name="feedplat"}, 32, ) }, 32, ) == 0x0
 03429  1128   NtOpenKey  (0xf, {24, 840, 0x40, 0, 0,  (0xf, {24, 840, 0x40, 0, 0, "feedplat"}, ... 836, ) }, ... 836, ) == 0x0
 03430  1128   NtQueryValueKey  (836,  (836, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03431  1128   NtQueryValueKey  (836,  (836, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03432  1128   NtQueryValueKey  (836,  (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 03433  1128   NtQueryValueKey  (836,  (836, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03434  1128   NtQueryValueKey  (836,  (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0
 03435  1128   NtQueryValueKey  (836,  (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0
 03436  1128   NtQueryValueKey  (836,  (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0
 03437  1128   NtQueryValueKey  (836,  (836, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 03438  1128   NtQueryValueKey  (836,  (836, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03439  1128   NtClose  (836, ... ) == 0x0
 03440  1128   NtEnumerateKey  (840, 1, Basic, 288, ... {LastWrite={0x3124e1e0,0x1c877f6}, TitleIdx=0, Name= (840, 1, Basic, 288, ... {LastWrite={0x3124e1e0,0x1c877f6}, TitleIdx=0, Name="MSHist012008022520080226"}, 64, ) }, 64, ) == 0x0
 03441  1128   NtOpenKey  (0xf, {24, 840, 0x40, 0, 0,  (0xf, {24, 840, 0x40, 0, 0, "MSHist012008022520080226"}, ... 836, ) }, ... 836, ) == 0x0
 03442  1128   NtQueryValueKey  (836,  (836, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03443  1128   NtQueryValueKey  (836,  (836, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03444  1128   NtQueryValueKey  (836,  (836, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (836, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) }, 160, ) == 0x0
 03445  1128   NtQueryValueKey  (836,  (836, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03446  1128   NtQueryValueKey  (836,  (836, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (836, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0\0\0"}, 160, ) }, 160, ) == 0x0
 03447  1128   NtQueryValueKey  (836,  (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 03448  1128   NtQueryValueKey  (836,  (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\02\02\05\02\00\00\08\00\02\02\06\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 03449  1128   NtQueryValueKey  (836,  (836, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 03450  1128   NtQueryValueKey  (836,  (836, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 03451  1128   NtClose  (836, ... ) == 0x0
 03452  1128   NtEnumerateKey  (840, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name= (840, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name="UserData"}, 32, ) }, 32, ) == 0x0
 03453  1128   NtOpenKey  (0xf, {24, 840, 0x40, 0, 0,  (0xf, {24, 840, 0x40, 0, 0, "UserData"}, ... 836, ) }, ... 836, ) == 0x0
 03454  1128   NtQueryValueKey  (836,  (836, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03455  1128   NtQueryValueKey  (836,  (836, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03456  1128   NtQueryValueKey  (836,  (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0
 03457  1128   NtQueryValueKey  (836,  (836, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03458  1128   NtQueryValueKey  (836,  (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (836, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0
 03459  1128   NtQueryValueKey  (836,  (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0
 03460  1128   NtQueryValueKey  (836,  (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (836, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0
 03461  1128   NtQueryValueKey  (836,  (836, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) }, 16, ) == 0x0
 03462  1128   NtQueryValueKey  (836,  (836, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) }, 16, ) == 0x0
 03463  1128   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 03464  1128   NtClose  (836, ... ) == 0x0
 03465  1128   NtEnumerateKey  (840, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 03466  1128   NtReleaseMutant  (784, ... 0x0, ) == 0x0
 03467  1128   NtClose  (840, ... ) == 0x0
 03468  1128   NtWaitForSingleObject  (788, 0, 0x0, ... ) == 0x0
 03469  1128   NtReleaseMutant  (788, ... 0x0, ) == 0x0
 03470  1128   NtWaitForSingleObject  (788, 0, 0x0, ... ) == 0x0
 03471  1128   NtReleaseMutant  (788, ... 0x0, ) == 0x0
 03472  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03473  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03474  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03475  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03476  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03477  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03478  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03479  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 840, ) }, ... 840, ) == 0x0
 03480  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03481  1128   NtOpenKey  (0x1, {24, 840, 0x40, 0, 0,  (0x1, {24, 840, 0x40, 0, 0, "RETRY_HEADERONLYPOST_ONCONNECTIONRESET"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03482  1128   NtClose  (840, ... ) == 0x0
 03483  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03484  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03485  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 840, ) }, ... 840, ) == 0x0
 03486  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03487  1128   NtOpenKey  (0x1, {24, 840, 0x40, 0, 0,  (0x1, {24, 840, 0x40, 0, 0, "FEATURE_BUFFERBREAKING_818408"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03488  1128   NtClose  (840, ... ) == 0x0
 03489  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03490  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03491  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 840, ) }, ... 840, ) == 0x0
 03492  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03493  1128   NtOpenKey  (0x1, {24, 840, 0x40, 0, 0,  (0x1, {24, 840, 0x40, 0, 0, "FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03494  1128   NtClose  (840, ... ) == 0x0
 03495  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03496  1128   NtQueryValueKey  (96,  (96, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03497  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0
 03498  1128   NtQueryValueKey  (840,  (840, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03499  1128   NtClose  (840, ... ) == 0x0
 03500  1128   NtQueryValueKey  (96,  (96, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03501  1128   NtQueryValueKey  (96,  (96, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03502  1128   NtQueryValueKey  (96,  (96, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03503  1128   NtQueryValueKey  (96,  (96, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03504  1128   NtQueryValueKey  (96,  (96, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03505  1128   NtQueryValueKey  (96,  (96, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03506  1128   NtQueryValueKey  (96,  (96, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03507  1128   NtQueryValueKey  (96,  (96, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03508  1128   NtQueryValueKey  (96,  (96, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03509  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0
 03510  1128   NtQueryValueKey  (840,  (840, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03511  1128   NtClose  (840, ... ) == 0x0
 03512  1128   NtQueryValueKey  (96,  (96, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03513  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0
 03514  1128   NtQueryValueKey  (840,  (840, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03515  1128   NtClose  (840, ... ) == 0x0
 03516  1128   NtQueryValueKey  (96,  (96, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03517  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0
 03518  1128   NtQueryValueKey  (840,  (840, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03519  1128   NtClose  (840, ... ) == 0x0
 03520  1128   NtQueryValueKey  (96,  (96, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03521  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0
 03522  1128   NtQueryValueKey  (840,  (840, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03523  1128   NtClose  (840, ... ) == 0x0
 03524  1128   NtQueryValueKey  (96,  (96, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03525  1128   NtQueryValueKey  (96,  (96, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03526  1128   NtQueryValueKey  (96,  (96, "CertCacheNoValidate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03527  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 840, ) }, ... 840, ) == 0x0
 03528  1128   NtQueryValueKey  (840,  (840, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03529  1128   NtClose  (840, ... ) == 0x0
 03530  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03531  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03532  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03533  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 840, ) }, ... 840, ) == 0x0
 03534  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 836, ) }, ... 836, ) == 0x0
 03535  1128   NtQueryValueKey  (836,  (836, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03536  1128   NtQueryValueKey  (840,  (840, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03537  1128   NtClose  (840, ... ) == 0x0
 03538  1128   NtClose  (836, ... ) == 0x0
 03539  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03540  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03541  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 836, ) }, ... 836, ) == 0x0
 03542  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03543  1128   NtOpenKey  (0x1, {24, 836, 0x40, 0, 0,  (0x1, {24, 836, 0x40, 0, 0, "FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03544  1128   NtClose  (836, ... ) == 0x0
 03545  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03546  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03547  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 836, ) }, ... 836, ) == 0x0
 03548  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03549  1128   NtOpenKey  (0x1, {24, 836, 0x40, 0, 0,  (0x1, {24, 836, 0x40, 0, 0, "FEATURE_USE_CNAME_FOR_SPN_KB911149"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03550  1128   NtClose  (836, ... ) == 0x0
 03551  1128   NtQueryValueKey  (96,  (96, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03552  1128   NtQueryValueKey  (96,  (96, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03553  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03554  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03555  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 836, ) }, ... 836, ) == 0x0
 03556  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03557  1128   NtOpenKey  (0x1, {24, 836, 0x40, 0, 0,  (0x1, {24, 836, 0x40, 0, 0, "FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03558  1128   NtClose  (836, ... ) == 0x0
 03559  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03560  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03561  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 836, ) }, ... 836, ) == 0x0
 03562  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03563  1128   NtOpenKey  (0x1, {24, 836, 0x40, 0, 0,  (0x1, {24, 836, 0x40, 0, 0, "FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"}, ... 840, ) }, ... 840, ) == 0x0
 03564  1128   NtQueryValueKey  (840,  (840, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03565  1128   NtQueryValueKey  (840,  (840, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03566  1128   NtClose  (840, ... ) == 0x0
 03567  1128   NtClose  (836, ... ) == 0x0
 03568  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03569  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03570  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 836, ) }, ... 836, ) == 0x0
 03571  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03572  1128   NtOpenKey  (0x1, {24, 836, 0x40, 0, 0,  (0x1, {24, 836, 0x40, 0, 0, "FEATURE_DIGEST_NO_EXTRAS_IN_URI"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03573  1128   NtClose  (836, ... ) == 0x0
 03574  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0
 03575  1128   NtQueryValueKey  (836,  (836, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (836, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03576  1128   NtClose  (836, ... ) == 0x0
 03577  1128   NtQueryValueKey  (96,  (96, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03578  1128   NtQueryValueKey  (96,  (96, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03579  1128   NtQueryValueKey  (96,  (96, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03580  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0
 03581  1128   NtQueryValueKey  (836,  (836, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03582  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0
 03583  1128   NtQueryValueKey  (840,  (840, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03584  1128   NtClose  (836, ... ) == 0x0
 03585  1128   NtClose  (840, ... ) == 0x0
 03586  1128   NtQueryValueKey  (96,  (96, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03587  1128   NtQueryValueKey  (96,  (96, "BypassFtpTimeCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03588  1128   NtQueryValueKey  (96,  (96, "ReleaseSocketDuringAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03589  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0
 03590  1128   NtQueryValueKey  (840,  (840, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03591  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0
 03592  1128   NtQueryValueKey  (836,  (836, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03593  1128   NtClose  (840, ... ) == 0x0
 03594  1128   NtClose  (836, ... ) == 0x0
 03595  1128   NtQueryValueKey  (96,  (96, "WpadSearchAllDomains", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03596  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0
 03597  1128   NtQueryValueKey  (836,  (836, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03598  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0
 03599  1128   NtQueryValueKey  (840,  (840, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03600  1128   NtClose  (836, ... ) == 0x0
 03601  1128   NtClose  (840, ... ) == 0x0
 03602  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0
 03603  1128   NtQueryValueKey  (840,  (840, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03604  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0
 03605  1128   NtQueryValueKey  (836,  (836, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03606  1128   NtClose  (840, ... ) == 0x0
 03607  1128   NtClose  (836, ... ) == 0x0
 03608  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0
 03609  1128   NtQueryValueKey  (836,  (836, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03610  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0
 03611  1128   NtQueryValueKey  (840,  (840, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03612  1128   NtClose  (836, ... ) == 0x0
 03613  1128   NtClose  (840, ... ) == 0x0
 03614  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0
 03615  1128   NtQueryValueKey  (840,  (840, "EnableHttpTrace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03616  1128   NtClose  (840, ... ) == 0x0
 03617  1128   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 840, ) }, ... 840, ) == 0x0
 03618  1128   NtQueryValueKey  (840,  (840, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03619  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0
 03620  1128   NtQueryValueKey  (836,  (836, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03621  1128   NtClose  (840, ... ) == 0x0
 03622  1128   NtClose  (836, ... ) == 0x0
 03623  1128   NtQueryValueKey  (96,  (96, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03624  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0
 03625  1128   NtQueryValueKey  (836,  (836, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03626  1128   NtClose  (836, ... ) == 0x0
 03627  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 836, ) }, ... 836, ) == 0x0
 03628  1128   NtQueryValueKey  (836,  (836, "ShareCredsWithWinHttp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03629  1128   NtClose  (836, ... ) == 0x0
 03630  1128   NtQueryValueKey  (96,  (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 03631  1128   NtQueryValueKey  (96,  (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 03632  1128   NtQueryValueKey  (96,  (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 03633  1128   NtQueryValueKey  (96,  (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 03634  1128   NtQueryValueKey  (96,  (96, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03635  1128   NtQueryValueKey  (96,  (96, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03636  1128   NtQueryValueKey  (96,  (96, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03637  1128   NtQueryValueKey  (96,  (96, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03638  1128   NtQueryValueKey  (96,  (96, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (96, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03639  1128   NtQueryValueKey  (96,  (96, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03640  1128   NtQueryValueKey  (96,  (96, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03641  1128   NtQueryValueKey  (96,  (96, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03642  1128   NtQueryValueKey  (96,  (96, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03643  1128   NtQueryValueKey  (96,  (96, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03644  1128   NtQueryValueKey  (96,  (96, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03645  1128   NtQueryValueKey  (96,  (96, "WarnOnHTTPSToHTTPRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03646  1128   NtOpenMutant  (0x100000, {24, 44, 0x0, 0, 0,  (0x100000, {24, 44, 0x0, 0, 0, "Local\WininetStartupMutex"}, ... 836, ) }, ... 836, ) == 0x0
 03647  1128   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 840, ) == 0x0
 03648  1128   NtQueryValueKey  (96,  (96, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03649  1128   NtWaitForSingleObject  (788, 0, 0x0, ... ) == 0x0
 03650  1128   NtReleaseMutant  (788, ... 0x0, ) == 0x0
 03651  1128   NtOpenMutant  (0x100000, {24, 44, 0x0, 0, 0,  (0x100000, {24, 44, 0x0, 0, 0, "Local\WininetConnectionMutex"}, ... 844, ) }, ... 844, ) == 0x0
 03652  1128   NtOpenMutant  (0x100000, {24, 44, 0x0, 0, 0,  (0x100000, {24, 44, 0x0, 0, 0, "Local\WininetProxyRegistryMutex"}, ... 848, ) }, ... 848, ) == 0x0
 03653  1128   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 852, ) == 0x0
 03654  1128   NtQueryValueKey  (96,  (96, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03655  1128   NtQueryValueKey  (96,  (96, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03656  1128   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 856, ) == 0x0
 03657  1128   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 860, ) }, ... 860, ) == 0x0
 03658  1128   NtQueryValueKey  (860,  (860, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (860, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 03659  1128   NtQueryValueKey  (860,  (860, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (860, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 03660  1128   NtClose  (860, ... ) == 0x0
 03661  1128   NtQueryValueKey  (96,  (96, "TruncateFileName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03662  1128   NtQueryValueKey  (96,  (96, "BadProxyExpiresTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03663  1128   NtSetEventBoostPriority  (244, ...
 01383  1256   NtWaitForSingleObject  ... ) == 0x0
 03664  1256   NtSetEventBoostPriority  (244, ...
 01384  1480   NtWaitForSingleObject  ... ) == 0x0
 03665  1480   NtSetEventBoostPriority  (244, ...
 01387  1756   NtWaitForSingleObject  ... ) == 0x0
 03666  1756   NtSetEventBoostPriority  (244, ...
 01388  1292   NtWaitForSingleObject  ... ) == 0x0
 03667  1292   NtSetEventBoostPriority  (244, ...
 01389  1956   NtWaitForSingleObject  ... ) == 0x0
 03668  1956   NtSetEventBoostPriority  (244, ...
 01390  1980   NtWaitForSingleObject  ... ) == 0x0
 03669  1980   NtSetEventBoostPriority  (244, ...
 01391  1784   NtWaitForSingleObject  ... ) == 0x0
 03670  1784   NtSetEventBoostPriority  (244, ...
 01392  1556   NtWaitForSingleObject  ... ) == 0x0
 03671  1556   NtSetEventBoostPriority  (244, ...
 01393   460   NtWaitForSingleObject  ... ) == 0x0
 03672   460   NtSetEventBoostPriority  (244, ...
 01394  1068   NtWaitForSingleObject  ... ) == 0x0
 03673  1068   NtSetEventBoostPriority  (244, ...
 01395  1856   NtWaitForSingleObject  ... ) == 0x0
 03674  1856   NtSetEventBoostPriority  (244, ...
 01396  1596   NtWaitForSingleObject  ... ) == 0x0
 03675  1596   NtSetEventBoostPriority  (244, ...
 01422   220   NtWaitForSingleObject  ... ) == 0x0
 03676   220   NtSetEventBoostPriority  (244, ...
 01441  1800   NtWaitForSingleObject  ... ) == 0x0
 03677  1800   NtSetEventBoostPriority  (244, ...
 01534   712   NtWaitForSingleObject  ... ) == 0x0
 03678   712   NtSetEventBoostPriority  (244, ...
 01562  1728   NtWaitForSingleObject  ... ) == 0x0
 03679  1728   NtSetEventBoostPriority  (244, ...
 01583  1356   NtWaitForSingleObject  ... ) == 0x0
 03680  1356   NtSetEventBoostPriority  (244, ...
 01599  1536   NtWaitForSingleObject  ... ) == 0x0
 03681  1536   NtSetEventBoostPriority  (244, ...
 01619   444   NtWaitForSingleObject  ... ) == 0x0
 03682   444   NtSetEventBoostPriority  (244, ...
 01638  1904   NtWaitForSingleObject  ... ) == 0x0
 03683  1904   NtSetEventBoostPriority  (244, ...
 01667  1648   NtWaitForSingleObject  ... ) == 0x0
 03684  1648   NtSetEventBoostPriority  (244, ...
 01683   148   NtWaitForSingleObject  ... ) == 0x0
 03685   148   NtSetEventBoostPriority  (244, ...
 01697  1828   NtWaitForSingleObject  ... ) == 0x0
 03686  1828   NtSetEventBoostPriority  (244, ...
 01716  1864   NtWaitForSingleObject  ... ) == 0x0
 03687  1864   NtSetEventBoostPriority  (244, ...
 01745  1896   NtWaitForSingleObject  ... ) == 0x0
 03688  1896   NtSetEventBoostPriority  (244, ...
 01761  1524   NtWaitForSingleObject  ... ) == 0x0
 03689  1524   NtSetEventBoostPriority  (244, ...
 01775  1944   NtWaitForSingleObject  ... ) == 0x0
 03690  1944   NtSetEventBoostPriority  (244, ...
 01794  2044   NtWaitForSingleObject  ... ) == 0x0
 03691  2044   NtSetEventBoostPriority  (244, ...
 01822   240   NtWaitForSingleObject  ... ) == 0x0
 03692   240   NtSetEventBoostPriority  (244, ...
 01837   968   NtWaitForSingleObject  ... ) == 0x0
 03693   968   NtSetEventBoostPriority  (244, ...
 01851   308   NtWaitForSingleObject  ... ) == 0x0
 03694   308   NtSetEventBoostPriority  (244, ...
 01870   764   NtWaitForSingleObject  ... ) == 0x0
 03695   764   NtSetEventBoostPriority  (244, ...
 01901  2000   NtWaitForSingleObject  ... ) == 0x0
 03696  2000   NtSetEventBoostPriority  (244, ...
 01904  1852   NtWaitForSingleObject  ... ) == 0x0
 03697  1852   NtSetEventBoostPriority  (244, ...
 01913  1420   NtWaitForSingleObject  ... ) == 0x0
 03698  1420   NtSetEventBoostPriority  (244, ...
 02917  1156   NtWaitForSingleObject  ... ) == 0x0
 03699  1156   NtSetEventBoostPriority  (244, ...
 02918  1700   NtWaitForSingleObject  ... ) == 0x0
 03700  1700   NtSetEventBoostPriority  (244, ...
 02919  1808   NtWaitForSingleObject  ... ) == 0x0
 03701  1808   NtSetEventBoostPriority  (244, ...
 02920  1796   NtWaitForSingleObject  ... ) == 0x0
 03702  1796   NtSetEventBoostPriority  (244, ...
 02921   164   NtWaitForSingleObject  ... ) == 0x0
 03703   164   NtSetEventBoostPriority  (244, ...
 02922  1564   NtWaitForSingleObject  ... ) == 0x0
 03704  1564   NtSetEventBoostPriority  (244, ...
 02923  1592   NtWaitForSingleObject  ... ) == 0x0
 03705  1592   NtSetEventBoostPriority  (244, ...
 02924  2032   NtWaitForSingleObject  ... ) == 0x0
 03706  2032   NtSetEventBoostPriority  (244, ...
 02925  1500   NtWaitForSingleObject  ... ) == 0x0
 03707  1500   NtSetEventBoostPriority  (244, ...
 02926   932   NtWaitForSingleObject  ... ) == 0x0
 03708   932   NtSetEventBoostPriority  (244, ...
 02927  1528   NtWaitForSingleObject  ... ) == 0x0
 03709  1528   NtSetEventBoostPriority  (244, ...
 02928  1780   NtWaitForSingleObject  ... ) == 0x0
 03710  1780   NtSetEventBoostPriority  (244, ...
 02929  1804   NtWaitForSingleObject  ... ) == 0x0
 03711  1804   NtSetEventBoostPriority  (244, ...
 02930  1644   NtWaitForSingleObject  ... ) == 0x0
 03712  1644   NtSetEventBoostPriority  (244, ...
 02931   336   NtWaitForSingleObject  ... ) == 0x0
 03713   336   NtSetEventBoostPriority  (244, ...
 02932   800   NtWaitForSingleObject  ... ) == 0x0
 03714   800   NtSetEventBoostPriority  (244, ...
 02933   504   NtWaitForSingleObject  ... ) == 0x0
 03715   504   NtSetEventBoostPriority  (244, ...
 02934   888   NtWaitForSingleObject  ... ) == 0x0
 03716   888   NtSetEventBoostPriority  (244, ...
 02935  1392   NtWaitForSingleObject  ... ) == 0x0
 03717  1392   NtSetEventBoostPriority  (244, ...
 02936  2020   NtWaitForSingleObject  ... ) == 0x0
 03718  2020   NtSetEventBoostPriority  (244, ...
 02937   740   NtWaitForSingleObject  ... ) == 0x0
 03719   740   NtSetEventBoostPriority  (244, ...
 02938  1676   NtWaitForSingleObject  ... ) == 0x0
 03720  1676   NtSetEventBoostPriority  (244, ...
 02939   496   NtWaitForSingleObject  ... ) == 0x0
 03721   496   NtSetEventBoostPriority  (244, ...
 02940  1020   NtWaitForSingleObject  ... ) == 0x0
 03722  1020   NtSetEventBoostPriority  (244, ...
 02941   432   NtWaitForSingleObject  ... ) == 0x0
 03723   432   NtSetEventBoostPriority  (244, ...
 02942  1332   NtWaitForSingleObject  ... ) == 0x0
 03724  1332   NtSetEventBoostPriority  (244, ...
 02943  1328   NtWaitForSingleObject  ... ) == 0x0
 03725  1328   NtSetEventBoostPriority  (244, ...
 02944   752   NtWaitForSingleObject  ... ) == 0x0
 03726   752   NtSetEventBoostPriority  (244, ...
 02945   120   NtWaitForSingleObject  ... ) == 0x0
 03727   120   NtSetEventBoostPriority  (244, ...
 02946  1732   NtWaitForSingleObject  ... ) == 0x0
 03728  1732   NtSetEventBoostPriority  (244, ...
 02947   188   NtWaitForSingleObject  ... ) == 0x0
 03729   188   NtSetEventBoostPriority  (244, ...
 02948  1636   NtWaitForSingleObject  ... ) == 0x0
 03730  1636   NtSetEventBoostPriority  (244, ...
 02949   624   NtWaitForSingleObject  ... ) == 0x0
 03731   624   NtSetEventBoostPriority  (244, ...
 02950  1948   NtWaitForSingleObject  ... ) == 0x0
 03732  1948   NtSetEventBoostPriority  (244, ...
 02951   988   NtWaitForSingleObject  ... ) == 0x0
 03733   988   NtSetEventBoostPriority  (244, ...
 02952   468   NtWaitForSingleObject  ... ) == 0x0
 03734   468   NtSetEventBoostPriority  (244, ...
 02953   380   NtWaitForSingleObject  ... ) == 0x0
 03735   380   NtSetEventBoostPriority  (244, ...
 02954  1692   NtWaitForSingleObject  ... ) == 0x0
 03736  1692   NtSetEventBoostPriority  (244, ...
 02955  1792   NtWaitForSingleObject  ... ) == 0x0
 03737  1792   NtSetEventBoostPriority  (244, ...
 02956   784   NtWaitForSingleObject  ... ) == 0x0
 03738   784   NtSetEventBoostPriority  (244, ...
 02957  1520   NtWaitForSingleObject  ... ) == 0x0
 03739  1520   NtSetEventBoostPriority  (244, ...
 02958  1696   NtWaitForSingleObject  ... ) == 0x0
 03740  1696   NtSetEventBoostPriority  (244, ...
 02959  1744   NtWaitForSingleObject  ... ) == 0x0
 03741  1744   NtSetEventBoostPriority  (244, ...
 02960  1124   NtWaitForSingleObject  ... ) == 0x0
 03742  1124   NtSetEventBoostPriority  (244, ...
 02961  1496   NtWaitForSingleObject  ... ) == 0x0
 03743  1496   NtSetEventBoostPriority  (244, ...
 02962   168   NtWaitForSingleObject  ... ) == 0x0
 03744   168   NtSetEventBoostPriority  (244, ...
 02963  1284   NtWaitForSingleObject  ... ) == 0x0
 03745  1284   NtSetEventBoostPriority  (244, ...
 02964  1268   NtWaitForSingleObject  ... ) == 0x0
 03746  1268   NtSetEventBoostPriority  (244, ...
 02965   840   NtWaitForSingleObject  ... ) == 0x0
 03747   840   NtSetEventBoostPriority  (244, ...
 02966  1336   NtWaitForSingleObject  ... ) == 0x0
 03748  1336   NtSetEventBoostPriority  (244, ...
 02967  1200   NtWaitForSingleObject  ... ) == 0x0
 03749  1200   NtSetEventBoostPriority  (244, ...
 02968  1920   NtWaitForSingleObject  ... ) == 0x0
 03750  1920   NtSetEventBoostPriority  (244, ...
 02969   896   NtWaitForSingleObject  ... ) == 0x0
 03751   896   NtSetEventBoostPriority  (244, ...
 02970  2016   NtWaitForSingleObject  ... ) == 0x0
 03752  2016   NtSetEventBoostPriority  (244, ...
 02971  2012   NtWaitForSingleObject  ... ) == 0x0
 03753  2012   NtSetEventBoostPriority  (244, ...
 02972  1604   NtWaitForSingleObject  ... ) == 0x0
 03754  1604   NtSetEventBoostPriority  (244, ...
 02973  1572   NtWaitForSingleObject  ... ) == 0x0
 03755  1572   NtSetEventBoostPriority  (244, ...
 02974   596   NtWaitForSingleObject  ... ) == 0x0
 03756   596   NtSetEventBoostPriority  (244, ...
 02975   376   NtWaitForSingleObject  ... ) == 0x0
 03757   376   NtSetEventBoostPriority  (244, ...
 02976  1168   NtWaitForSingleObject  ... ) == 0x0
 03758  1168   NtSetEventBoostPriority  (244, ...
 02977   428   NtWaitForSingleObject  ... ) == 0x0
 03759   428   NtSetEventBoostPriority  (244, ...
 02978  1344   NtWaitForSingleObject  ... ) == 0x0
 03760  1344   NtSetEventBoostPriority  (244, ...
 02979  1300   NtWaitForSingleObject  ... ) == 0x0
 03761  1300   NtSetEventBoostPriority  (244, ...
 02980  1096   NtWaitForSingleObject  ... ) == 0x0
 03762  1096   NtSetEventBoostPriority  (244, ...
 02981   252   NtWaitForSingleObject  ... ) == 0x0
 03763   252   NtSetEventBoostPriority  (244, ...
 02982   500   NtWaitForSingleObject  ... ) == 0x0
 03764   500   NtSetEventBoostPriority  (244, ...
 02983  1132   NtWaitForSingleObject  ... ) == 0x0
 03765  1132   NtSetEventBoostPriority  (244, ...
 02984  1024   NtWaitForSingleObject  ... ) == 0x0
 03766  1024   NtSetEventBoostPriority  (244, ...
 02985   948   NtWaitForSingleObject  ... ) == 0x0
 03767   948   NtSetEventBoostPriority  (244, ...
 02986  1388   NtWaitForSingleObject  ... ) == 0x0
 03768  1388   NtSetEventBoostPriority  (244, ...
 02987   520   NtWaitForSingleObject  ... ) == 0x0
 03769   520   NtSetEventBoostPriority  (244, ...
 02988   276   NtWaitForSingleObject  ... ) == 0x0
 03770   276   NtSetEventBoostPriority  (244, ...
 02989   996   NtWaitForSingleObject  ... ) == 0x0
 03771   996   NtSetEventBoostPriority  (244, ...
 02990  1064   NtWaitForSingleObject  ... ) == 0x0
 03772  1064   NtSetEventBoostPriority  (244, ...
 02991  1600   NtWaitForSingleObject  ... ) == 0x0
 03773  1600   NtSetEventBoostPriority  (244, ...
 02992  1372   NtWaitForSingleObject  ... ) == 0x0
 03774  1372   NtSetEventBoostPriority  (244, ...
 02993  2040   NtWaitForSingleObject  ... ) == 0x0
 03775  2040   NtSetEventBoostPriority  (244, ...
 02994   216   NtWaitForSingleObject  ... ) == 0x0
 03776   216   NtSetEventBoostPriority  (244, ...
 02995   152   NtWaitForSingleObject  ... ) == 0x0
 03777   152   NtSetEventBoostPriority  (244, ...
 02996   900   NtWaitForSingleObject  ... ) == 0x0
 03778   900   NtSetEventBoostPriority  (244, ...
 02997  1272   NtWaitForSingleObject  ... ) == 0x0
 03779  1272   NtSetEventBoostPriority  (244, ...
 02998  1240   NtWaitForSingleObject  ... ) == 0x0
 03780  1240   NtSetEventBoostPriority  (244, ...
 02999  1776   NtWaitForSingleObject  ... ) == 0x0
 03781  1776   NtSetEventBoostPriority  (244, ...
 03000  1324   NtWaitForSingleObject  ... ) == 0x0
 03782  1324   NtSetEventBoostPriority  (244, ...
 03001  1884   NtWaitForSingleObject  ... ) == 0x0
 03783  1884   NtSetEventBoostPriority  (244, ...
 03002   248   NtWaitForSingleObject  ... ) == 0x0
 03784   248   NtSetEventBoostPriority  (244, ...
 03003  1652   NtWaitForSingleObject  ... ) == 0x0
 03785  1652   NtSetEventBoostPriority  (244, ...
 03004   588   NtWaitForSingleObject  ... ) == 0x0
 03786   588   NtSetEventBoostPriority  (244, ...
 03005   440   NtWaitForSingleObject  ... ) == 0x0
 03787   440   NtSetEventBoostPriority  (244, ...
 03006  1296   NtWaitForSingleObject  ... ) == 0x0
 03788  1296   NtSetEventBoostPriority  (244, ...
 03007  1612   NtWaitForSingleObject  ... ) == 0x0
 03789  1612   NtSetEventBoostPriority  (244, ...
 03008   876   NtWaitForSingleObject  ... ) == 0x0
 03790   876   NtWaitForSingleObject  (848, 0, 0x0, ...
 03789  1612   NtSetEventBoostPriority  ... ) == 0x0
 03788  1296   NtSetEventBoostPriority  ... ) == 0x0
 03787   440   NtSetEventBoostPriority  ... ) == 0x0
 03786   588   NtSetEventBoostPriority  ... ) == 0x0
 03785  1652   NtSetEventBoostPriority  ... ) == 0x0
 03784   248   NtSetEventBoostPriority  ... ) == 0x0
 03783  1884   NtSetEventBoostPriority  ... ) == 0x0
 03782  1324   NtSetEventBoostPriority  ... ) == 0x0
 03781  1776   NtSetEventBoostPriority  ... ) == 0x0
 03780  1240   NtSetEventBoostPriority  ... ) == 0x0
 03779  1272   NtSetEventBoostPriority  ... ) == 0x0
 03778   900   NtSetEventBoostPriority  ... ) == 0x0
 03777   152   NtSetEventBoostPriority  ... ) == 0x0
 03776   216   NtSetEventBoostPriority  ... ) == 0x0
 03775  2040   NtSetEventBoostPriority  ... ) == 0x0
 03774  1372   NtSetEventBoostPriority  ... ) == 0x0
 03773  1600   NtSetEventBoostPriority  ... ) == 0x0
 03772  1064   NtSetEventBoostPriority  ... ) == 0x0
 03771   996   NtSetEventBoostPriority  ... ) == 0x0
 03770   276   NtSetEventBoostPriority  ... ) == 0x0
 03769   520   NtSetEventBoostPriority  ... ) == 0x0
 03768  1388   NtSetEventBoostPriority  ... ) == 0x0
 03767   948   NtSetEventBoostPriority  ... ) == 0x0
 03766  1024   NtSetEventBoostPriority  ... ) == 0x0
 03765  1132   NtSetEventBoostPriority  ... ) == 0x0
 03764   500   NtSetEventBoostPriority  ... ) == 0x0
 03763   252   NtSetEventBoostPriority  ... ) == 0x0
 03762  1096   NtSetEventBoostPriority  ... ) == 0x0
 03761  1300   NtSetEventBoostPriority  ... ) == 0x0
 03760  1344   NtSetEventBoostPriority  ... ) == 0x0
 03759   428   NtSetEventBoostPriority  ... ) == 0x0
 03758  1168   NtSetEventBoostPriority  ... ) == 0x0
 03757   376   NtSetEventBoostPriority  ... ) == 0x0
 03756   596   NtSetEventBoostPriority  ... ) == 0x0
 03755  1572   NtSetEventBoostPriority  ... ) == 0x0
 03754  1604   NtSetEventBoostPriority  ... ) == 0x0
 03753  2012   NtSetEventBoostPriority  ... ) == 0x0
 03752  2016   NtSetEventBoostPriority  ... ) == 0x0
 03751   896   NtSetEventBoostPriority  ... ) == 0x0
 03750  1920   NtSetEventBoostPriority  ... ) == 0x0
 03749  1200   NtSetEventBoostPriority  ... ) == 0x0
 03748  1336   NtSetEventBoostPriority  ... ) == 0x0
 03747   840   NtSetEventBoostPriority  ... ) == 0x0
 03746  1268   NtSetEventBoostPriority  ... ) == 0x0
 03745  1284   NtSetEventBoostPriority  ... ) == 0x0
 03744   168   NtSetEventBoostPriority  ... ) == 0x0
 03743  1496   NtSetEventBoostPriority  ... ) == 0x0
 03742  1124   NtSetEventBoostPriority  ... ) == 0x0
 03741  1744   NtSetEventBoostPriority  ... ) == 0x0
 03740  1696   NtSetEventBoostPriority  ... ) == 0x0
 03739  1520   NtSetEventBoostPriority  ... ) == 0x0
 03738   784   NtSetEventBoostPriority  ... ) == 0x0
 03737  1792   NtSetEventBoostPriority  ... ) == 0x0
 03736  1692   NtSetEventBoostPriority  ... ) == 0x0
 03735   380   NtSetEventBoostPriority  ... ) == 0x0
 03734   468   NtSetEventBoostPriority  ... ) == 0x0
 03733   988   NtSetEventBoostPriority  ... ) == 0x0
 03732  1948   NtSetEventBoostPriority  ... ) == 0x0
 03731   624   NtSetEventBoostPriority  ... ) == 0x0
 03730  1636   NtSetEventBoostPriority  ... ) == 0x0
 03729   188   NtSetEventBoostPriority  ... ) == 0x0
 03728  1732   NtSetEventBoostPriority  ... ) == 0x0
 03727   120   NtSetEventBoostPriority  ... ) == 0x0
 03726   752   NtSetEventBoostPriority  ... ) == 0x0
 03725  1328   NtSetEventBoostPriority  ... ) == 0x0
 03724  1332   NtSetEventBoostPriority  ... ) == 0x0
 03723   432   NtSetEventBoostPriority  ... ) == 0x0
 03722  1020   NtSetEventBoostPriority  ... ) == 0x0
 03721   496   NtSetEventBoostPriority  ... ) == 0x0
 03720  1676   NtSetEventBoostPriority  ... ) == 0x0
 03719   740   NtSetEventBoostPriority  ... ) == 0x0
 03718  2020   NtSetEventBoostPriority  ... ) == 0x0
 03717  1392   NtSetEventBoostPriority  ... ) == 0x0
 03716   888   NtSetEventBoostPriority  ... ) == 0x0
 03715   504   NtSetEventBoostPriority  ... ) == 0x0
 03714   800   NtSetEventBoostPriority  ... ) == 0x0
 03713   336   NtSetEventBoostPriority  ... ) == 0x0
 03712  1644   NtSetEventBoostPriority  ... ) == 0x0
 03711  1804   NtSetEventBoostPriority  ... ) == 0x0
 03710  1780   NtSetEventBoostPriority  ... ) == 0x0
 03709  1528   NtSetEventBoostPriority  ... ) == 0x0
 03708   932   NtSetEventBoostPriority  ... ) == 0x0
 03707  1500   NtSetEventBoostPriority  ... ) == 0x0
 03706  2032   NtSetEventBoostPriority  ... ) == 0x0
 03705  1592   NtSetEventBoostPriority  ... ) == 0x0
 03704  1564   NtSetEventBoostPriority  ... ) == 0x0
 03703   164   NtSetEventBoostPriority  ... ) == 0x0
 03702  1796   NtSetEventBoostPriority  ... ) == 0x0
 03701  1808   NtSetEventBoostPriority  ... ) == 0x0
 03700  1700   NtSetEventBoostPriority  ... ) == 0x0
 03699  1156   NtSetEventBoostPriority  ... ) == 0x0
 03698  1420   NtSetEventBoostPriority  ... ) == 0x0
 03697  1852   NtSetEventBoostPriority  ... ) == 0x0
 03696  2000   NtSetEventBoostPriority  ... ) == 0x0
 03695   764   NtSetEventBoostPriority  ... ) == 0x0
 03694   308   NtSetEventBoostPriority  ... ) == 0x0
 03693   968   NtSetEventBoostPriority  ... ) == 0x0
 03692   240   NtSetEventBoostPriority  ... ) == 0x0
 03691  2044   NtSetEventBoostPriority  ... ) == 0x0
 03690  1944   NtSetEventBoostPriority  ... ) == 0x0
 03689  1524   NtSetEventBoostPriority  ... ) == 0x0
 03688  1896   NtSetEventBoostPriority  ... ) == 0x0
 03687  1864   NtSetEventBoostPriority  ... ) == 0x0
 03686  1828   NtSetEventBoostPriority  ... ) == 0x0
 03685   148   NtSetEventBoostPriority  ... ) == 0x0
 03684  1648   NtSetEventBoostPriority  ... ) == 0x0
 03683  1904   NtSetEventBoostPriority  ... ) == 0x0
 03682   444   NtSetEventBoostPriority  ... ) == 0x0
 03681  1536   NtSetEventBoostPriority  ... ) == 0x0
 03680  1356   NtSetEventBoostPriority  ... ) == 0x0
 03679  1728   NtSetEventBoostPriority  ... ) == 0x0
 03678   712   NtSetEventBoostPriority  ... ) == 0x0
 03677  1800   NtSetEventBoostPriority  ... ) == 0x0
 03676   220   NtSetEventBoostPriority  ... ) == 0x0
 03675  1596   NtSetEventBoostPriority  ... ) == 0x0
 03674  1856   NtSetEventBoostPriority  ... ) == 0x0
 03673  1068   NtSetEventBoostPriority  ... ) == 0x0
 03672   460   NtSetEventBoostPriority  ... ) == 0x0
 03671  1556   NtSetEventBoostPriority  ... ) == 0x0
 03670  1784   NtSetEventBoostPriority  ... ) == 0x0
 03669  1980   NtSetEventBoostPriority  ... ) == 0x0
 03668  1956   NtSetEventBoostPriority  ... ) == 0x0
 03667  1292   NtSetEventBoostPriority  ... ) == 0x0
 03666  1756   NtSetEventBoostPriority  ... ) == 0x0
 03665  1480   NtSetEventBoostPriority  ... ) == 0x0
 03664  1256   NtSetEventBoostPriority  ... ) == 0x0
 03663  1128   NtSetEventBoostPriority  ... ) == 0x0
 03790   876   NtWaitForSingleObject  ... ) == 0x0
 03791  1612   NtWaitForSingleObject  (848, 0, 0x0, ...
 03792  1296   NtWaitForSingleObject  (848, 0, 0x0, ...
 03793   440   NtWaitForSingleObject  (848, 0, 0x0, ...
 03794   588   NtWaitForSingleObject  (848, 0, 0x0, ...
 03795  1652   NtWaitForSingleObject  (848, 0, 0x0, ...
 03796   248   NtWaitForSingleObject  (848, 0, 0x0, ...
 03797  1884   NtWaitForSingleObject  (848, 0, 0x0, ...
 03798  1324   NtWaitForSingleObject  (848, 0, 0x0, ...
 03799  1776   NtWaitForSingleObject  (848, 0, 0x0, ...
 03800  1240   NtWaitForSingleObject  (848, 0, 0x0, ...
 03801  1272   NtWaitForSingleObject  (848, 0, 0x0, ...
 03802   900   NtWaitForSingleObject  (848, 0, 0x0, ...
 03803   152   NtWaitForSingleObject  (848, 0, 0x0, ...
 03804   216   NtWaitForSingleObject  (848, 0, 0x0, ...
 03805  2040   NtWaitForSingleObject  (848, 0, 0x0, ...
 03806  1372   NtWaitForSingleObject  (848, 0, 0x0, ...
 03807  1600   NtWaitForSingleObject  (848, 0, 0x0, ...
 03808  1064   NtWaitForSingleObject  (848, 0, 0x0, ...
 03809   996   NtWaitForSingleObject  (848, 0, 0x0, ...
 03810   276   NtWaitForSingleObject  (848, 0, 0x0, ...
 03811   520   NtWaitForSingleObject  (848, 0, 0x0, ...
 03812  1388   NtWaitForSingleObject  (848, 0, 0x0, ...
 03813   948   NtWaitForSingleObject  (848, 0, 0x0, ...
 03814  1024   NtWaitForSingleObject  (848, 0, 0x0, ...
 03815  1132   NtWaitForSingleObject  (848, 0, 0x0, ...
 03816   500   NtWaitForSingleObject  (848, 0, 0x0, ...
 03817   252   NtWaitForSingleObject  (848, 0, 0x0, ...
 03818  1096   NtWaitForSingleObject  (848, 0, 0x0, ...
 03819  1300   NtWaitForSingleObject  (848, 0, 0x0, ...
 03820  1344   NtWaitForSingleObject  (848, 0, 0x0, ...
 03821   428   NtWaitForSingleObject  (848, 0, 0x0, ...
 03822  1168   NtWaitForSingleObject  (848, 0, 0x0, ...
 03823   376   NtWaitForSingleObject  (848, 0, 0x0, ...
 03824   596   NtWaitForSingleObject  (848, 0, 0x0, ...
 03825  1572   NtWaitForSingleObject  (848, 0, 0x0, ...
 03826  1604   NtWaitForSingleObject  (848, 0, 0x0, ...
 03827  2012   NtWaitForSingleObject  (848, 0, 0x0, ...
 03828  2016   NtWaitForSingleObject  (848, 0, 0x0, ...
 03829   896   NtWaitForSingleObject  (848, 0, 0x0, ...
 03830  1920   NtWaitForSingleObject  (848, 0, 0x0, ...
 03831  1200   NtWaitForSingleObject  (848, 0, 0x0, ...
 03832  1336   NtWaitForSingleObject  (848, 0, 0x0, ...
 03833   840   NtWaitForSingleObject  (848, 0, 0x0, ...
 03834  1268   NtWaitForSingleObject  (848, 0, 0x0, ...
 03835  1284   NtWaitForSingleObject  (848, 0, 0x0, ...
 03836   168   NtWaitForSingleObject  (848, 0, 0x0, ...
 03837  1496   NtWaitForSingleObject  (848, 0, 0x0, ...
 03838  1124   NtWaitForSingleObject  (848, 0, 0x0, ...
 03839  1744   NtWaitForSingleObject  (848, 0, 0x0, ...
 03840  1696   NtWaitForSingleObject  (848, 0, 0x0, ...
 03841  1520   NtWaitForSingleObject  (848, 0, 0x0, ...
 03842   784   NtWaitForSingleObject  (848, 0, 0x0, ...
 03843  1792   NtWaitForSingleObject  (848, 0, 0x0, ...
 03844  1692   NtWaitForSingleObject  (848, 0, 0x0, ...
 03845   380   NtWaitForSingleObject  (848, 0, 0x0, ...
 03846   468   NtWaitForSingleObject  (848, 0, 0x0, ...
 03847   988   NtWaitForSingleObject  (848, 0, 0x0, ...
 03848  1948   NtWaitForSingleObject  (848, 0, 0x0, ...
 03849   624   NtWaitForSingleObject  (848, 0, 0x0, ...
 03850  1636   NtWaitForSingleObject  (848, 0, 0x0, ...
 03851   188   NtWaitForSingleObject  (848, 0, 0x0, ...
 03852  1732   NtWaitForSingleObject  (848, 0, 0x0, ...
 03853   120   NtWaitForSingleObject  (848, 0, 0x0, ...
 03854   752   NtWaitForSingleObject  (848, 0, 0x0, ...
 03855  1328   NtWaitForSingleObject  (848, 0, 0x0, ...
 03856  1332   NtWaitForSingleObject  (848, 0, 0x0, ...
 03857   432   NtWaitForSingleObject  (848, 0, 0x0, ...
 03858  1020   NtWaitForSingleObject  (848, 0, 0x0, ...
 03859   496   NtWaitForSingleObject  (848, 0, 0x0, ...
 03860  1676   NtWaitForSingleObject  (848, 0, 0x0, ...
 03861   740   NtWaitForSingleObject  (848, 0, 0x0, ...
 03862  2020   NtWaitForSingleObject  (848, 0, 0x0, ...
 03863  1392   NtWaitForSingleObject  (848, 0, 0x0, ...
 03864   888   NtWaitForSingleObject  (848, 0, 0x0, ...
 03865   504   NtWaitForSingleObject  (848, 0, 0x0, ...
 03866   800   NtWaitForSingleObject  (848, 0, 0x0, ...
 03867   336   NtWaitForSingleObject  (848, 0, 0x0, ...
 03868  1644   NtWaitForSingleObject  (848, 0, 0x0, ...
 03869  1804   NtWaitForSingleObject  (848, 0, 0x0, ...
 03870  1780   NtWaitForSingleObject  (848, 0, 0x0, ...
 03871  1528   NtWaitForSingleObject  (848, 0, 0x0, ...
 03872   932   NtWaitForSingleObject  (848, 0, 0x0, ...
 03873  1500   NtWaitForSingleObject  (848, 0, 0x0, ...
 03874  2032   NtWaitForSingleObject  (848, 0, 0x0, ...
 03875  1592   NtWaitForSingleObject  (848, 0, 0x0, ...
 03876  1564   NtWaitForSingleObject  (848, 0, 0x0, ...
 03877   164   NtWaitForSingleObject  (848, 0, 0x0, ...
 03878  1796   NtWaitForSingleObject  (848, 0, 0x0, ...
 03879  1808   NtWaitForSingleObject  (848, 0, 0x0, ...
 03880  1700   NtWaitForSingleObject  (848, 0, 0x0, ...
 03881  1156   NtWaitForSingleObject  (848, 0, 0x0, ...
 03882  1420   NtWaitForSingleObject  (848, 0, 0x0, ...
 03883  1852   NtWaitForSingleObject  (848, 0, 0x0, ...
 03884  2000   NtWaitForSingleObject  (848, 0, 0x0, ...
 03885   764   NtWaitForSingleObject  (848, 0, 0x0, ...
 03886   308   NtWaitForSingleObject  (848, 0, 0x0, ...
 03887   968   NtWaitForSingleObject  (848, 0, 0x0, ...
 03888   240   NtWaitForSingleObject  (848, 0, 0x0, ...
 03889  2044   NtWaitForSingleObject  (848, 0, 0x0, ...
 03890  1944   NtWaitForSingleObject  (848, 0, 0x0, ...
 03891  1524   NtWaitForSingleObject  (848, 0, 0x0, ...
 03892  1896   NtWaitForSingleObject  (848, 0, 0x0, ...
 03893  1864   NtWaitForSingleObject  (848, 0, 0x0, ...
 03894  1828   NtWaitForSingleObject  (848, 0, 0x0, ...
 03895   148   NtWaitForSingleObject  (848, 0, 0x0, ...
 03896  1648   NtWaitForSingleObject  (848, 0, 0x0, ...
 03897  1904   NtWaitForSingleObject  (848, 0, 0x0, ...
 03898   444   NtWaitForSingleObject  (848, 0, 0x0, ...
 03899  1536   NtWaitForSingleObject  (848, 0, 0x0, ...
 03900  1356   NtWaitForSingleObject  (848, 0, 0x0, ...
 03901  1728   NtWaitForSingleObject  (848, 0, 0x0, ...
 03902   712   NtWaitForSingleObject  (848, 0, 0x0, ...
 03903  1800   NtWaitForSingleObject  (848, 0, 0x0, ...
 03904   220   NtWaitForSingleObject  (848, 0, 0x0, ...
 03905  1596   NtWaitForSingleObject  (848, 0, 0x0, ...
 03906  1856   NtWaitForSingleObject  (848, 0, 0x0, ...
 03907  1068   NtWaitForSingleObject  (848, 0, 0x0, ...
 03908   460   NtWaitForSingleObject  (848, 0, 0x0, ...
 03909  1556   NtWaitForSingleObject  (848, 0, 0x0, ...
 03910  1784   NtWaitForSingleObject  (848, 0, 0x0, ...
 03911  1980   NtWaitForSingleObject  (848, 0, 0x0, ...
 03912  1956   NtWaitForSingleObject  (848, 0, 0x0, ...
 03913  1292   NtWaitForSingleObject  (848, 0, 0x0, ...
 03914  1480   NtWaitForSingleObject  (848, 0, 0x0, ...
 03915  1756   NtWaitForSingleObject  (848, 0, 0x0, ...
 03916  1128   NtWaitForSingleObject  (848, 0, 0x0, ...
 03917   876   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 03918  1256   NtWaitForSingleObject  (848, 0, 0x0, ...
 03917   876   NtCreateEvent  ... 860, ) == 0x0
 03919   876   NtAllocateVirtualMemory  (-1, 147902464, 0, 4096, 4096, 260, ... 147902464, 4096, ) == 0x0
 03920   876   NtCreateTimer  (0x1f0003, 0x0, 0, ... 864, ) == 0x0
 03921   876   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 868, ) == 0x0
 03922   876   NtSetInformationObject  (868, Handle, {Inherit=0,ProtectFromClose=1,}, -65280, ... ) == 0x0
 03923   876   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 148766720, 1048576, ) == 0x0
 03924   876   NtAllocateVirtualMemory  (-1, 149807104, 0, 8192, 4096, 4, ... 149807104, 8192, ) == 0x0
 03925   876   NtProtectVirtualMemory  (-1, (0x8ede000), 4096, 260, ... (0x8ede000), 4096, 4, ) == 0x0
 03926   876   NtCreateThread  (0x1f03ff, 0x0, -1, 147911556, 147911500, 1, ... 872, {928, 1368}, ) == 0x0
 03927   876   NtQueryInformationThread  (872, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff37000,Pid=928,Tid=1368,}, 0x0, ) == 0x0
 03928   876   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 147912300, 2, 2089878984}  (24, {28, 56, new_msg, 0, 0, 147912300, 2, 2089878984} "\0\0\0\0\1\0\1\0Q\5\221|(\33\24\0h\3\0\0\240\3\0\0X\5\0\0" ... {28, 56, reply, 0, 928, 876, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\33\24\0h\3\0\0\240\3\0\0X\5\0\0" )  ... {28, 56, reply, 0, 928, 876, 58094, 0}  (24, {28, 56, new_msg, 0, 0, 147912300, 2, 2089878984} "\0\0\0\0\1\0\1\0Q\5\221|(\33\24\0h\3\0\0\240\3\0\0X\5\0\0" ... {28, 56, reply, 0, 928, 876, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\33\24\0h\3\0\0\240\3\0\0X\5\0\0" )  ) == 0x0
 03929   876   NtResumeThread  (872, ...
 03930  1368   NtTestAlert  (... ) == 0x0
 03931  1368   NtContinue  (149814576, 1, ...
 03932  1368   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03933  1368   NtCancelTimer  (864, 0, ... ) == 0x0
 03934  1368   NtSetTimer  (864, {0, -2147483648}, 0x7c927c75, 0x0, 0, 0, 0, ... ) == 0x0
 03935  1368   NtSetEvent  (868, ... 0x0, ) == 0x0
 03936  1368   NtDelayExecution  (1, {0, -2147483648}, ...
 03929   876   NtResumeThread  ... 0x0, ) == 0x0
 03937   876   NtWaitForSingleObject  (868, 0, 0x0, ... ) == 0x0
 03938   876   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 03939   876   NtCreateIoCompletion  (0x1f0003, 0x0, 1, ... 876, ) == 0x0
 03940   876   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 149815296, 1048576, ) == 0x0
 03941   876   NtAllocateVirtualMemory  (-1, 150855680, 0, 8192, 4096, 4, ... 150855680, 8192, ) == 0x0
 03942   876   NtProtectVirtualMemory  (-1, (0x8fde000), 4096, 260, ... (0x8fde000), 4096, 4, ) == 0x0
 03943   876   NtCreateThread  (0x1f03ff, 0x0, -1, 147911640, 147911584, 1, ... 880, {928, 1620}, ) == 0x0
 03944   876   NtQueryInformationThread  (880, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff36000,Pid=928,Tid=1620,}, 0x0, ) == 0x0
 03945   876   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089879886, 76, 0, 1}  (24, {28, 56, new_msg, 0, 2089879886, 76, 0, 1} "\0\0\0\0\1\0\1\0\0\4\24\0\5\20\220|p\3\0\0\240\3\0\0T\6\0\0" ... {28, 56, reply, 0, 928, 876, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\5\20\220|p\3\0\0\240\3\0\0T\6\0\0" )  ... {28, 56, reply, 0, 928, 876, 58095, 0}  (24, {28, 56, new_msg, 0, 2089879886, 76, 0, 1} "\0\0\0\0\1\0\1\0\0\4\24\0\5\20\220|p\3\0\0\240\3\0\0T\6\0\0" ... {28, 56, reply, 0, 928, 876, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\5\20\220|p\3\0\0\240\3\0\0T\6\0\0" )  ) == 0x0
 03946   876   NtResumeThread  (880, ...
 03947  1620   NtTestAlert  (... ) == 0x0
 03948  1620   NtContinue  (150863152, 1, ...
 03949  1620   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03950  1620   NtRemoveIoCompletion  (876, {-400000000, -1}, ...
 03946   876   NtResumeThread  ... 0x0, ) == 0x0
 03951   876   NtClose  (880, ... ) == 0x0
 03952   876   NtSetIoCompletion  (876, 2089973097, 1396232, 0, 1396072, ...
 03950  1620   NtRemoveIoCompletion  ... 2089973097, 1396232, {status=0x0, info=1396072}, ) == 0x0
 03953  1620   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03954  1620   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 03955  1620   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 150861364, ... }, 150861364, ...
 03952   876   NtSetIoCompletion  ... ) == 0x0
 03956   876   NtAllocateVirtualMemory  (-1, 1400832, 0, 20480, 4096, 4, ...
 03955  1620   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03957  1620   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\RASAPI32.dll"}, 150861364, ... ) }, 150861364, ... ) == 0x0
 03958  1620   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 880, ) == 0x0
 03959  1620   NtWaitForSingleObject  (880, 0, 0x0, ...
 03956   876   NtAllocateVirtualMemory  ... 1400832, 20480, ) == 0x0
 03960   876   NtSetEventBoostPriority  (880, ...
 03959  1620   NtWaitForSingleObject  ... ) == 0x0
 03961  1620   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\RASAPI32.dll"}, 5, 96, ... 884, {status=0x0, info=1}, ) }, 5, 96, ... 884, {status=0x0, info=1}, ) == 0x0
 03962  1620   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 884, ... 888, ) == 0x0
 03963  1620   NtQuerySection  (888, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03964  1620   NtClose  (884, ... ) == 0x0
 03965  1620   NtMapViewOfSection  (888, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 245760, ) == 0x0
 03966  1620   NtClose  (888, ... ) == 0x0
 03967  1620   NtProtectVirtualMemory  (-1, (0x76ee1000), 860, 4, ... (0x76ee1000), 4096, 32, ) == 0x0
 03960   876   NtSetEventBoostPriority  ... ) == 0x0
 03968  1620   NtProtectVirtualMemory  (-1, (0x76ee1000), 4096, 32, ... (0x76ee1000), 4096, 4, ) == 0x0
 03969  1620   NtFlushInstructionCache  (-1, 1995313152, 860, ... ) == 0x0
 03970  1620   NtProtectVirtualMemory  (-1, (0x76ee1000), 860, 4, ... (0x76ee1000), 4096, 32, ) == 0x0
 03971  1620   NtProtectVirtualMemory  (-1, (0x76ee1000), 4096, 32, ... (0x76ee1000), 4096, 4, ) == 0x0
 03972  1620   NtFlushInstructionCache  (-1, 1995313152, 860, ... ) == 0x0
 03973  1620   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03974  1620   NtAllocateVirtualMemory  (-1, 150851584, 0, 4096, 4096, 260, ... 150851584, 4096, ) == 0x0
 03975  1620   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 150860548, ... ) }, 150860548, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03976  1620   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rasman.dll"}, 150860548, ... ) }, 150860548, ... ) == 0x0
 03977  1620   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rasman.dll"}, 5, 96, ... 888, {status=0x0, info=1}, ) }, 5, 96, ... 888, {status=0x0, info=1}, ) == 0x0
 03978  1620   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 888, ... 884, ) == 0x0
 03979  1620   NtQuerySection  (884, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03980  1620   NtClose  (888, ... ) == 0x0
 03981  1620   NtMapViewOfSection  (884, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 73728, ) == 0x0
 03982  1620   NtClose  (884, ... ) == 0x0
 03983  1620   NtProtectVirtualMemory  (-1, (0x76e91000), 408, 4, ... (0x76e91000), 4096, 32, ) == 0x0
 03984  1620   NtProtectVirtualMemory  (-1, (0x76e91000), 4096, 32, ... (0x76e91000), 4096, 4, ) == 0x0
 03985  1620   NtFlushInstructionCache  (-1, 1994985472, 408, ... ) == 0x0
 03986  1620   NtProtectVirtualMemory  (-1, (0x76e91000), 408, 4, ... (0x76e91000), 4096, 32, ) == 0x0
 03987  1620   NtProtectVirtualMemory  (-1, (0x76e91000), 4096, 32, ... (0x76e91000), 4096, 4, ) == 0x0
 03988  1620   NtFlushInstructionCache  (-1, 1994985472, 408, ... ) == 0x0
 03989  1620   NtProtectVirtualMemory  (-1, (0x76e91000), 408, 4, ... (0x76e91000), 4096, 32, ) == 0x0
 03990  1620   NtProtectVirtualMemory  (-1, (0x76e91000), 4096, 32, ... (0x76e91000), 4096, 4, ) == 0x0
 03991  1620   NtFlushInstructionCache  (-1, 1994985472, 408, ... ) == 0x0
 03992  1620   NtProtectVirtualMemory  (-1, (0x76e91000), 408, 4, ... (0x76e91000), 4096, 32, ) == 0x0
 03993  1620   NtProtectVirtualMemory  (-1, (0x76e91000), 4096, 32, ... (0x76e91000), 4096, 4, ) == 0x0
 03994  1620   NtFlushInstructionCache  (-1, 1994985472, 408, ... ) == 0x0
 03995  1620   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... 884, ) }, ... 884, ) == 0x0
 03996  1620   NtMapViewOfSection  (884, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 03997  1620   NtClose  (884, ... ) == 0x0
 03998  1620   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 03999  1620   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 04000  1620   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 04001  1620   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 04002  1620   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 04003  1620   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 04004  1620   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 04005  1620   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 04006  1620   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 04007  1620   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 04008  1620   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 04009  1620   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 04010  1620   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 04011  1620   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 04012  1620   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 04013  1620   NtProtectVirtualMemory  (-1, (0x76e91000), 408, 4, ... (0x76e91000), 4096, 32, ) == 0x0
 04014  1620   NtProtectVirtualMemory  (-1, (0x76e91000), 4096, 32, ... (0x76e91000), 4096, 4, ) == 0x0
 04015  1620   NtFlushInstructionCache  (-1, 1994985472, 408, ... ) == 0x0
 04016  1620   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04017  1620   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 150860548, ... }, 150860548, ...
 04018   876   NtWaitForSingleObject  (92, 0, 0x0, ...
 04017  1620   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04019  1620   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\TAPI32.dll"}, 150860548, ... ) }, 150860548, ... ) == 0x0
 04020  1620   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\TAPI32.dll"}, 5, 96, ... 884, {status=0x0, info=1}, ) }, 5, 96, ... 884, {status=0x0, info=1}, ) == 0x0
 04021  1620   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 884, ... 888, ) == 0x0
 04022  1620   NtQuerySection  (888, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04023  1620   NtClose  (884, ... ) == 0x0
 04024  1620   NtMapViewOfSection  (888, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 192512, ) == 0x0
 04025  1620   NtClose  (888, ... ) == 0x0
 04026  1620   NtProtectVirtualMemory  (-1, (0x76eb1000), 908, 4, ... (0x76eb1000), 4096, 32, ) == 0x0
 04027  1620   NtProtectVirtualMemory  (-1, (0x76eb1000), 4096, 32, ... (0x76eb1000), 4096, 4, ) == 0x0
 04028  1620   NtFlushInstructionCache  (-1, 1995116544, 908, ... ) == 0x0
 04029  1620   NtProtectVirtualMemory  (-1, (0x76eb1000), 908, 4, ... (0x76eb1000), 4096, 32, ) == 0x0
 04030  1620   NtProtectVirtualMemory  (-1, (0x76eb1000), 4096, 32, ... (0x76eb1000), 4096, 4, ) == 0x0
 04031  1620   NtFlushInstructionCache  (-1, 1995116544, 908, ... ) == 0x0
 04032  1620   NtProtectVirtualMemory  (-1, (0x76eb1000), 908, 4, ... (0x76eb1000), 4096, 32, ) == 0x0
 04033  1620   NtProtectVirtualMemory  (-1, (0x76eb1000), 4096, 32, ... (0x76eb1000), 4096, 4, ) == 0x0
 04034  1620   NtFlushInstructionCache  (-1, 1995116544, 908, ... ) == 0x0
 04035  1620   NtProtectVirtualMemory  (-1, (0x76eb1000), 908, 4, ... (0x76eb1000), 4096, 32, ) == 0x0
 04036  1620   NtProtectVirtualMemory  (-1, (0x76eb1000), 4096, 32, ... (0x76eb1000), 4096, 4, ) == 0x0
 04037  1620   NtFlushInstructionCache  (-1, 1995116544, 908, ... ) == 0x0
 04038  1620   NtProtectVirtualMemory  (-1, (0x76eb1000), 908, 4, ... (0x76eb1000), 4096, 32, ) == 0x0
 04039  1620   NtProtectVirtualMemory  (-1, (0x76eb1000), 4096, 32, ... (0x76eb1000), 4096, 4, ) == 0x0
 04040  1620   NtFlushInstructionCache  (-1, 1995116544, 908, ... ) == 0x0
 04041  1620   NtProtectVirtualMemory  (-1, (0x76eb1000), 908, 4, ... (0x76eb1000), 4096, 32, ) == 0x0
 04042  1620   NtProtectVirtualMemory  (-1, (0x76eb1000), 4096, 32, ... (0x76eb1000), 4096, 4, ) == 0x0
 04043  1620   NtFlushInstructionCache  (-1, 1995116544, 908, ... ) == 0x0
 04044  1620   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04045  1620   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 150859732, ... ) }, 150859732, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04046  1620   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rtutils.dll"}, 150859732, ... ) }, 150859732, ... ) == 0x0
 04047  1620   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rtutils.dll"}, 5, 96, ... 888, {status=0x0, info=1}, ) }, 5, 96, ... 888, {status=0x0, info=1}, ) == 0x0
 04048  1620   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 888, ... 884, ) == 0x0
 04049  1620   NtQuerySection  (884, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04050  1620   NtClose  (888, ... ) == 0x0
 04051  1620   NtMapViewOfSection  (884, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 57344, ) == 0x0
 04052  1620   NtClose  (884, ... ) == 0x0
 04053  1620   NtProtectVirtualMemory  (-1, (0x76e81000), 528, 4, ... (0x76e81000), 4096, 32, ) == 0x0
 04054  1620   NtProtectVirtualMemory  (-1, (0x76e81000), 4096, 32, ... (0x76e81000), 4096, 4, ) == 0x0
 04055  1620   NtFlushInstructionCache  (-1, 1994919936, 528, ... ) == 0x0
 04056  1620   NtProtectVirtualMemory  (-1, (0x76e81000), 528, 4, ... (0x76e81000), 4096, 32, ) == 0x0
 04057  1620   NtProtectVirtualMemory  (-1, (0x76e81000), 4096, 32, ... (0x76e81000), 4096, 4, ) == 0x0
 04058  1620   NtFlushInstructionCache  (-1, 1994919936, 528, ... ) == 0x0
 04059  1620   NtProtectVirtualMemory  (-1, (0x76e81000), 528, 4, ... (0x76e81000), 4096, 32, ) == 0x0
 04060  1620   NtProtectVirtualMemory  (-1, (0x76e81000), 4096, 32, ... (0x76e81000), 4096, 4, ) == 0x0
 04061  1620   NtFlushInstructionCache  (-1, 1994919936, 528, ... ) == 0x0
 04062  1620   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04063  1620   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 150859732, ... ) }, 150859732, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04064  1620   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINMM.dll"}, 150859732, ... ) }, 150859732, ... ) == 0x0
 04065  1620   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINMM.dll"}, 5, 96, ... 884, {status=0x0, info=1}, ) }, 5, 96, ... 884, {status=0x0, info=1}, ) == 0x0
 04066  1620   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 884, ... 888, ) == 0x0
 04067  1620   NtQuerySection  (888, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 04068  1620   NtClose  (884, ... ) == 0x0
 04069  1620   NtMapViewOfSection  (888, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 184320, ) == 0x0
 04070  1620   NtClose  (888, ... ) == 0x0
 04071  1620   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 04072  1620   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 04073  1620   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 04074  1620   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 04075  1620   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 04076  1620   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 04077  1620   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 04078  1620   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 04079  1620   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 04080  1620   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 04081  1620   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 04082  1620   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 04083  1620   NtProtectVirtualMemory  (-1, (0x76ee1000), 860, 4, ... (0x76ee1000), 4096, 32, ) == 0x0
 04084  1620   NtProtectVirtualMemory  (-1, (0x76ee1000), 4096, 32, ... (0x76ee1000), 4096, 4, ) == 0x0
 04085  1620   NtFlushInstructionCache  (-1, 1995313152, 860, ... ) == 0x0
 04086  1620   NtProtectVirtualMemory  (-1, (0x76ee1000), 860, 4, ... (0x76ee1000), 4096, 32, ) == 0x0
 04087  1620   NtProtectVirtualMemory  (-1, (0x76ee1000), 4096, 32, ... (0x76ee1000), 4096, 4, ) == 0x0
 04088  1620   NtFlushInstructionCache  (-1, 1995313152, 860, ... ) == 0x0
 04089  1620   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04090  1620   NtAllocateVirtualMemory  (-1, 8818688, 0, 4096, 4096, 4, ... 8818688, 4096, ) == 0x0
 04091  1620   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04092  1620   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04093  1620   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04094  1620   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 888, ) == 0x0
 04095  1620   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 884, ) == 0x0
 04096  1620   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 892, ) == 0x0
 04097  1620   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 896, ) }, ... 896, ) == 0x0
 04098  1620   NtQueryValueKey  (896,  (896, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04099  1620   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 150863872, 524288, ) == 0x0
 04100  1620   NtAllocateVirtualMemory  (-1, 150863872, 0, 4096, 4096, 4, ... 150863872, 4096, ) == 0x0
 04101  1620   NtQueryValueKey  (896,  (896, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04102  1620   NtQueryValueKey  (896,  (896, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04103  1620   NtQueryValueKey  (896,  (896, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04104  1620   NtQueryValueKey  (896,  (896, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04105  1620   NtQueryValueKey  (896,  (896, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04106  1620   NtQueryValueKey  (896,  (896, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04107  1620   NtQueryValueKey  (896,  (896, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04108  1620   NtQueryValueKey  (896,  (896, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04109  1620   NtQueryValueKey  (896,  (896, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04110  1620   NtQueryValueKey  (896,  (896, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04111  1620   NtQueryValueKey  (896,  (896, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04112  1620   NtQueryValueKey  (896,  (896, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04113  1620   NtQueryValueKey  (896,  (896, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04114  1620   NtQueryValueKey  (896,  (896, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04115  1620   NtQueryValueKey  (896,  (896, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04116  1620   NtQueryValueKey  (896,  (896, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04117  1620   NtQueryValueKey  (896,  (896, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04118  1620   NtQueryValueKey  (896,  (896, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04119  1620   NtQueryValueKey  (896,  (896, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04120  1620   NtQueryValueKey  (896,  (896, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04121  1620   NtQueryValueKey  (896,  (896, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04122  1620   NtQueryValueKey  (896,  (896, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04123  1620   NtQueryValueKey  (896,  (896, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04124  1620   NtQueryTimerResolution  (... 156250, 10000, 156250, ) == 0x0
 04125  1620   NtQueryValueKey  (896,  (896, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04126  1620   NtQueryValueKey  (896,  (896, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04127  1620   NtQueryValueKey  (896,  (896, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04128  1620   NtQueryValueKey  (896,  (896, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04129  1620   NtQueryValueKey  (896,  (896, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04130  1620   NtQueryValueKey  (896,  (896, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04131  1620   NtQueryValueKey  (896,  (896, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04132  1620   NtQueryValueKey  (896,  (896, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04133  1620   NtQueryValueKey  (896,  (896, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04134  1620   NtQueryValueKey  (896,  (896, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04135  1620   NtQueryValueKey  (896,  (896, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04136  1620   NtQueryValueKey  (896,  (896, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04137  1620   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 900, ) == 0x0
 04138  1620   NtCallbackReturn  (0, 0, 0, ...
 04139  1620   NtUserRegisterWindowMessage  ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc076
 04140  1620   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 904, ) }, ... 904, ) == 0x0
 04141  1620   NtQueryValueKey  (904,  (904, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (904, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04142  1620   NtClose  (904, ... ) == 0x0
 04143  1620   NtCreateEvent  (0x1f0003, {24, 44, 0x80, 0, 0,  (0x1f0003, {24, 44, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 04144  1620   NtQueryValueKey  (896,  (896, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04145  1620   NtQueryValueKey  (896,  (896, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04146  1620   NtQueryValueKey  (896,  (896, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04147  1620   NtQueryValueKey  (896,  (896, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (896, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 04148  1620   NtQueryValueKey  (896,  (896, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04149  1620   NtQueryValueKey  (896,  (896, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04150  1620   NtQueryValueKey  (896,  (896, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04151  1620   NtQueryValueKey  (896,  (896, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04152  1620   NtQueryValueKey  (896,  (896, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04153  1620   NtQueryValueKey  (896,  (896, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04154  1620   NtQueryValueKey  (896,  (896, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04155  1620   NtQueryValueKey  (896,  (896, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
NtCancelTimer(>)	1	NtConnectPort(>)	2	NtFsControlFile(>)	6	NtCreateEvent(>)	46
NtCreateMutant(>)	1	NtDelayExecution(>)	2	NtOpenProcessToken(>)	6	NtUserFindExistingCursorIcon(>)	50
NtCreateTimer(>)	1	NtGdiCreateSolidBrush(>)	2	NtQueryDefaultLocale(>)	6	NtOpenFile(>)	51
NtDuplicateToken(>)	1	NtNotifyChangeKey(>)	2	NtOpenMutant(>)	7	NtMapViewOfSection(>)	54
NtEnumerateValueKey(>)	1	NtOpenDirectoryObject(>)	2	NtCreateSemaphore(>)	8	NtQueryVirtualMemory(>)	59
NtGdiCreateBitmap(>)	1	NtQueryPerformanceCounter(>)	2	NtReleaseMutant(>)	8	NtUserRegisterClassExWOW(>)	61
NtGdiInit(>)	1	NtQuerySystemTime(>)	2	NtDuplicateObject(>)	9	NtQueryAttributesFile(>)	66
NtGdiQueryFontAssocInfo(>)	1	NtRemoveIoCompletion(>)	2	NtQueryInformationProcess(>)	9	NtFlushInstructionCache(>)	114
NtGdiSelectBitmap(>)	1	NtSetIoCompletion(>)	2	NtOpenProcessTokenEx(>)	11	NtQuerySystemInformation(>)	117
NtOpenEvent(>)	1	NtUserGetDC(>)	2	NtOpenThreadTokenEx(>)	11	NtContinue(>)	136
NtOpenKeyedEvent(>)	1	NtWaitForMultipleObjects(>)	2	NtQueryDefaultUILanguage(>)	12	NtQueryInformationThread(>)	152
NtOpenProcess(>)	1	NtCallbackReturn(>)	3	NtQueryInformationFile(>)	12	NtResumeThread(>)	153
NtOpenSymbolicLinkObject(>)	1	NtDeleteValueKey(>)	3	NtUserSystemParametersInfo(>)	12	NtCreateThread(>)	155
NtQueryEvent(>)	1	NtGdiCreateCompatibleDC(>)	3	NtOpenThreadToken(>)	14	NtRegisterThreadTerminatePort(>)	172
NtQueryInstallUILanguage(>)	1	NtQueryVolumeInformationFile(>)	3	NtQueryInformationToken(>)	14	NtTestAlert(>)	173
NtQueryObject(>)	1	NtReadFile(>)	3	NtQuerySection(>)	17	NtRequestWaitReplyPort(>)	184
NtQuerySymbolicLinkObject(>)	1	NtReleaseSemaphore(>)	3	NtSetValueKey(>)	18	NtOpenKey(>)	242
NtQueryTimerResolution(>)	1	NtSecureConnectPort(>)	3	NtUnmapViewOfSection(>)	19	NtSetInformationThread(>)	267
NtRaiseException(>)	1	NtAccessCheck(>)	4	NtCreateFile(>)	21	NtClose(>)	288
NtSetInformationProcess(>)	1	NtEnumerateKey(>)	4	NtCreateKey(>)	21	NtSetEventBoostPriority(>)	290
NtSetTimer(>)	1	NtSetInformationObject(>)	4	NtQueryDebugFilterState(>)	21	NtQueryValueKey(>)	354
NtUserCallNoParam(>)	1	NtUserRegisterWindowMessage(>)	4	NtSetInformationFile(>)	25	NtProtectVirtualMemory(>)	383
NtUserCallOneParam(>)	1	NtCreateIoCompletion(>)	5	NtFreeVirtualMemory(>)	28	NtWaitForSingleObject(>)	441
NtUserGetThreadDesktop(>)	1	NtGdiGetStockObject(>)	5	NtCreateSection(>)	31	NtAllocateVirtualMemory(>)	464
NtUserGetThreadState(>)	1	NtSetEvent(>)	5	NtOpenSection(>)	34
NtAddAtom(>)	2	NtWriteFile(>)	5