Summary (syscall name and call count for the traced process, listed in ascending order of count; the table below appears to be incomplete — NtQueryVirtualMemory and NtDuplicateObject occur in the trace at records 00033, 00055, 00135 and 00143 but have no entry here, so do not treat it as an exhaustive syscall profile. The high counts for NtOpenProcess (30), NtWriteVirtualMemory (116) and NtCreateThread (157) show that the cross-process activity visible at the end of the trace continues well past the portion reproduced on this page):

NtAdjustPrivilegesToken(>) 1 NtNotifyChangeKey(>) 2 NtOpenMutant(>) 8 NtOpenFile(>) 60
NtDelayExecution(>) 1 NtOpenDirectoryObject(>) 2 NtFsControlFile(>) 10 NtOpenSection(>) 62
NtDuplicateToken(>) 1 NtOpenEvent(>) 2 NtSetInformationThread(>) 10 NtUserRegisterClassExWOW(>) 66
NtEnumerateValueKey(>) 1 NtQueryEvent(>) 2 NtOpenThreadTokenEx(>) 12 NtQueryAttributesFile(>) 83
NtGdiCreateBitmap(>) 1 NtQueryPerformanceCounter(>) 2 NtQueryDefaultUILanguage(>) 12 NtFlushInstructionCache(>) 88
NtGdiInit(>) 1 NtUserGetDC(>) 2 NtQuerySection(>) 12 NtWriteVirtualMemory(>) 116
NtGdiQueryFontAssocInfo(>) 1 NtWaitForMultipleObjects(>) 2 NtOpenProcessTokenEx(>) 13 NtContinue(>) 119
NtGdiSelectBitmap(>) 1 NtGdiCreateCompatibleDC(>) 3 NtUserSystemParametersInfo(>) 13 NtMapViewOfSection(>) 120
NtOpenKeyedEvent(>) 1 NtQueryVolumeInformationFile(>) 3 NtQueryInformationToken(>) 14 NtSetEventBoostPriority(>) 122
NtOpenSymbolicLinkObject(>) 1 NtReadFile(>) 3 NtReleaseMutant(>) 14 NtQuerySystemInformation(>) 124
NtQueryInstallUILanguage(>) 1 NtSecureConnectPort(>) 3 NtQueryInformationFile(>) 15 NtResumeThread(>) 148
NtQueryObject(>) 1 NtSetInformationObject(>) 3 NtOpenThreadToken(>) 18 NtCreateThread(>) 157
NtQuerySymbolicLinkObject(>) 1 NtConnectPort(>) 4 NtSetValueKey(>) 20 NtQueryInformationThread(>) 166
NtQuerySystemTime(>) 1 NtUserRegisterWindowMessage(>) 4 NtCreateFile(>) 22 NtRequestWaitReplyPort(>) 196
NtRaiseException(>) 1 NtWriteFile(>) 4 NtQueryDebugFilterState(>) 22 NtTestAlert(>) 228
NtSetInformationProcess(>) 1 NtAccessCheck(>) 5 NtCreateKey(>) 26 NtRegisterThreadTerminatePort(>) 229
NtUserCallNoParam(>) 1 NtGdiGetStockObject(>) 5 NtFreeVirtualMemory(>) 29 NtWaitForSingleObject(>) 259
NtUserCallOneParam(>) 1 NtSetEvent(>) 5 NtCreateSection(>) 30 NtOpenKey(>) 277
NtUserGetThreadDesktop(>) 1 NtEnumerateKey(>) 6 NtOpenProcess(>) 30 NtQueryValueKey(>) 344
NtUserGetThreadState(>) 1 NtQueryDefaultLocale(>) 6 NtSetInformationFile(>) 35 NtClose(>) 378
NtAddAtom(>) 2 NtReleaseSemaphore(>) 6 NtCreateEvent(>) 39 NtAllocateVirtualMemory(>) 448
NtCallbackReturn(>) 2 NtOpenProcessToken(>) 7 NtDeviceIoControlFile(>) 48 NtProtectVirtualMemory(>) 458
NtCreateIoCompletion(>) 2 NtQueryInformationProcess(>) 7 NtUserFindExistingCursorIcon(>) 53
NtCreateMutant(>) 2 NtCreateSemaphore(>) 8 NtUnmapViewOfSection(>) 54
NtGdiCreateSolidBrush(>) 2

Trace (one record per call: sequence number, id column — 1744, which the LPC ClientId in the ApiPort replies suggests is the thread id of process 1736 — syscall, input arguments, "..." then output values, "==" NTSTATUS). Review note: from record 00180 on, the process opens other processes (PIDs 580, 640, 652, 816, 904, 1000, 1044) with access mask 0x2a (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE), maps its own named section "W32_Virtu" into each target, and uses NtProtectVirtualMemory plus NtWriteVirtualMemory to overwrite 5 bytes starting with 0xE8 (the x86 near-CALL opcode) at four fixed ntdll addresses (0x7c90d682, 0x7c90dcfd, 0x7c90d754, 0x7c90d769); in PID 580 it additionally creates and resumes a remote thread (records 00195 and 00197). This is preceded by what looks like a SeDebugPrivilege lookup over \PIPE\lsarpc (00149–00157, the privilege name is visible in the request), NtAdjustPrivilegesToken on a TOKEN_ADJUST_PRIVILEGES handle (00119, 00160), a process enumeration via NtQuerySystemInformation(ProcessesAndThreads) (00163), and a read of ComputerName = "VIRTUAL" (00138); earlier the process also rewrites its own 0x409000 region to PAGE_EXECUTE_WRITECOPY and back (00061–00063), consistent with an in-memory unpacking step. Treat this as inline hooking / code injection into other processes; the trace is cut off at record 00278, so later behaviour is not visible here:

00001 1744 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00003 1744 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00004 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00005 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00006 1744 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00007 1744 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00008 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00009 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00010 1744 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00011 1744 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00012 1744 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 
12, ) == 0x0 00013 1744 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00014 1744 NtClose (12, ... ) == 0x0 00015 1744 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00016 1744 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00017 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 1744 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00020 1744 NtClose (16, ... ) == 0x0 00021 1744 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00022 1744 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00023 1744 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00024 1744 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00025 1744 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00026 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00027 1744 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00028 1744 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 
24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0 00029 1744 NtClose (16, ... ) == 0x0 00030 1744 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00031 1744 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00032 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00033 1744 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00034 1744 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00035 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75469, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ) ) == 0x0 00036 1744 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00037 1744 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 
1232896, 4096, ) == 0x0 00038 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00039 1744 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00040 1744 NtClose (16, ... ) == 0x0 00041 1744 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0 00042 1744 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00043 1744 NtClose (16, ... ) == 0x0 00044 1744 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00045 1744 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00046 1744 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0 00047 1744 NtClose (16, ... ) == 0x0 00048 1744 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00049 1744 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00050 1744 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00051 1744 NtClose (16, ... ) == 0x0 00052 1744 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00053 1744 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00054 1744 NtClose (16, ... ) == 0x0 00055 1744 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00056 1744 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00057 1744 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00058 1744 NtAllocateVirtualMemory (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0 00059 1744 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1736, 1744, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ) ... {24, 52, reply, 0, 1736, 1744, 75470, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1736, 1744, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ) ) == 0x0 00060 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75471, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ) ) == 0x0 00061 1744 NtProtectVirtualMemory (-1, (0x409000), 94224, 4, ... (0x409000), 98304, 128, ) == 0x0 00062 1744 NtProtectVirtualMemory (-1, (0x409000), 98304, 128, ... 
(0x409000), 98304, 4, ) == 0x0 00063 1744 NtFlushInstructionCache (-1, 4231168, 94224, ... ) == 0x0 00064 1744 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00065 1744 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00066 1744 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00067 1744 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00068 1744 NtClose (16, ... ) == 0x0 00069 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00070 1744 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00071 1744 NtClose (16, ... ) == 0x0 00072 1744 NtTestAlert (... ) == 0x0 00073 1744 NtContinue (1244464, 1, ... 00074 1744 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x409a00,}, 4, ... ) == 0x0 00075 1744 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 16, ) }, ... 16, ) == 0x0 00076 1744 NtCreateEvent (0x1f0003, {24, 16, 0x80, 1245092, 0, (0x1f0003, {24, 16, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 28, ) }, 1, 0, ... 28, ) == 0x0 00077 1744 NtCreateSection (0xe, {24, 0, 0x40, 1245092, 0, (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\W32_Virtu"}, {27086, 0}, 64, 134217728, 0, ... 32, ) }, {27086, 0}, 64, 134217728, 0, ... 32, ) == 0x0 00078 1744 NtMapViewOfSection (32, -1, (0x0), 0, 27086, 0x0, 27086, 2, 0, 64, ... (0x320000), 0x0, 28672, ) == 0x0 00079 1744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 36, ) }, ... 
36, ) == 0x0 00080 1744 NtQueryValueKey (36, (36, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00081 1744 NtClose (36, ... ) == 0x0 00082 1744 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00083 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.DLL"}, ... 36, ) }, ... 36, ) == 0x0 00084 1744 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00085 1744 NtClose (36, ... ) == 0x0 00086 1744 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00087 1744 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00088 1744 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00089 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 36, ) }, ... 36, ) == 0x0 00090 1744 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00091 1744 NtClose (36, ... ) == 0x0 00092 1744 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00093 1744 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00094 1744 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00095 1744 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00096 1744 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00097 1744 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00098 1744 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00099 1744 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00100 1744 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00101 1744 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... 
(0x77dd1000), 4096, 32, ) == 0x0 00102 1744 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00103 1744 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00104 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 1744 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00106 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 36, ) }, ... 36, ) == 0x0 00108 1744 NtQueryValueKey (36, (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00109 1744 NtQueryValueKey (36, (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00110 1744 NtClose (36, ... ) == 0x0 00111 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 36, ) }, ... 36, ) == 0x0 00112 1744 NtQueryValueKey (36, (36, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00113 1744 NtClose (36, ... ) == 0x0 00114 1744 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 36, ) }, ... 
36, ) == 0x0 00115 1744 NtSetInformationObject (36, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00116 1744 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00117 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00118 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00119 1744 NtOpenProcessToken (-1, 0x20, ... 40, ) == 0x0 00120 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00121 1744 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00122 1744 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 44, ) }, ... 44, ) == 0x0 00123 1744 NtQueryValueKey (44, (44, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00124 1744 NtClose (44, ... ) == 0x0 00125 1744 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00126 1744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
44, ) == 0x0 00127 1744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0 00128 1744 NtQuerySystemTime (... {-1616228540, 29926489}, ) == 0x0 00129 1744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0 00130 1744 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00131 1744 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00132 1744 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00133 1744 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00134 1744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0 00135 1744 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 60, ) == 0x0 00136 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 64, ) }, ... 64, ) == 0x0 00137 1744 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "ActiveComputerName"}, ... 68, ) }, ... 68, ) == 0x0 00138 1744 NtQueryValueKey (68, (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 00139 1744 NtClose (68, ... ) == 0x0 00140 1744 NtClose (64, ... ) == 0x0 00141 1744 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 64, ) == 0x0 00142 1744 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 68, ) == 0x0 00143 1744 NtDuplicateObject (-1, 64, -1, 0x0, 0, 2, ... 72, ) == 0x0 00144 1744 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 
1331200, 4096, ) == 0x0 00145 1744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00146 1744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0 00147 1744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00148 1744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00149 1744 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243252, (0xc0100080, {24, 0, 0x40, 0, 1243252, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0 00150 1744 NtSetInformationFile (80, 1243308, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 00151 1744 NtSetInformationFile (80, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 00152 1744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00153 1744 NtWriteFile (80, 57, 0, 0, (80, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 00154 1744 NtReadFile (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 00155 1744 NtFsControlFile (80, 57, 0x0, 0x0, 0x11c017, (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... 
{status=0x103, info=68}, (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 00156 1744 NtFsControlFile (80, 57, 0x0, 0x0, 0x11c017, (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340 \0"\0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) \0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340 \0"\0X@\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) == 0x103 00157 1744 NtFsControlFile (80, 57, 0x0, 0x0, 0x11c017, (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... 
{status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 00158 1744 NtClose (76, ... ) == 0x0 00159 1744 NtClose (80, ... ) == 0x0 00160 1744 NtAdjustPrivilegesToken (40, 0, 1245096, 0, 0, 0, ... ) == 0x0 00161 1744 NtClose (40, ... ) == 0x0 00162 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 3342336, 65536, ) == 0x0 00163 1744 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0 00164 1744 NtCreateSection (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 40, ) == 0x0 00165 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0 00166 1744 NtUnmapViewOfSection (-1, 0x340000, ... ) == 0x0 00167 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x340000), {0, 0}, 20480, ) == 0x0 00168 1744 NtFreeVirtualMemory (-1, (0x330000), 0, 32768, ... (0x330000), 65536, ) == 0x0 00169 1744 NtUnmapViewOfSection (-1, 0x340000, ... ) == 0x0 00170 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00171 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00172 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00173 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00174 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00175 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00176 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00177 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00178 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00179 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00180 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 
80, ) == 0x0 00181 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 76, ) }, ... 76, ) == 0x0 00182 1744 NtMapViewOfSection (76, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0 00183 1744 NtClose (76, ... ) == 0x0 00184 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00185 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00186 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00187 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00188 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00189 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00190 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00191 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00192 1744 NtAllocateVirtualMemory (80, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0 00193 1744 NtAllocateVirtualMemory (80, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0 00194 1744 NtProtectVirtualMemory (80, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0 00195 1744 NtCreateThread (0x1f03ff, 0x0, 80, 1243840, 1243784, 1, ... 76, {580, 1268}, ) == 0x0 00196 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\364\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75472, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\364\4\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75472, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\364\4\0\0" ... 
{28, 56, reply, 0, 1736, 1744, 75472, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0L\0\0\0D\2\0\0\364\4\0\0" ) ) == 0x0 00197 1744 NtResumeThread (76, ... 1, ) == 0x0 00198 1744 NtDelayExecution (0, {-100000, -1}, ... ) == 0x0 00199 1744 NtClose (80, ... ) == 0x0 00200 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00201 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00202 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {640, 0}, ... 80, ) == 0x0 00203 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00204 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0 00205 1744 NtClose (84, ... ) == 0x0 00206 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00207 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00208 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00209 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00210 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00211 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00212 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00213 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00214 1744 NtClose (80, ... ) == 0x0 00215 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00216 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00217 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {652, 0}, ... 
80, ) == 0x0 00218 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00219 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0 00220 1744 NtClose (84, ... ) == 0x0 00221 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00222 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00223 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00224 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00225 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00226 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00227 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00228 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00229 1744 NtClose (80, ... ) == 0x0 00230 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00231 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00232 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {816, 0}, ... 80, ) == 0x0 00233 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00234 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00235 1744 NtClose (84, ... ) == 0x0 00236 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00237 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00238 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00239 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00240 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00241 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00242 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00243 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00244 1744 NtClose (80, ... ) == 0x0 00245 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00246 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00247 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {904, 0}, ... 80, ) == 0x0 00248 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00249 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00250 1744 NtClose (84, ... ) == 0x0 00251 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00252 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00253 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00254 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00255 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00256 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00257 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... 
(0x7c90d000), 4096, 64, ) == 0x0 00258 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00259 1744 NtClose (80, ... ) == 0x0 00260 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00261 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00262 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1000, 0}, ... 80, ) == 0x0 00263 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00264 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff50000), 0x0, 28672, ) == 0x0 00265 1744 NtClose (84, ... ) == 0x0 00266 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00267 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Md\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00268 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00269 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00270 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00271 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00272 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00273 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00274 1744 NtClose (80, ... ) == 0x0 00275 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00276 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00277 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 80, ) == 0x0 00278 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 
84, ) == 0x0 00279 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00280 1744 NtClose (84, ... ) == 0x0 00281 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00282 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00283 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00284 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00285 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00286 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00287 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00288 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00289 1744 NtClose (80, ... ) == 0x0 00290 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00291 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00292 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1196, 0}, ... 80, ) == 0x0 00293 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00294 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00295 1744 NtClose (84, ... ) == 0x0 00296 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00297 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00298 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... 
(0x7c90d000), 4096, 64, ) == 0x0 00299 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00300 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00301 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00302 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00303 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00304 1744 NtClose (80, ... ) == 0x0 00305 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00306 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00307 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1468, 0}, ... 80, ) == 0x0 00308 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00309 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00310 1744 NtClose (84, ... ) == 0x0 00311 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00312 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00313 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00314 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00315 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00316 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00317 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00318 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 
0x0, ) , 5, ... 0x0, ) == 0x0 00319 1744 NtClose (80, ... ) == 0x0 00320 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00321 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00322 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 80, ) == 0x0 00323 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00324 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00325 1744 NtClose (84, ... ) == 0x0 00326 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00327 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00328 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00329 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00330 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00331 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00332 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00333 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00334 1744 NtClose (80, ... ) == 0x0 00335 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00336 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00337 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 80, ) == 0x0 00338 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00339 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... 
(0x7ffa0000), 0x0, 28672, ) == 0x0 00340 1744 NtClose (84, ... ) == 0x0 00341 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00342 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00343 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00344 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00345 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00346 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00347 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00348 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00349 1744 NtClose (80, ... ) == 0x0 00350 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00351 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00352 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 80, ) == 0x0 00353 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00354 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00355 1744 NtClose (84, ... ) == 0x0 00356 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00357 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00358 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00359 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00360 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00361 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00362 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00363 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00364 1744 NtClose (80, ... ) == 0x0 00365 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00366 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00367 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {180, 0}, ... 80, ) == 0x0 00368 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00369 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00370 1744 NtClose (84, ... ) == 0x0 00371 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00372 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00373 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00374 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00375 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00376 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00377 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00378 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00379 1744 NtClose (80, ... ) == 0x0 00380 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x330000), {0, 0}, 20480, ) == 0x0 00381 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00382 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 80, ) == 0x0 00383 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00384 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00385 1744 NtClose (84, ... ) == 0x0 00386 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00387 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00388 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00389 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00390 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00391 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00392 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00393 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00394 1744 NtClose (80, ... ) == 0x0 00395 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00396 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00397 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 80, ) == 0x0 00398 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00399 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00400 1744 NtClose (84, ... ) == 0x0 00401 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... 
(0x7c90d000), 4096, 32, ) == 0x0 00402 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00403 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00404 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00405 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00406 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00407 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00408 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00409 1744 NtClose (80, ... ) == 0x0 00410 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00411 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00412 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 80, ) == 0x0 00413 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00414 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00415 1744 NtClose (84, ... ) == 0x0 00416 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00417 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00418 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00419 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00420 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00421 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 
0x0, ) , 5, ... 0x0, ) == 0x0 00422 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00423 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00424 1744 NtClose (80, ... ) == 0x0 00425 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00426 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00427 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 80, ) == 0x0 00428 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00429 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00430 1744 NtClose (84, ... ) == 0x0 00431 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00432 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00433 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00434 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00435 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00436 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00437 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00438 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00439 1744 NtClose (80, ... ) == 0x0 00440 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00441 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00442 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 
80, ) == 0x0 00443 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00444 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00445 1744 NtClose (84, ... ) == 0x0 00446 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00447 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00448 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00449 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00450 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00451 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00452 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00453 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00454 1744 NtClose (80, ... ) == 0x0 00455 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00456 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00457 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1408, 0}, ... 80, ) == 0x0 00458 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00459 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00460 1744 NtClose (84, ... ) == 0x0 00461 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00462 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00463 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00464 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00465 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00466 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00467 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00468 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00469 1744 NtClose (80, ... ) == 0x0 00470 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00471 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00472 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 80, ) == 0x0 00473 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00474 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00475 1744 NtClose (84, ... ) == 0x0 00476 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00477 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00478 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00479 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00480 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00481 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00482 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... 
(0x7c90d000), 4096, 64, ) == 0x0 00483 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00484 1744 NtClose (80, ... ) == 0x0 00485 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00486 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00487 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 80, ) == 0x0 00488 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00489 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00490 1744 NtClose (84, ... ) == 0x0 00491 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00492 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00493 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00494 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00495 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00496 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00497 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00498 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00499 1744 NtClose (80, ... ) == 0x0 00500 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00501 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00502 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1452, 0}, ... 80, ) == 0x0 00503 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 
84, ) == 0x0 00504 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00505 1744 NtClose (84, ... ) == 0x0 00506 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00507 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00508 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00509 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00510 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00511 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00512 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00513 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00514 1744 NtClose (80, ... ) == 0x0 00515 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00516 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00517 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1200, 0}, ... 80, ) == 0x0 00518 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00519 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00520 1744 NtClose (84, ... ) == 0x0 00521 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00522 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00523 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... 
(0x7c90d000), 4096, 64, ) == 0x0 00524 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00525 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00526 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00527 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00528 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00529 1744 NtClose (80, ... ) == 0x0 00530 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00531 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00532 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {164, 0}, ... 80, ) == 0x0 00533 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00534 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00535 1744 NtClose (84, ... ) == 0x0 00536 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00537 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00538 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00539 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00540 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00541 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00542 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00543 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 
0x0, ) , 5, ... 0x0, ) == 0x0 00544 1744 NtClose (80, ... ) == 0x0 00545 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00546 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00547 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {888, 0}, ... 80, ) == 0x0 00548 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00549 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00550 1744 NtClose (84, ... ) == 0x0 00551 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00552 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00553 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00554 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00555 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00556 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00557 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00558 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00559 1744 NtClose (80, ... ) == 0x0 00560 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00561 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00562 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1512, 0}, ... 80, ) == 0x0 00563 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00564 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... 
(0x7ffa0000), 0x0, 28672, ) == 0x0 00565 1744 NtClose (84, ... ) == 0x0 00566 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00567 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00568 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00569 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00570 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00571 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00572 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00573 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00574 1744 NtClose (80, ... ) == 0x0 00575 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00576 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00577 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1284, 0}, ... 80, ) == 0x0 00578 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00579 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00580 1744 NtClose (84, ... ) == 0x0 00581 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00582 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00583 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00584 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00585 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00586 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00587 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00588 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00589 1744 NtClose (80, ... ) == 0x0 00590 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00591 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00592 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1328, 0}, ... 80, ) == 0x0 00593 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00594 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00595 1744 NtClose (84, ... ) == 0x0 00596 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00597 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00598 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00599 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00600 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00601 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00602 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00603 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00604 1744 NtClose (80, ... ) == 0x0 00605 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0x330000), {0, 0}, 20480, ) == 0x0 00606 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00607 1744 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1736, 0}, ... 80, ) == 0x0 00608 1744 NtOpenSection (0xe, {24, 16, 0x0, 0, 0, (0xe, {24, 16, 0x0, 0, 0, "W32_Virtu"}, ... 84, ) }, ... 84, ) == 0x0 00609 1744 NtMapViewOfSection (84, 80, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0 00610 1744 NtClose (84, ... ) == 0x0 00611 1744 NtProtectVirtualMemory (80, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0 00612 1744 NtWriteVirtualMemory (80, 0x7c90d682, (80, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00613 1744 NtProtectVirtualMemory (80, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00614 1744 NtWriteVirtualMemory (80, 0x7c90dcfd, (80, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00615 1744 NtProtectVirtualMemory (80, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00616 1744 NtWriteVirtualMemory (80, 0x7c90d754, (80, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00617 1744 NtProtectVirtualMemory (80, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0 00618 1744 NtWriteVirtualMemory (80, 0x7c90d769, (80, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00619 1744 NtClose (80, ... ) == 0x0 00620 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x330000), {0, 0}, 20480, ) == 0x0 00621 1744 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00622 1744 NtClose (40, ... ) == 0x0 00623 1744 NtClose (28, ... ) == 0x0 00624 1744 NtQueryVirtualMemory (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x4000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 00625 1744 NtContinue (1244400, 0, ... 00626 1744 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 
3342336, 4096, ) == 0x0 00627 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00628 1744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00629 1744 NtClose (28, ... ) == 0x0 00630 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00631 1744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00632 1744 NtClose (28, ... ) == 0x0 00633 1744 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00634 1744 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00635 1744 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00636 1744 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00637 1744 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00638 1744 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00639 1744 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00640 1744 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00641 1744 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00642 1744 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00643 1744 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00644 1744 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00645 1744 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00646 1744 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00647 1744 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00648 1744 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... 
(0x7e411000), 4096, 32, ) == 0x0 00649 1744 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00650 1744 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00651 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00652 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00653 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00654 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75536, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75536, 0} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75536, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ) ) == 0x0 00655 1744 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00656 1744 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00657 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... 
) == 0x0 00658 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00659 1744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 40, ) == 0x0 00660 1744 NtClose (28, ... ) == 0x0 00661 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0 00662 1744 NtClose (40, ... ) == 0x0 00663 1744 NtUnmapViewOfSection (-1, 0x340000, ... ) == 0x0 00664 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0 00665 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0 00666 1744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 40, ... 28, ) == 0x0 00667 1744 NtClose (40, ... ) == 0x0 00668 1744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0 00669 1744 NtClose (28, ... ) == 0x0 00670 1744 NtUnmapViewOfSection (-1, 0x340000, ... ) == 0x0 00671 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00672 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00673 1744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 40, ) == 0x0 00674 1744 NtQuerySection (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00675 1744 NtOpenProcessToken (-1, 0x8, ... 80, ) == 0x0 00676 1744 NtQueryInformationToken (80, User, 136, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00677 1744 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00678 1744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 84, ) }, ... 84, ) == 0x0 00679 1744 NtQueryValueKey (84, (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00680 1744 NtClose (84, ... ) == 0x0 00681 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00682 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 84, ) == 0x0 00683 1744 NtQueryInformationToken (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00684 1744 NtClose (84, ... ) == 0x0 00685 1744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00686 1744 NtClose (80, ... ) == 0x0 00687 1744 NtClose (28, ... ) == 0x0 00688 1744 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00689 1744 NtClose (40, ... ) == 0x0 00690 1744 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00691 1744 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00692 1744 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00693 1744 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00694 1744 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00695 1744 NtFlushInstructionCache (-1, 1983451136, 696, ... 
) == 0x0 00696 1744 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00697 1744 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00698 1744 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00699 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00700 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00701 1744 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00702 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0 00703 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0 00704 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00705 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 40, ) }, ... 40, ) == 0x0 00706 1744 NtQueryValueKey (40, (40, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00707 1744 NtClose (40, ... ) == 0x0 00708 1744 NtMapViewOfSection (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0 00709 1744 NtClose (-2147482576, ... 
) == 0x0 00710 1744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0 00711 1744 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00712 1744 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482576, ) == 0x0 00713 1744 NtQueryInformationToken (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00714 1744 NtQueryInformationToken (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00715 1744 NtClose (-2147482576, ... ) == 0x0 00716 1744 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0 00717 1744 NtFreeVirtualMemory (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0 00718 1744 NtDuplicateObject (-1, 28, -1, 0x0, 0, 2, ... 84, ) == 0x0 00719 1744 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00720 1744 NtQueryValueKey (-2147482576, (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00721 1744 NtClose (-2147482576, ... ) == 0x0 00722 1744 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00723 1744 NtQueryValueKey (-2147482576, (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00724 1744 NtClose (-2147482576, ... ) == 0x0 00725 1744 NtQueryDefaultLocale (0, -138397364, ... ) == 0x0 00726 1744 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00727 1744 NtUserCallNoParam (24, ... ) == 0x0 00728 1744 NtGdiCreateCompatibleDC (0, ... 00729 1744 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0 00728 1744 NtGdiCreateCompatibleDC ... ) == 0xf3010663 00730 1744 NtGdiGetStockObject (0, ... ) == 0x1900010 00731 1744 NtGdiGetStockObject (4, ... 
) == 0x1900011 00732 1744 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7 00733 1744 NtGdiCreateSolidBrush (0, 0, ... 00734 1744 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0 00733 1744 NtGdiCreateSolidBrush ... ) == 0x4210057d 00735 1744 NtGdiGetStockObject (13, ... ) == 0x18a0021 00736 1744 NtGdiCreateCompatibleDC (0, ... ) == 0x69010363 00737 1744 NtGdiSelectBitmap (1761674083, -50002441, ... ) == 0x185000f 00738 1744 NtUserGetThreadDesktop (1744, 0, ... ) == 0x50 00739 1744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 88, ) }, ... 88, ) == 0x0 00740 1744 NtQueryValueKey (88, (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (88, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00741 1744 NtClose (88, ... ) == 0x0 00742 1744 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00743 1744 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8173c017 00744 1744 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00745 1744 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8173c01c 00746 1744 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00747 1744 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8173c01e 00748 1744 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00749 1744 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81738002 00750 1744 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10013 00751 1744 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... 
) == 0x8173c018 00752 1744 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00753 1744 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8173c01a 00754 1744 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00755 1744 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8173c01d 00756 1744 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00757 1744 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8173c026 00758 1744 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00759 1744 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8173c019 00760 1744 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c020 00761 1744 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c022 00762 1744 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c023 00763 1744 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c024 00764 1744 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c025 00765 1744 NtCallbackReturn (0, 0, 0, ... 00766 1744 NtGdiInit (... ) == 0x1 00767 1744 NtGdiGetStockObject (18, ... ) == 0x290001c 00768 1744 NtGdiGetStockObject (19, ... ) == 0x1b00019 00769 1744 NtAllocateVirtualMemory (-1, 0, 0, 26624, 4096, 64, ... 3538944, 28672, ) == 0x0 00770 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00771 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00772 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0 00773 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00774 1744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0 00775 1744 NtQuerySection (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00776 1744 NtClose (88, ... ) == 0x0 00777 1744 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0 00778 1744 NtClose (92, ... ) == 0x0 00779 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 92, ) }, ... 92, ) == 0x0 00780 1744 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0 00781 1744 NtClose (92, ... ) == 0x0 00782 1744 NtProtectVirtualMemory (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00783 1744 NtProtectVirtualMemory (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00784 1744 NtFlushInstructionCache (-1, 2009141248, 632, ... ) == 0x0 00785 1744 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00786 1744 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00787 1744 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00788 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00789 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00790 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... 
) }, 1242092, ... ) == 0x0 00791 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0 00792 1744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 92, ... 88, ) == 0x0 00793 1744 NtQuerySection (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00794 1744 NtClose (92, ... ) == 0x0 00795 1744 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00796 1744 NtClose (88, ... ) == 0x0 00797 1744 NtProtectVirtualMemory (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00798 1744 NtProtectVirtualMemory (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00799 1744 NtFlushInstructionCache (-1, 1906970624, 352, ... ) == 0x0 00800 1744 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00801 1744 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00802 1744 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00803 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00804 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00805 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0 00806 1744 NtAllocateVirtualMemory (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0 00807 1744 NtAllocateVirtualMemory (-1, 3608576, 0, 8192, 4096, 4, ... 
3608576, 8192, ) == 0x0 00808 1744 NtAllocateVirtualMemory (-1, 3616768, 0, 4096, 4096, 4, ... 3616768, 4096, ) == 0x0 00809 1744 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 88, ) }, ... 88, ) == 0x0 00810 1744 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x380000), 0x0, 12288, ) == 0x0 00811 1744 NtClose (88, ... ) == 0x0 00812 1744 NtAllocateVirtualMemory (-1, 3620864, 0, 4096, 4096, 4, ... 3620864, 4096, ) == 0x0 00813 1744 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00814 1744 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00815 1744 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00816 1744 NtQueryVirtualMemory (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0 00817 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00818 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00819 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00820 1744 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 00821 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 88, ) }, ... 88, ) == 0x0 00822 1744 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0 00823 1744 NtClose (88, ... ) == 0x0 00824 1744 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00825 1744 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00826 1744 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00827 1744 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00828 1744 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00829 1744 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00830 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 88, ) }, ... 88, ) == 0x0 00831 1744 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0 00832 1744 NtClose (88, ... ) == 0x0 00833 1744 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00834 1744 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00835 1744 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00836 1744 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00837 1744 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00838 1744 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00839 1744 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00840 1744 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00841 1744 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00842 1744 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... 
(0x77f61000), 4096, 32, ) == 0x0 00843 1744 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00844 1744 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00845 1744 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00846 1744 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00847 1744 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00848 1744 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00849 1744 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00850 1744 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00851 1744 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00852 1744 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00853 1744 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00854 1744 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00855 1744 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00856 1744 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00857 1744 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00858 1744 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00859 1744 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00860 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 88, ) }, ... 88, ) == 0x0 00861 1744 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x390000), 0x0, 36864, ) == STATUS_IMAGE_NOT_AT_BASE 00862 1744 NtProtectVirtualMemory (-1, (0x391000), 18944, 4, ... (0x391000), 20480, 32, ) == 0x0 00863 1744 NtProtectVirtualMemory (-1, (0x397000), 1024, 4, ... 
(0x397000), 4096, 2, ) == 0x0 00864 1744 NtProtectVirtualMemory (-1, (0x398000), 1536, 4, ... (0x398000), 4096, 2, ) == 0x0 00865 1744 NtMapViewOfSection (88, -1, (0x390000), 0, 0, 0x0, 36864, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES 00866 1744 NtProtectVirtualMemory (-1, (0x391000), 18944, 16, ... (0x391000), 20480, 4, ) == 0x0 00867 1744 NtProtectVirtualMemory (-1, (0x397000), 1024, 2, ... (0x397000), 4096, 8, ) == 0x0 00868 1744 NtProtectVirtualMemory (-1, (0x398000), 1536, 2, ... (0x398000), 4096, 8, ) == 0x0 00869 1744 NtFlushInstructionCache (-1, 0, 0, ... ) == 0x0 00870 1744 NtClose (88, ... ) == 0x0 00871 1744 NtProtectVirtualMemory (-1, (0x391000), 160, 4, ... (0x391000), 4096, 16, ) == 0x0 00872 1744 NtProtectVirtualMemory (-1, (0x391000), 4096, 16, ... (0x391000), 4096, 4, ) == 0x0 00873 1744 NtFlushInstructionCache (-1, 3739648, 160, ... ) == 0x0 00874 1744 NtProtectVirtualMemory (-1, (0x391000), 160, 4, ... (0x391000), 4096, 16, ) == 0x0 00875 1744 NtProtectVirtualMemory (-1, (0x391000), 4096, 16, ... (0x391000), 4096, 4, ) == 0x0 00876 1744 NtFlushInstructionCache (-1, 3739648, 160, ... ) == 0x0 00877 1744 NtProtectVirtualMemory (-1, (0x391000), 160, 4, ... (0x391000), 4096, 16, ) == 0x0 00878 1744 NtProtectVirtualMemory (-1, (0x391000), 4096, 16, ... (0x391000), 4096, 4, ) == 0x0 00879 1744 NtFlushInstructionCache (-1, 3739648, 160, ... ) == 0x0 00880 1744 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00881 1744 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00882 1744 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 00883 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 88, ) }, ... 88, ) == 0x0 00884 1744 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0 00885 1744 NtClose (88, ... ) == 0x0 00886 1744 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... 
(0x42991000), 4096, 32, ) == 0x0 00887 1744 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00888 1744 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00889 1744 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00890 1744 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00891 1744 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00892 1744 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00893 1744 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00894 1744 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00895 1744 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00896 1744 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00897 1744 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00898 1744 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00899 1744 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00900 1744 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00901 1744 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00902 1744 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00903 1744 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00904 1744 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 00905 1744 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 00906 1744 NtFlushInstructionCache (-1, 1119948800, 1452, ... 
) == 0x0 00907 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00908 1744 NtOpenKey (0x2000000, {24, 36, 0x40, 0, 0, (0x2000000, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00909 1744 NtCreateSemaphore (0x1f0003, {24, 16, 0x80, 1338216, 0, (0x1f0003, {24, 16, 0x80, 1338216, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 88, ) }, 0, 2147483647, ... 88, ) == STATUS_OBJECT_NAME_EXISTS 00910 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00911 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00912 1744 NtQueryPerformanceCounter (... {1109269497, 16}, {3579545, 0}, ) == 0x0 00913 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00914 1744 NtQueryPerformanceCounter (... {1109269814, 16}, {3579545, 0}, ) == 0x0 00915 1744 NtAllocateVirtualMemory (-1, 1339392, 0, 8192, 4096, 4, ... 1339392, 8192, ) == 0x0 00916 1744 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00917 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9502720, 1048576, ) == 0x0 00918 1744 NtAllocateVirtualMemory (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0 00919 1744 NtAllocateVirtualMemory (-1, 9506816, 0, 8192, 4096, 4, ... 9506816, 8192, ) == 0x0 00920 1744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0 00921 1744 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1242348, (0xc0100080, {24, 0, 0x40, 0, 1242348, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 96, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 96, {status=0x0, info=0}, ) == 0x0 00922 1744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 100, ) == 0x0 00923 1744 NtDeviceIoControlFile (96, 100, 0x0, 0x12f54c, 0x22414c, (96, 100, 0x0, 0x12f54c, 0x22414c, "\224\365\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ... 00924 1744 NtOpenKey (0x82000000, {24, 0, 0x240, 0, 0, (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00925 1744 NtQueryValueKey (-2147482576, (-2147482576, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00926 1744 NtQueryValueKey (-2147482576, (-2147482576, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00927 1744 NtClose (-2147482576, ... ) == 0x0 00928 1744 NtClose (1072, ... ) == 0x0 00923 1744 NtDeviceIoControlFile ... {status=0x0, info=80}, ... 
{status=0x0, info=80}, "\310\332(\341\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#u\0l\0t\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00929 1744 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1242564, (0xc0100080, {24, 0, 0x40, 0, 1242564, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 108, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 108, {status=0x0, info=0}, ) == 0x0 00930 1744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0 00931 1744 NtDuplicateObject (-1, -1, -1, 0x0, 0, 2, ... 116, ) == 0x0 00932 1744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0 00933 1744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0 00934 1744 NtAllocateVirtualMemory (-1, 9515008, 0, 8192, 4096, 4, ... 9515008, 8192, ) == 0x0 00935 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 10551296, 1048576, ) == 0x0 00936 1744 NtAllocateVirtualMemory (-1, 11591680, 0, 8192, 4096, 4, ... 11591680, 8192, ) == 0x0 00937 1744 NtProtectVirtualMemory (-1, (0xb0e000), 4096, 260, ... (0xb0e000), 4096, 4, ) == 0x0 00938 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1241648, 1241592, 1, ... 128, {1736, 2040}, ) == 0x0 00939 1744 NtQueryInformationThread (128, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1736,Tid=2040,}, 0x0, ) == 0x0 00940 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 17, 1242416, 1319072, 9503096} (24, {28, 56, new_msg, 0, 17, 1242416, 1319072, 9503096} "\0\0\0\0\1\0\1\0\200\0\0\0(\2\0\0\200\0\0\0\310\6\0\0\370\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\200\0\0\0\310\6\0\0\370\7\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75537, 0} (24, {28, 56, new_msg, 0, 17, 1242416, 1319072, 9503096} "\0\0\0\0\1\0\1\0\200\0\0\0(\2\0\0\200\0\0\0\310\6\0\0\370\7\0\0" ... 
{28, 56, reply, 0, 1736, 1744, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0\200\0\0\0\310\6\0\0\370\7\0\0" ) ) == 0x0 00941 1744 NtResumeThread (128, ... 1, ) == 0x0 00942 1744 NtClose (128, ... ) == 0x0 00943 1744 NtSetEvent (112, ... 0x0, ) == 0x0 00944 1744 NtSetEvent (92, ... 00945 2040 NtCreateEvent (0x100003, 0x0, 1, 0, ... 128, ) == 0x0 00946 2040 NtWaitForSingleObject (128, 0, 0x0, ... 00944 1744 NtSetEvent ... 0x0, ) == 0x0 00947 1744 NtClose (92, ... ) == 0x0 00948 1744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0 00949 1744 NtAllocateVirtualMemory (-1, 9523200, 0, 4096, 4096, 4, ... 9523200, 4096, ) == 0x0 00950 1744 NtDeviceIoControlFile (96, 100, 0x0, 0x12f54c, 0x22414c, (96, 100, 0x0, 0x12f54c, 0x22414c, "\224\365\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ... 00951 1744 NtOpenKey (0x82000000, {24, 0, 0x240, 0, 0, (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00952 1744 NtQueryValueKey (-2147482576, (-2147482576, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00953 1744 NtQueryValueKey (-2147482576, (-2147482576, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00954 1744 NtClose (-2147482576, ... ) == 0x0 00955 1744 NtClose (1072, ... ) == 0x0 00950 1744 NtDeviceIoControlFile ... {status=0x0, info=80}, ... {status=0x0, info=80}, "\350H\316\341\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\34432\0\00\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00956 1744 NtSetEvent (112, ... 0x0, ) == 0x0 00957 1744 NtSetEvent (92, ... 
0x0, ) == 0x0 00958 1744 NtClose (92, ... ) == 0x0 00959 1744 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 00960 1744 NtOpenProcessToken (-1, 0xa, ... 92, ) == 0x0 00961 1744 NtDuplicateToken (92, 0xc, {24, 0, 0x0, 0, 1242832, 0x0}, 0, 2, ... 136, ) == 0x0 00962 1744 NtClose (92, ... ) == 0x0 00963 1744 NtAccessCheck (1344040, 136, 0x1, 1242908, 1242960, 56, 1242940, ... (0x1), ) == 0x0 00964 1744 NtClose (136, ... ) == 0x0 00965 1744 NtQueryDefaultUILanguage (1241712, ... 00966 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00967 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482576, ) == 0x0 00968 1744 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00969 1744 NtClose (-2147482576, ... ) == 0x0 00970 1744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00971 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00972 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0 00973 1744 NtQueryValueKey (-2147481400, (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00974 1744 NtClose (-2147481400, ... ) == 0x0 00975 1744 NtClose (-2147482576, ... ) == 0x0 00965 1744 NtQueryDefaultUILanguage ... ) == 0x0 00976 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00977 1744 NtQueryDefaultUILanguage (2090319928, ... 00978 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00979 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482576, ) == 0x0 00980 1744 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00981 1744 NtClose (-2147482576, ... ) == 0x0 00982 1744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00983 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00984 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0 00985 1744 NtQueryValueKey (-2147481400, (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00986 1744 NtClose (-2147481400, ... ) == 0x0 00987 1744 NtClose (-2147482576, ... ) == 0x0 00977 1744 NtQueryDefaultUILanguage ... ) == 0x0 00988 1744 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 00989 1744 NtQueryDefaultLocale (1, 1239808, ... ) == 0x0 00990 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00991 1744 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 1736, 1744, 75538, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 1736, 1744, 75538, 0} (24, {128, 156, new_msg, 0, 2088850039, 1240844, 1179817, 1240568} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 1736, 1744, 75538, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\0\363\22\0\0\0\0\0" ) ) == 0x0 00992 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00993 1744 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00994 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00995 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00996 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1239036, ... ) }, 1239036, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00997 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00998 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00999 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01000 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1239100, ... ) }, 1239100, ... 
) == 0x0 01001 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 136, {status=0x0, info=1}, ) }, 3, 33, ... 136, {status=0x0, info=1}, ) == 0x0 01002 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01003 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0 01004 1744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 92, ... 140, ) == 0x0 01005 1744 NtClose (92, ... ) == 0x0 01006 1744 NtMapViewOfSection (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb10000), 0x0, 1056768, ) == 0x0 01007 1744 NtClose (140, ... ) == 0x0 01008 1744 NtUnmapViewOfSection (-1, 0xb10000, ... ) == 0x0 01009 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 140, {status=0x0, info=1}, ) }, 5, 96, ... 140, {status=0x0, info=1}, ) == 0x0 01010 1744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 140, ... 92, ) == 0x0 01011 1744 NtQuerySection (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01012 1744 NtClose (140, ... ) == 0x0 01013 1744 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0 01014 1744 NtClose (92, ... ) == 0x0 01015 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01016 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01017 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 01018 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... 
(0x773d1000), 4096, 32, ) == 0x0 01019 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01020 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 01021 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01022 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01023 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 01024 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01025 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01026 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 01027 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01028 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01029 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 01030 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01031 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01032 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 01033 1744 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 01034 1744 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 01035 1744 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 01036 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01037 1744 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240580, ... ) , 42, 1240580, ... ) == 0x0 01038 1744 NtQueryDefaultUILanguage (1239264, ... 
01039 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01040 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482576, ) == 0x0 01041 1744 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01042 1744 NtClose (-2147482576, ... ) == 0x0 01043 1744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 01044 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01045 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0 01046 1744 NtQueryValueKey (-2147481400, (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01047 1744 NtClose (-2147481400, ... ) == 0x0 01048 1744 NtClose (-2147482576, ... ) == 0x0 01038 1744 NtQueryDefaultUILanguage ... ) == 0x0 01049 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238104, ... ) }, 1238104, ... ) == 0x0 01050 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0 01051 1744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 92, ... 140, ) == 0x0 01052 1744 NtClose (92, ... ) == 0x0 01053 1744 NtMapViewOfSection (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3b0000), 0x0, 4096, ) == 0x0 01054 1744 NtClose (140, ... ) == 0x0 01055 1744 NtUnmapViewOfSection (-1, 0x3b0000, ... 
) == 0x0 01056 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237700, ... ) }, 1237700, ... ) == 0x0 01057 1744 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238444, (0x80100080, {24, 0, 0x40, 0, 1238444, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 140, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 140, {status=0x0, info=1}, ) == 0x0 01058 1744 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 140, ... 92, ) == 0x0 01059 1744 NtClose (140, ... ) == 0x0 01060 1744 NtMapViewOfSection (92, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3b0000), {0, 0}, 4096, ) == 0x0 01061 1744 NtClose (92, ... ) == 0x0 01062 1744 NtUnmapViewOfSection (-1, 0x3b0000, ... ) == 0x0 01063 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 92, {status=0x0, info=1}, ) }, 1, 96, ... 92, {status=0x0, info=1}, ) == 0x0 01064 1744 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 92, ... 140, ) == 0x0 01065 1744 NtMapViewOfSection (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3b0000), 0x0, 4096, ) == 0x0 01066 1744 NtQueryInformationFile (92, 1238096, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01067 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01068 1744 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\1\\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 1736, 1744, 75539, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\1\\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 1736, 1744, 75539, 0} (24, {128, 156, new_msg, 0, 2088850039, 1238396, 1179817, 1238120} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\1\\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 1736, 1744, 75539, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\1\\0\0\0\214\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0p\351\22\0\0\0\0\0" ) ) == 0x0 01069 1744 NtClose (92, ... ) == 0x0 01070 1744 NtClose (140, ... ) == 0x0 01071 1744 NtUnmapViewOfSection (-1, 0x3b0000, ... ) == 0x0 01072 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01073 1744 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01074 1744 NtUserSystemParametersInfo (104, 0, 2001084812, 0, ... ) == 0x1 01075 1744 NtUserGetDC (0, ... ) == 0x1010054 01076 1744 NtQueryVirtualMemory (-1, 0x7c91ca50, Basic, 28, ... {BaseAddress=0x7c91c000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 01077 1744 NtQueryVirtualMemory (-1, 0x7c9163a8, Basic, 28, ... {BaseAddress=0x7c916000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x66000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 01078 1744 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01079 1744 NtQueryDebugFilterState (87, 3, ... 
) == 0x0 01080 1744 NtContinue (1238304, 0, ... 01081 1744 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01082 1744 NtUnmapViewOfSection (-1, 0x773d0000, ... ) == 0x0 01083 1744 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01084 1744 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 01085 1744 NtClose (136, ... ) == 0x0 01086 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 136, ) }, ... 136, ) == 0x0 01087 1744 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0 01088 1744 NtClose (136, ... ) == 0x0 01089 1744 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01090 1744 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01091 1744 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01092 1744 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01093 1744 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01094 1744 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01095 1744 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01096 1744 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01097 1744 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01098 1744 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01099 1744 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01100 1744 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 01101 1744 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 01102 1744 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 01103 1744 NtFlushInstructionCache (-1, 1560875008, 1656, ... 
) == 0x0 01104 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01105 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01106 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3801088, 65536, ) == 0x0 01107 1744 NtAllocateVirtualMemory (-1, 3801088, 0, 4096, 4096, 4, ... 3801088, 4096, ) == 0x0 01108 1744 NtAllocateVirtualMemory (-1, 3805184, 0, 8192, 4096, 4, ... 3805184, 8192, ) == 0x0 01109 1744 NtAllocateVirtualMemory (-1, 3813376, 0, 4096, 4096, 4, ... 3813376, 4096, ) == 0x0 01110 1744 NtAllocateVirtualMemory (-1, 3817472, 0, 4096, 4096, 4, ... 3817472, 4096, ) == 0x0 01111 1744 NtQueryDefaultUILanguage (1238736, ... 01112 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01113 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482576, ) == 0x0 01114 1744 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01115 1744 NtClose (-2147482576, ... ) == 0x0 01116 1744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 01117 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01118 1744 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... 
-2147481400, ) == 0x0 01119 1744 NtQueryValueKey (-2147481400, (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01120 1744 NtClose (-2147481400, ... ) == 0x0 01121 1744 NtClose (-2147482576, ... ) == 0x0 01111 1744 NtQueryDefaultUILanguage ... ) == 0x0 01122 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 136, {status=0x0, info=1}, ) }, 1, 96, ... 136, {status=0x0, info=1}, ) == 0x0 01123 1744 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 136, ... 140, ) == 0x0 01124 1744 NtMapViewOfSection (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xb10000), 0x0, 618496, ) == 0x0 01125 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01126 1744 NtQueryDefaultLocale (1, 1236832, ... ) == 0x0 01127 1744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01128 1744 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1\210\0\0\0\377\377\377\377\0\0\0\0\340q\270\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 1736, 1744, 75540, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1\210\0\0\0\377\377\377\377\0\0\0\0\340q\270\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 1736, 1744, 75540, 0} (24, {128, 156, new_msg, 0, 2088850039, 1237868, 1179817, 1237592} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1\210\0\0\0\377\377\377\377\0\0\0\0\340q\270\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 1736, 1744, 75540, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1\210\0\0\0\377\377\377\377\0\0\0\0\340q\270\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0`\347\22\0\0\0\0\0" ) ) == 0x0 01129 1744 NtClose (136, ... ) == 0x0 01130 1744 NtClose (140, ... ) == 0x0 01131 1744 NtUnmapViewOfSection (-1, 0xb10000, ... ) == 0x0 01132 1744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01133 1744 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1736, 0}, ... 140, ) == 0x0 01134 1744 NtQueryInformationProcess (140, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 01135 1744 NtClose (140, ... ) == 0x0 01136 1744 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01137 1744 NtUserSystemParametersInfo (104, 0, 1561338260, 0, ... ) == 0x1 01138 1744 NtUserSystemParametersInfo (38, 4, 1561337988, 0, ... ) == 0x1 01139 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01140 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 140, ) == 0x0 01141 1744 NtQueryInformationToken (140, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01142 1744 NtClose (140, ... ) == 0x0 01143 1744 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 140, ) }, ... 140, ) == 0x0 01144 1744 NtOpenProcessToken (-1, 0x8, ... 136, ) == 0x0 01145 1744 NtAccessCheck (1344040, 136, 0x1, 1239928, 1239980, 56, 1239960, ... 
) == STATUS_NO_IMPERSONATION_TOKEN 01146 1744 NtClose (136, ... ) == 0x0 01147 1744 NtOpenKey (0x20019, {24, 140, 0x40, 0, 0, (0x20019, {24, 140, 0x40, 0, 0, "Control Panel\Desktop"}, ... 136, ) }, ... 136, ) == 0x0 01148 1744 NtQueryValueKey (136, (136, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01149 1744 NtClose (136, ... ) == 0x0 01150 1744 NtUserSystemParametersInfo (41, 500, 1240108, 0, ... ) == 0x1 01151 1744 NtUserSystemParametersInfo (102, 0, 1561338280, 0, ... ) == 0x1 01152 1744 NtClose (140, ... ) == 0x0 01153 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 01154 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c03b 01155 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c03d 01156 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 01157 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c03f 01158 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 01159 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c041 01160 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 01161 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c043 01162 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c045 01163 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 01164 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c047 01165 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 01166 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c049 01167 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... 
) == 0x10011 01168 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c04b 01169 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 01170 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c04d 01171 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 01172 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c04f 01173 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c051 01174 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 01175 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c053 01176 1744 NtUserFindExistingCursorIcon (1239856, 1239872, 1239920, ... ) == 0x10011 01177 1744 NtUserRegisterClassExWOW (1239800, 1239868, 1239884, 1239900, 0, 384, 0, ... ) == 0x8173c055 01178 1744 NtUserFindExistingCursorIcon (1239856, 1239872, 1239920, ... ) == 0x10011 01179 1744 NtUserRegisterClassExWOW (1239800, 1239868, 1239884, 1239900, 0, 384, 0, ... ) == 0x8173c057 01180 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 01181 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c059 01182 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10013 01183 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c05b 01184 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 01185 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c05d 01186 1744 NtUserFindExistingCursorIcon (1239860, 1239876, 1239924, ... ) == 0x10011 01187 1744 NtUserRegisterClassExWOW (1239804, 1239872, 1239888, 1239904, 0, 384, 0, ... ) == 0x8173c05f 01188 1744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01189 1744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 140, ) == 0x0 01190 1744 NtQueryInformationToken (140, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01191 1744 NtClose (140, ... ) == 0x0 01192 1744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 140, ) }, ... 140, ) == 0x0 01193 1744 NtSetInformationObject (140, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 01194 1744 NtCreateKey (0x2001f, {24, 140, 0x40, 0, 0, (0x2001f, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 136, 2, ) }, 0, 0x0, 0, ... 136, 2, ) == 0x0 01195 1744 NtSetEventBoostPriority (128, ... 00946 2040 NtWaitForSingleObject ... ) == 0x0 01196 2040 NtTestAlert (... ) == 0x0 01197 2040 NtContinue (11599152, 1, ... 01198 2040 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01199 2040 NtDeviceIoControlFile (108, 120, 0x0, 0x77e466a0, 0x228144, (108, 120, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0t\0\0\0\0\0\0\0\204\0\0\0\0\0\0\0h\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103 01195 1744 NtSetEventBoostPriority ... ) == 0x0 01200 1744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01201 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242908, ... }, 1242908, ... 01202 2040 NtWaitForMultipleObjects (2, (112, 120, ), 1, 1, {1294967296, -1}, ... ) == 0x0 01203 2040 NtDeviceIoControlFile (108, 124, 0x0, 0x77e46680, 0x228144, (108, 124, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0t\0\0\0\0\0\0\0\204\0\0\0\0\0\0\0h\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... 
{status=0x103, info=0}, "", ) == 0x103 01204 2040 NtWaitForMultipleObjects (2, (112, 124, ), 1, 1, {1294967296, -1}, ... 01201 1744 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01205 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0 01206 1744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0 01207 1744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 92, ... 144, ) == 0x0 01208 1744 NtQuerySection (144, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01209 1744 NtClose (92, ... ) == 0x0 01210 1744 NtMapViewOfSection (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0 01211 1744 NtClose (144, ... ) == 0x0 01212 1744 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 01213 1744 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 01214 1744 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 01215 1744 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 01216 1744 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 01217 1744 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 01218 1744 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 01219 1744 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 01220 1744 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 01221 1744 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 01222 1744 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 01223 1744 NtFlushInstructionCache (-1, 1993740288, 500, ... 
) == 0x0 01224 1744 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 01225 1744 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 01226 1744 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 01227 1744 NtProtectVirtualMemory (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0 01228 1744 NtProtectVirtualMemory (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0 01229 1744 NtFlushInstructionCache (-1, 1993740288, 500, ... ) == 0x0 01230 1744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01231 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01232 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3997696, 65536, ) == 0x0 01233 1744 NtAllocateVirtualMemory (-1, 3997696, 0, 4096, 4096, 4, ... 3997696, 4096, ) == 0x0 01234 1744 NtAllocateVirtualMemory (-1, 4001792, 0, 8192, 4096, 4, ... 4001792, 8192, ) == 0x0 01235 1744 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 144, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 144, {status=0x0, info=0}, ) == 0x0 01236 1744 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 92, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 92, {status=0x0, info=0}, ) == 0x0 01237 1744 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 
148, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 148, {status=0x0, info=0}, ) == 0x0 01238 1744 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 152, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 152, {status=0x0, info=0}, ) == 0x0 01239 1744 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 1242836, (0x20100080, {24, 0, 0x40, 0, 1242836, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 156, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 156, {status=0x0, info=0}, ) == 0x0 01240 1744 NtAllocateVirtualMemory (-1, 4009984, 0, 36864, 4096, 4, ... 4009984, 36864, ) == 0x0 01241 1744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0 01242 1744 NtDeviceIoControlFile (144, 160, 0x0, 0x0, 0x120003, (144, 160, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (144, 160, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01243 1744 NtClose (160, ... ) == 0x0 01244 1744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0 01245 1744 NtDeviceIoControlFile (144, 160, 0x0, 0x0, 0x120003, (144, 160, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... 
{status=0x0, info=118}, (144, 160, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 01246 1744 NtClose (160, ... ) == 0x0 01247 1744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0 01248 1744 NtDeviceIoControlFile (144, 160, 0x0, 0x0, 0x120003, (144, 160, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363z\201\1\0\0\0\5\0\0\0\232A\250\25\266?C\3N\303\0\0\200\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\321\22,\0\200J\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (144, 160, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363z\201\1\0\0\0\5\0\0\0\232A\250\25\266?C\3N\303\0\0\200\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\321\22,\0\200J\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0 01249 1744 NtClose (160, ... ) == 0x0 01250 1744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0 01251 1744 NtDeviceIoControlFile (144, 160, 0x0, 0x0, 0x120003, (144, 160, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... 
{status=0x0, info=56}, (144, 160, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01252 1744 NtClose (160, ... ) == 0x0 01253 1744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0 01254 1744 NtDeviceIoControlFile (144, 160, 0x0, 0x0, 0x120003, (144, 160, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4}, (144, 160, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 01255 1744 NtClose (160, ... ) == 0x0 01256 1744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0 01257 1744 NtDeviceIoControlFile (144, 160, 0x0, 0x0, 0x120003, (144, 160, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (144, 160, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 01258 1744 NtClose (160, ... ) == 0x0 01259 1744 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 160, ) == 0x0 01260 1744 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 164, ) == 0x0 01261 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01262 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01263 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 
4063232, 4096, ) == 0x0 01264 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01265 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01266 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01267 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01268 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01269 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01270 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01271 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01272 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01273 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01274 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01275 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01276 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01277 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... 
{BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01278 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01279 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01280 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01281 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01282 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01283 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01284 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01285 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01286 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01287 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01288 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01289 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01290 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01291 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
4063232, 65536, ) == 0x0 01292 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01293 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01294 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01295 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01296 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01297 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01298 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01299 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01300 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01301 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01302 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01303 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01304 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01305 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... 
(0x3e0000), 65536, ) == 0x0 01306 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01307 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01308 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01309 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01310 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01311 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01312 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01313 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01314 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01315 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01316 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01317 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01318 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01319 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... 
{BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01320 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01321 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01322 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01323 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01324 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01325 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01326 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01327 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01328 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01329 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01330 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01331 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01332 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01333 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 
4063232, 4096, ) == 0x0 01334 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01335 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01336 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01337 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01338 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01339 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01340 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01341 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01342 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01343 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01344 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01345 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01346 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01347 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... 
{BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01348 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01349 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01350 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01351 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01352 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01353 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01354 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01355 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01356 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01357 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01358 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01359 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01360 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01361 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
4063232, 65536, ) == 0x0 01362 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01363 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01364 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01365 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01366 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01367 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01368 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01369 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01370 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01371 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01372 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01373 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01374 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01375 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... 
(0x3e0000), 65536, ) == 0x0 01376 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01377 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01378 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01379 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01380 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01381 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01382 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01383 1744 NtAllocateVirtualMemory (-1, 4063232, 0, 1, 4096, 4, ... 4063232, 4096, ) == 0x0 01384 1744 NtQueryVirtualMemory (-1, 0x3e0000, Basic, 28, ... {BaseAddress=0x3e0000,AllocationBase=0x3e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01385 1744 NtFreeVirtualMemory (-1, (0x3e0000), 0, 32768, ... (0x3e0000), 65536, ) == 0x0 01386 1744 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 168, ) }, ... 168, ) == 0x0 01387 1744 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 172, ) }, ... 172, ) == 0x0 01388 1744 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 176, ) }, ... 
176, ) == 0x0 01389 1744 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 180, ) }, ... 180, ) == 0x0 01390 1744 NtQueryDefaultLocale (1, 1242816, ... ) == 0x0 01391 1744 NtFreeVirtualMemory (-1, (0x360000), 0, 32768, ... (0x360000), 28672, ) == 0x0 01392 1744 NtFreeVirtualMemory (-1, (0x330144), 0, 32768, ... (0x330000), 4096, ) == 0x0 01393 1744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01394 1744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3342336, 65536, ) == 0x0 01395 1744 NtAllocateVirtualMemory (-1, 3342336, 0, 4096, 4096, 4, ... 3342336, 4096, ) == 0x0 01396 1744 NtAllocateVirtualMemory (-1, 3346432, 0, 20480, 4096, 4, ... 3346432, 20480, ) == 0x0 01397 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11599872, 1048576, ) == 0x0 01398 1744 NtAllocateVirtualMemory (-1, 11599872, 0, 32768, 4096, 4, ... 11599872, 32768, ) == 0x0 01399 1744 NtCreateMutant (0x1f0001, {24, 16, 0x80, 0, 0, (0x1f0001, {24, 16, 0x80, 0, 0, "Jobaka3"}, 0, ... 184, ) }, 0, ... 184, ) == 0x0 01400 1744 NtOpenKey (0x2000000, {24, 36, 0x40, 0, 0, (0x2000000, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 188, ) }, ... 188, ) == 0x0 01401 1744 NtQueryValueKey (188, (188, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (188, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01402 1744 NtQueryValueKey (188, (188, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (188, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01403 1744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0 01404 1744 NtOpenKey (0x2000000, {24, 188, 0x40, 0, 0, (0x2000000, {24, 188, 0x40, 0, 0, "Protocol_Catalog9"}, ... 196, ) }, ... 196, ) == 0x0 01405 1744 NtQueryValueKey (196, (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 01406 1744 NtNotifyChangeKey (196, 192, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 01407 1744 NtQueryValueKey (196, (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 01408 1744 NtOpenKey (0x2000000, {24, 196, 0x40, 0, 0, (0x2000000, {24, 196, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01409 1744 NtQueryValueKey (196, (196, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 01410 1744 NtQueryValueKey (196, (196, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 01411 1744 NtOpenKey (0x2000000, {24, 196, 0x40, 0, 0, (0x2000000, {24, 196, 0x40, 0, 0, "Catalog_Entries"}, ... 200, ) }, ... 200, ) == 0x0 01412 1744 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 
1347584, 4096, ) == 0x0 01413 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000001"}, ... 204, ) }, ... 204, ) == 0x0 01414 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01415 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01416 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\211\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\211\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\212\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\213\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\211\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\211\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\212\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\213\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\211\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\211\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\212\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\213\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01417 1744 NtClose (204, ... ) == 0x0 01418 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000002"}, ... 204, ) }, ... 204, ) == 0x0 01419 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01420 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01421 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\216\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\216\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\217\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\220\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\216\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\216\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\217\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\220\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\216\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\216\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\217\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\220\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01422 1744 NtClose (204, ... ) == 0x0 01423 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000003"}, ... 204, ) }, ... 204, ) == 0x0 01424 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01425 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01426 1744 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 01427 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\224\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\224\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\225\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\225\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\226\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\226\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\224\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\224\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\225\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\225\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\226\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\226\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\226\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\224\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\224\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\225\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\225\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\226\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\226\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01428 1744 NtClose (204, ... ) == 0x0 01429 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000004"}, ... 204, ) }, ... 204, ) == 0x0 01430 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01431 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01432 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\231\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\231\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\232\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\232\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\233\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\233\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\234\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\231\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\231\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\232\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\232\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\233\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\233\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\234\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\233\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\234\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\231\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\231\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\232\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\232\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\233\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\233\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\234\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01433 1744 NtClose (204, ... ) == 0x0 01434 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000005"}, ... 204, ) }, ... 204, ) == 0x0 01435 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01436 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01437 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\236\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\236\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\237\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\240\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\236\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\236\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\237\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\240\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\236\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\236\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\237\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\240\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01438 1744 NtClose (204, ... ) == 0x0 01439 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000006"}, ... 204, ) }, ... 204, ) == 0x0 01440 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01441 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01442 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\243\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\243\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\244\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\245\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\243\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\243\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\244\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\245\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 
\0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\243\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\243\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\244\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\245\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\245\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\246\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01443 1744 NtClose (204, ... ) == 0x0 01444 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000007"}, ... 204, ) }, ... 204, ) == 0x0 01445 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01446 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01447 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\250\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\250\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\251\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\252\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\250\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\250\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\251\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\252\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\250\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\250\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\251\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\251\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\252\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\252\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\253\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01448 1744 NtClose (204, ... ) == 0x0 01449 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000008"}, ... 204, ) }, ... 204, ) == 0x0 01450 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01451 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01452 1744 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 01453 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\256\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\256\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\257\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\257\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\260\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\260\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\261\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\256\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\256\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\257\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\257\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\260\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\260\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\261\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\260\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\261\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\256\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\256\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\257\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\257\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\260\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\260\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\261\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01454 1744 NtClose (204, ... ) == 0x0 01455 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000009"}, ... 204, ) }, ... 204, ) == 0x0 01456 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01457 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01458 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\263\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\263\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\264\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\264\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\265\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\265\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\266\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\263\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\263\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\264\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\264\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\265\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\265\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\266\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\265\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\266\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\263\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\263\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\264\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\264\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\265\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\265\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\266\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01459 1744 NtClose (204, ... ) == 0x0 01460 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000010"}, ... 204, ) }, ... 204, ) == 0x0 01461 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01462 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01463 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\270\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\270\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\271\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\271\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\272\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\272\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\273\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\270\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\270\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\271\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\271\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\272\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\272\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\273\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\272\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\273\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\270\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\270\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\271\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\271\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\272\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\272\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\273\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01464 1744 NtClose (204, ... ) == 0x0 01465 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000011"}, ... 204, ) }, ... 204, ) == 0x0 01466 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01467 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01468 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\275\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\275\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\276\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\277\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\277\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\300\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\275\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\275\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\276\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\277\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\277\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\300\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\277\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\300\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\275\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\275\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\276\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\277\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\277\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\300\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01469 1744 NtClose (204, ... ) == 0x0 01470 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000012"}, ... 204, ) }, ... 204, ) == 0x0 01471 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01472 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01473 1744 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 01474 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\303\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\303\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\304\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\304\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\305\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\305\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\306\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\303\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\303\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\304\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\304\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\305\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\305\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\306\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\305\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\306\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\303\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\303\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\304\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\304\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\305\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\305\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\306\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01475 1744 NtClose (204, ... ) == 0x0 01476 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000013"}, ... 204, ) }, ... 204, ) == 0x0 01477 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01478 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01479 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\310\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\310\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\311\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\311\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\312\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\312\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\313\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\310\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\310\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\311\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\311\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\312\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\312\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\313\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\312\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\313\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 
(204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\310\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\310\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\311\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\311\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\312\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\312\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\313\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01480 1744 NtClose (204, ... ) == 0x0 01481 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000014"}, ... 204, ) }, ... 
204, ) == 0x0 01482 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01483 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01484 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\315\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\315\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\316\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\316\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\317\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\317\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\320\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\315\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\315\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\316\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\316\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\317\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\317\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\320\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\317\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\320\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 
(204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\315\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\315\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\316\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\316\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\317\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\317\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\320\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01485 1744 NtClose (204, ... ) == 0x0 01486 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000015"}, ... 204, ) }, ... 
204, ) == 0x0 01487 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01488 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01489 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\322\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\322\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\323\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\323\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\324\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\324\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\325\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\322\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\322\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\323\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\323\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\324\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\324\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\325\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\324\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\325\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\322\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\322\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\323\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\323\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\324\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\324\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\325\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01490 1744 NtClose (204, ... ) == 0x0 01491 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000016"}, ... 204, ) }, ... 204, ) == 0x0 01492 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01493 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01494 1744 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01495 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\330\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\330\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\331\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\331\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\332\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\332\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\333\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\330\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\330\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\331\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\331\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\332\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\332\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\333\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\332\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\333\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\330\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\330\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\331\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\331\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\332\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\332\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\333\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01496 1744 NtClose (204, ... ) == 0x0 01497 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000017"}, ... 204, ) }, ... 204, ) == 0x0 01498 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01499 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01500 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\335\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\335\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\336\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\336\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\337\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\337\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\340\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\335\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\335\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\336\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\336\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\337\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\337\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\340\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\337\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\340\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\335\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\335\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\336\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\336\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\337\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\337\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\340\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01501 1744 NtClose (204, ... ) == 0x0 01502 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000018"}, ... 204, ) }, ... 204, ) == 0x0 01503 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01504 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01505 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\342\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\342\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\343\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\343\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\344\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\344\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\345\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\342\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\342\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\343\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\343\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\344\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\344\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\345\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\344\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\345\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\342\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\342\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\343\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\343\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\344\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\344\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\345\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01506 1744 NtClose (204, ... ) == 0x0 01507 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000019"}, ... 204, ) }, ... 204, ) == 0x0 01508 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01509 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01510 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\347\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\347\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\350\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\351\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\351\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\347\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\347\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\350\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\351\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\351\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\351\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\347\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\347\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\350\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\351\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\351\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01511 1744 NtClose (204, ... ) == 0x0 01512 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000020"}, ... 204, ) }, ... 204, ) == 0x0 01513 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01514 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01515 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\354\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\354\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\355\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\355\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\356\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\356\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\357\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\354\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\354\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\355\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\355\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\356\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\356\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\357\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\356\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\357\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\354\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\354\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\355\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\355\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\356\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\356\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\357\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01516 1744 NtClose (204, ... ) == 0x0 01517 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000021"}, ... 204, ) }, ... 204, ) == 0x0 01518 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01519 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01520 1744 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 01521 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\362\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\362\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\363\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\364\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\362\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\362\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\363\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\364\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0 (204, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\362\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\362\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\310\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\240\207\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\363\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\314\0\0\0\364\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\364\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\5\0\0\310\6\0\0\320\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\314\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01522 1744 NtClose (204, ... ) == 0x0 01523 1744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "000000000022"}, ... 204, ) }, ... 204, ) == 0x0 01524 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01525 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01526 1744 NtQueryValueKey (204, (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\367\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\367\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\370\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\5\0\0\310\6\0\0\320\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\300\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\371\5\0\0\310\6\0\0\320\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\372\5\0\0\310\6\0\0\320\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\372\5\0\0\310\6\0\0\320\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\373\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\274\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (204, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\367\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\367\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\370\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\5\0\0\310\6\0\0\320\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\300\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\371\5\0\0\310\6\0\0\320\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\372\5\0\0\310\6\0\0\320\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\372\5\0\0\310\6\0\0\320\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\373\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\274\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\367\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\367\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\310\0\0\0\370\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\5\0\0\310\6\0\0\320\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\300\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\371\5\0\0\310\6\0\0\320\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\372\5\0\0\310\6\0\0\320\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\372\5\0\0\310\6\0\0\320\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\310\0\0\0\373\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\274\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X@\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 01527 1744 NtClose (204, ... ) == 0x0 01528 1744 NtClose (200, ... ) == 0x0 01529 1744 NtWaitForSingleObject (192, 0, {0, 0}, ... ) == 0x102 01530 1744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 200, ) == 0x0 01531 1744 NtOpenKey (0x2000000, {24, 188, 0x40, 0, 0, (0x2000000, {24, 188, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 204, ) }, ... 204, ) == 0x0 01532 1744 NtQueryValueKey (204, (204, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 01533 1744 NtNotifyChangeKey (204, 200, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 01534 1744 NtQueryValueKey (204, (204, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 01535 1744 NtOpenKey (0x2000000, {24, 204, 0x40, 0, 0, (0x2000000, {24, 204, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01536 1744 NtQueryValueKey (204, (204, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01537 1744 NtOpenKey (0x2000000, {24, 204, 0x40, 0, 0, (0x2000000, {24, 204, 0x40, 0, 0, "Catalog_Entries"}, ... 208, ) }, ... 208, ) == 0x0 01538 1744 NtOpenKey (0x20019, {24, 208, 0x40, 0, 0, (0x20019, {24, 208, 0x40, 0, 0, "000000000001"}, ... 212, ) }, ... 212, ) == 0x0 01539 1744 NtQueryValueKey (212, (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01540 1744 NtQueryValueKey (212, (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01541 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01542 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01543 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01544 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01545 1744 NtQueryValueKey (212, (212, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (212, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01546 1744 NtQueryValueKey (212, (212, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01547 1744 NtQueryValueKey (212, (212, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01548 1744 NtQueryValueKey (212, (212, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "Enabled", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01549 1744 NtQueryValueKey (212, (212, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01550 1744 NtQueryValueKey (212, (212, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01551 1744 NtClose (212, ... ) == 0x0 01552 1744 NtOpenKey (0x20019, {24, 208, 0x40, 0, 0, (0x20019, {24, 208, 0x40, 0, 0, "000000000002"}, ... 212, ) }, ... 212, ) == 0x0 01553 1744 NtQueryValueKey (212, (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01554 1744 NtQueryValueKey (212, (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01555 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01556 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01557 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01558 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01559 1744 NtQueryValueKey (212, (212, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (212, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01560 1744 NtQueryValueKey (212, (212, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01561 1744 NtQueryValueKey (212, (212, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01562 1744 NtQueryValueKey (212, (212, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01563 1744 NtQueryValueKey (212, (212, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01564 1744 NtQueryValueKey (212, (212, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01565 1744 NtClose (212, ... ) == 0x0 01566 1744 NtOpenKey (0x20019, {24, 208, 0x40, 0, 0, (0x20019, {24, 208, 0x40, 0, 0, "000000000003"}, ... 212, ) }, ... 212, ) == 0x0 01567 1744 NtQueryValueKey (212, (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01568 1744 NtQueryValueKey (212, (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01569 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01570 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01571 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01572 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01573 1744 NtQueryValueKey (212, (212, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (212, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01574 1744 NtQueryValueKey (212, (212, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01575 1744 NtQueryValueKey (212, (212, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01576 1744 NtQueryValueKey (212, (212, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01577 1744 NtQueryValueKey (212, (212, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01578 1744 NtQueryValueKey (212, (212, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01579 1744 NtClose (212, ... ) == 0x0 01580 1744 NtOpenKey (0x20019, {24, 208, 0x40, 0, 0, (0x20019, {24, 208, 0x40, 0, 0, "000000000004"}, ... 212, ) }, ... 212, ) == 0x0 01581 1744 NtQueryValueKey (212, (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01582 1744 NtQueryValueKey (212, (212, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01583 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01584 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01585 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01586 1744 NtQueryValueKey (212, (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 01587 1744 NtQueryValueKey (212, (212, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (212, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 01588 1744 NtQueryValueKey (212, (212, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01589 1744 NtQueryValueKey (212, (212, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01590 1744 NtQueryValueKey (212, (212, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01591 1744 NtQueryValueKey (212, (212, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01592 1744 NtQueryValueKey (212, (212, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01593 1744 NtClose (212, ... ) == 0x0 01594 1744 NtClose (208, ... ) == 0x0 01595 1744 NtWaitForSingleObject (200, 0, {0, 0}, ... ) == 0x102 01596 1744 NtClose (188, ... ) == 0x0 01597 1744 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01598 1744 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01599 1744 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 188, ) }, ... 188, ) == 0x0 01600 1744 NtQueryValueKey (188, (188, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01601 1744 NtClose (188, ... ) == 0x0 01602 1744 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01603 1744 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 188, ) == 0x0 01604 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1241400, ... ) }, 1241400, ... ) == 0x0 01605 1744 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 208, {status=0x0, info=1}, ) }, 7, 2113568, ... 208, {status=0x0, info=1}, ) == 0x0 01606 1744 NtSetInformationFile (208, 1241376, 40, Basic, ... ) == STATUS_ACCESS_DENIED 01607 1744 NtClose (208, ... ) == 0x0 01608 1744 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241648, (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 208, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 208, {status=0x0, info=1}, ) == 0x0 01609 1744 NtQueryInformationFile (208, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01610 1744 NtQueryInformationFile (208, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01611 1744 NtQueryInformationFile (208, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01612 1744 NtAllocateVirtualMemory (-1, 1376256, 0, 8192, 4096, 4, ... 
1376256, 8192, ) == 0x0 01613 1744 NtQueryInformationFile (208, 1373096, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01614 1744 NtQueryInformationFile (208, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01615 1744 NtQueryInformationFile (208, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01616 1744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SKYNETAVE.EXE"}, 1239736, ... ) }, 1239736, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01617 1744 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240416, (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\skynetave.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01618 1744 NtClose (-2147482576, ... ) == 0x0 01617 1744 NtCreateFile ... 212, {status=0x0, info=2}, ) == 0x0 01619 1744 NtQueryVolumeInformationFile (212, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01620 1744 NtQueryInformationFile (212, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01621 1744 NtQueryVolumeInformationFile (208, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01622 1744 NtSetInformationFile (212, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01623 1744 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 208, ... 216, ) == 0x0 01624 1744 NtMapViewOfSection (216, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x360000), {0, 0}, 28672, ) == 0x0 01625 1744 NtClose (216, ... 
) == 0x0 01626 1744 NtWriteFile (212, 0, 0, 0, (212, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\330\7\312\202\234f\244\321\234f\244\321\234f\244\321\37n\371\321\236f\244\321\234f\244\321\237f\244\321ty\256\321\206f\244\321\37z\252\321\227f\244\321\234f\245\321\320f\244\321\376y\267\321\225f\244\321ty\257\321\230f\244\321$`\242\321\235f\244\321Rich\234f\244\321\0\0\0\0\0\0\0\0PE\0\0L\1\2\0w\13\225@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0$\0\0\0\0\0\0\0\232\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\02\0\0\0\4\0\02CEP", 26112, 0x0, 0, ... {status=0x0, info=26112}, ) , 26112, 0x0, 0, ... {status=0x0, info=26112}, ) == 0x0 01627 1744 NtUnmapViewOfSection (-1, 0x360000, ... ) == 0x0 01628 1744 NtSetInformationFile (212, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01629 1744 NtClose (208, ... ) == 0x0 01630 1744 NtClose (212, ... ) == 0x0 01631 1744 NtOpenKey (0x2000000, {24, 36, 0x40, 0, 0, (0x2000000, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 212, ) }, ... 212, ) == 0x0 01632 1744 NtSetValueKey (212, (212, "skynetave.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0k\0y\0n\0e\0t\0a\0v\0e\0.\0e\0x\0e\0\0\0", 50, ... , 0, 1, (212, "skynetave.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0k\0y\0n\0e\0t\0a\0v\0e\0.\0e\0x\0e\0\0\0", 50, ... , 50, ... 
01633 1744 NtSetInformationFile (-2147482448, -138397904, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01634 1744 NtSetInformationFile (-2147482448, -138397996, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01635 1744 NtSetInformationFile (-2147482448, -138398304, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01632 1744 NtSetValueKey ... ) == 0x0 01636 1744 NtClose (212, ... ) == 0x0 01637 1744 NtCreateMutant (0x1f0001, {24, 16, 0x80, 0, 0, (0x1f0001, {24, 16, 0x80, 0, 0, "SkynetSasserVersionWithPingFast"}, 0, ... 212, ) }, 0, ... 212, ) == 0x0 01638 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 12648448, 1048576, ) == 0x0 01639 1744 NtAllocateVirtualMemory (-1, 13688832, 0, 8192, 4096, 4, ... 13688832, 8192, ) == 0x0 01640 1744 NtProtectVirtualMemory (-1, (0xd0e000), 4096, 260, ... (0xd0e000), 4096, 4, ) == 0x0 01641 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 208, {1736, 752}, ) == 0x0 01642 1744 NtQueryInformationThread (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1736,Tid=752,}, 0x0, ) == 0x0 01643 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\310\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1736, 1744, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\310\6\0\0\360\2\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75542, 0} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\310\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1736, 1744, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\310\6\0\0\360\2\0\0" ) ) == 0x0 01644 1744 NtResumeThread (208, ... 1, ) == 0x0 01645 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13697024, 1048576, ) == 0x0 01646 1744 NtAllocateVirtualMemory (-1, 14737408, 0, 8192, 4096, 4, ... 01647 752 NtTestAlert (... 
) == 0x0 01648 752 NtContinue (13696304, 1, ... 01649 752 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01650 752 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 216, ) == 0x0 01651 752 NtWaitForSingleObject (192, 0, {0, 0}, ... ) == 0x102 01652 752 NtAllocateVirtualMemory (-1, 13684736, 0, 4096, 4096, 260, ... 01646 1744 NtAllocateVirtualMemory ... 14737408, 8192, ) == 0x0 01653 1744 NtProtectVirtualMemory (-1, (0xe0e000), 4096, 260, ... 01652 752 NtAllocateVirtualMemory ... 13684736, 4096, ) == 0x0 01653 1744 NtProtectVirtualMemory ... (0xe0e000), 4096, 4, ) == 0x0 01654 752 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13693428, ... }, 13693428, ... 01655 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01654 752 NtQueryAttributesFile ... ) == 0x0 01655 1744 NtCreateThread ... 220, {1736, 380}, ) == 0x0 01656 752 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... }, 5, 96, ... 01657 1744 NtQueryInformationThread (220, Basic, 28, ... 01656 752 NtOpenFile ... 224, {status=0x0, info=1}, ) == 0x0 01658 752 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 224, ... 228, ) == 0x0 01659 752 NtClose (224, ... ) == 0x0 01660 752 NtMapViewOfSection (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe10000), 0x0, 245760, ) == 0x0 01661 752 NtClose (228, ... 01657 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1736,Tid=380,}, 0x0, ) == 0x0 01662 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75542, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\310\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\310\6\0\0|\1\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75543, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\310\6\0\0|\1\0\0" ... 
{28, 56, reply, 0, 1736, 1744, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\310\6\0\0|\1\0\0" ) ) == 0x0 01663 1744 NtResumeThread (220, ... 1, ) == 0x0 01664 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15007744, 1048576, ) == 0x0 01665 1744 NtAllocateVirtualMemory (-1, 16048128, 0, 8192, 4096, 4, ... 16048128, 8192, ) == 0x0 01666 1744 NtProtectVirtualMemory (-1, (0xf4e000), 4096, 260, ... (0xf4e000), 4096, 4, ) == 0x0 01661 752 NtClose ... ) == 0x0 01667 380 NtWaitForSingleObject (128, 0, 0x0, ... 01668 752 NtUnmapViewOfSection (-1, 0xe10000, ... ) == 0x0 01669 752 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13693736, ... ) }, 13693736, ... ) == 0x0 01670 752 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 228, {status=0x0, info=1}, ) }, 5, 96, ... 228, {status=0x0, info=1}, ) == 0x0 01671 752 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 228, ... 224, ) == 0x0 01672 752 NtQuerySection (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01673 752 NtClose (228, ... 01674 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1736, 312}, ) == 0x0 01675 1744 NtQueryInformationThread (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1736,Tid=312,}, 0x0, ) == 0x0 01676 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75543, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\310\6\0\08\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\310\6\0\08\1\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75544, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\310\6\0\08\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\310\6\0\08\1\0\0" ) ) == 0x0 01677 1744 NtResumeThread (232, ... 
1, ) == 0x0 01678 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 16056320, 1048576, ) == 0x0 01679 1744 NtAllocateVirtualMemory (-1, 17096704, 0, 8192, 4096, 4, ... 01673 752 NtClose ... ) == 0x0 01680 312 NtWaitForSingleObject (128, 0, 0x0, ... 01681 752 NtMapViewOfSection (224, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0 01682 752 NtClose (224, ... ) == 0x0 01683 752 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 01684 752 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 01685 752 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 01686 752 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... 01679 1744 NtAllocateVirtualMemory ... 17096704, 8192, ) == 0x0 01687 1744 NtProtectVirtualMemory (-1, (0x104e000), 4096, 260, ... (0x104e000), 4096, 4, ) == 0x0 01688 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {1736, 1404}, ) == 0x0 01689 1744 NtQueryInformationThread (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1736,Tid=1404,}, 0x0, ) == 0x0 01690 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75544, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\310\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\310\6\0\0|\5\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75545, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\310\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\310\6\0\0|\5\0\0" ) ) == 0x0 01691 1744 NtResumeThread (224, ... 1, ) == 0x0 01686 752 NtProtectVirtualMemory ... (0x71a51000), 4096, 32, ) == 0x0 01692 1404 NtWaitForSingleObject (128, 0, 0x0, ... 01693 752 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 
(0x71a51000), 4096, 4, ) == 0x0 01694 752 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 01695 752 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 01696 752 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 01697 752 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 01698 752 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... }, ... 01699 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17104896, 1048576, ) == 0x0 01700 1744 NtAllocateVirtualMemory (-1, 18145280, 0, 8192, 4096, 4, ... 18145280, 8192, ) == 0x0 01701 1744 NtProtectVirtualMemory (-1, (0x114e000), 4096, 260, ... (0x114e000), 4096, 4, ) == 0x0 01702 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1736, 476}, ) == 0x0 01703 1744 NtQueryInformationThread (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1736,Tid=476,}, 0x0, ) == 0x0 01704 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75545, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\310\6\0\0\334\1\0\0" ... ... 01698 752 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01705 752 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01706 752 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01707 752 NtSetEventBoostPriority (128, ... 01704 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75546, 0} ... 
{28, 56, reply, 0, 1736, 1744, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\310\6\0\0\334\1\0\0" ) ) == 0x0 01708 1744 NtResumeThread (228, ... 1, ) == 0x0 01709 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 18153472, 1048576, ) == 0x0 01710 1744 NtAllocateVirtualMemory (-1, 19193856, 0, 8192, 4096, 4, ... 19193856, 8192, ) == 0x0 01711 1744 NtProtectVirtualMemory (-1, (0x124e000), 4096, 260, ... (0x124e000), 4096, 4, ) == 0x0 01712 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1736, 1964}, ) == 0x0 01713 1744 NtQueryInformationThread (236, Basic, 28, ... 01667 380 NtWaitForSingleObject ... ) == 0x0 01707 752 NtSetEventBoostPriority ... ) == 0x0 01714 476 NtWaitForSingleObject (128, 0, 0x0, ... 01715 380 NtSetEventBoostPriority (128, ... 01716 752 NtWaitForSingleObject (128, 0, 0x0, ... 01680 312 NtWaitForSingleObject ... ) == 0x0 01715 380 NtSetEventBoostPriority ... ) == 0x0 01717 312 NtSetEventBoostPriority (128, ... 01713 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1736,Tid=1964,}, 0x0, ) == 0x0 01692 1404 NtWaitForSingleObject ... ) == 0x0 01717 312 NtSetEventBoostPriority ... ) == 0x0 01718 1404 NtSetEventBoostPriority (128, ... 01719 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75546, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\310\6\0\0\254\7\0\0" ... ... 01720 380 NtTestAlert (... 01714 476 NtWaitForSingleObject ... ) == 0x0 01718 1404 NtSetEventBoostPriority ... ) == 0x0 01719 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75547, 0} ... {28, 56, reply, 0, 1736, 1744, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\310\6\0\0\254\7\0\0" ) ) == 0x0 01721 476 NtSetEventBoostPriority (128, ... 01720 380 NtTestAlert ... ) == 0x0 01722 312 NtTestAlert (... 01716 752 NtWaitForSingleObject ... ) == 0x0 01721 476 NtSetEventBoostPriority ... ) == 0x0 01723 1744 NtResumeThread (236, ... 
01724 380 NtContinue (14744880, 1, ... 01725 752 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01722 312 NtTestAlert ... ) == 0x0 01726 1404 NtTestAlert (... 01723 1744 NtResumeThread ... 1, ) == 0x0 01725 752 NtCreateEvent ... 240, ) == 0x0 01727 380 NtRegisterThreadTerminatePort (24, ... 01728 312 NtContinue (16055600, 1, ... 01726 1404 NtTestAlert ... ) == 0x0 01729 476 NtTestAlert (... 01730 1964 NtTestAlert (... 01731 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01727 380 NtRegisterThreadTerminatePort ... ) == 0x0 01732 312 NtRegisterThreadTerminatePort (24, ... 01733 1404 NtContinue (17104176, 1, ... 01729 476 NtTestAlert ... ) == 0x0 01730 1964 NtTestAlert ... ) == 0x0 01731 1744 NtAllocateVirtualMemory ... 19202048, 1048576, ) == 0x0 01734 380 NtQueryValueKey (136, (136, "FromCacheTimeout", Partial, 144, ... , Partial, 144, ... 01732 312 NtRegisterThreadTerminatePort ... ) == 0x0 01735 1404 NtRegisterThreadTerminatePort (24, ... 01736 476 NtContinue (18152752, 1, ... 01737 1964 NtContinue (19201328, 1, ... 01738 1744 NtAllocateVirtualMemory (-1, 20242432, 0, 8192, 4096, 4, ... 01739 752 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ... 01740 312 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01735 1404 NtRegisterThreadTerminatePort ... ) == 0x0 01741 476 NtRegisterThreadTerminatePort (24, ... 01742 1964 NtRegisterThreadTerminatePort (24, ... 01738 1744 NtAllocateVirtualMemory ... 20242432, 8192, ) == 0x0 01739 752 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01734 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01743 1404 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01741 476 NtRegisterThreadTerminatePort ... ) == 0x0 01742 1964 NtRegisterThreadTerminatePort ... ) == 0x0 01744 1744 NtProtectVirtualMemory (-1, (0x134e000), 4096, 260, ... 01745 752 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 13693348, ... }, 13693348, ... 
01746 380 NtQueryValueKey (136, (136, "SecureProtocols", Partial, 144, ... , Partial, 144, ... 01740 312 NtCreateEvent ... 244, ) == 0x0 01747 476 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01743 1404 NtCreateEvent ... 248, ) == 0x0 01744 1744 NtProtectVirtualMemory ... (0x134e000), 4096, 4, ) == 0x0 01746 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) }, 16, ) == 0x0 01748 312 NtWaitForSingleObject (244, 0, 0x0, ... 01749 1964 NtWaitForSingleObject (244, 0, 0x0, ... 01750 1404 NtClose (248, ... 01747 476 NtCreateEvent ... 252, ) == 0x0 01751 380 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies"}, ... }, ... 01750 1404 NtClose ... ) == 0x0 01752 476 NtClose (252, ... 01751 380 NtOpenKey ... 248, ) == 0x0 01753 1404 NtWaitForSingleObject (244, 0, 0x0, ... 01752 476 NtClose ... ) == 0x0 01754 380 NtOpenKey (0x20019, {24, 140, 0x40, 0, 0, (0x20019, {24, 140, 0x40, 0, 0, "Software\Policies"}, ... }, ... 01755 476 NtWaitForSingleObject (244, 0, 0x0, ... 01756 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 252, {1736, 1624}, ) == 0x0 01757 1744 NtQueryInformationThread (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1736,Tid=1624,}, 0x0, ) == 0x0 01758 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75547, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\310\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\310\6\0\0X\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75548, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\310\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\310\6\0\0X\6\0\0" ) ) == 0x0 01759 1744 NtResumeThread (252, ... 1, ) == 0x0 01760 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
20250624, 1048576, ) == 0x0 01761 1744 NtAllocateVirtualMemory (-1, 21291008, 0, 8192, 4096, 4, ... 01754 380 NtOpenKey ... 256, ) == 0x0 01762 1624 NtWaitForSingleObject (128, 0, 0x0, ... 01763 380 NtOpenKey (0x20019, {24, 140, 0x40, 0, 0, (0x20019, {24, 140, 0x40, 0, 0, "Software"}, ... 260, ) }, ... 260, ) == 0x0 01764 380 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software"}, ... 264, ) }, ... 264, ) == 0x0 01765 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01766 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01767 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01768 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 01761 1744 NtAllocateVirtualMemory ... 21291008, 8192, ) == 0x0 01745 752 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01769 1744 NtProtectVirtualMemory (-1, (0x144e000), 4096, 260, ... 01770 752 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 13693348, ... }, 13693348, ... 01769 1744 NtProtectVirtualMemory ... (0x144e000), 4096, 4, ) == 0x0 01770 752 NtQueryAttributesFile ... ) == 0x0 01771 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01768 380 NtOpenKey ... 268, ) == 0x0 01771 1744 NtCreateThread ... 272, {1736, 1516}, ) == 0x0 01772 380 NtQueryValueKey (268, (268, "CertificateRevocation", Partial, 144, ... , Partial, 144, ... 01773 1744 NtQueryInformationThread (272, Basic, 28, ... 01772 380 NtQueryValueKey ... 
TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01774 752 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ... 01775 380 NtClose (268, ... 01774 752 NtOpenFile ... 276, {status=0x0, info=1}, ) == 0x0 01775 380 NtClose ... ) == 0x0 01776 752 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 276, ... 01777 380 NtQueryValueKey (136, (136, "DisableKeepAlive", Partial, 144, ... , Partial, 144, ... 01776 752 NtCreateSection ... 268, ) == 0x0 01773 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1736,Tid=1516,}, 0x0, ) == 0x0 01778 752 NtQuerySection (268, Image, 48, ... 01779 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75548, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\310\6\0\0\354\5\0\0" ... ... 01778 752 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01779 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75549, 0} ... {28, 56, reply, 0, 1736, 1744, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0\310\6\0\0\354\5\0\0" ) ) == 0x0 01777 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01780 1744 NtResumeThread (272, ... 01781 380 NtQueryValueKey (136, (136, "DisablePassport", Partial, 144, ... , Partial, 144, ... 01780 1744 NtResumeThread ... 1, ) == 0x0 01781 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01782 752 NtClose (276, ... 01783 1516 NtWaitForSingleObject (128, 0, 0x0, ... 01784 380 NtQueryValueKey (136, (136, "IdnEnabled", Partial, 144, ... , Partial, 144, ... 01782 752 NtClose ... ) == 0x0 01784 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01785 752 NtMapViewOfSection (268, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01786 380 NtQueryValueKey (136, (136, "CacheMode", Partial, 144, ... , Partial, 144, ... 01785 752 NtMapViewOfSection ... 
(0x662b0000), 0x0, 360448, ) == 0x0 01787 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01788 752 NtClose (268, ... 01787 1744 NtAllocateVirtualMemory ... 21299200, 1048576, ) == 0x0 01788 752 NtClose ... ) == 0x0 01789 1744 NtAllocateVirtualMemory (-1, 22339584, 0, 8192, 4096, 4, ... 01786 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01789 1744 NtAllocateVirtualMemory ... 22339584, 8192, ) == 0x0 01790 380 NtQueryValueKey (136, (136, "EnableHttp1_1", Partial, 144, ... , Partial, 144, ... 01791 1744 NtProtectVirtualMemory (-1, (0x154e000), 4096, 260, ... 01790 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01791 1744 NtProtectVirtualMemory ... (0x154e000), 4096, 4, ) == 0x0 01792 380 NtQueryValueKey (136, (136, "ProxyHttp1.1", Partial, 144, ... , Partial, 144, ... 01793 752 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01792 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01793 752 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01794 380 NtQueryValueKey (136, (136, "EnableNegotiate", Partial, 144, ... , Partial, 144, ... 01795 752 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01796 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01795 752 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01796 1744 NtCreateThread ... 268, {1736, 1664}, ) == 0x0 01797 752 NtFlushInstructionCache (-1, 1714098176, 932, ... 01798 1744 NtQueryInformationThread (268, Basic, 28, ... 01797 752 NtFlushInstructionCache ... ) == 0x0 01798 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1736,Tid=1664,}, 0x0, ) == 0x0 01794 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01799 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75549, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\310\6\0\0\200\6\0\0" ... ... 01800 380 NtQueryValueKey (136, (136, "DisableBasicOverClearChannel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01801 380 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01802 380 NtOpenKey (0x20019, {24, 140, 0x40, 0, 0, (0x20019, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01803 380 NtOpenKey (0x20019, {24, 140, 0x40, 0, 0, (0x20019, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01804 380 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 276, ) }, ... 276, ) == 0x0 01805 380 NtQueryValueKey (276, (276, "Feature_ClientAuthCertFilter", Partial, 144, ... , Partial, 144, ... 01806 752 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01799 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75550, 0} ... {28, 56, reply, 0, 1736, 1744, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\1\0\0\310\6\0\0\200\6\0\0" ) ) == 0x0 01806 752 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01807 1744 NtResumeThread (268, ... 01808 752 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01807 1744 NtResumeThread ... 1, ) == 0x0 01808 752 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01809 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01810 752 NtFlushInstructionCache (-1, 1714098176, 932, ... 01809 1744 NtAllocateVirtualMemory ... 
22347776, 1048576, ) == 0x0 01810 752 NtFlushInstructionCache ... ) == 0x0 01811 1744 NtAllocateVirtualMemory (-1, 23388160, 0, 8192, 4096, 4, ... 01805 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01812 1664 NtWaitForSingleObject (128, 0, 0x0, ... 01813 752 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01814 380 NtClose (276, ... 01813 752 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01814 380 NtClose ... ) == 0x0 01815 752 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 01816 380 NtWaitForSingleObject (128, 0, 0x0, ... 01815 752 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 01817 752 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01818 752 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 01819 752 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 01820 752 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01811 1744 NtAllocateVirtualMemory ... 23388160, 8192, ) == 0x0 01821 1744 NtProtectVirtualMemory (-1, (0x164e000), 4096, 260, ... (0x164e000), 4096, 4, ) == 0x0 01822 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 276, {1736, 1656}, ) == 0x0 01823 1744 NtQueryInformationThread (276, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1736,Tid=1656,}, 0x0, ) == 0x0 01824 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75550, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\310\6\0\0x\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\310\6\0\0x\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75551, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\310\6\0\0x\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\1\0\0\310\6\0\0x\6\0\0" ) ) == 0x0 01825 1744 NtResumeThread (276, ... 
1, ) == 0x0 01826 752 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 01827 1656 NtWaitForSingleObject (128, 0, 0x0, ... 01826 752 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 01828 752 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 01829 752 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 01830 752 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01831 752 NtSetEventBoostPriority (128, ... 01762 1624 NtWaitForSingleObject ... ) == 0x0 01832 1624 NtSetEventBoostPriority (128, ... 01783 1516 NtWaitForSingleObject ... ) == 0x0 01833 1516 NtSetEventBoostPriority (128, ... 01812 1664 NtWaitForSingleObject ... ) == 0x0 01834 1664 NtSetEventBoostPriority (128, ... 01816 380 NtWaitForSingleObject ... ) == 0x0 01835 380 NtAllocateVirtualMemory (-1, 14733312, 0, 4096, 4096, 260, ... 14733312, 4096, ) == 0x0 01834 1664 NtSetEventBoostPriority ... ) == 0x0 01833 1516 NtSetEventBoostPriority ... ) == 0x0 01832 1624 NtSetEventBoostPriority ... ) == 0x0 01831 752 NtSetEventBoostPriority ... ) == 0x0 01836 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01837 380 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... }, ... 01838 1664 NtTestAlert (... 01839 1516 NtTestAlert (... 01840 752 NtWaitForSingleObject (128, 0, 0x0, ... 01836 1744 NtAllocateVirtualMemory ... 23396352, 1048576, ) == 0x0 01837 380 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01838 1664 NtTestAlert ... ) == 0x0 01839 1516 NtTestAlert ... ) == 0x0 01841 1744 NtAllocateVirtualMemory (-1, 24436736, 0, 8192, 4096, 4, ... 01842 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 14741136, ... }, 14741136, ... 01843 1664 NtContinue (22347056, 1, ... 
01844 1516 NtContinue (21298480, 1, ... 01841 1744 NtAllocateVirtualMemory ... 24436736, 8192, ) == 0x0 01845 1664 NtRegisterThreadTerminatePort (24, ... 01846 1516 NtRegisterThreadTerminatePort (24, ... 01847 1744 NtProtectVirtualMemory (-1, (0x174e000), 4096, 260, ... 01845 1664 NtRegisterThreadTerminatePort ... ) == 0x0 01846 1516 NtRegisterThreadTerminatePort ... ) == 0x0 01847 1744 NtProtectVirtualMemory ... (0x174e000), 4096, 4, ) == 0x0 01848 1664 NtWaitForSingleObject (244, 0, 0x0, ... 01849 1516 NtWaitForSingleObject (244, 0, 0x0, ... 01850 1624 NtTestAlert (... 01851 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01850 1624 NtTestAlert ... ) == 0x0 01851 1744 NtCreateThread ... 280, {1736, 760}, ) == 0x0 01852 1624 NtContinue (20249904, 1, ... 01853 1744 NtQueryInformationThread (280, Basic, 28, ... 01854 1624 NtRegisterThreadTerminatePort (24, ... 01853 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1736,Tid=760,}, 0x0, ) == 0x0 01854 1624 NtRegisterThreadTerminatePort ... ) == 0x0 01855 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75551, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\1\0\0\310\6\0\0\370\2\0\0" ... ... 01856 1624 NtWaitForSingleObject (244, 0, 0x0, ... 01855 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75552, 0} ... {28, 56, reply, 0, 1736, 1744, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\1\0\0\310\6\0\0\370\2\0\0" ) ) == 0x0 01857 1744 NtResumeThread (280, ... 1, ) == 0x0 01858 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24444928, 1048576, ) == 0x0 01859 1744 NtAllocateVirtualMemory (-1, 25485312, 0, 8192, 4096, 4, ... 25485312, 8192, ) == 0x0 01860 1744 NtProtectVirtualMemory (-1, (0x184e000), 4096, 260, ... (0x184e000), 4096, 4, ) == 0x0 01861 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 284, {1736, 860}, ) == 0x0 01862 1744 NtQueryInformationThread (284, Basic, 28, ... 
01842 380 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01863 760 NtWaitForSingleObject (128, 0, 0x0, ... 01864 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 14741136, ... ) }, 14741136, ... ) == 0x0 01865 380 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 5, 96, ... 288, {status=0x0, info=1}, ) }, 5, 96, ... 288, {status=0x0, info=1}, ) == 0x0 01866 380 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 288, ... 292, ) == 0x0 01867 380 NtQuerySection (292, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01868 380 NtClose (288, ... ) == 0x0 01869 380 NtMapViewOfSection (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01862 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1736,Tid=860,}, 0x0, ) == 0x0 01870 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75552, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\310\6\0\0\\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\310\6\0\0\\3\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75553, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\310\6\0\0\\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\310\6\0\0\\3\0\0" ) ) == 0x0 01871 1744 NtResumeThread (284, ... 1, ) == 0x0 01872 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 25493504, 1048576, ) == 0x0 01873 1744 NtAllocateVirtualMemory (-1, 26533888, 0, 8192, 4096, 4, ... 26533888, 8192, ) == 0x0 01874 1744 NtProtectVirtualMemory (-1, (0x194e000), 4096, 260, ... (0x194e000), 4096, 4, ) == 0x0 01869 380 NtMapViewOfSection ... (0x77fe0000), 0x0, 69632, ) == 0x0 01875 860 NtWaitForSingleObject (128, 0, 0x0, ... 01876 380 NtClose (292, ... 
) == 0x0 01877 380 NtProtectVirtualMemory (-1, (0x77fe1000), 388, 4, ... (0x77fe1000), 4096, 32, ) == 0x0 01878 380 NtProtectVirtualMemory (-1, (0x77fe1000), 4096, 32, ... (0x77fe1000), 4096, 4, ) == 0x0 01879 380 NtFlushInstructionCache (-1, 2013138944, 388, ... ) == 0x0 01880 380 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01881 380 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 01882 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 292, {1736, 1580}, ) == 0x0 01883 1744 NtQueryInformationThread (292, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1736,Tid=1580,}, 0x0, ) == 0x0 01884 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75553, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\310\6\0\0,\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\310\6\0\0,\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75554, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\310\6\0\0,\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\1\0\0\310\6\0\0,\6\0\0" ) ) == 0x0 01885 1744 NtResumeThread (292, ... 1, ) == 0x0 01886 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 26542080, 1048576, ) == 0x0 01887 1744 NtAllocateVirtualMemory (-1, 27582464, 0, 8192, 4096, 4, ... 01881 380 NtCreateSemaphore ... 288, ) == 0x0 01888 1580 NtWaitForSingleObject (128, 0, 0x0, ... 01889 380 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 296, ) == 0x0 01890 380 NtSetEventBoostPriority (128, ... 01827 1656 NtWaitForSingleObject ... ) == 0x0 01891 1656 NtSetEventBoostPriority (128, ... 01840 752 NtWaitForSingleObject ... ) == 0x0 01892 752 NtSetEventBoostPriority (128, ... 
01863 760 NtWaitForSingleObject ... ) == 0x0 01893 760 NtSetEventBoostPriority (128, ... 01875 860 NtWaitForSingleObject ... ) == 0x0 01894 860 NtSetEventBoostPriority (128, ... 01888 1580 NtWaitForSingleObject ... ) == 0x0 01895 1580 NtTestAlert (... ) == 0x0 01894 860 NtSetEventBoostPriority ... ) == 0x0 01893 760 NtSetEventBoostPriority ... ) == 0x0 01892 752 NtSetEventBoostPriority ... ) == 0x0 01891 1656 NtSetEventBoostPriority ... ) == 0x0 01890 380 NtSetEventBoostPriority ... ) == 0x0 01887 1744 NtAllocateVirtualMemory ... 27582464, 8192, ) == 0x0 01896 1580 NtContinue (26541360, 1, ... 01897 860 NtTestAlert (... 01898 760 NtTestAlert (... 01899 752 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01900 1744 NtProtectVirtualMemory (-1, (0x1a4e000), 4096, 260, ... 01901 1580 NtRegisterThreadTerminatePort (24, ... 01897 860 NtTestAlert ... ) == 0x0 01898 760 NtTestAlert ... ) == 0x0 01899 752 NtCreateEvent ... 300, ) == 0x0 01900 1744 NtProtectVirtualMemory ... (0x1a4e000), 4096, 4, ) == 0x0 01901 1580 NtRegisterThreadTerminatePort ... ) == 0x0 01902 860 NtContinue (25492784, 1, ... 01903 760 NtContinue (24444208, 1, ... 01904 752 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01905 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01906 1580 NtWaitForSingleObject (244, 0, 0x0, ... 01907 860 NtRegisterThreadTerminatePort (24, ... 01908 760 NtRegisterThreadTerminatePort (24, ... 01904 752 NtDuplicateObject ... 304, ) == 0x0 01905 1744 NtCreateThread ... 308, {1736, 1304}, ) == 0x0 01907 860 NtRegisterThreadTerminatePort ... ) == 0x0 01908 760 NtRegisterThreadTerminatePort ... ) == 0x0 01909 752 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ... 01910 1744 NtQueryInformationThread (308, Basic, 28, ... 01911 860 NtWaitForSingleObject (244, 0, 0x0, ... 01912 760 NtWaitForSingleObject (244, 0, 0x0, ... 01909 752 NtOpenKey ... 312, ) == 0x0 01913 1656 NtTestAlert (... 
01914 380 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... }, ... 01910 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1736,Tid=1304,}, 0x0, ) == 0x0 01913 1656 NtTestAlert ... ) == 0x0 01914 380 NtOpenEvent ... 316, ) == 0x0 01915 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75554, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\310\6\0\0\30\5\0\0" ... ... 01916 1656 NtContinue (23395632, 1, ... 01917 380 NtQueryEvent (316, Basic, 8, ... 01915 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75555, 0} ... {28, 56, reply, 0, 1736, 1744, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\310\6\0\0\30\5\0\0" ) ) == 0x0 01918 1656 NtRegisterThreadTerminatePort (24, ... 01917 380 NtQueryEvent ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 01919 1744 NtResumeThread (308, ... 01918 1656 NtRegisterThreadTerminatePort ... ) == 0x0 01920 380 NtClose (316, ... 01919 1744 NtResumeThread ... 1, ) == 0x0 01921 1656 NtWaitForSingleObject (244, 0, 0x0, ... 01920 380 NtClose ... ) == 0x0 01922 752 NtQueryValueKey (312, (312, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ... 01923 1304 NtTestAlert (... 01924 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01922 752 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01923 1304 NtTestAlert ... ) == 0x0 01924 1744 NtAllocateVirtualMemory ... 27590656, 1048576, ) == 0x0 01925 752 NtClose (312, ... 01926 1304 NtContinue (27589936, 1, ... 01927 1744 NtAllocateVirtualMemory (-1, 28631040, 0, 8192, 4096, 4, ... 01925 752 NtClose ... ) == 0x0 01928 1304 NtRegisterThreadTerminatePort (24, ... 01927 1744 NtAllocateVirtualMemory ... 28631040, 8192, ) == 0x0 01929 752 NtOpenThreadToken (-2, 0xc, 1, ... 01928 1304 NtRegisterThreadTerminatePort ... ) == 0x0 01930 1744 NtProtectVirtualMemory (-1, (0x1b4e000), 4096, 260, ... 01929 752 NtOpenThreadToken ... 
) == STATUS_NO_TOKEN 01931 380 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 14742708, 140, ... , {12, 2, 1, 0}, 0x0, 0x0, 14742708, 140, ... 01930 1744 NtProtectVirtualMemory ... (0x1b4e000), 4096, 4, ) == 0x0 01932 1304 NtWaitForSingleObject (244, 0, 0x0, ... 01931 380 NtConnectPort ... 312, 0x0, 0x0, 256, 140, ) == 0x0 01933 752 NtOpenThreadToken (-2, 0x20008, 1, ... 01934 380 NtRequestWaitReplyPort (312, {28, 52, new_msg, 0, 0, 0, 0, 0} (312, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\220\36\24\0" ... ... 01933 752 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01934 380 NtRequestWaitReplyPort ... {188, 212, reply, 0, 1736, 380, 75557, 0} ... {188, 212, reply, 0, 1736, 380, 75557, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" ) ) == 0x0 01935 752 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 13693040, ... }, 13693040, ... 01936 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01935 752 NtQueryAttributesFile ... ) == 0x0 01936 1744 NtCreateThread ... 316, {1736, 1956}, ) == 0x0 01937 752 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 01938 1744 NtQueryInformationThread (316, Basic, 28, ... 01937 752 NtOpenKey ... 320, ) == 0x0 01938 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1736,Tid=1956,}, 0x0, ) == 0x0 01939 380 NtQueryValueKey (136, (136, "SyncMode5", Partial, 144, ... , Partial, 144, ... 
01940 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75555, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\310\6\0\0\244\7\0\0" ... ... 01939 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01941 380 NtOpenKey (0x9, {24, 36, 0x40, 0, 0, (0x9, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 324, ) }, ... 324, ) == 0x0 01942 380 NtQueryValueKey (324, (324, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01943 380 NtClose (324, ... ) == 0x0 01944 380 NtOpenKey (0xf, {24, 36, 0x40, 0, 0, (0xf, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 324, ) }, ... 324, ) == 0x0 01945 380 NtOpenKey (0xf, {24, 140, 0x40, 0, 0, (0xf, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 328, ) }, ... 328, ) == 0x0 01946 752 NtQueryValueKey (320, (320, "Transports", Partial, 144, ... , Partial, 144, ... 01940 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75558, 0} ... {28, 56, reply, 0, 1736, 1744, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\310\6\0\0\244\7\0\0" ) ) == 0x0 01946 752 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01947 1744 NtResumeThread (316, ... 01948 752 NtQueryValueKey (320, (320, "Transports", Partial, 144, ... , Partial, 144, ... 01947 1744 NtResumeThread ... 1, ) == 0x0 01948 752 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01949 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01950 752 NtClose (320, ... 01949 1744 NtAllocateVirtualMemory ... 28639232, 1048576, ) == 0x0 01950 752 NtClose ... 
) == 0x0 01951 1744 NtAllocateVirtualMemory (-1, 29679616, 0, 8192, 4096, 4, ... 01952 380 NtOpenKey (0x9, {24, 140, 0x40, 0, 0, (0x9, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ... 01953 1956 NtTestAlert (... 01954 752 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01952 380 NtOpenKey ... 320, ) == 0x0 01953 1956 NtTestAlert ... ) == 0x0 01954 752 NtOpenKey ... 332, ) == 0x0 01955 380 NtQueryValueKey (320, (320, "Signature", Partial, 144, ... , Partial, 144, ... 01956 1956 NtContinue (28638512, 1, ... 01957 752 NtQueryValueKey (332, (332, "Mapping", Partial, 144, ... , Partial, 144, ... 01955 380 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01958 1956 NtRegisterThreadTerminatePort (24, ... 01957 752 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01959 380 NtQueryValueKey (320, (320, "Signature", Partial, 144, ... , Partial, 144, ... 01958 1956 NtRegisterThreadTerminatePort ... ) == 0x0 01960 752 NtQueryValueKey (332, (332, "Mapping", Partial, 144, ... , Partial, 144, ... 01959 380 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01951 1744 NtAllocateVirtualMemory ... 29679616, 8192, ) == 0x0 01960 752 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01961 1956 NtWaitForSingleObject (244, 0, 0x0, ... 01962 1744 NtProtectVirtualMemory (-1, (0x1c4e000), 4096, 260, ... 01963 380 NtClose (320, ... 01962 1744 NtProtectVirtualMemory ... (0x1c4e000), 4096, 4, ) == 0x0 01963 380 NtClose ... ) == 0x0 01964 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
01965 380 NtOpenKey (0xf, {24, 328, 0x40, 0, 0, (0xf, {24, 328, 0x40, 0, 0, "Content"}, ... }, ... 01964 1744 NtCreateThread ... 320, {1736, 1980}, ) == 0x0 01965 380 NtOpenKey ... 336, ) == 0x0 01966 1744 NtQueryInformationThread (320, Basic, 28, ... 01967 380 NtQueryValueKey (336, (336, "PerUserItem", Partial, 144, ... , Partial, 144, ... 01968 752 NtQueryValueKey (332, (332, "Mapping", Partial, 152, ... , Partial, 152, ... 01967 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01968 752 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01966 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1736,Tid=1980,}, 0x0, ) == 0x0 01969 752 NtClose (332, ... 01970 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75558, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0\310\6\0\0\274\7\0\0" ... ... 01969 752 NtClose ... ) == 0x0 01970 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75559, 0} ... {28, 56, reply, 0, 1736, 1744, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\1\0\0\310\6\0\0\274\7\0\0" ) ) == 0x0 01971 752 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01972 1744 NtResumeThread (320, ... 01971 752 NtOpenKey ... 332, ) == 0x0 01972 1744 NtResumeThread ... 1, ) == 0x0 01973 380 NtOpenKey (0xf, {24, 324, 0x40, 0, 0, (0xf, {24, 324, 0x40, 0, 0, "Content"}, ... }, ... 01974 752 NtQueryValueKey (332, (332, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 01975 1980 NtTestAlert (... 01973 380 NtOpenKey ... 
340, ) == 0x0 01974 752 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01975 1980 NtTestAlert ... ) == 0x0 01976 380 NtQueryValueKey (340, (340, "PerUserItem", Partial, 144, ... , Partial, 144, ... 01977 752 NtQueryValueKey (332, (332, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 01978 1980 NtContinue (29687088, 1, ... 01976 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01977 752 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01979 1980 NtRegisterThreadTerminatePort (24, ... 01980 380 NtClose (340, ... 01981 752 NtQueryValueKey (332, (332, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 01979 1980 NtRegisterThreadTerminatePort ... ) == 0x0 01980 380 NtClose ... ) == 0x0 01981 752 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01982 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01983 1980 NtWaitForSingleObject (244, 0, 0x0, ... 01984 380 NtClose (336, ... 01982 1744 NtAllocateVirtualMemory ... 29687808, 1048576, ) == 0x0 01984 380 NtClose ... ) == 0x0 01985 1744 NtAllocateVirtualMemory (-1, 30728192, 0, 8192, 4096, 4, ... 01986 380 NtOpenKey (0xf, {24, 328, 0x40, 0, 0, (0xf, {24, 328, 0x40, 0, 0, "Content"}, ... }, ... 01985 1744 NtAllocateVirtualMemory ... 30728192, 8192, ) == 0x0 01986 380 NtOpenKey ... 336, ) == 0x0 01987 1744 NtProtectVirtualMemory (-1, (0x1d4e000), 4096, 260, ... 01988 380 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... }, ... 01987 1744 NtProtectVirtualMemory ... (0x1d4e000), 4096, 4, ) == 0x0 01988 380 NtOpenSection ... 340, ) == 0x0 01989 752 NtQueryValueKey (332, (332, "HelperDllName", Partial, 144, ... , Partial, 144, ... 01990 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
01989 752 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01990 1744 NtCreateThread ... 344, {1736, 1784}, ) == 0x0 01991 752 NtWaitForSingleObject (128, 0, 0x0, ... 01992 1744 NtQueryInformationThread (344, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1736,Tid=1784,}, 0x0, ) == 0x0 01993 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75559, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\310\6\0\0\370\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\310\6\0\0\370\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75560, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\310\6\0\0\370\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0\310\6\0\0\370\6\0\0" ) ) == 0x0 01994 1744 NtResumeThread (344, ... 1, ) == 0x0 01995 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 30736384, 1048576, ) == 0x0 01996 1744 NtAllocateVirtualMemory (-1, 31776768, 0, 8192, 4096, 4, ... 01997 380 NtMapViewOfSection (340, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01998 1784 NtWaitForSingleObject (128, 0, 0x0, ... 01997 380 NtMapViewOfSection ... (0x7c9c0000), 0x0, 8482816, ) == 0x0 01999 380 NtClose (340, ... ) == 0x0 02000 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 02001 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 02002 380 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 02003 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 01996 1744 NtAllocateVirtualMemory ... 31776768, 8192, ) == 0x0 02004 1744 NtProtectVirtualMemory (-1, (0x1e4e000), 4096, 260, ... 
(0x1e4e000), 4096, 4, ) == 0x0 02005 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 340, {1736, 1480}, ) == 0x0 02006 1744 NtQueryInformationThread (340, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1736,Tid=1480,}, 0x0, ) == 0x0 02007 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75560, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\310\6\0\0\310\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\310\6\0\0\310\5\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75561, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\310\6\0\0\310\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\310\6\0\0\310\5\0\0" ) ) == 0x0 02008 1744 NtResumeThread (340, ... 1, ) == 0x0 02009 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... 02010 1480 NtWaitForSingleObject (128, 0, 0x0, ... 02009 380 NtProtectVirtualMemory ... (0x7c9c1000), 8192, 4, ) == 0x0 02011 380 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 02012 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 02013 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 02014 380 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 02015 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 02016 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 31784960, 1048576, ) == 0x0 02017 1744 NtAllocateVirtualMemory (-1, 32825344, 0, 8192, 4096, 4, ... 32825344, 8192, ) == 0x0 02018 1744 NtProtectVirtualMemory (-1, (0x1f4e000), 4096, 260, ... (0x1f4e000), 4096, 4, ) == 0x0 02019 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 348, {1736, 1556}, ) == 0x0 02020 1744 NtQueryInformationThread (348, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1736,Tid=1556,}, 0x0, ) == 0x0 02021 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75561, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\310\6\0\0\24\6\0\0" ... ... 02022 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 02023 380 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 02024 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 02021 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75562, 0} ... {28, 56, reply, 0, 1736, 1744, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\310\6\0\0\24\6\0\0" ) ) == 0x0 02025 1744 NtResumeThread (348, ... 1, ) == 0x0 02026 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 32833536, 1048576, ) == 0x0 02027 1744 NtAllocateVirtualMemory (-1, 33873920, 0, 8192, 4096, 4, ... 33873920, 8192, ) == 0x0 02028 1744 NtProtectVirtualMemory (-1, (0x204e000), 4096, 260, ... (0x204e000), 4096, 4, ) == 0x0 02029 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 352, {1736, 1068}, ) == 0x0 02030 1744 NtQueryInformationThread (352, Basic, 28, ... 02031 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... 02032 1556 NtWaitForSingleObject (128, 0, 0x0, ... 02031 380 NtProtectVirtualMemory ... (0x7c9c1000), 8192, 4, ) == 0x0 02033 380 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 02034 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 02035 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 02036 380 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 02037 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 02030 1744 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1736,Tid=1068,}, 0x0, ) == 0x0 02038 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75562, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\310\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\310\6\0\0,\4\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75563, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\310\6\0\0,\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\1\0\0\310\6\0\0,\4\0\0" ) ) == 0x0 02039 1744 NtResumeThread (352, ... 1, ) == 0x0 02040 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 33882112, 1048576, ) == 0x0 02041 1744 NtAllocateVirtualMemory (-1, 34922496, 0, 8192, 4096, 4, ... 34922496, 8192, ) == 0x0 02042 1744 NtProtectVirtualMemory (-1, (0x214e000), 4096, 260, ... (0x214e000), 4096, 4, ) == 0x0 02043 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... 02044 1068 NtWaitForSingleObject (128, 0, 0x0, ... 02043 380 NtProtectVirtualMemory ... (0x7c9c1000), 8192, 4, ) == 0x0 02045 380 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 02046 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0 02047 380 NtProtectVirtualMemory (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0 02048 380 NtFlushInstructionCache (-1, 2090602496, 4476, ... ) == 0x0 02049 380 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02050 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 356, {1736, 1572}, ) == 0x0 02051 1744 NtQueryInformationThread (356, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1736,Tid=1572,}, 0x0, ) == 0x0 02052 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75563, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\310\6\0\0$\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\310\6\0\0$\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75564, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\310\6\0\0$\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\310\6\0\0$\6\0\0" ) ) == 0x0 02053 1744 NtResumeThread (356, ... 1, ) == 0x0 02054 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 34930688, 1048576, ) == 0x0 02055 1744 NtAllocateVirtualMemory (-1, 35971072, 0, 8192, 4096, 4, ... 02056 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... }, ... 02057 1572 NtWaitForSingleObject (128, 0, 0x0, ... 02056 380 NtOpenKey ... 360, ) == 0x0 02058 380 NtQueryValueKey (360, (360, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (360, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02059 380 NtAllocateVirtualMemory (-1, 14729216, 0, 4096, 4096, 260, ... 14729216, 4096, ) == 0x0 02060 380 NtClose (360, ... ) == 0x0 02061 380 NtQueryDefaultUILanguage (14737732, ... 02062 380 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02063 380 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 02055 1744 NtAllocateVirtualMemory ... 35971072, 8192, ) == 0x0 02064 1744 NtProtectVirtualMemory (-1, (0x224e000), 4096, 260, ... (0x224e000), 4096, 4, ) == 0x0 02065 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 360, {1736, 1604}, ) == 0x0 02066 1744 NtQueryInformationThread (360, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1736,Tid=1604,}, 0x0, ) == 0x0 02067 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75564, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\310\6\0\0D\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\310\6\0\0D\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75565, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\310\6\0\0D\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\310\6\0\0D\6\0\0" ) ) == 0x0 02068 1744 NtResumeThread (360, ... 1, ) == 0x0 02063 380 NtOpenProcessTokenEx ... -2147482576, ) == 0x0 02069 1604 NtWaitForSingleObject (128, 0, 0x0, ... 02070 380 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02071 380 NtClose (-2147482576, ... ) == 0x0 02072 380 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 02073 380 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02074 380 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0 02075 380 NtQueryValueKey (-2147481400, (-2147481400, "MultiUILanguageId", Partial, 256, ... , Partial, 256, ... 02076 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 35979264, 1048576, ) == 0x0 02077 1744 NtAllocateVirtualMemory (-1, 37019648, 0, 8192, 4096, 4, ... 37019648, 8192, ) == 0x0 02078 1744 NtProtectVirtualMemory (-1, (0x234e000), 4096, 260, ... (0x234e000), 4096, 4, ) == 0x0 02079 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
364, {1736, 1240}, ) == 0x0 02080 1744 NtQueryInformationThread (364, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1736,Tid=1240,}, 0x0, ) == 0x0 02081 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75565, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\310\6\0\0\330\4\0\0" ... ... 02075 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02082 380 NtClose (-2147481400, ... ) == 0x0 02083 380 NtClose (-2147482576, ... ) == 0x0 02061 380 NtQueryDefaultUILanguage ... ) == 0x0 02081 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75566, 0} ... {28, 56, reply, 0, 1736, 1744, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\310\6\0\0\330\4\0\0" ) ) == 0x0 02084 1744 NtResumeThread (364, ... 1, ) == 0x0 02085 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 37027840, 1048576, ) == 0x0 02086 1744 NtAllocateVirtualMemory (-1, 38068224, 0, 8192, 4096, 4, ... 38068224, 8192, ) == 0x0 02087 1744 NtProtectVirtualMemory (-1, (0x244e000), 4096, 260, ... (0x244e000), 4096, 4, ) == 0x0 02088 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 368, {1736, 1272}, ) == 0x0 02089 1744 NtQueryInformationThread (368, Basic, 28, ... 02090 380 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... }, 1, 96, ... 02091 1240 NtWaitForSingleObject (128, 0, 0x0, ... 02090 380 NtOpenFile ... 372, {status=0x0, info=1}, ) == 0x0 02092 380 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 372, ... 376, ) == 0x0 02093 380 NtMapViewOfSection (376, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2450000), 0x0, 8462336, ) == 0x0 02094 380 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02095 380 NtAllocateVirtualMemory (-1, 14725120, 0, 4096, 4096, 260, ... 
14725120, 4096, ) == 0x0 02096 380 NtQueryDefaultLocale (1, 14735828, ... ) == 0x0 02089 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1736,Tid=1272,}, 0x0, ) == 0x0 02097 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75566, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\310\6\0\0\370\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\310\6\0\0\370\4\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75567, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\310\6\0\0\370\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\310\6\0\0\370\4\0\0" ) ) == 0x0 02098 1744 NtResumeThread (368, ... 1, ) == 0x0 02099 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 46596096, 1048576, ) == 0x0 02100 1744 NtAllocateVirtualMemory (-1, 47636480, 0, 8192, 4096, 4, ... 47636480, 8192, ) == 0x0 02101 1744 NtProtectVirtualMemory (-1, (0x2d6e000), 4096, 260, ... (0x2d6e000), 4096, 4, ) == 0x0 02102 380 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... }, 1, 96, ... 02103 1272 NtWaitForSingleObject (128, 0, 0x0, ... 02102 380 NtOpenFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02104 380 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 14736864, 1179817, 14736588} (24, {128, 156, new_msg, 0, 2088850039, 14736864, 1179817, 14736588} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\1t\1\0\0\377\377\377\377\0\0\0\0@ h\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\324\341\340\0\0\0\0\0" ... 
{128, 156, reply, 0, 1736, 380, 75568, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\1t\1\0\0\377\377\377\377\0\0\0\0@ h\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\324\341\340\0\0\0\0\0" ) ... {128, 156, reply, 0, 1736, 380, 75568, 0} (24, {128, 156, new_msg, 0, 2088850039, 14736864, 1179817, 14736588} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\1t\1\0\0\377\377\377\377\0\0\0\0@ h\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\324\341\340\0\0\0\0\0" ... {128, 156, reply, 0, 1736, 380, 75568, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\1t\1\0\0\377\377\377\377\0\0\0\0@ h\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\324\341\340\0\0\0\0\0" ) ) == 0x0 02105 380 NtClose (372, ... ) == 0x0 02106 380 NtClose (376, ... ) == 0x0 02107 380 NtUnmapViewOfSection (-1, 0x2450000, ... ) == 0x0 02108 380 NtQueryDebugFilterState (53, 2, ... 02109 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 376, {1736, 1156}, ) == 0x0 02110 1744 NtQueryInformationThread (376, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1736,Tid=1156,}, 0x0, ) == 0x0 02111 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75567, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\310\6\0\0\204\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\310\6\0\0\204\4\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75569, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\310\6\0\0\204\4\0\0" ... 
{28, 56, reply, 0, 1736, 1744, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\310\6\0\0\204\4\0\0" ) ) == 0x0 02112 1744 NtResumeThread (376, ... 1, ) == 0x0 02113 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 38076416, 1048576, ) == 0x0 02114 1744 NtAllocateVirtualMemory (-1, 39116800, 0, 8192, 4096, 4, ... 02108 380 NtQueryDebugFilterState ... ) == 0x0 02115 1156 NtWaitForSingleObject (128, 0, 0x0, ... 02116 380 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02117 380 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02118 380 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02119 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 14735020, ... }, 14735020, ... 02114 1744 NtAllocateVirtualMemory ... 39116800, 8192, ) == 0x0 02120 1744 NtProtectVirtualMemory (-1, (0x254e000), 4096, 260, ... (0x254e000), 4096, 4, ) == 0x0 02121 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 372, {1736, 1700}, ) == 0x0 02122 1744 NtQueryInformationThread (372, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1736,Tid=1700,}, 0x0, ) == 0x0 02123 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75569, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\310\6\0\0\244\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\310\6\0\0\244\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75570, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\310\6\0\0\244\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0\310\6\0\0\244\6\0\0" ) ) == 0x0 02124 1744 NtResumeThread (372, ... 1, ) == 0x0 02125 1700 NtWaitForSingleObject (128, 0, 0x0, ... 
02126 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 39124992, 1048576, ) == 0x0 02127 1744 NtAllocateVirtualMemory (-1, 40165376, 0, 8192, 4096, 4, ... 40165376, 8192, ) == 0x0 02128 1744 NtProtectVirtualMemory (-1, (0x264e000), 4096, 260, ... (0x264e000), 4096, 4, ) == 0x0 02119 380 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02129 380 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02130 380 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02131 380 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02132 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 14735084, ... ) }, 14735084, ... ) == 0x0 02133 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 380, {1736, 1728}, ) == 0x0 02134 1744 NtQueryInformationThread (380, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1736,Tid=1728,}, 0x0, ) == 0x0 02135 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75570, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\310\6\0\0\300\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\310\6\0\0\300\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75571, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\310\6\0\0\300\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\310\6\0\0\300\6\0\0" ) ) == 0x0 02136 1744 NtResumeThread (380, ... 1, ) == 0x0 02137 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 40173568, 1048576, ) == 0x0 02138 1744 NtAllocateVirtualMemory (-1, 41213952, 0, 8192, 4096, 4, ... 02139 380 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... }, 3, 33, ... 
02140 1728 NtWaitForSingleObject (128, 0, 0x0, ... 02139 380 NtOpenFile ... 384, {status=0x0, info=1}, ) == 0x0 02141 380 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02142 380 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 388, {status=0x0, info=1}, ) }, 5, 96, ... 388, {status=0x0, info=1}, ) == 0x0 02143 380 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 388, ... 392, ) == 0x0 02144 380 NtClose (388, ... ) == 0x0 02145 380 NtMapViewOfSection (392, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2750000), 0x0, 1056768, ) == 0x0 02138 1744 NtAllocateVirtualMemory ... 41213952, 8192, ) == 0x0 02146 1744 NtProtectVirtualMemory (-1, (0x274e000), 4096, 260, ... (0x274e000), 4096, 4, ) == 0x0 02147 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 388, {1736, 212}, ) == 0x0 02148 1744 NtQueryInformationThread (388, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1736,Tid=212,}, 0x0, ) == 0x0 02149 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75571, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\310\6\0\0\324\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\310\6\0\0\324\0\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75572, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\310\6\0\0\324\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\310\6\0\0\324\0\0\0" ) ) == 0x0 02150 1744 NtResumeThread (388, ... 1, ) == 0x0 02151 380 NtClose (392, ... 02152 212 NtWaitForSingleObject (128, 0, 0x0, ... 02151 380 NtClose ... ) == 0x0 02153 380 NtUnmapViewOfSection (-1, 0x2750000, ... 
) == 0x0 02154 380 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 392, {status=0x0, info=1}, ) }, 5, 96, ... 392, {status=0x0, info=1}, ) == 0x0 02155 380 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 392, ... 396, ) == 0x0 02156 380 NtQuerySection (396, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02157 380 NtClose (392, ... ) == 0x0 02158 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 41222144, 1048576, ) == 0x0 02159 1744 NtAllocateVirtualMemory (-1, 42262528, 0, 8192, 4096, 4, ... 42262528, 8192, ) == 0x0 02160 1744 NtProtectVirtualMemory (-1, (0x284e000), 4096, 260, ... (0x284e000), 4096, 4, ) == 0x0 02161 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 392, {1736, 1764}, ) == 0x0 02162 1744 NtQueryInformationThread (392, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1736,Tid=1764,}, 0x0, ) == 0x0 02163 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75572, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\310\6\0\0\344\6\0\0" ... ... 02164 380 NtMapViewOfSection (396, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0 02165 380 NtClose (396, ... ) == 0x0 02166 380 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 02163 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75573, 0} ... {28, 56, reply, 0, 1736, 1744, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\310\6\0\0\344\6\0\0" ) ) == 0x0 02167 1744 NtResumeThread (392, ... 1, ) == 0x0 02168 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 42270720, 1048576, ) == 0x0 02169 1744 NtAllocateVirtualMemory (-1, 43311104, 0, 8192, 4096, 4, ... 43311104, 8192, ) == 0x0 02170 1744 NtProtectVirtualMemory (-1, (0x294e000), 4096, 260, ... 
(0x294e000), 4096, 4, ) == 0x0 02171 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 396, {1736, 464}, ) == 0x0 02172 1744 NtQueryInformationThread (396, Basic, 28, ... 02173 380 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... 02174 1764 NtWaitForSingleObject (128, 0, 0x0, ... 02173 380 NtProtectVirtualMemory ... (0x773d1000), 4096, 4, ) == 0x0 02175 380 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 02176 380 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 02177 380 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 02178 380 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 02179 380 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 02172 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1736,Tid=464,}, 0x0, ) == 0x0 02180 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75573, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\310\6\0\0\320\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\310\6\0\0\320\1\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75574, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\310\6\0\0\320\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\310\6\0\0\320\1\0\0" ) ) == 0x0 02181 1744 NtResumeThread (396, ... 1, ) == 0x0 02182 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 43319296, 1048576, ) == 0x0 02183 1744 NtAllocateVirtualMemory (-1, 44359680, 0, 8192, 4096, 4, ... 44359680, 8192, ) == 0x0 02184 1744 NtProtectVirtualMemory (-1, (0x2a4e000), 4096, 260, ... (0x2a4e000), 4096, 4, ) == 0x0 02185 380 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... 02186 464 NtWaitForSingleObject (128, 0, 0x0, ... 02185 380 NtProtectVirtualMemory ... 
(0x773d1000), 4096, 4, ) == 0x0 02187 380 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 02188 380 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 02189 380 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 02190 380 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 02191 380 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 02192 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 400, {1736, 1536}, ) == 0x0 02193 1744 NtQueryInformationThread (400, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1736,Tid=1536,}, 0x0, ) == 0x0 02194 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75574, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\310\6\0\0\0\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\310\6\0\0\0\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75575, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\310\6\0\0\0\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\310\6\0\0\0\6\0\0" ) ) == 0x0 02195 1744 NtResumeThread (400, ... 1, ) == 0x0 02196 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 44367872, 1048576, ) == 0x0 02197 1744 NtAllocateVirtualMemory (-1, 45408256, 0, 8192, 4096, 4, ... 02198 380 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... 02199 1536 NtWaitForSingleObject (128, 0, 0x0, ... 02198 380 NtProtectVirtualMemory ... (0x773d1000), 4096, 4, ) == 0x0 02200 380 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 02201 380 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 02202 380 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 02203 380 NtFlushInstructionCache (-1, 2000490496, 1924, ... 
) == 0x0 02204 380 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 02197 1744 NtAllocateVirtualMemory ... 45408256, 8192, ) == 0x0 02205 1744 NtProtectVirtualMemory (-1, (0x2b4e000), 4096, 260, ... (0x2b4e000), 4096, 4, ) == 0x0 02206 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 404, {1736, 1904}, ) == 0x0 02207 1744 NtQueryInformationThread (404, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1736,Tid=1904,}, 0x0, ) == 0x0 02208 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75575, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\310\6\0\0p\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\310\6\0\0p\7\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75576, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\310\6\0\0p\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\310\6\0\0p\7\0\0" ) ) == 0x0 02209 1744 NtResumeThread (404, ... 1, ) == 0x0 02210 380 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... 02211 1904 NtWaitForSingleObject (128, 0, 0x0, ... 02210 380 NtProtectVirtualMemory ... (0x773d1000), 4096, 4, ) == 0x0 02212 380 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 02213 380 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02214 380 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 14736564, ... ) , 42, 14736564, ... ) == 0x0 02215 380 NtQueryDefaultUILanguage (14735248, ... 02216 380 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02217 380 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 02218 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
45416448, 1048576, ) == 0x0 02219 1744 NtAllocateVirtualMemory (-1, 46456832, 0, 8192, 4096, 4, ... 46456832, 8192, ) == 0x0 02220 1744 NtProtectVirtualMemory (-1, (0x2c4e000), 4096, 260, ... (0x2c4e000), 4096, 4, ) == 0x0 02221 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 408, {1736, 1648}, ) == 0x0 02222 1744 NtQueryInformationThread (408, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1736,Tid=1648,}, 0x0, ) == 0x0 02223 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75576, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\310\6\0\0p\6\0\0" ... ... 02217 380 NtOpenProcessTokenEx ... -2147482576, ) == 0x0 02224 380 NtQueryInformationToken (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02225 380 NtClose (-2147482576, ... ) == 0x0 02226 380 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... }, ... 02223 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75577, 0} ... {28, 56, reply, 0, 1736, 1744, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\310\6\0\0p\6\0\0" ) ) == 0x0 02227 1744 NtResumeThread (408, ... 1, ) == 0x0 02228 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 47644672, 1048576, ) == 0x0 02229 1744 NtAllocateVirtualMemory (-1, 48685056, 0, 8192, 4096, 4, ... 48685056, 8192, ) == 0x0 02230 1744 NtProtectVirtualMemory (-1, (0x2e6e000), 4096, 260, ... (0x2e6e000), 4096, 4, ) == 0x0 02231 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 412, {1736, 148}, ) == 0x0 02232 1744 NtQueryInformationThread (412, Basic, 28, ... 02226 380 NtOpenKey ... -2147482576, ) == 0x0 02233 1648 NtWaitForSingleObject (128, 0, 0x0, ... 02234 380 NtOpenKey (0x80000000, {24, -2147482576, 0x240, 0, 0, (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02235 380 NtOpenKey (0x80000000, {24, -2147482576, 0x640, 0, 0, (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0 02236 380 NtQueryValueKey (-2147481400, (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02237 380 NtClose (-2147481400, ... ) == 0x0 02238 380 NtClose (-2147482576, ... ) == 0x0 02215 380 NtQueryDefaultUILanguage ... ) == 0x0 02232 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1736,Tid=148,}, 0x0, ) == 0x0 02239 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75577, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\310\6\0\0\224\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\310\6\0\0\224\0\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75578, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\310\6\0\0\224\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\310\6\0\0\224\0\0\0" ) ) == 0x0 02240 1744 NtResumeThread (412, ... 1, ) == 0x0 02241 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 48693248, 1048576, ) == 0x0 02242 1744 NtAllocateVirtualMemory (-1, 49733632, 0, 8192, 4096, 4, ... 49733632, 8192, ) == 0x0 02243 1744 NtProtectVirtualMemory (-1, (0x2f6e000), 4096, 260, ... (0x2f6e000), 4096, 4, ) == 0x0 02244 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 14734088, ... }, 14734088, ... 02245 148 NtWaitForSingleObject (128, 0, 0x0, ... 02244 380 NtQueryAttributesFile ... ) == 0x0 02246 380 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 416, {status=0x0, info=1}, ) }, 5, 96, ... 
416, {status=0x0, info=1}, ) == 0x0 02247 380 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 416, ... 420, ) == 0x0 02248 380 NtClose (416, ... ) == 0x0 02249 380 NtMapViewOfSection (420, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 4096, ) == 0x0 02250 380 NtClose (420, ... ) == 0x0 02251 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 420, {1736, 1896}, ) == 0x0 02252 1744 NtQueryInformationThread (420, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1736,Tid=1896,}, 0x0, ) == 0x0 02253 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75578, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\310\6\0\0h\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\310\6\0\0h\7\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75579, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\310\6\0\0h\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\310\6\0\0h\7\0\0" ) ) == 0x0 02254 1744 NtResumeThread (420, ... 1, ) == 0x0 02255 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 49741824, 1048576, ) == 0x0 02256 1744 NtAllocateVirtualMemory (-1, 50782208, 0, 8192, 4096, 4, ... 02257 380 NtUnmapViewOfSection (-1, 0x3e0000, ... 02258 1896 NtWaitForSingleObject (128, 0, 0x0, ... 02257 380 NtUnmapViewOfSection ... ) == 0x0 02259 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 14733684, ... ) }, 14733684, ... ) == 0x0 02260 380 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 14734428, (0x80100080, {24, 0, 0x40, 0, 14734428, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0 02261 380 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 416, ... 424, ) == 0x0 02262 380 NtClose (416, ... 
) == 0x0 02263 380 NtMapViewOfSection (424, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 4096, ) == 0x0 02256 1744 NtAllocateVirtualMemory ... 50782208, 8192, ) == 0x0 02264 1744 NtProtectVirtualMemory (-1, (0x306e000), 4096, 260, ... (0x306e000), 4096, 4, ) == 0x0 02265 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 416, {1736, 432}, ) == 0x0 02266 1744 NtQueryInformationThread (416, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1736,Tid=432,}, 0x0, ) == 0x0 02267 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75579, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\310\6\0\0\260\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\310\6\0\0\260\1\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75580, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\310\6\0\0\260\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\310\6\0\0\260\1\0\0" ) ) == 0x0 02268 1744 NtResumeThread (416, ... 1, ) == 0x0 02269 380 NtClose (424, ... 02270 432 NtWaitForSingleObject (128, 0, 0x0, ... 02269 380 NtClose ... ) == 0x0 02271 380 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 02272 380 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 424, {status=0x0, info=1}, ) }, 1, 96, ... 424, {status=0x0, info=1}, ) == 0x0 02273 380 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 424, ... 428, ) == 0x0 02274 380 NtMapViewOfSection (428, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3e0000), 0x0, 4096, ) == 0x0 02275 380 NtQueryInformationFile (424, 14734080, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02276 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 50790400, 1048576, ) == 0x0 02277 1744 NtAllocateVirtualMemory (-1, 51830784, 0, 8192, 4096, 4, ... 
51830784, 8192, ) == 0x0 02278 1744 NtProtectVirtualMemory (-1, (0x316e000), 4096, 260, ... (0x316e000), 4096, 4, ) == 0x0 02279 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 432, {1736, 388}, ) == 0x0 02280 1744 NtQueryInformationThread (432, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1736,Tid=388,}, 0x0, ) == 0x0 02281 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75580, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\310\6\0\0\204\1\0\0" ... ... 02282 380 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02283 380 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 14734380, 1179817, 14734104} (24, {128, 156, new_msg, 0, 2088850039, 14734380, 1179817, 14734104} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\1\250\1\0\0\254\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0 \330\340\0\0\0\0\0" ... {128, 156, reply, 0, 1736, 380, 75582, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\1\250\1\0\0\254\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0 \330\340\0\0\0\0\0" ) ... {128, 156, reply, 0, 1736, 380, 75582, 0} (24, {128, 156, new_msg, 0, 2088850039, 14734380, 1179817, 14734104} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\1\250\1\0\0\254\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0 \330\340\0\0\0\0\0" ... 
{128, 156, reply, 0, 1736, 380, 75582, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\1\250\1\0\0\254\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0 \330\340\0\0\0\0\0" ) ) == 0x0 02284 380 NtClose (424, ... 02281 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75581, 0} ... {28, 56, reply, 0, 1736, 1744, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\310\6\0\0\204\1\0\0" ) ) == 0x0 02285 1744 NtResumeThread (432, ... 1, ) == 0x0 02286 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 51838976, 1048576, ) == 0x0 02287 1744 NtAllocateVirtualMemory (-1, 52879360, 0, 8192, 4096, 4, ... 52879360, 8192, ) == 0x0 02288 1744 NtProtectVirtualMemory (-1, (0x326e000), 4096, 260, ... (0x326e000), 4096, 4, ) == 0x0 02289 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 436, {1736, 1864}, ) == 0x0 02290 1744 NtQueryInformationThread (436, Basic, 28, ... 02284 380 NtClose ... ) == 0x0 02291 388 NtWaitForSingleObject (128, 0, 0x0, ... 02292 380 NtClose (428, ... ) == 0x0 02293 380 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 02294 380 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02295 380 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 428, ) == 0x0 02296 380 NtCallbackReturn (0, 0, 0, ... 02297 380 NtUserGetThreadState (18, ... ) == 0x1 02290 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1736,Tid=1864,}, 0x0, ) == 0x0 02298 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75581, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\310\6\0\0H\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\310\6\0\0H\7\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75583, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\310\6\0\0H\7\0\0" ... 
{28, 56, reply, 0, 1736, 1744, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\310\6\0\0H\7\0\0" ) ) == 0x0 02299 1744 NtResumeThread (436, ... 1, ) == 0x0 02300 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 52887552, 1048576, ) == 0x0 02301 1744 NtAllocateVirtualMemory (-1, 53927936, 0, 8192, 4096, 4, ... 53927936, 8192, ) == 0x0 02302 1744 NtProtectVirtualMemory (-1, (0x336e000), 4096, 260, ... (0x336e000), 4096, 4, ) == 0x0 02303 380 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... , ... 02304 1864 NtWaitForSingleObject (128, 0, 0x0, ... 02303 380 NtUserRegisterWindowMessage ... ) == 0xc03a 02305 380 NtUserSystemParametersInfo (104, 0, 2001084812, 0, ... ) == 0x1 02306 380 NtUserGetDC (0, ... ) == 0x1010050 02307 380 NtUserCallOneParam (16842832, 57, ... ) == 0x1 02308 380 NtUserSystemParametersInfo (38, 4, 2001086940, 0, ... ) == 0x1 02309 380 NtUserSystemParametersInfo (66, 12, 14736080, 0, ... ) == 0x1 02310 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 424, {1736, 1524}, ) == 0x0 02311 1744 NtQueryInformationThread (424, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1736,Tid=1524,}, 0x0, ) == 0x0 02312 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75583, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\310\6\0\0\364\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\310\6\0\0\364\5\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75584, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\310\6\0\0\364\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\310\6\0\0\364\5\0\0" ) ) == 0x0 02313 1744 NtResumeThread (424, ... 1, ) == 0x0 02314 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 53936128, 1048576, ) == 0x0 02315 1744 NtAllocateVirtualMemory (-1, 54976512, 0, 8192, 4096, 4, ... 
02316 380 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 02317 1524 NtWaitForSingleObject (128, 0, 0x0, ... 02316 380 NtOpenThreadTokenEx ... ) == STATUS_NO_TOKEN 02318 380 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 440, ) == 0x0 02319 380 NtQueryInformationToken (440, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02320 380 NtClose (440, ... ) == 0x0 02321 380 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 440, ) }, ... 440, ) == 0x0 02322 380 NtOpenProcessToken (-1, 0x8, ... 444, ) == 0x0 02315 1744 NtAllocateVirtualMemory ... 54976512, 8192, ) == 0x0 02323 1744 NtProtectVirtualMemory (-1, (0x346e000), 4096, 260, ... (0x346e000), 4096, 4, ) == 0x0 02324 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 448, {1736, 240}, ) == 0x0 02325 1744 NtQueryInformationThread (448, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1736,Tid=240,}, 0x0, ) == 0x0 02326 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75584, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\310\6\0\0\360\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\310\6\0\0\360\0\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75585, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\310\6\0\0\360\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\310\6\0\0\360\0\0\0" ) ) == 0x0 02327 1744 NtResumeThread (448, ... 1, ) == 0x0 02328 380 NtAccessCheck (1344040, 444, 0x1, 14735912, 14735964, 56, 14735944, ... 02329 240 NtWaitForSingleObject (128, 0, 0x0, ... 02328 380 NtAccessCheck ... ) == STATUS_NO_IMPERSONATION_TOKEN 02330 380 NtClose (444, ... ) == 0x0 02331 380 NtOpenKey (0x20019, {24, 440, 0x40, 0, 0, (0x20019, {24, 440, 0x40, 0, 0, "Control Panel\Desktop"}, ... 444, ) }, ... 
444, ) == 0x0 02332 380 NtQueryValueKey (444, (444, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02333 380 NtClose (444, ... ) == 0x0 02334 380 NtUserSystemParametersInfo (41, 500, 14736108, 0, ... ) == 0x1 02335 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 54984704, 1048576, ) == 0x0 02336 1744 NtAllocateVirtualMemory (-1, 56025088, 0, 8192, 4096, 4, ... 56025088, 8192, ) == 0x0 02337 1744 NtProtectVirtualMemory (-1, (0x356e000), 4096, 260, ... (0x356e000), 4096, 4, ) == 0x0 02338 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 444, {1736, 308}, ) == 0x0 02339 1744 NtQueryInformationThread (444, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1736,Tid=308,}, 0x0, ) == 0x0 02340 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75585, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\310\6\0\04\1\0\0" ... ... 02341 380 NtOpenProcessToken (-1, 0x8, ... 452, ) == 0x0 02342 380 NtAccessCheck (1344040, 452, 0x1, 14735912, 14735964, 56, 14735944, ... ) == STATUS_NO_IMPERSONATION_TOKEN 02343 380 NtClose (452, ... ) == 0x0 02340 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75586, 0} ... {28, 56, reply, 0, 1736, 1744, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\310\6\0\04\1\0\0" ) ) == 0x0 02344 1744 NtResumeThread (444, ... 1, ) == 0x0 02345 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 56033280, 1048576, ) == 0x0 02346 1744 NtAllocateVirtualMemory (-1, 57073664, 0, 8192, 4096, 4, ... 57073664, 8192, ) == 0x0 02347 1744 NtProtectVirtualMemory (-1, (0x366e000), 4096, 260, ... (0x366e000), 4096, 4, ) == 0x0 02348 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 452, {1736, 276}, ) == 0x0 02349 1744 NtQueryInformationThread (452, Basic, 28, ... 
02350 380 NtOpenKey (0x20019, {24, 440, 0x40, 0, 0, (0x20019, {24, 440, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... }, ... 02351 308 NtWaitForSingleObject (128, 0, 0x0, ... 02350 380 NtOpenKey ... 456, ) == 0x0 02352 380 NtQueryValueKey (456, (456, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02353 380 NtClose (456, ... ) == 0x0 02354 380 NtUserSystemParametersInfo (27, 0, 2001085788, 0, ... ) == 0x1 02355 380 NtUserSystemParametersInfo (102, 0, 2001086828, 0, ... ) == 0x1 02356 380 NtClose (440, ... ) == 0x0 02349 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1736,Tid=276,}, 0x0, ) == 0x0 02357 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75586, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\310\6\0\0\24\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\310\6\0\0\24\1\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75587, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\310\6\0\0\24\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\310\6\0\0\24\1\0\0" ) ) == 0x0 02358 1744 NtResumeThread (452, ... 1, ) == 0x0 02359 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 57081856, 1048576, ) == 0x0 02360 1744 NtAllocateVirtualMemory (-1, 58122240, 0, 8192, 4096, 4, ... 58122240, 8192, ) == 0x0 02361 1744 NtProtectVirtualMemory (-1, (0x376e000), 4096, 260, ... (0x376e000), 4096, 4, ) == 0x0 02362 380 NtUserSystemParametersInfo (4130, 0, 14736612, 0, ... 02363 276 NtWaitForSingleObject (128, 0, 0x0, ... 02362 380 NtUserSystemParametersInfo ... ) == 0x1 02364 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 440, ) }, ... 
440, ) == 0x0 02365 380 NtEnumerateValueKey (440, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02366 380 NtClose (440, ... ) == 0x0 02367 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02368 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc03b 02369 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 440, {1736, 1496}, ) == 0x0 02370 1744 NtQueryInformationThread (440, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1736,Tid=1496,}, 0x0, ) == 0x0 02371 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75587, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\310\6\0\0\330\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\310\6\0\0\330\5\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75588, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\310\6\0\0\330\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\310\6\0\0\330\5\0\0" ) ) == 0x0 02372 1744 NtResumeThread (440, ... 1, ) == 0x0 02373 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 58130432, 1048576, ) == 0x0 02374 1744 NtAllocateVirtualMemory (-1, 59170816, 0, 8192, 4096, 4, ... 02375 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... 02376 1496 NtWaitForSingleObject (128, 0, 0x0, ... 02375 380 NtUserRegisterClassExWOW ... ) == 0x819fc03d 02377 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02378 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc03f 02379 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02380 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... 
) == 0x819fc041 02381 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02374 1744 NtAllocateVirtualMemory ... 59170816, 8192, ) == 0x0 02382 1744 NtProtectVirtualMemory (-1, (0x386e000), 4096, 260, ... (0x386e000), 4096, 4, ) == 0x0 02383 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 456, {1736, 1592}, ) == 0x0 02384 1744 NtQueryInformationThread (456, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1736,Tid=1592,}, 0x0, ) == 0x0 02385 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75588, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\310\6\0\08\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\310\6\0\08\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75589, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\310\6\0\08\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\310\6\0\08\6\0\0" ) ) == 0x0 02386 1744 NtResumeThread (456, ... 1, ) == 0x0 02387 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... 02388 1592 NtWaitForSingleObject (128, 0, 0x0, ... 02387 380 NtUserRegisterClassExWOW ... ) == 0x819fc043 02389 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc045 02390 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02391 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc047 02392 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02393 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc049 02394 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 59179008, 1048576, ) == 0x0 02395 1744 NtAllocateVirtualMemory (-1, 60219392, 0, 8192, 4096, 4, ... 
60219392, 8192, ) == 0x0 02396 1744 NtProtectVirtualMemory (-1, (0x396e000), 4096, 260, ... (0x396e000), 4096, 4, ) == 0x0 02397 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 460, {1736, 2032}, ) == 0x0 02398 1744 NtQueryInformationThread (460, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1736,Tid=2032,}, 0x0, ) == 0x0 02399 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75589, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\310\6\0\0\360\7\0\0" ... ... 02400 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02401 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc04b 02402 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02399 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75590, 0} ... {28, 56, reply, 0, 1736, 1744, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\310\6\0\0\360\7\0\0" ) ) == 0x0 02403 1744 NtResumeThread (460, ... 1, ) == 0x0 02404 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 60227584, 1048576, ) == 0x0 02405 1744 NtAllocateVirtualMemory (-1, 61267968, 0, 8192, 4096, 4, ... 61267968, 8192, ) == 0x0 02406 1744 NtProtectVirtualMemory (-1, (0x3a6e000), 4096, 260, ... (0x3a6e000), 4096, 4, ) == 0x0 02407 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 464, {1736, 1528}, ) == 0x0 02408 1744 NtQueryInformationThread (464, Basic, 28, ... 02409 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... 02410 2032 NtWaitForSingleObject (128, 0, 0x0, ... 02409 380 NtUserRegisterClassExWOW ... ) == 0x819fc04d 02411 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02412 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... 
) == 0x819fc04f 02413 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc051 02414 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02415 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc053 02408 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1736,Tid=1528,}, 0x0, ) == 0x0 02416 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75590, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\310\6\0\0\370\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\310\6\0\0\370\5\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75591, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\310\6\0\0\370\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\310\6\0\0\370\5\0\0" ) ) == 0x0 02417 1744 NtResumeThread (464, ... 1, ) == 0x0 02418 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 61276160, 1048576, ) == 0x0 02419 1744 NtAllocateVirtualMemory (-1, 62316544, 0, 8192, 4096, 4, ... 62316544, 8192, ) == 0x0 02420 1744 NtProtectVirtualMemory (-1, (0x3b6e000), 4096, 260, ... (0x3b6e000), 4096, 4, ) == 0x0 02421 380 NtUserFindExistingCursorIcon (14735856, 14735872, 14735920, ... 02422 1528 NtWaitForSingleObject (128, 0, 0x0, ... 02421 380 NtUserFindExistingCursorIcon ... ) == 0x10011 02423 380 NtUserRegisterClassExWOW (14735800, 14735868, 14735884, 14735900, 0, 384, 0, ... ) == 0x819fc055 02424 380 NtUserFindExistingCursorIcon (14735856, 14735872, 14735920, ... ) == 0x10011 02425 380 NtUserRegisterClassExWOW (14735800, 14735868, 14735884, 14735900, 0, 384, 0, ... ) == 0x819fc057 02426 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... 
) == 0x10011 02427 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc059 02428 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 468, {1736, 932}, ) == 0x0 02429 1744 NtQueryInformationThread (468, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1736,Tid=932,}, 0x0, ) == 0x0 02430 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75591, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\310\6\0\0\244\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\310\6\0\0\244\3\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75592, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\310\6\0\0\244\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\310\6\0\0\244\3\0\0" ) ) == 0x0 02431 1744 NtResumeThread (468, ... 1, ) == 0x0 02432 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 62324736, 1048576, ) == 0x0 02433 1744 NtAllocateVirtualMemory (-1, 63365120, 0, 8192, 4096, 4, ... 02434 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... 02435 932 NtWaitForSingleObject (128, 0, 0x0, ... 02434 380 NtUserFindExistingCursorIcon ... ) == 0x10013 02436 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc05b 02437 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02438 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc05d 02439 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02440 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc05f 02433 1744 NtAllocateVirtualMemory ... 63365120, 8192, ) == 0x0 02441 1744 NtProtectVirtualMemory (-1, (0x3c6e000), 4096, 260, ... 
(0x3c6e000), 4096, 4, ) == 0x0 02442 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 472, {1736, 1128}, ) == 0x0 02443 1744 NtQueryInformationThread (472, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1736,Tid=1128,}, 0x0, ) == 0x0 02444 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75592, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\310\6\0\0h\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\310\6\0\0h\4\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75593, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\310\6\0\0h\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\310\6\0\0h\4\0\0" ) ) == 0x0 02445 1744 NtResumeThread (472, ... 1, ) == 0x0 02446 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... 02447 1128 NtWaitForSingleObject (128, 0, 0x0, ... 02446 380 NtUserFindExistingCursorIcon ... ) == 0x10011 02448 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc017 02449 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02450 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc019 02451 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10013 02452 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc018 02453 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 63373312, 1048576, ) == 0x0 02454 1744 NtAllocateVirtualMemory (-1, 64413696, 0, 8192, 4096, 4, ... 64413696, 8192, ) == 0x0 02455 1744 NtProtectVirtualMemory (-1, (0x3d6e000), 4096, 260, ... (0x3d6e000), 4096, 4, ) == 0x0 02456 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 476, {1736, 1644}, ) == 0x0 02457 1744 NtQueryInformationThread (476, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1736,Tid=1644,}, 0x0, ) == 0x0 02458 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75593, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\310\6\0\0l\6\0\0" ... ... 02459 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02460 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc01a 02461 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02458 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75594, 0} ... {28, 56, reply, 0, 1736, 1744, 75594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\310\6\0\0l\6\0\0" ) ) == 0x0 02462 1744 NtResumeThread (476, ... 1, ) == 0x0 02463 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 64421888, 1048576, ) == 0x0 02464 1744 NtAllocateVirtualMemory (-1, 65462272, 0, 8192, 4096, 4, ... 65462272, 8192, ) == 0x0 02465 1744 NtProtectVirtualMemory (-1, (0x3e6e000), 4096, 260, ... (0x3e6e000), 4096, 4, ) == 0x0 02466 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 480, {1736, 336}, ) == 0x0 02467 1744 NtQueryInformationThread (480, Basic, 28, ... 02468 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... 02469 1644 NtWaitForSingleObject (128, 0, 0x0, ... 02468 380 NtUserRegisterClassExWOW ... ) == 0x819fc01c 02470 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02471 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc01e 02472 380 NtUserFindExistingCursorIcon (14735852, 14735868, 14735916, ... ) == 0x10011 02473 380 NtUserRegisterClassExWOW (14735852, 14735920, 14735936, 14735952, 0, 384, 0, ... ) == 0x819fc01b 02474 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02467 1744 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1736,Tid=336,}, 0x0, ) == 0x0 02475 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75594, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\310\6\0\0P\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\310\6\0\0P\1\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75595, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\310\6\0\0P\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\310\6\0\0P\1\0\0" ) ) == 0x0 02476 1744 NtResumeThread (480, ... 1, ) == 0x0 02477 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 65470464, 1048576, ) == 0x0 02478 1744 NtAllocateVirtualMemory (-1, 66510848, 0, 8192, 4096, 4, ... 66510848, 8192, ) == 0x0 02479 1744 NtProtectVirtualMemory (-1, (0x3f6e000), 4096, 260, ... (0x3f6e000), 4096, 4, ) == 0x0 02480 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... 02481 336 NtWaitForSingleObject (128, 0, 0x0, ... 02480 380 NtUserRegisterClassExWOW ... ) == 0x819fc068 02482 380 NtUserFindExistingCursorIcon (14735860, 14735876, 14735924, ... ) == 0x10011 02483 380 NtUserRegisterClassExWOW (14735804, 14735872, 14735888, 14735904, 0, 384, 0, ... ) == 0x819fc06a 02484 380 NtSetEventBoostPriority (128, ... 01991 752 NtWaitForSingleObject ... ) == 0x0 02485 752 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13693996, ... ) }, 13693996, ... ) == 0x0 02486 752 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 484, {status=0x0, info=1}, ) }, 5, 96, ... 484, {status=0x0, info=1}, ) == 0x0 02487 752 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 484, ... 488, ) == 0x0 02488 752 NtClose (484, ... ) == 0x0 02484 380 NtSetEventBoostPriority ... 
) == 0x0 02489 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02490 380 NtWaitForSingleObject (128, 0, 0x0, ... 02489 1744 NtCreateThread ... 484, {1736, 504}, ) == 0x0 02491 1744 NtQueryInformationThread (484, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1736,Tid=504,}, 0x0, ) == 0x0 02492 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75595, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\310\6\0\0\370\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\310\6\0\0\370\1\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75596, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\310\6\0\0\370\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\310\6\0\0\370\1\0\0" ) ) == 0x0 02493 1744 NtResumeThread (484, ... 1, ) == 0x0 02494 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 66519040, 1048576, ) == 0x0 02495 1744 NtAllocateVirtualMemory (-1, 67559424, 0, 8192, 4096, 4, ... 02496 752 NtMapViewOfSection (488, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 02497 504 NtWaitForSingleObject (128, 0, 0x0, ... 02496 752 NtMapViewOfSection ... (0x3e0000), 0x0, 20480, ) == 0x0 02498 752 NtClose (488, ... ) == 0x0 02495 1744 NtAllocateVirtualMemory ... 67559424, 8192, ) == 0x0 02499 1744 NtProtectVirtualMemory (-1, (0x406e000), 4096, 260, ... (0x406e000), 4096, 4, ) == 0x0 02500 752 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 02501 752 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 13694304, ... ) }, 13694304, ... ) == 0x0 02502 752 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 488, {status=0x0, info=1}, ) }, 5, 96, ... 488, {status=0x0, info=1}, ) == 0x0 02503 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
492, {1736, 488}, ) == 0x0 02504 1744 NtQueryInformationThread (492, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1736,Tid=488,}, 0x0, ) == 0x0 02505 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75596, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\310\6\0\0\350\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\310\6\0\0\350\1\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75597, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\310\6\0\0\350\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\310\6\0\0\350\1\0\0" ) ) == 0x0 02506 1744 NtResumeThread (492, ... 1, ) == 0x0 02507 752 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 488, ... 02508 488 NtWaitForSingleObject (128, 0, 0x0, ... 02507 752 NtCreateSection ... 496, ) == 0x0 02509 752 NtQuerySection (496, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02510 752 NtClose (488, ... ) == 0x0 02511 752 NtMapViewOfSection (496, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 02512 752 NtClose (496, ... ) == 0x0 02513 752 NtProtectVirtualMemory (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0 02514 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 67567616, 1048576, ) == 0x0 02515 1744 NtAllocateVirtualMemory (-1, 68608000, 0, 8192, 4096, 4, ... 68608000, 8192, ) == 0x0 02516 1744 NtProtectVirtualMemory (-1, (0x416e000), 4096, 260, ... (0x416e000), 4096, 4, ) == 0x0 02517 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 496, {1736, 1948}, ) == 0x0 02518 1744 NtQueryInformationThread (496, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1736,Tid=1948,}, 0x0, ) == 0x0 02519 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75597, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\310\6\0\0\234\7\0\0" ... ... 02520 752 NtProtectVirtualMemory (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0 02521 752 NtFlushInstructionCache (-1, 1906905088, 128, ... ) == 0x0 02519 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75598, 0} ... {28, 56, reply, 0, 1736, 1744, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\310\6\0\0\234\7\0\0" ) ) == 0x0 02522 1744 NtResumeThread (496, ... 1, ) == 0x0 02523 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 68616192, 1048576, ) == 0x0 02524 1744 NtAllocateVirtualMemory (-1, 69656576, 0, 8192, 4096, 4, ... 69656576, 8192, ) == 0x0 02525 1744 NtProtectVirtualMemory (-1, (0x426e000), 4096, 260, ... (0x426e000), 4096, 4, ) == 0x0 02526 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 488, {1736, 1692}, ) == 0x0 02527 1744 NtQueryInformationThread (488, Basic, 28, ... 02528 752 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ... 02529 1948 NtWaitForSingleObject (128, 0, 0x0, ... 02528 752 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02530 752 NtSetEventBoostPriority (128, ... 01998 1784 NtWaitForSingleObject ... ) == 0x0 02531 1784 NtSetEventBoostPriority (128, ... 02010 1480 NtWaitForSingleObject ... ) == 0x0 02532 1480 NtAllocateVirtualMemory (-1, 3624960, 0, 4096, 4096, 4, ... 3624960, 4096, ) == 0x0 02531 1784 NtSetEventBoostPriority ... ) == 0x0 02530 752 NtSetEventBoostPriority ... ) == 0x0 02527 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1736,Tid=1692,}, 0x0, ) == 0x0 02533 1480 NtSetEventBoostPriority (128, ... 
02534 1784 NtTestAlert (... 02535 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75598, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\310\6\0\0\234\6\0\0" ... ... 02032 1556 NtWaitForSingleObject ... ) == 0x0 02533 1480 NtSetEventBoostPriority ... ) == 0x0 02534 1784 NtTestAlert ... ) == 0x0 02536 1556 NtSetEventBoostPriority (128, ... 02535 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75599, 0} ... {28, 56, reply, 0, 1736, 1744, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\310\6\0\0\234\6\0\0" ) ) == 0x0 02537 1480 NtTestAlert (... 02044 1068 NtWaitForSingleObject ... ) == 0x0 02536 1556 NtSetEventBoostPriority ... ) == 0x0 02538 1784 NtContinue (30735664, 1, ... 02539 1744 NtResumeThread (488, ... 02540 1068 NtSetEventBoostPriority (128, ... 02537 1480 NtTestAlert ... ) == 0x0 02541 752 NtClose (332, ... 02542 1784 NtRegisterThreadTerminatePort (24, ... 02057 1572 NtWaitForSingleObject ... ) == 0x0 02540 1068 NtSetEventBoostPriority ... ) == 0x0 02539 1744 NtResumeThread ... 1, ) == 0x0 02543 1480 NtContinue (31784240, 1, ... 02541 752 NtClose ... ) == 0x0 02544 1572 NtSetEventBoostPriority (128, ... 02542 1784 NtRegisterThreadTerminatePort ... ) == 0x0 02545 1556 NtTestAlert (... 02546 1692 NtWaitForSingleObject (128, 0, 0x0, ... 02547 1068 NtTestAlert (... 02548 1480 NtRegisterThreadTerminatePort (24, ... 02069 1604 NtWaitForSingleObject ... ) == 0x0 02544 1572 NtSetEventBoostPriority ... ) == 0x0 02549 752 NtWaitForSingleObject (128, 0, 0x0, ... 02550 1784 NtWaitForSingleObject (244, 0, 0x0, ... 02545 1556 NtTestAlert ... ) == 0x0 02547 1068 NtTestAlert ... ) == 0x0 02551 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02552 1604 NtSetEventBoostPriority (128, ... 02548 1480 NtRegisterThreadTerminatePort ... ) == 0x0 02553 1572 NtTestAlert (... 02554 1556 NtContinue (32832816, 1, ... 02555 1068 NtContinue (33881392, 1, ... 02091 1240 NtWaitForSingleObject ... 
) == 0x0 02552 1604 NtSetEventBoostPriority ... ) == 0x0 02551 1744 NtAllocateVirtualMemory ... 69664768, 1048576, ) == 0x0 02556 1480 NtWaitForSingleObject (244, 0, 0x0, ... 02553 1572 NtTestAlert ... ) == 0x0 02557 1556 NtRegisterThreadTerminatePort (24, ... 02558 1240 NtSetEventBoostPriority (128, ... 02559 1068 NtRegisterThreadTerminatePort (24, ... 02560 1744 NtAllocateVirtualMemory (-1, 70705152, 0, 8192, 4096, 4, ... 02561 1572 NtContinue (34929968, 1, ... 02103 1272 NtWaitForSingleObject ... ) == 0x0 02558 1240 NtSetEventBoostPriority ... ) == 0x0 02557 1556 NtRegisterThreadTerminatePort ... ) == 0x0 02559 1068 NtRegisterThreadTerminatePort ... ) == 0x0 02560 1744 NtAllocateVirtualMemory ... 70705152, 8192, ) == 0x0 02562 1272 NtSetEventBoostPriority (128, ... 02563 1572 NtRegisterThreadTerminatePort (24, ... 02564 1604 NtTestAlert (... 02565 1556 NtWaitForSingleObject (244, 0, 0x0, ... 02566 1068 NtWaitForSingleObject (244, 0, 0x0, ... 02115 1156 NtWaitForSingleObject ... ) == 0x0 02562 1272 NtSetEventBoostPriority ... ) == 0x0 02567 1744 NtProtectVirtualMemory (-1, (0x436e000), 4096, 260, ... 02563 1572 NtRegisterThreadTerminatePort ... ) == 0x0 02564 1604 NtTestAlert ... ) == 0x0 02568 1240 NtTestAlert (... 02569 1156 NtSetEventBoostPriority (128, ... 02567 1744 NtProtectVirtualMemory ... (0x436e000), 4096, 4, ) == 0x0 02570 1572 NtWaitForSingleObject (244, 0, 0x0, ... 02571 1604 NtContinue (35978544, 1, ... 02125 1700 NtWaitForSingleObject ... ) == 0x0 02569 1156 NtSetEventBoostPriority ... ) == 0x0 02568 1240 NtTestAlert ... ) == 0x0 02572 1272 NtTestAlert (... 02573 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02574 1700 NtSetEventBoostPriority (128, ... 02575 1604 NtRegisterThreadTerminatePort (24, ... 02576 1240 NtContinue (37027120, 1, ... 02572 1272 NtTestAlert ... ) == 0x0 02140 1728 NtWaitForSingleObject ... ) == 0x0 02574 1700 NtSetEventBoostPriority ... ) == 0x0 02573 1744 NtCreateThread ... 
332, {1736, 1520}, ) == 0x0 02575 1604 NtRegisterThreadTerminatePort ... ) == 0x0 02577 1240 NtRegisterThreadTerminatePort (24, ... 02578 1728 NtSetEventBoostPriority (128, ... 02579 1272 NtContinue (38075696, 1, ... 02580 1156 NtTestAlert (... 02581 1744 NtQueryInformationThread (332, Basic, 28, ... 02582 1604 NtWaitForSingleObject (244, 0, 0x0, ... 02152 212 NtWaitForSingleObject ... ) == 0x0 02578 1728 NtSetEventBoostPriority ... ) == 0x0 02577 1240 NtRegisterThreadTerminatePort ... ) == 0x0 02583 1272 NtRegisterThreadTerminatePort (24, ... 02580 1156 NtTestAlert ... ) == 0x0 02581 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1736,Tid=1520,}, 0x0, ) == 0x0 02584 1700 NtTestAlert (... 02585 212 NtSetEventBoostPriority (128, ... 02586 1240 NtWaitForSingleObject (244, 0, 0x0, ... 02583 1272 NtRegisterThreadTerminatePort ... ) == 0x0 02587 1156 NtContinue (47643952, 1, ... 02588 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75599, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\310\6\0\0\360\5\0\0" ... ... 02174 1764 NtWaitForSingleObject ... ) == 0x0 02585 212 NtSetEventBoostPriority ... ) == 0x0 02584 1700 NtTestAlert ... ) == 0x0 02589 1728 NtTestAlert (... 02590 1272 NtWaitForSingleObject (244, 0, 0x0, ... 02591 1156 NtRegisterThreadTerminatePort (24, ... 02592 1764 NtSetEventBoostPriority (128, ... 02588 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75600, 0} ... {28, 56, reply, 0, 1736, 1744, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\1\0\0\310\6\0\0\360\5\0\0" ) ) == 0x0 02593 1700 NtContinue (39124272, 1, ... 02589 1728 NtTestAlert ... ) == 0x0 02594 212 NtTestAlert (... 02186 464 NtWaitForSingleObject ... ) == 0x0 02592 1764 NtSetEventBoostPriority ... ) == 0x0 02591 1156 NtRegisterThreadTerminatePort ... ) == 0x0 02595 1744 NtResumeThread (332, ... 02596 1700 NtRegisterThreadTerminatePort (24, ... 02597 1728 NtContinue (40172848, 1, ... 
02598 464 NtSetEventBoostPriority (128, ... 02594 212 NtTestAlert ... ) == 0x0 02599 1156 NtWaitForSingleObject (244, 0, 0x0, ... 02595 1744 NtResumeThread ... 1, ) == 0x0 02596 1700 NtRegisterThreadTerminatePort ... ) == 0x0 02199 1536 NtWaitForSingleObject ... ) == 0x0 02598 464 NtSetEventBoostPriority ... ) == 0x0 02600 1728 NtRegisterThreadTerminatePort (24, ... 02601 212 NtContinue (41221424, 1, ... 02602 1764 NtTestAlert (... 02603 1520 NtWaitForSingleObject (128, 0, 0x0, ... 02604 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02605 1536 NtSetEventBoostPriority (128, ... 02606 1700 NtWaitForSingleObject (244, 0, 0x0, ... 02600 1728 NtRegisterThreadTerminatePort ... ) == 0x0 02607 212 NtRegisterThreadTerminatePort (24, ... 02602 1764 NtTestAlert ... ) == 0x0 02211 1904 NtWaitForSingleObject ... ) == 0x0 02605 1536 NtSetEventBoostPriority ... ) == 0x0 02604 1744 NtAllocateVirtualMemory ... 70713344, 1048576, ) == 0x0 02608 464 NtTestAlert (... 02609 1728 NtWaitForSingleObject (244, 0, 0x0, ... 02607 212 NtRegisterThreadTerminatePort ... ) == 0x0 02610 1904 NtSetEventBoostPriority (128, ... 02611 1764 NtContinue (42270000, 1, ... 02612 1744 NtAllocateVirtualMemory (-1, 71753728, 0, 8192, 4096, 4, ... 02608 464 NtTestAlert ... ) == 0x0 02613 1536 NtTestAlert (... 02233 1648 NtWaitForSingleObject ... ) == 0x0 02610 1904 NtSetEventBoostPriority ... ) == 0x0 02614 212 NtWaitForSingleObject (244, 0, 0x0, ... 02615 1764 NtRegisterThreadTerminatePort (24, ... 02616 464 NtContinue (43318576, 1, ... 02617 1648 NtSetEventBoostPriority (128, ... 02613 1536 NtTestAlert ... ) == 0x0 02612 1744 NtAllocateVirtualMemory ... 71753728, 8192, ) == 0x0 02618 1904 NtTestAlert (... 02615 1764 NtRegisterThreadTerminatePort ... ) == 0x0 02245 148 NtWaitForSingleObject ... ) == 0x0 02617 1648 NtSetEventBoostPriority ... ) == 0x0 02619 464 NtRegisterThreadTerminatePort (24, ... 02620 1536 NtContinue (44367152, 1, ... 
02621 1744 NtProtectVirtualMemory (-1, (0x446e000), 4096, 260, ... 02618 1904 NtTestAlert ... ) == 0x0 02622 148 NtSetEventBoostPriority (128, ... 02623 1764 NtWaitForSingleObject (244, 0, 0x0, ... 02619 464 NtRegisterThreadTerminatePort ... ) == 0x0 02624 1536 NtRegisterThreadTerminatePort (24, ... 02621 1744 NtProtectVirtualMemory ... (0x446e000), 4096, 4, ) == 0x0 02258 1896 NtWaitForSingleObject ... ) == 0x0 02622 148 NtSetEventBoostPriority ... ) == 0x0 02625 1904 NtContinue (45415728, 1, ... 02626 1648 NtTestAlert (... 02627 464 NtWaitForSingleObject (244, 0, 0x0, ... 02624 1536 NtRegisterThreadTerminatePort ... ) == 0x0 02628 1896 NtSetEventBoostPriority (128, ... 02629 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02630 1904 NtRegisterThreadTerminatePort (24, ... 02626 1648 NtTestAlert ... ) == 0x0 02631 148 NtTestAlert (... 02270 432 NtWaitForSingleObject ... ) == 0x0 02628 1896 NtSetEventBoostPriority ... ) == 0x0 02632 1536 NtWaitForSingleObject (244, 0, 0x0, ... 02629 1744 NtCreateThread ... 500, {1736, 168}, ) == 0x0 02630 1904 NtRegisterThreadTerminatePort ... ) == 0x0 02633 1648 NtContinue (46464304, 1, ... 02634 432 NtSetEventBoostPriority (128, ... 02631 148 NtTestAlert ... ) == 0x0 02635 1896 NtTestAlert (... 02636 1744 NtQueryInformationThread (500, Basic, 28, ... 02637 1904 NtWaitForSingleObject (244, 0, 0x0, ... 02291 388 NtWaitForSingleObject ... ) == 0x0 02634 432 NtSetEventBoostPriority ... ) == 0x0 02638 1648 NtRegisterThreadTerminatePort (24, ... 02639 148 NtContinue (48692528, 1, ... 02635 1896 NtTestAlert ... ) == 0x0 02636 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1736,Tid=168,}, 0x0, ) == 0x0 02640 388 NtSetEventBoostPriority (128, ... 02638 1648 NtRegisterThreadTerminatePort ... ) == 0x0 02641 148 NtRegisterThreadTerminatePort (24, ... 02642 1896 NtContinue (49741104, 1, ... 02304 1864 NtWaitForSingleObject ... ) == 0x0 02640 388 NtSetEventBoostPriority ... 
) == 0x0 02643 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75600, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\310\6\0\0\250\0\0\0" ... ... 02644 1648 NtWaitForSingleObject (244, 0, 0x0, ... 02641 148 NtRegisterThreadTerminatePort ... ) == 0x0 02645 1864 NtSetEventBoostPriority (128, ... 02646 1896 NtRegisterThreadTerminatePort (24, ... 02647 432 NtTestAlert (... 02643 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75601, 0} ... {28, 56, reply, 0, 1736, 1744, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\310\6\0\0\250\0\0\0" ) ) == 0x0 02648 388 NtTestAlert (... 02317 1524 NtWaitForSingleObject ... ) == 0x0 02645 1864 NtSetEventBoostPriority ... ) == 0x0 02649 148 NtWaitForSingleObject (244, 0, 0x0, ... 02646 1896 NtRegisterThreadTerminatePort ... ) == 0x0 02647 432 NtTestAlert ... ) == 0x0 02650 1744 NtResumeThread (500, ... 02651 1524 NtSetEventBoostPriority (128, ... 02648 388 NtTestAlert ... ) == 0x0 02652 1864 NtTestAlert (... 02653 1896 NtWaitForSingleObject (244, 0, 0x0, ... 02654 432 NtContinue (50789680, 1, ... 02329 240 NtWaitForSingleObject ... ) == 0x0 02651 1524 NtSetEventBoostPriority ... ) == 0x0 02650 1744 NtResumeThread ... 1, ) == 0x0 02655 388 NtContinue (51838256, 1, ... 02652 1864 NtTestAlert ... ) == 0x0 02656 168 NtWaitForSingleObject (128, 0, 0x0, ... 02657 240 NtSetEventBoostPriority (128, ... 02658 432 NtRegisterThreadTerminatePort (24, ... 02659 1524 NtTestAlert (... 02660 388 NtRegisterThreadTerminatePort (24, ... 02661 1864 NtContinue (52886832, 1, ... 02351 308 NtWaitForSingleObject ... ) == 0x0 02657 240 NtSetEventBoostPriority ... ) == 0x0 02658 432 NtRegisterThreadTerminatePort ... ) == 0x0 02659 1524 NtTestAlert ... ) == 0x0 02660 388 NtRegisterThreadTerminatePort ... ) == 0x0 02662 308 NtSetEventBoostPriority (128, ... 02663 1864 NtRegisterThreadTerminatePort (24, ... 02664 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
02665 432 NtWaitForSingleObject (244, 0, 0x0, ... 02666 1524 NtContinue (53935408, 1, ... 02363 276 NtWaitForSingleObject ... ) == 0x0 02662 308 NtSetEventBoostPriority ... ) == 0x0 02667 388 NtWaitForSingleObject (244, 0, 0x0, ... 02663 1864 NtRegisterThreadTerminatePort ... ) == 0x0 02664 1744 NtAllocateVirtualMemory ... 71761920, 1048576, ) == 0x0 02668 240 NtTestAlert (... 02669 276 NtSetEventBoostPriority (128, ... 02670 1524 NtRegisterThreadTerminatePort (24, ... 02671 308 NtTestAlert (... 02672 1864 NtWaitForSingleObject (244, 0, 0x0, ... 02673 1744 NtAllocateVirtualMemory (-1, 72802304, 0, 8192, 4096, 4, ... 02376 1496 NtWaitForSingleObject ... ) == 0x0 02669 276 NtSetEventBoostPriority ... ) == 0x0 02668 240 NtTestAlert ... ) == 0x0 02670 1524 NtRegisterThreadTerminatePort ... ) == 0x0 02671 308 NtTestAlert ... ) == 0x0 02674 1496 NtSetEventBoostPriority (128, ... 02673 1744 NtAllocateVirtualMemory ... 72802304, 8192, ) == 0x0 02675 240 NtContinue (54983984, 1, ... 02676 1524 NtWaitForSingleObject (244, 0, 0x0, ... 02388 1592 NtWaitForSingleObject ... ) == 0x0 02674 1496 NtSetEventBoostPriority ... ) == 0x0 02677 308 NtContinue (56032560, 1, ... 02678 1744 NtProtectVirtualMemory (-1, (0x456e000), 4096, 260, ... 02679 240 NtRegisterThreadTerminatePort (24, ... 02680 276 NtTestAlert (... 02681 1592 NtSetEventBoostPriority (128, ... 02682 308 NtRegisterThreadTerminatePort (24, ... 02678 1744 NtProtectVirtualMemory ... (0x456e000), 4096, 4, ) == 0x0 02679 240 NtRegisterThreadTerminatePort ... ) == 0x0 02410 2032 NtWaitForSingleObject ... ) == 0x0 02681 1592 NtSetEventBoostPriority ... ) == 0x0 02680 276 NtTestAlert ... ) == 0x0 02682 308 NtRegisterThreadTerminatePort ... ) == 0x0 02683 1496 NtTestAlert (... 02684 2032 NtSetEventBoostPriority (128, ... 02685 240 NtWaitForSingleObject (244, 0, 0x0, ... 02686 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02687 276 NtContinue (57081136, 1, ... 02688 308 NtWaitForSingleObject (244, 0, 0x0, ... 
02422 1528 NtWaitForSingleObject ... ) == 0x0 02684 2032 NtSetEventBoostPriority ... ) == 0x0 02683 1496 NtTestAlert ... ) == 0x0 02689 1592 NtTestAlert (... 02686 1744 NtCreateThread ... 504, {1736, 1740}, ) == 0x0 02690 276 NtRegisterThreadTerminatePort (24, ... 02691 1528 NtAllocateVirtualMemory (-1, 3629056, 0, 4096, 4096, 4, ... 02692 1496 NtContinue (58129712, 1, ... 02689 1592 NtTestAlert ... ) == 0x0 02693 1744 NtQueryInformationThread (504, Basic, 28, ... 02691 1528 NtAllocateVirtualMemory ... 3629056, 4096, ) == 0x0 02690 276 NtRegisterThreadTerminatePort ... ) == 0x0 02694 1496 NtRegisterThreadTerminatePort (24, ... 02695 1592 NtContinue (59178288, 1, ... 02693 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1736,Tid=1740,}, 0x0, ) == 0x0 02696 2032 NtTestAlert (... 02697 276 NtWaitForSingleObject (244, 0, 0x0, ... 02694 1496 NtRegisterThreadTerminatePort ... ) == 0x0 02698 1592 NtRegisterThreadTerminatePort (24, ... 02699 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75601, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\310\6\0\0\314\6\0\0" ... ... 02696 2032 NtTestAlert ... ) == 0x0 02700 1528 NtSetEventBoostPriority (128, ... 02701 1496 NtWaitForSingleObject (244, 0, 0x0, ... 02698 1592 NtRegisterThreadTerminatePort ... ) == 0x0 02702 2032 NtContinue (60226864, 1, ... 02435 932 NtWaitForSingleObject ... ) == 0x0 02700 1528 NtSetEventBoostPriority ... ) == 0x0 02699 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75602, 0} ... {28, 56, reply, 0, 1736, 1744, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\310\6\0\0\314\6\0\0" ) ) == 0x0 02703 1592 NtWaitForSingleObject (244, 0, 0x0, ... 02704 932 NtSetEventBoostPriority (128, ... 02705 2032 NtRegisterThreadTerminatePort (24, ... 02706 1528 NtTestAlert (... 02707 1744 NtResumeThread (504, ... 02447 1128 NtWaitForSingleObject ... ) == 0x0 02704 932 NtSetEventBoostPriority ... 
) == 0x0 02705 2032 NtRegisterThreadTerminatePort ... ) == 0x0 02706 1528 NtTestAlert ... ) == 0x0 02708 1128 NtSetEventBoostPriority (128, ... 02707 1744 NtResumeThread ... 1, ) == 0x0 02709 2032 NtWaitForSingleObject (244, 0, 0x0, ... 02469 1644 NtWaitForSingleObject ... ) == 0x0 02708 1128 NtSetEventBoostPriority ... ) == 0x0 02710 1528 NtContinue (61275440, 1, ... 02711 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02712 932 NtTestAlert (... 02713 1740 NtWaitForSingleObject (128, 0, 0x0, ... 02714 1644 NtSetEventBoostPriority (128, ... 02715 1528 NtRegisterThreadTerminatePort (24, ... 02711 1744 NtAllocateVirtualMemory ... 72810496, 1048576, ) == 0x0 02712 932 NtTestAlert ... ) == 0x0 02481 336 NtWaitForSingleObject ... ) == 0x0 02714 1644 NtSetEventBoostPriority ... ) == 0x0 02716 1128 NtTestAlert (... 02717 1744 NtAllocateVirtualMemory (-1, 73850880, 0, 8192, 4096, 4, ... 02718 336 NtSetEventBoostPriority (128, ... 02719 932 NtContinue (62324016, 1, ... 02715 1528 NtRegisterThreadTerminatePort ... ) == 0x0 02716 1128 NtTestAlert ... ) == 0x0 02720 1644 NtTestAlert (... 02490 380 NtWaitForSingleObject ... ) == 0x0 02718 336 NtSetEventBoostPriority ... ) == 0x0 02721 932 NtRegisterThreadTerminatePort (24, ... 02722 1528 NtWaitForSingleObject (244, 0, 0x0, ... 02723 1128 NtContinue (63372592, 1, ... 02724 380 NtSetEventBoostPriority (128, ... 02720 1644 NtTestAlert ... ) == 0x0 02717 1744 NtAllocateVirtualMemory ... 73850880, 8192, ) == 0x0 02721 932 NtRegisterThreadTerminatePort ... ) == 0x0 02497 504 NtWaitForSingleObject ... ) == 0x0 02724 380 NtSetEventBoostPriority ... ) == 0x0 02725 1128 NtRegisterThreadTerminatePort (24, ... 02726 1644 NtContinue (64421168, 1, ... 02727 1744 NtProtectVirtualMemory (-1, (0x466e000), 4096, 260, ... 02728 504 NtSetEventBoostPriority (128, ... 02729 932 NtWaitForSingleObject (244, 0, 0x0, ... 02730 336 NtTestAlert (... 02725 1128 NtRegisterThreadTerminatePort ... 
) == 0x0 02731 1644 NtRegisterThreadTerminatePort (24, ... 02508 488 NtWaitForSingleObject ... ) == 0x0 02728 504 NtSetEventBoostPriority ... ) == 0x0 02727 1744 NtProtectVirtualMemory ... (0x466e000), 4096, 4, ) == 0x0 02732 380 NtOpenThreadToken (-2, 0xc, 1, ... 02730 336 NtTestAlert ... ) == 0x0 02733 1128 NtWaitForSingleObject (244, 0, 0x0, ... 02734 488 NtSetEventBoostPriority (128, ... 02731 1644 NtRegisterThreadTerminatePort ... ) == 0x0 02735 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02732 380 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02736 336 NtContinue (65469744, 1, ... 02737 504 NtTestAlert (... 02529 1948 NtWaitForSingleObject ... ) == 0x0 02734 488 NtSetEventBoostPriority ... ) == 0x0 02738 1644 NtWaitForSingleObject (244, 0, 0x0, ... 02735 1744 NtCreateThread ... 508, {1736, 1420}, ) == 0x0 02739 380 NtCreateSemaphore (0x1f0003, {24, 16, 0x80, 1338216, 0, (0x1f0003, {24, 16, 0x80, 1338216, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... }, 0, 2147483647, ... 02740 336 NtRegisterThreadTerminatePort (24, ... 02741 1948 NtSetEventBoostPriority (128, ... 02737 504 NtTestAlert ... ) == 0x0 02742 488 NtTestAlert (... 02743 1744 NtQueryInformationThread (508, Basic, 28, ... 02739 380 NtCreateSemaphore ... 512, ) == STATUS_OBJECT_NAME_EXISTS 02546 1692 NtWaitForSingleObject ... ) == 0x0 02741 1948 NtSetEventBoostPriority ... ) == 0x0 02740 336 NtRegisterThreadTerminatePort ... ) == 0x0 02744 504 NtContinue (66518320, 1, ... 02742 488 NtTestAlert ... ) == 0x0 02745 1692 NtSetEventBoostPriority (128, ... 02746 380 NtReleaseSemaphore (512, 1, ... 02743 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1736,Tid=1420,}, 0x0, ) == 0x0 02747 336 NtWaitForSingleObject (244, 0, 0x0, ... 02748 504 NtRegisterThreadTerminatePort (24, ... 02549 752 NtWaitForSingleObject ... ) == 0x0 02745 1692 NtSetEventBoostPriority ... ) == 0x0 02749 488 NtContinue (67566896, 1, ... 
02746 380 NtReleaseSemaphore ... 0, ) == 0x0 02750 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75602, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\310\6\0\0\214\5\0\0" ... ... 02751 1948 NtTestAlert (... 02752 752 NtSetEventBoostPriority (128, ... 02748 504 NtRegisterThreadTerminatePort ... ) == 0x0 02753 488 NtRegisterThreadTerminatePort (24, ... 02754 1692 NtTestAlert (... 02750 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75603, 0} ... {28, 56, reply, 0, 1736, 1744, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\310\6\0\0\214\5\0\0" ) ) == 0x0 02603 1520 NtWaitForSingleObject ... ) == 0x0 02752 752 NtSetEventBoostPriority ... ) == 0x0 02751 1948 NtTestAlert ... ) == 0x0 02755 504 NtWaitForSingleObject (244, 0, 0x0, ... 02753 488 NtRegisterThreadTerminatePort ... ) == 0x0 02754 1692 NtTestAlert ... ) == 0x0 02756 1520 NtSetEventBoostPriority (128, ... 02757 1744 NtResumeThread (508, ... 02758 380 NtWaitForSingleObject (512, 0, {0, 0}, ... 02759 1948 NtContinue (68615472, 1, ... 02760 752 NtWaitForSingleObject (128, 0, 0x0, ... 02761 488 NtWaitForSingleObject (244, 0, 0x0, ... 02656 168 NtWaitForSingleObject ... ) == 0x0 02756 1520 NtSetEventBoostPriority ... ) == 0x0 02762 1692 NtContinue (69664048, 1, ... 02757 1744 NtResumeThread ... 1, ) == 0x0 02758 380 NtWaitForSingleObject ... ) == 0x0 02763 1948 NtRegisterThreadTerminatePort (24, ... 02764 1420 NtWaitForSingleObject (128, 0, 0x0, ... 02765 168 NtSetEventBoostPriority (128, ... 02766 1692 NtRegisterThreadTerminatePort (24, ... 02767 1520 NtTestAlert (... 02768 380 NtCreateKey (0x2000000, {24, 140, 0x40, 0, 0, (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02763 1948 NtRegisterThreadTerminatePort ... ) == 0x0 02713 1740 NtWaitForSingleObject ... ) == 0x0 02765 168 NtSetEventBoostPriority ... 
) == 0x0 02766 1692 NtRegisterThreadTerminatePort ... ) == 0x0 02767 1520 NtTestAlert ... ) == 0x0 02768 380 NtCreateKey ... 516, 2, ) == 0x0 02769 1740 NtSetEventBoostPriority (128, ... 02770 1948 NtWaitForSingleObject (244, 0, 0x0, ... 02771 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02772 1692 NtWaitForSingleObject (244, 0, 0x0, ... 02773 1520 NtContinue (70712624, 1, ... 02760 752 NtWaitForSingleObject ... ) == 0x0 02769 1740 NtSetEventBoostPriority ... ) == 0x0 02774 380 NtQueryValueKey (516, (516, "Cache", Partial, 144, ... , Partial, 144, ... 02775 168 NtTestAlert (... 02771 1744 NtAllocateVirtualMemory ... 73859072, 1048576, ) == 0x0 02776 752 NtSetEventBoostPriority (128, ... 02777 1520 NtRegisterThreadTerminatePort (24, ... 02778 1740 NtTestAlert (... 02775 168 NtTestAlert ... ) == 0x0 02764 1420 NtWaitForSingleObject ... ) == 0x0 02776 752 NtSetEventBoostPriority ... ) == 0x0 02779 1744 NtAllocateVirtualMemory (-1, 74899456, 0, 8192, 4096, 4, ... 02777 1520 NtRegisterThreadTerminatePort ... ) == 0x0 02778 1740 NtTestAlert ... ) == 0x0 02780 1420 NtTestAlert (... 02781 168 NtContinue (71761200, 1, ... 02782 752 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 13696640, 67, ... }, 0x0, 0, 3, 3, 0, 13696640, 67, ... 02779 1744 NtAllocateVirtualMemory ... 74899456, 8192, ) == 0x0 02783 1520 NtWaitForSingleObject (244, 0, 0x0, ... 02780 1420 NtTestAlert ... ) == 0x0 02784 1740 NtContinue (72809776, 1, ... 02785 168 NtRegisterThreadTerminatePort (24, ... 02774 380 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 02786 1744 NtProtectVirtualMemory (-1, (0x476e000), 4096, 260, ... 02782 752 NtCreateFile ... 
520, {status=0x0, info=0}, ) == 0x0 02787 1740 NtRegisterThreadTerminatePort (24, ... 02785 168 NtRegisterThreadTerminatePort ... ) == 0x0 02788 380 NtClose (516, ... 02786 1744 NtProtectVirtualMemory ... (0x476e000), 4096, 4, ) == 0x0 02789 752 NtDeviceIoControlFile (520, 240, 0x0, 0x0, 0x1207b, (520, 240, 0x0, 0x0, 0x1207b, "\7\0\0\0\250q\250q%\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ... 02787 1740 NtRegisterThreadTerminatePort ... ) == 0x0 02790 168 NtWaitForSingleObject (244, 0, 0x0, ... 02788 380 NtClose ... ) == 0x0 02791 1420 NtContinue (73858352, 1, ... 02789 752 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0X$\252\201", ) , ) == 0x0 02792 1740 NtWaitForSingleObject (244, 0, 0x0, ... 02793 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02794 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 14740804, ... }, 14740804, ... 02795 1420 NtRegisterThreadTerminatePort (24, ... 02796 752 NtDeviceIoControlFile (520, 240, 0x0, 0x0, 0x1207b, (520, 240, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0X$\252\201", 16, 16, ... , 16, 16, ... 02793 1744 NtCreateThread ... 516, {1736, 896}, ) == 0x0 02795 1420 NtRegisterThreadTerminatePort ... ) == 0x0 02796 752 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0X$\252\201", ) , ) == 0x0 02797 1744 NtQueryInformationThread (516, Basic, 28, ... 02798 1420 NtWaitForSingleObject (244, 0, 0x0, ... 
02799 752 NtDeviceIoControlFile (520, 240, 0x0, 0x0, 0x12047, (520, 240, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\224\375\320\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 02797 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1736,Tid=896,}, 0x0, ) == 0x0 02794 380 NtQueryAttributesFile ... ) == 0x0 02800 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75603, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\310\6\0\0\200\3\0\0" ... ... 02801 380 NtCreateKey (0x2000000, {24, 140, 0x40, 0, 0, (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 524, 2, ) }, 0, 0x0, 0, ... 524, 2, ) == 0x0 02802 380 NtSetValueKey (524, (524, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 0, 1, (524, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 162, ... ) == 0x0 02803 380 NtClose (524, ... 
) == 0x0 02804 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 14741496, ... ) }, 14741496, ... ) == 0x0 02805 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 14740704, ... ) }, 14740704, ... ) == 0x0 02806 380 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 7, 2113568, ... }, 7, 2113568, ... 02799 752 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02800 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75604, 0} ... {28, 56, reply, 0, 1736, 1744, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\310\6\0\0\200\3\0\0" ) ) == 0x0 02807 752 NtWaitForSingleObject (192, 0, {0, 0}, ... 02808 1744 NtResumeThread (516, ... 02807 752 NtWaitForSingleObject ... ) == 0x102 02808 1744 NtResumeThread ... 1, ) == 0x0 02809 752 NtDeviceIoControlFile (520, 240, 0x0, 0x0, 0x12003, (520, 240, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02810 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 74907648, 1048576, ) == 0x0 02811 1744 NtAllocateVirtualMemory (-1, 75948032, 0, 8192, 4096, 4, ... 75948032, 8192, ) == 0x0 02812 1744 NtProtectVirtualMemory (-1, (0x486e000), 4096, 260, ... (0x486e000), 4096, 4, ) == 0x0 02813 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 524, {1736, 792}, ) == 0x0 02814 1744 NtQueryInformationThread (524, Basic, 28, ... 02806 380 NtOpenFile ... 528, {status=0x0, info=1}, ) == 0x0 02815 896 NtTestAlert (... 02809 752 NtDeviceIoControlFile ... {status=0x0, info=532}, ... 
{status=0x0, info=532}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02816 380 NtSetInformationFile (528, 14740676, 40, Basic, ... 02815 896 NtTestAlert ... ) == 0x0 02817 752 NtDeviceIoControlFile (520, 240, 0x0, 0x0, 0x12047, (520, 240, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02816 380 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02818 896 NtContinue (74906928, 1, ... 02817 752 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02819 380 NtClose (528, ... 02820 896 NtRegisterThreadTerminatePort (24, ... 02821 752 NtDeviceIoControlFile (520, 240, 0x0, 0x0, 0x12037, (520, 240, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 02819 380 NtClose ... ) == 0x0 02820 896 NtRegisterThreadTerminatePort ... ) == 0x0 02821 752 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02822 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\desktop.ini"}, 14740700, ... }, 14740700, ... 02814 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1736,Tid=792,}, 0x0, ) == 0x0 02823 752 NtDeviceIoControlFile (520, 240, 0x0, 0x0, 0x1200b, (520, 240, 0x0, 0x0, 0x1200b, "\0\376\320\0\5\0\0\0\0\357\24\0", 12, 0, ... , 12, 0, ... 02824 896 NtWaitForSingleObject (244, 0, 0x0, ... 
02825 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75604, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\310\6\0\0\30\3\0\0" ... ... 02822 380 NtQueryAttributesFile ... ) == 0x0 02825 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75605, 0} ... {28, 56, reply, 0, 1736, 1744, 75605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\310\6\0\0\30\3\0\0" ) ) == 0x0 02826 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 14741496, ... }, 14741496, ... 02827 1744 NtResumeThread (524, ... 02826 380 NtQueryAttributesFile ... ) == 0x0 02827 1744 NtResumeThread ... 1, ) == 0x0 02828 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 14740704, ... }, 14740704, ... 02823 752 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02829 792 NtTestAlert (... 02828 380 NtQueryAttributesFile ... ) == 0x0 02830 752 NtDeviceIoControlFile (520, 240, 0x0, 0x0, 0x12047, (520, 240, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\320\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02829 792 NtTestAlert ... ) == 0x0 02831 380 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 7, 2113568, ... }, 7, 2113568, ... 
02830 752 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02832 792 NtContinue (75955504, 1, ... 02833 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02834 752 NtDeviceIoControlFile (520, 240, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... 02835 792 NtRegisterThreadTerminatePort (24, ... 02833 1744 NtAllocateVirtualMemory ... 75956224, 1048576, ) == 0x0 02834 752 NtDeviceIoControlFile ... {status=0x0, info=26}, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02835 792 NtRegisterThreadTerminatePort ... ) == 0x0 02836 1744 NtAllocateVirtualMemory (-1, 76996608, 0, 8192, 4096, 4, ... 02837 752 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 02831 380 NtOpenFile ... 528, {status=0x0, info=1}, ) == 0x0 02836 1744 NtAllocateVirtualMemory ... 76996608, 8192, ) == 0x0 02838 792 NtWaitForSingleObject (244, 0, 0x0, ... 02839 380 NtSetInformationFile (528, 14740676, 40, Basic, ... 02840 1744 NtProtectVirtualMemory (-1, (0x496e000), 4096, 260, ... 02839 380 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02840 1744 NtProtectVirtualMemory ... (0x496e000), 4096, 4, ) == 0x0 02841 380 NtClose (528, ... 02837 752 NtAllocateVirtualMemory ... 1384448, 4096, ) == 0x0 02841 380 NtClose ... ) == 0x0 02842 752 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ... 02843 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 14740700, ... }, 14740700, ... 02842 752 NtOpenFile ... 528, {status=0x0, info=0}, ) == 0x0 02844 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
02845 752 NtDeviceIoControlFile (528, 0, 0x0, 0x0, 0x390008, (528, 0, 0x0, 0x0, 0x390008, "\367\322K>\225^\225\241,\3756\\222\352\265I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 02844 1744 NtCreateThread ... 536, {1736, 1252}, ) == 0x0 02846 752 NtQuerySystemInformation (TimeOfDay, 48, ... 02847 1744 NtQueryInformationThread (536, Basic, 28, ... 02846 752 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02847 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1736,Tid=1252,}, 0x0, ) == 0x0 02843 380 NtQueryAttributesFile ... ) == 0x0 02848 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75605, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\310\6\0\0\344\4\0\0" ... ... 02849 380 NtQueryValueKey (336, (336, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02850 380 NtQueryValueKey (336, (336, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02851 380 NtQueryValueKey (336, (336, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "CacheLimit", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) }, 16, ) == 0x0 02852 380 NtOpenKey (0xf, {24, 328, 0x40, 0, 0, (0xf, {24, 328, 0x40, 0, 0, "Cookies"}, ... 540, ) }, ... 540, ) == 0x0 02853 380 NtQueryValueKey (540, (540, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02854 380 NtOpenKey (0xf, {24, 324, 0x40, 0, 0, (0xf, {24, 324, 0x40, 0, 0, "Cookies"}, ... }, ... 02855 752 NtQuerySystemInformation (ProcessorTimes, 48, ... 02848 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75606, 0} ... {28, 56, reply, 0, 1736, 1744, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\310\6\0\0\344\4\0\0" ) ) == 0x0 02855 752 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02856 1744 NtResumeThread (536, ... 02857 752 NtQuerySystemInformation (Performance, 312, ... 02856 1744 NtResumeThread ... 1, ) == 0x0 02857 752 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02858 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02859 752 NtQuerySystemInformation (Exception, 16, ... 02858 1744 NtAllocateVirtualMemory ... 77004800, 1048576, ) == 0x0 02859 752 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02860 1744 NtAllocateVirtualMemory (-1, 78045184, 0, 8192, 4096, 4, ... 02854 380 NtOpenKey ... 544, ) == 0x0 02861 1252 NtTestAlert (... 02862 752 NtQuerySystemInformation (Lookaside, 32, ... 02863 380 NtQueryValueKey (544, (544, "PerUserItem", Partial, 144, ... , Partial, 144, ... 02861 1252 NtTestAlert ... ) == 0x0 02862 752 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02863 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02864 1252 NtContinue (77004080, 1, ... 02865 752 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02866 380 NtClose (544, ... 02867 1252 NtRegisterThreadTerminatePort (24, ... 02865 752 NtQuerySystemInformation ... 
{system info, class 23, size 0}, 0, ) == 0x0 02866 380 NtClose ... ) == 0x0 02867 1252 NtRegisterThreadTerminatePort ... ) == 0x0 02868 752 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02869 380 NtClose (540, ... 02860 1744 NtAllocateVirtualMemory ... 78045184, 8192, ) == 0x0 02868 752 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02870 1252 NtWaitForSingleObject (244, 0, 0x0, ... 02871 1744 NtProtectVirtualMemory (-1, (0x4a6e000), 4096, 260, ... 02869 380 NtClose ... ) == 0x0 02871 1744 NtProtectVirtualMemory ... (0x4a6e000), 4096, 4, ) == 0x0 02872 380 NtClose (336, ... 02873 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02872 380 NtClose ... ) == 0x0 02873 1744 NtCreateThread ... 336, {1736, 384}, ) == 0x0 02874 380 NtOpenKey (0xf, {24, 328, 0x40, 0, 0, (0xf, {24, 328, 0x40, 0, 0, "Cookies"}, ... }, ... 02875 1744 NtQueryInformationThread (336, Basic, 28, ... 02874 380 NtOpenKey ... 540, ) == 0x0 02876 752 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02877 380 NtOpenThreadToken (-2, 0xc, 1, ... 02876 752 NtCreateKey ... -2147482564, 2, ) == 0x0 02875 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1736,Tid=384,}, 0x0, ) == 0x0 02878 752 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\11\205\342F\260\241\7!:\346"\2332\361\254\326`\321L2\312}9\352z\324o\256\330\360\374{i&:\11\332T)\301\1\3545\3656\355hB\242\315|$e\226\263\205\233\331\217]\254\266\14\331$U\243\31\335\33\30\201\304ZRs\240\272\147", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "\11\205\342F\260\241\7!:\346"\2332\361\254\326`\321L2\312}9\352z\324o\256\330\360\374{i&:\11\332T)\301\1\3545\3656\355hB\242\315|$e\226\263\205\233\331\217]\254\266\14\331$U\243\31\335\33\30\201\304ZRs\240\272\147", 80, ... 
\2332\361\254\326`\321L2\312}9\352z\324o\256\330\360\374{i&:\11\332T)\301\1\3545\3656\355hB\242\315|$e\226\263\205\233\331\217]\254\266\14\331$U\243\31\335\33\30\201\304ZRs\240\272\147", 80, ... 02879 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75606, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\310\6\0\0\200\1\0\0" ... ... 02877 380 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02879 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75607, 0} ... {28, 56, reply, 0, 1736, 1744, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\310\6\0\0\200\1\0\0" ) ) == 0x0 02880 380 NtReleaseSemaphore (512, 1, ... 02881 1744 NtResumeThread (336, ... 02880 380 NtReleaseSemaphore ... 0, ) == 0x0 02881 1744 NtResumeThread ... 1, ) == 0x0 02882 380 NtWaitForSingleObject (512, 0, {0, 0}, ... 02878 752 NtSetValueKey ... ) == 0x0 02883 384 NtTestAlert (... 02882 380 NtWaitForSingleObject ... ) == 0x0 02884 752 NtClose (-2147482564, ... 02883 384 NtTestAlert ... ) == 0x0 02885 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02884 752 NtClose ... ) == 0x0 02886 384 NtContinue (78052656, 1, ... 02885 1744 NtAllocateVirtualMemory ... 78053376, 1048576, ) == 0x0 02845 752 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "{\177\207\20\215>\5\6\1778\6(\247\4\303\335\345_/\300K\273\224x\300\216\253\255}&+\320\341V\363\301\2604\362\25\305\362\354\210\225\353\164X\31\310\340.\270%\234\341\321r"Y\377@Gt\327T\264\266d\321\321T\306\275\341\213X\262\207\17\371\3662\364\10\275\273\351n\223\351\335#\253\207c\257^m\262\351\245\27\277\200_\377\317\16kg8\3004\31t377@Gt\327T\264\266d\321\321T\306\275\341\213X\262\207\17\371\3662\364\10\275\273\351n\223\351\335#\253\207c\257^m\262\351\245\27\277\200_\377\317\16kg8\3004\31t236\335\310{\245\304\220\251Y\25P\222w\331\306\2000\351jn\225\255\20I/\3306l\333+\217\5\227\234_\3316\225\27T\351\343q\3\350r\317\202\327\36\360?\23\1\177\232\266\206+\262\3275\357,\374\306\211\216TQ\220\231\221\345`\361\203\240\372\326\12\263c6d\5l\207\36E\340\250\267\246\364\2457DUIF\223\210M\03i\16d\215\216\373W\337s\317\354\254\362\333\311\321i&\326\356,\27%\272\357\365?\23#", ) == 0x0 02887 384 NtRegisterThreadTerminatePort (24, ... 02888 1744 NtAllocateVirtualMemory (-1, 79093760, 0, 8192, 4096, 4, ... 02889 752 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02887 384 NtRegisterThreadTerminatePort ... ) == 0x0 02888 1744 NtAllocateVirtualMemory ... 79093760, 8192, ) == 0x0 02889 752 NtCreateEvent ... 544, ) == 0x0 02890 380 NtCreateKey (0x2000000, {24, 140, 0x40, 0, 0, (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02891 1744 NtProtectVirtualMemory (-1, (0x4b6e000), 4096, 260, ... 02892 384 NtWaitForSingleObject (244, 0, 0x0, ... 02890 380 NtCreateKey ... 548, 2, ) == 0x0 02891 1744 NtProtectVirtualMemory ... (0x4b6e000), 4096, 4, ) == 0x0 02893 380 NtQueryValueKey (548, (548, "Cookies", Partial, 144, ... , Partial, 144, ... 02894 752 NtConnectPort ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 13693560, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 13693560, 188, ... 02893 380 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 02895 380 NtClose (548, ... ) == 0x0 02894 752 NtConnectPort ... 548, 0x0, 0x0, 0x0, 188, ) == 0x0 02896 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02897 752 NtRequestWaitReplyPort (548, {200, 224, new_msg, 0, 2883626, 1375800, 12, 2} (548, {200, 224, new_msg, 0, 2883626, 1375800, 12, 2} "\0\1\0\0\360\2\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\107\24\0\1\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\07\244\16\37\6q\26\254\210.\25\0`\1\24\0\12\0\0\0\0\0\0\0\0\4\0\0(\0\0\0\220.\25\0\350\3\212\251\360\2\24\0\260.\25\0`\1\24\0\0\0\0\0\0\0\0\0\260.\25\0P\0\0\0\270.\25\0\360\6\221|\310\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\320\0\372\31\221|\214\370\320\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... ... 02896 1744 NtCreateThread ... 552, {1736, 1028}, ) == 0x0 02898 1744 NtQueryInformationThread (552, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1736,Tid=1028,}, 0x0, ) == 0x0 02899 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75607, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\310\6\0\0\4\4\0\0" ... ... 02897 752 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1736, 752, 75609, 0} ... 
{200, 224, reply, 0, 1736, 752, 75609, 0} "\7\1\0\0\360\2\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\107\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\07\244\16\37\6q\26\254\210.\25\0`\1\24\0\12\0\0\0\0\0\0\0\0\4\0\0(\0\0\0\220.\25\0\350\3\212\251\360\2\24\0\260.\25\0`\1\24\0\0\0\0\0\0\0\0\0\260.\25\0P\0\0\0\270.\25\0\360\6\221|\310\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\320\0\372\31\221|\214\370\320\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) ) == 0x0 02900 752 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 02901 752 NtRequestWaitReplyPort (548, {44, 68, new_msg, 56, 0, 0, 0, 0} (548, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\300\25\0\322\0\0\0" ... {40, 64, reply, 0, 1736, 752, 75611, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200\323\1\0\0\350\370\14\0" ) ... {40, 64, reply, 0, 1736, 752, 75611, 0} (548, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\300\25\0\322\0\0\0" ... {40, 64, reply, 0, 1736, 752, 75611, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200\323\1\0\0\350\370\14\0" ) ) == 0x0 02902 752 NtRequestWaitReplyPort (548, {64, 88, new_msg, 56, 1310720, 13693428, 1388560, 0} (548, {64, 88, new_msg, 56, 1310720, 13693428, 1388560, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\320\0\351\201\347w\214\370\320\0\30\356\220|p\5\221|\1\0\0\0\3700\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 02903 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 14740804, ... }, 14740804, ... 02899 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75610, 0} ... 
{28, 56, reply, 0, 1736, 1744, 75610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\310\6\0\0\4\4\0\0" ) ) == 0x0 02903 380 NtQueryAttributesFile ... ) == 0x0 02904 1744 NtResumeThread (552, ... 02905 380 NtCreateKey (0x2000000, {24, 140, 0x40, 0, 0, (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02904 1744 NtResumeThread ... 1, ) == 0x0 02905 380 NtCreateKey ... 556, 2, ) == 0x0 02906 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02907 380 NtSetValueKey (556, (556, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... , 0, 1, (556, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... , 98, ... 02906 1744 NtAllocateVirtualMemory ... 79101952, 1048576, ) == 0x0 02907 380 NtSetValueKey ... ) == 0x0 02908 1744 NtAllocateVirtualMemory (-1, 80142336, 0, 8192, 4096, 4, ... 02902 752 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1736, 752, 75612, 0} ... {64, 88, reply, 56, 1736, 752, 75612, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\320\0\351\201\347w\214\370\320\0\30\356\220|p\5\221|\1\0\0\0\3700\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 02909 1028 NtTestAlert (... 02910 380 NtClose (556, ... 02911 752 NtRequestWaitReplyPort (548, {44, 68, new_msg, 56, 1736, 752, 75611, 0} (548, {44, 68, new_msg, 56, 1736, 752, 75611, 0} "\1\356\0\0B\2\3\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\300\25\0\322\0\0\0" ... ... 02909 1028 NtTestAlert ... ) == 0x0 02910 380 NtClose ... ) == 0x0 02912 1028 NtContinue (79101232, 1, ... 02913 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 14741496, ... 
}, 14741496, ... 02911 752 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1736, 752, 75613, 0} ... {40, 64, reply, 0, 1736, 752, 75613, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\351\1\0\0\350\232\14\0" ) ) == 0x0 02914 1028 NtRegisterThreadTerminatePort (24, ... 02913 380 NtQueryAttributesFile ... ) == 0x0 02915 752 NtRequestWaitReplyPort (548, {64, 88, new_msg, 56, 1310720, 13693428, 13694172, 0} (548, {64, 88, new_msg, 56, 1310720, 13693428, 13694172, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\320\0\351\201\347w\214\370\320\0\30\356\220|p\5\221|\1\0\0\0\230\27\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 02914 1028 NtRegisterThreadTerminatePort ... ) == 0x0 02916 380 NtQueryValueKey (540, (540, "CachePrefix", Partial, 144, ... , Partial, 144, ... 02908 1744 NtAllocateVirtualMemory ... 80142336, 8192, ) == 0x0 02915 752 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1736, 752, 75614, 0} ... {64, 88, reply, 56, 1736, 752, 75614, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\320\0\351\201\347w\214\370\320\0\30\356\220|p\5\221|\1\0\0\0\230\27\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 02916 380 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 02917 1744 NtProtectVirtualMemory (-1, (0x4c6e000), 4096, 260, ... 02918 752 NtRequestWaitReplyPort (548, {44, 68, new_msg, 56, 1736, 752, 75613, 0} (548, {44, 68, new_msg, 56, 1736, 752, 75613, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\300\25\0\322\0\0\0" ... ... 02919 1028 NtWaitForSingleObject (244, 0, 0x0, ... 02917 1744 NtProtectVirtualMemory ... (0x4c6e000), 4096, 4, ) == 0x0 02920 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 556, {1736, 596}, ) == 0x0 02921 1744 NtQueryInformationThread (556, Basic, 28, ... 02918 752 NtRequestWaitReplyPort ... 
{40, 64, reply, 0, 1736, 752, 75615, 0} ... {40, 64, reply, 0, 1736, 752, 75615, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0|\1\0\0h\236\14\0" ) ) == 0x0 02922 380 NtQueryValueKey (540, (540, "CachePrefix", Partial, 144, ... , Partial, 144, ... 02923 752 NtRequestWaitReplyPort (548, {64, 88, new_msg, 56, 1310720, 13693428, 13694172, 0} (548, {64, 88, new_msg, 56, 1310720, 13693428, 13694172, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\320\0\351\201\347w\214\370\320\0\30\356\220|p\5\221|\1\0\0\0\220\31\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 02922 380 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 02921 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1736,Tid=596,}, 0x0, ) == 0x0 02924 380 NtQueryValueKey (540, (540, "CacheLimit", Partial, 144, ... , Partial, 144, ... 02925 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75610, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\310\6\0\0T\2\0\0" ... ... 02924 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 02925 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75616, 0} ... {28, 56, reply, 0, 1736, 1744, 75616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\310\6\0\0T\2\0\0" ) ) == 0x0 02926 380 NtOpenKey (0xf, {24, 328, 0x40, 0, 0, (0xf, {24, 328, 0x40, 0, 0, "History"}, ... }, ... 02927 1744 NtResumeThread (556, ... 02926 380 NtOpenKey ... 560, ) == 0x0 02927 1744 NtResumeThread ... 1, ) == 0x0 02923 752 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1736, 752, 75617, 0} ... 
{64, 88, reply, 56, 1736, 752, 75617, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\320\0\351\201\347w\214\370\320\0\30\356\220|p\5\221|\1\0\0\0\220\31\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 02928 380 NtQueryValueKey (560, (560, "PerUserItem", Partial, 144, ... , Partial, 144, ... 02929 596 NtTestAlert (... 02930 752 NtClose (544, ... 02928 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02929 596 NtTestAlert ... ) == 0x0 02930 752 NtClose ... ) == 0x0 02931 380 NtOpenKey (0xf, {24, 324, 0x40, 0, 0, (0xf, {24, 324, 0x40, 0, 0, "History"}, ... }, ... 02932 596 NtContinue (80149808, 1, ... 02933 752 NtClose (548, ... 02931 380 NtOpenKey ... 544, ) == 0x0 02934 596 NtRegisterThreadTerminatePort (24, ... 02933 752 NtClose ... ) == 0x0 02935 380 NtQueryValueKey (544, (544, "PerUserItem", Partial, 144, ... , Partial, 144, ... 02934 596 NtRegisterThreadTerminatePort ... ) == 0x0 02936 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02935 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02937 752 NtDeviceIoControlFile (528, 0, 0x0, 0x0, 0x390008, (528, 0, 0x0, 0x0, 0x390008, "\367\322K>\225^\225m\377\5\233t$\165\374*\31q\307\271\6"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 02936 1744 NtAllocateVirtualMemory ... 80150528, 1048576, ) == 0x0 02938 596 NtWaitForSingleObject (244, 0, 0x0, ... 02939 752 NtQuerySystemInformation (TimeOfDay, 48, ... 02940 1744 NtAllocateVirtualMemory (-1, 81190912, 0, 8192, 4096, 4, ... 02939 752 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02940 1744 NtAllocateVirtualMemory ... 81190912, 8192, ) == 0x0 02941 752 NtQuerySystemInformation (ProcessorTimes, 48, ... 02942 1744 NtProtectVirtualMemory (-1, (0x4d6e000), 4096, 260, ... 02941 752 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02942 1744 NtProtectVirtualMemory ... (0x4d6e000), 4096, 4, ) == 0x0 02943 752 NtQuerySystemInformation (Performance, 312, ... 02944 380 NtClose (544, ... 02945 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02944 380 NtClose ... ) == 0x0 02945 1744 NtCreateThread ... 544, {1736, 376}, ) == 0x0 02946 380 NtClose (560, ... 02947 1744 NtQueryInformationThread (544, Basic, 28, ... 02946 380 NtClose ... ) == 0x0 02947 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1736,Tid=376,}, 0x0, ) == 0x0 02948 380 NtClose (540, ... 02949 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75616, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\310\6\0\0x\1\0\0" ... ... 02948 380 NtClose ... ) == 0x0 02949 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75619, 0} ... 
{28, 56, reply, 0, 1736, 1744, 75619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\310\6\0\0x\1\0\0" ) ) == 0x0 02943 752 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02950 1744 NtResumeThread (544, ... 02951 752 NtQuerySystemInformation (Exception, 16, ... 02950 1744 NtResumeThread ... 1, ) == 0x0 02951 752 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02952 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02953 752 NtQuerySystemInformation (Lookaside, 32, ... 02952 1744 NtAllocateVirtualMemory ... 81199104, 1048576, ) == 0x0 02953 752 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02954 1744 NtAllocateVirtualMemory (-1, 82239488, 0, 8192, 4096, 4, ... 02955 752 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 02956 380 NtOpenKey (0xf, {24, 328, 0x40, 0, 0, (0xf, {24, 328, 0x40, 0, 0, "History"}, ... }, ... 02957 376 NtTestAlert (... 02954 1744 NtAllocateVirtualMemory ... 82239488, 8192, ) == 0x0 02956 380 NtOpenKey ... 540, ) == 0x0 02957 376 NtTestAlert ... ) == 0x0 02958 1744 NtProtectVirtualMemory (-1, (0x4e6e000), 4096, 260, ... 02959 380 NtOpenThreadToken (-2, 0xc, 1, ... 02960 376 NtContinue (81198384, 1, ... 02958 1744 NtProtectVirtualMemory ... (0x4e6e000), 4096, 4, ) == 0x0 02959 380 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02961 376 NtRegisterThreadTerminatePort (24, ... 02962 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02963 380 NtReleaseSemaphore (512, 1, ... 02961 376 NtRegisterThreadTerminatePort ... ) == 0x0 02962 1744 NtCreateThread ... 560, {1736, 1168}, ) == 0x0 02963 380 NtReleaseSemaphore ... 0, ) == 0x0 02955 752 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 02964 1744 NtQueryInformationThread (560, Basic, 28, ... 02965 376 NtWaitForSingleObject (244, 0, 0x0, ... 02966 752 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 02967 380 NtWaitForSingleObject (512, 0, {0, 0}, ... 
02966 752 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 02967 380 NtWaitForSingleObject ... ) == 0x0 02968 752 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02969 380 NtCreateKey (0x2000000, {24, 140, 0x40, 0, 0, (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02968 752 NtCreateKey ... -2147482564, 2, ) == 0x0 02969 380 NtCreateKey ... 548, 2, ) == 0x0 02970 752 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\216G\261\201^\224\262\245\354y'\3706gt\313\371%;\12\301\334\270\6\235\252\306\217\314(j\240\6WF\37n\372\265\217\343d\356}c\230\227\205\377\231\200\362\211\257v[@\354\300\30\212\10\274\6\271\206O\234\376\25\341\233\301J\6J\244A\260y", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "\216G\261\201^\224\262\245\354y'\3706gt\313\371%;\12\301\334\270\6\235\252\306\217\314(j\240\6WF\37n\372\265\217\343d\356}c\230\227\205\377\231\200\362\211\257v[@\354\300\30\212\10\274\6\271\206O\234\376\25\341\233\301J\6J\244A\260y", 80, ... , 80, ... 02971 380 NtQueryValueKey (548, (548, "History", Partial, 144, ... , Partial, 144, ... 02964 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1736,Tid=1168,}, 0x0, ) == 0x0 02970 752 NtSetValueKey ... ) == 0x0 02972 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75619, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\310\6\0\0\220\4\0\0" ... ... 02973 752 NtClose (-2147482564, ... 02972 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75620, 0} ... {28, 56, reply, 0, 1736, 1744, 75620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\310\6\0\0\220\4\0\0" ) ) == 0x0 02973 752 NtClose ... ) == 0x0 02974 1744 NtResumeThread (560, ... 02937 752 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "O\350bj\233Hu\16\222\21E\315t\300\23\11\200\224\202;k\0\375\260\7\314\244\203ox#\210g\313n\31\322n\376\231u"\1040\360\313Au\252\272\243]\2\177\247\272\345\306b\312\206\363M\2240\307\337\17\204?\264%\303~j\273\263\361\362t\226Slh2\310\343e\364\365\254h4\231x\206E\253[\353\340\0\277*\267\30\36\7\353\254\212\230F\245\364\240@\261\235\2100\204g\33r\26e\276~\214\266\174\252Wj\22\254H0\214\324\272\366g\353\3318\20\246\274R\366x\223\267AS\31\343\265\300e\212tc\307[\1I\30\30&3@\201z\360\305\236\336\227\3627\273Z\27/\202\270/\2057#\12\22\14^\377\34Y\234,\244\365cO\205\363T\277\375N$\3716{\320\5\367U\325N'\356d\33\371\230\32I\1vp\314\216\275\357\241F\250a\341\\330\3032\216\277", ) \1040\360\313Au\252\272\243]\2\177\247\272\345\306b\312\206\363M\2240\307\337\17\204?\264%\303~j\273\263\361\362t\226Slh2\310\343e\364\365\254h4\231x\206E\253[\353\340\0\277*\267\30\36\7\353\254\212\230F\245\364\240@\261\235\2100\204g\33r\26e\276~\214\266\174\252Wj\22\254H0\214\324\272\366g\353\3318\20\246\274R\366x\223\267AS\31\343\265\300e\212tc\307[\1I\30\30&3@\201z\360\305\236\336\227\3627\273Z\27/\202\270/\2057#\12\22\14^\377\34Y\234,\244\365cO\205\363T\277\375346\272\240>N$\3716{\320\5\367U\325N'\356d\33\371\230\32I\1vp\314\216\275\357\241F\250a\341\\330\3032\216\277", ) == 0x0 02974 1744 NtResumeThread ... 1, ) == 0x0 02975 752 NtDeviceIoControlFile (528, 0, 0x0, 0x0, 0x390008, (528, 0, 0x0, 0x0, 0x390008, "\367\322K>\225^\225m\377\5\233t$\16\371/\322\264Yq]\206\227*\31q\307\271\6"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 02971 380 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 02976 1168 NtTestAlert (... 02977 752 NtQuerySystemInformation (TimeOfDay, 48, ... 02978 380 NtClose (548, ... 02976 1168 NtTestAlert ... ) == 0x0 02979 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02978 380 NtClose ... ) == 0x0 02980 1168 NtContinue (82246960, 1, ... 02979 1744 NtAllocateVirtualMemory ... 82247680, 1048576, ) == 0x0 02981 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 14740804, ... }, 14740804, ... 02982 1168 NtRegisterThreadTerminatePort (24, ... 02983 1744 NtAllocateVirtualMemory (-1, 83288064, 0, 8192, 4096, 4, ... 02981 380 NtQueryAttributesFile ... ) == 0x0 02982 1168 NtRegisterThreadTerminatePort ... ) == 0x0 02983 1744 NtAllocateVirtualMemory ... 83288064, 8192, ) == 0x0 02984 380 NtCreateKey (0x2000000, {24, 140, 0x40, 0, 0, (0x2000000, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02977 752 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 02985 1744 NtProtectVirtualMemory (-1, (0x4f6e000), 4096, 260, ... 02986 1168 NtWaitForSingleObject (244, 0, 0x0, ... 02987 752 NtQuerySystemInformation (ProcessorTimes, 48, ... 
02985 1744 NtProtectVirtualMemory ... (0x4f6e000), 4096, 4, ) == 0x0 02987 752 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 02984 380 NtCreateKey ... 548, 2, ) == 0x0 02988 752 NtQuerySystemInformation (Performance, 312, ... 02989 380 NtSetValueKey (548, (548, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... , 0, 1, (548, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... , 128, ... 02988 752 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 02989 380 NtSetValueKey ... ) == 0x0 02990 752 NtQuerySystemInformation (Exception, 16, ... 02991 380 NtClose (548, ... 02992 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02991 380 NtClose ... ) == 0x0 02992 1744 NtCreateThread ... 548, {1736, 428}, ) == 0x0 02993 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 14741496, ... }, 14741496, ... 02994 1744 NtQueryInformationThread (548, Basic, 28, ... 02990 752 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 02994 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1736,Tid=428,}, 0x0, ) == 0x0 02995 752 NtQuerySystemInformation (Lookaside, 32, ... 02996 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75620, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\310\6\0\0\254\1\0\0" ... ... 02995 752 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 02997 752 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 02998 752 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 02999 752 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0 03000 752 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "k\21a\351\330\224[\304Y\224\363"\7JP\26\311Ol_\33\321=\250\266\275[\27{?\221\30&H\351\3\216\351\335\300\331\333\355'n\203\366(\247\345^MEe\246\232\356\223\226\341*\5u\362Z\373\240F\322`W%\2631\201\312Yv.", 80, ... ) , 0, 3, (-2147482564, "Seed", 0, 3, "k\21a\351\330\224[\304Y\224\363"\7JP\26\311Ol_\33\321=\250\266\275[\27{?\221\30&H\351\3\216\351\335\300\331\333\355'n\203\366(\247\345^MEe\246\232\356\223\226\341*\5u\362Z\373\240F\322`W%\2631\201\312Yv.", 80, ... ) \7JP\26\311Ol_\33\321=\250\266\275[\27{?\221\30&H\351\3\216\351\335\300\331\333\355'n\203\366(\247\345^MEe\246\232\356\223\226\341*\5u\362Z\373\240F\322`W%\2631\201\312Yv.", 80, ... ) == 0x0 03001 752 NtClose (-2147482564, ... 02993 380 NtQueryAttributesFile ... ) == 0x0 02996 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75621, 0} ... {28, 56, reply, 0, 1736, 1744, 75621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\310\6\0\0\254\1\0\0" ) ) == 0x0 03002 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 14740704, ... }, 14740704, ... 03003 1744 NtResumeThread (548, ... 03002 380 NtQueryAttributesFile ... ) == 0x0 03003 1744 NtResumeThread ... 1, ) == 0x0 03004 380 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 7, 2113568, ... }, 7, 2113568, ... 03005 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03004 380 NtOpenFile ... 
564, {status=0x0, info=1}, ) == 0x0 03005 1744 NtAllocateVirtualMemory ... 83296256, 1048576, ) == 0x0 03006 380 NtSetInformationFile (564, 14740676, 40, Basic, ... 03007 1744 NtAllocateVirtualMemory (-1, 84336640, 0, 8192, 4096, 4, ... 03001 752 NtClose ... ) == 0x0 03008 428 NtTestAlert (... 03006 380 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02975 752 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\22\14\277\355\264\37\317\333Lh\272P\317\35}Wx\267At\357'\204\244iW\345\302\331\203\223\37\212\216D\23\232\266\2517:\15\242\245WJ(\333\306\33x\271\240\36W\251\362qdb\250\265O\316B\35\20\243{\372\15\304\20~\350\263\7\244\360\251\205\371\255b\6*E\374\3255\340\367n\310\325\37\26U1O\214\262\304\250\15\247\30C\202{\11\201\20\353\332\361WP\374\354\351X\1\375\240\344\351^\266~B\13\263J\373Z\200f\372V\361<\347\234S\246\311)\352}\243h]\200\257\277\314)L\305\330\256\343\267\337h\31\353h\231\376)\377\370:\230nS\35\321)]\310\255X\262\215m\0xG\242<\3505\3023\355\371 \343\16\2\250\331\256\206\7\36\357U\240\367\306eZ]I\343\217\262\217\346\271\376Y}Z}bPG\20'>n\371\266\351'\310\231\15\346\30003\274\363\2470l\21\313\237", ) , ) == 0x0 03008 428 NtTestAlert ... ) == 0x0 03009 380 NtClose (564, ... 03010 752 NtDeviceIoControlFile (528, 0, 0x0, 0x0, 0x390008, (528, 0, 0x0, 0x0, 0x390008, "\367\322K>\225^\225m\377\5\233t$\16\371/\322\264Yq]JD\322\264Yq]\206\227*\31q\307\271\6"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 03011 428 NtContinue (83295536, 1, ... 03009 380 NtClose ... ) == 0x0 03012 752 NtQuerySystemInformation (TimeOfDay, 48, ... 03013 428 NtRegisterThreadTerminatePort (24, ... 03014 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\desktop.ini"}, 14740700, ... }, 14740700, ... 03012 752 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 03013 428 NtRegisterThreadTerminatePort ... ) == 0x0 03014 380 NtQueryAttributesFile ... ) == 0x0 03015 752 NtQuerySystemInformation (ProcessorTimes, 48, ... 03007 1744 NtAllocateVirtualMemory ... 84336640, 8192, ) == 0x0 03016 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 14741496, ... }, 14741496, ... 03017 428 NtWaitForSingleObject (244, 0, 0x0, ... 03018 1744 NtProtectVirtualMemory (-1, (0x506e000), 4096, 260, ... 03015 752 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 03018 1744 NtProtectVirtualMemory ... (0x506e000), 4096, 4, ) == 0x0 03019 752 NtQuerySystemInformation (Performance, 312, ... 03020 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03019 752 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 03020 1744 NtCreateThread ... 564, {1736, 252}, ) == 0x0 03021 752 NtQuerySystemInformation (Exception, 16, ... 03022 1744 NtQueryInformationThread (564, Basic, 28, ... 
03021 752 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 03016 380 NtQueryAttributesFile ... ) == 0x0 03023 752 NtQuerySystemInformation (Lookaside, 32, ... 03024 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 14740704, ... }, 14740704, ... 03022 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1736,Tid=252,}, 0x0, ) == 0x0 03024 380 NtQueryAttributesFile ... ) == 0x0 03025 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75621, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\310\6\0\0\374\0\0\0" ... ... 03026 380 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 7, 2113568, ... }, 7, 2113568, ... 03025 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75622, 0} ... {28, 56, reply, 0, 1736, 1744, 75622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\310\6\0\0\374\0\0\0" ) ) == 0x0 03026 380 NtOpenFile ... 568, {status=0x0, info=1}, ) == 0x0 03027 1744 NtResumeThread (564, ... 03028 380 NtSetInformationFile (568, 14740676, 40, Basic, ... 03027 1744 NtResumeThread ... 1, ) == 0x0 03023 752 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 03028 380 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03029 252 NtTestAlert (... 03030 752 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 03031 380 NtClose (568, ... 03029 252 NtTestAlert ... ) == 0x0 03030 752 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 03031 380 NtClose ... ) == 0x0 03032 252 NtContinue (84344112, 1, ... 03033 752 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 
03034 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 14740700, ... }, 14740700, ... 03035 252 NtRegisterThreadTerminatePort (24, ... 03033 752 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 03034 380 NtQueryAttributesFile ... ) == 0x0 03035 252 NtRegisterThreadTerminatePort ... ) == 0x0 03036 752 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 03037 380 NtQueryValueKey (540, (540, "CachePrefix", Partial, 144, ... , Partial, 144, ... 03038 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03039 252 NtWaitForSingleObject (244, 0, 0x0, ... 03036 752 NtCreateKey ... -2147482564, 2, ) == 0x0 03038 1744 NtAllocateVirtualMemory ... 84344832, 1048576, ) == 0x0 03037 380 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 03040 752 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\5\307\316e~\356\301^\30\336\370:\361\273\350 \240\347\1\376\261\264\223\12\13}2\376\3330\372\215U]\245C\2244+\34"\274\210\25\377\247[5\271\33]\246g\233\32F\323+\223\3510\372\346\15\254-\301zF>\351\279\237:\233\217r\4", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "\5\307\316e~\356\301^\30\336\370:\361\273\350 \240\347\1\376\261\264\223\12\13}2\376\3330\372\215U]\245C\2244+\34"\274\210\25\377\247[5\271\33]\246g\233\32F\323+\223\3510\372\346\15\254-\301zF>\351\279\237:\233\217r\4", 80, ... \274\210\25\377\247[5\271\33]\246g\233\32F\323+\223\3510\372\346\15\254-\301zF>\351\279\237:\233\217r\4", 80, ... 03041 1744 NtAllocateVirtualMemory (-1, 85385216, 0, 8192, 4096, 4, ... 03042 380 NtQueryValueKey (540, (540, "CachePrefix", Partial, 144, ... , Partial, 144, ... 03040 752 NtSetValueKey ... ) == 0x0 03041 1744 NtAllocateVirtualMemory ... 
85385216, 8192, ) == 0x0 03042 380 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 03043 752 NtClose (-2147482564, ... 03044 1744 NtProtectVirtualMemory (-1, (0x516e000), 4096, 260, ... 03045 380 NtQueryValueKey (540, (540, "CacheLimit", Partial, 144, ... , Partial, 144, ... 03043 752 NtClose ... ) == 0x0 03044 1744 NtProtectVirtualMemory ... (0x516e000), 4096, 4, ) == 0x0 03045 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 03010 752 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\365\354\25\366\13f5\231\332\231\14\222\2\21\12\2\10x\324U\201\260kDlG\6\243\341ZV\326\377q\313D\366\3248t\376'H\272\362Z\322\304\311\325\256\341[Y'U\215}\372\4\0k\337\373\312\22\246\253\312\345\13\21bF\215g$\10C\374T)[\3401\270y\230\347\30\321\306\202\227\213\270M\215y8n6!\266+\13\34\36.\223\7\11\302\352x\37\260\273o\35\301\353l@D/lcb\311$\3+\324d\207_\245\36m\261\253 #\313\372+\262\305\251*\247\243Sr+OW\334\336\220\354y\357\8\322c\305\275s\237\354P\241r\261\334H\322z\351\262\2526sK\272\177\24\30\311S>\25v\376\313\365\253\245d\6"p\267\256\321\305\350\2274\353\266Z\256$\23\263\16\203\2637\267\262\225\2304\300\3244b\354\275\10\1A\5/\23KOR\350\277\16;\3\250\240\347\0B\364\343\250", ) p\267\256\321\305\350\2274\353\266Z\256$\23\263\16\203\2637\267\262\225\2304\300\3244b\354\275\10\1A\5/\23KOR\350\277\16;\3\250\240\347\0B\364\343\250", ) == 0x0 03046 380 NtClose (540, ... 03047 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
03048 752 NtDeviceIoControlFile (528, 0, 0x0, 0x0, 0x390008, (528, 0, 0x0, 0x0, 0x390008, "\367\322K>\225^\225m\377\5\233t$\16\371/\322\264Yq]JD\322\264Yq]JD\322\264Yq]\206\227*\31q\307\271\6"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 03047 1744 NtCreateThread ... 568, {1736, 1024}, ) == 0x0 03049 752 NtQuerySystemInformation (TimeOfDay, 48, ... 03050 1744 NtQueryInformationThread (568, Basic, 28, ... 03049 752 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 03050 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1736,Tid=1024,}, 0x0, ) == 0x0 03051 752 NtQuerySystemInformation (ProcessorTimes, 48, ... 03052 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75622, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\310\6\0\0\0\4\0\0" ... ... 03051 752 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 03053 752 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 03054 752 NtQuerySystemInformation (Exception, 16, ... 
{system info, class 33, size 16}, 16, ) == 0x0 03055 752 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 03056 752 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 03046 380 NtClose ... ) == 0x0 03052 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75623, 0} ... {28, 56, reply, 0, 1736, 1744, 75623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\310\6\0\0\0\4\0\0" ) ) == 0x0 03057 380 NtClose (328, ... 03058 1744 NtResumeThread (568, ... 03057 380 NtClose ... ) == 0x0 03058 1744 NtResumeThread ... 1, ) == 0x0 03059 380 NtClose (324, ... 03060 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03059 380 NtClose ... ) == 0x0 03060 1744 NtAllocateVirtualMemory ... 85393408, 1048576, ) == 0x0 03061 380 NtOpenMutant (0x100000, {24, 16, 0x0, 0, 0, (0x100000, {24, 16, 0x0, 0, 0, "Local\_!MSFTHISTORY!_"}, ... }, ... 03062 1744 NtAllocateVirtualMemory (-1, 86433792, 0, 8192, 4096, 4, ... 03056 752 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 03063 1024 NtTestAlert (... 03061 380 NtOpenMutant ... 324, ) == 0x0 03064 752 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 03063 1024 NtTestAlert ... ) == 0x0 03065 380 NtOpenMutant (0x100000, {24, 16, 0x0, 0, 0, (0x100000, {24, 16, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!temporary internet files!content.ie5!"}, ... }, ... 03064 752 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 03066 1024 NtContinue (85392688, 1, ... 03065 380 NtOpenMutant ... 328, ) == 0x0 03067 752 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 03068 1024 NtRegisterThreadTerminatePort (24, ... 03069 380 NtWaitForSingleObject (328, 0, 0x0, ... 03067 752 NtCreateKey ... -2147482564, 2, ) == 0x0 03068 1024 NtRegisterThreadTerminatePort ... ) == 0x0 03069 380 NtWaitForSingleObject ... 
) == 0x0 03070 752 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\356\33\177\237\317\333\215\37\355\270k\301\36!a\247\324\320\203K\323\272\3736\222\245\264\341\312\246\331@\21\332\37\32A\223s\357>\320\255\26\210\250\233\11\6\371\22\242}Z\212n\365X\313\22"\260\243\256\336\355\271\327>G\2362\205\325\340\357\277\200\324\23", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "\356\33\177\237\317\333\215\37\355\270k\301\36!a\247\324\320\203K\323\272\3736\222\245\264\341\312\246\331@\21\332\37\32A\223s\357>\320\255\26\210\250\233\11\6\371\22\242}Z\212n\365X\313\22"\260\243\256\336\355\271\327>G\2362\205\325\340\357\277\200\324\23", 80, ... \260\243\256\336\355\271\327>G\2362\205\325\340\357\277\200\324\23", 80, ... 03062 1744 NtAllocateVirtualMemory ... 86433792, 8192, ) == 0x0 03071 1024 NtWaitForSingleObject (244, 0, 0x0, ... 03072 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 14742804, ... }, 14742804, ... 03073 1744 NtProtectVirtualMemory (-1, (0x526e000), 4096, 260, ... 03072 380 NtQueryAttributesFile ... ) == 0x0 03073 1744 NtProtectVirtualMemory ... (0x526e000), 4096, 4, ) == 0x0 03074 380 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... }, 7, 2113568, ... 03075 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03074 380 NtOpenFile ... 540, {status=0x0, info=1}, ) == 0x0 03075 1744 NtCreateThread ... 572, {1736, 1064}, ) == 0x0 03076 380 NtSetInformationFile (540, 14742780, 40, Basic, ... 03077 1744 NtQueryInformationThread (572, Basic, 28, ... 03076 380 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03070 752 NtSetValueKey ... ) == 0x0 03077 1744 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1736,Tid=1064,}, 0x0, ) == 0x0 03078 752 NtClose (-2147482564, ... 03079 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75623, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\310\6\0\0(\4\0\0" ... ... 03078 752 NtClose ... ) == 0x0 03079 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75624, 0} ... {28, 56, reply, 0, 1736, 1744, 75624, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\2\0\0\310\6\0\0(\4\0\0" ) ) == 0x0 03048 752 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\37%O\274>q\206o\375\270\241\267\230,\247n\353\6w\331\217\362\337\5A&\314\302'h\60S\301g0g@u\244^i\201\370\202\305\27\\32W\270\253\326\327o\261\2349\14\214c\261\366\353!`\333\336Pn\376%\242B3\365\303\23\12Y\3455\343\2251\376e"\375\23\347\273\251\231\203\361\214\337\236\322\36s\243\273\201?\305\326w`R\245O\347\370"9i\243\377xp\373q\331\324\250\2767\?\334\337\255\304L\253:M\13\351K3\11IhM\214\247\253M\15V\265\343O!\304\23M\374\16]\321e\21|4\226\237Ng\227c\345\37V(\271u\232\224\263k\35\274G\231\10y;\307\256W\232$\252\337N\376\275!\13\304\217\2\31\334\215\363\14\\16\305\357y\345\232\225\214n\5\341\1]\232\216\375\222\261O]\1\356\363\257\372\372\317.\216Tv\317\302\21S|\225\372dh}I+", ) \375\23\347\273\251\231\203\361\214\337\236\322\36s\243\273\201?\305\326w`R\245O\347\370 ... 
{status=0x0, info=256}, "\37%O\274>q\206o\375\270\241\267\230,\247n\353\6w\331\217\362\337\5A&\314\302'h\60S\301g0g@u\244^i\201\370\202\305\27\\32W\270\253\326\327o\261\2349\14\214c\261\366\353!`\333\336Pn\376%\242B3\365\303\23\12Y\3455\343\2251\376e"\375\23\347\273\251\231\203\361\214\337\236\322\36s\243\273\201?\305\326w`R\245O\347\370"9i\243\377xp\373q\331\324\250\2767\?\334\337\255\304L\253:M\13\351K3\11IhM\214\247\253M\15V\265\343O!\304\23M\374\16]\321e\21|4\226\237Ng\227c\345\37V(\271u\232\224\263k\35\274G\231\10y;\307\256W\232$\252\337N\376\275!\13\304\217\2\31\334\215\363\14\\16\305\357y\345\232\225\214n\5\341\1]\232\216\375\222\261O]\1\356\363\257\372\372\317.\216Tv\317\302\21S|\225\372dh}I+", ) , ) == 0x0 03080 1744 NtResumeThread (572, ... 03081 752 NtDeviceIoControlFile (528, 0, 0x0, 0x0, 0x390008, (528, 0, 0x0, 0x0, 0x390008, "\367\322K>\225^\225m\377\5\233t$\16\371/\322\264Yq]JD\322\264Yq]JD\322\264Yq]JD\322\264Yq]\206\227*\31q\307\271\6"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 03080 1744 NtResumeThread ... 1, ) == 0x0 03082 752 NtQuerySystemInformation (TimeOfDay, 48, ... 03083 380 NtClose (540, ... 03084 1064 NtTestAlert (... 
03085 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03083 380 NtClose ... ) == 0x0 03084 1064 NtTestAlert ... ) == 0x0 03085 1744 NtAllocateVirtualMemory ... 86441984, 1048576, ) == 0x0 03086 380 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 14742720, (0xc0100080, {24, 0, 0x40, 0, 14742720, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 03087 1064 NtContinue (86441264, 1, ... 03088 1744 NtAllocateVirtualMemory (-1, 87482368, 0, 8192, 4096, 4, ... 03086 380 NtCreateFile ... 540, {status=0x0, info=1}, ) == 0x0 03089 1064 NtRegisterThreadTerminatePort (24, ... 03088 1744 NtAllocateVirtualMemory ... 87482368, 8192, ) == 0x0 03090 380 NtSetInformationFile (540, 14742772, 40, Basic, ... 03089 1064 NtRegisterThreadTerminatePort ... ) == 0x0 03091 1744 NtProtectVirtualMemory (-1, (0x536e000), 4096, 260, ... 03090 380 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03082 752 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 03091 1744 NtProtectVirtualMemory ... (0x536e000), 4096, 4, ) == 0x0 03092 1064 NtWaitForSingleObject (244, 0, 0x0, ... 03093 752 NtQuerySystemInformation (ProcessorTimes, 48, ... 03094 380 NtQueryInformationFile (540, 14742772, 24, Standard, ... 03093 752 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 03094 380 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 03095 752 NtQuerySystemInformation (Performance, 312, ... 03096 380 NtOpenSection (0x2, {24, 16, 0x0, 0, 0, (0x2, {24, 16, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_Temporary Internet Files_Content.IE5_index.dat_802816"}, ... }, ... 03095 752 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 03096 380 NtOpenSection ... 576, ) == 0x0 03097 752 NtQuerySystemInformation (Exception, 16, ... 
03098 380 NtMapViewOfSection (576, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 03099 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03098 380 NtMapViewOfSection ... (0x5370000), {0, 0}, 802816, ) == 0x0 03099 1744 NtCreateThread ... 580, {1736, 1600}, ) == 0x0 03097 752 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 03100 1744 NtQueryInformationThread (580, Basic, 28, ... 03101 752 NtQuerySystemInformation (Lookaside, 32, ... 03100 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1736,Tid=1600,}, 0x0, ) == 0x0 03101 752 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 03102 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75624, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75624, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\310\6\0\0@\6\0\0" ... ... 03103 752 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 03104 752 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 03105 752 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0 03106 752 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "n\232\205\261\326N \374\27\35>\4\364\341\217R\235\3179\0\20\347\302+\257@\372\256\33\2704j\232\5bz\311h\15\222\23\3578'\363\266\204\17\272V\341\373\2235j\305\260\213\7J\253UC\330\275\322\3032c\264\343\335\325g\2602\355\243,m", 80, ... ) , 0, 3, (-2147482564, "Seed", 0, 3, "n\232\205\261\326N \374\27\35>\4\364\341\217R\235\3179\0\20\347\302+\257@\372\256\33\2704j\232\5bz\311h\15\222\23\3578'\363\266\204\17\272V\341\373\2235j\305\260\213\7J\253UC\330\275\322\3032c\264\343\335\325g\2602\355\243,m", 80, ... ) , 80, ... ) == 0x0 03107 752 NtClose (-2147482564, ... 03108 380 NtReleaseMutant (328, ... 
03102 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75625, 0} ... {28, 56, reply, 0, 1736, 1744, 75625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\310\6\0\0@\6\0\0" ) ) == 0x0 03108 380 NtReleaseMutant ... 0x0, ) == 0x0 03109 1744 NtResumeThread (580, ... 03110 380 NtOpenMutant (0x100000, {24, 16, 0x0, 0, 0, (0x100000, {24, 16, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!cookies!"}, ... }, ... 03109 1744 NtResumeThread ... 1, ) == 0x0 03110 380 NtOpenMutant ... 584, ) == 0x0 03111 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03112 380 NtWaitForSingleObject (584, 0, 0x0, ... 03111 1744 NtAllocateVirtualMemory ... 88342528, 1048576, ) == 0x0 03113 1744 NtAllocateVirtualMemory (-1, 89382912, 0, 8192, 4096, 4, ... 89382912, 8192, ) == 0x0 03114 1744 NtProtectVirtualMemory (-1, (0x553e000), 4096, 260, ... (0x553e000), 4096, 4, ) == 0x0 03115 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 588, {1736, 216}, ) == 0x0 03116 1744 NtQueryInformationThread (588, Basic, 28, ... 03107 752 NtClose ... ) == 0x0 03117 1600 NtTestAlert (... 03112 380 NtWaitForSingleObject ... ) == 0x0 03081 752 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "[\200\257+>\21048g2\277f\15\275\211\250\0N)\225|we\221\212\332\177;\33X~\372\367\346\31r\242\21\210=\267\245k"\365hAl\311\355GX\373\347\4\231U*3)\7d\342N~\262\206\323~\276\322\3\261n\353\2\354\243\345%z\341Q\32f\33\7e\305\336\373V\260H\337Aj\254\11p?G\3443\205\343\347<\3033\322\203g\346\37hL\25\25y\5j2m\232\3450\301\314\374\310U\21\236\24\355\17e0\225\332\367\3o\331q\31\202\342\334V\232$\274\311?\337\261\342\14VWy0\233\34E4\3309~\200\11\363\3\24\276\340o\233b)L\265\375\352-\320\1778\306\305\262$4\37\222\25\206{\1\323%\2\0\210\203\206\344"+\306Y\326\276\2463\231t\277`\236Jx\334\276\311bj\13\317\344\206V\365A[\263\0Sf\203\315\202\274\240\345-8y\223r\271qn\363", ) \365hAl\311\355GX\373\347\4\231U*3)\7d\342N~\262\206\323~\276\322\3\261n\353\2\354\243\345%z\341Q\32f\33\7e\305\336\373V\260H\337Aj\254\11p?G\3443\205\343\347<\3033\322\203g\346\37hL\25\25y\5j2m\232\3450\301\314\374\310U\21\236\24\355\17e0\225\332\367\3o\331q\31\202\342\334V\232$\274\311?\337\261\342\14VWy0\233\34E4\3309~\200\11\363\3\24\276\340o\233b)L\265\375\352-\320\1778\306\305\262$4\37\222\25\206{\1\323%\2\0\210\203\206\344 ... {status=0x0, info=256}, "[\200\257+>\21048g2\277f\15\275\211\250\0N)\225|we\221\212\332\177;\33X~\372\367\346\31r\242\21\210=\267\245k"\365hAl\311\355GX\373\347\4\231U*3)\7d\342N~\262\206\323~\276\322\3\261n\353\2\354\243\345%z\341Q\32f\33\7e\305\336\373V\260H\337Aj\254\11p?G\3443\205\343\347<\3033\322\203g\346\37hL\25\25y\5j2m\232\3450\301\314\374\310U\21\236\24\355\17e0\225\332\367\3o\331q\31\202\342\334V\232$\274\311?\337\261\342\14VWy0\233\34E4\3309~\200\11\363\3\24\276\340o\233b)L\265\375\352-\320\1778\306\305\262$4\37\222\25\206{\1\323%\2\0\210\203\206\344"+\306Y\326\276\2463\231t\277`\236Jx\334\276\311bj\13\317\344\206V\365A[\263\0Sf\203\315\202\274\240\345-8y\223r\271qn\363", ) , ) == 0x0 03117 1600 NtTestAlert ... 
) == 0x0 03118 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 14742804, ... }, 14742804, ... 03119 752 NtDeviceIoControlFile (528, 0, 0x0, 0x0, 0x390008, (528, 0, 0x0, 0x0, 0x390008, "\367\322K>\225^\225m\377\5\233t$\16\371/\322\264Yq]JD\322\264Yq]JD\322\264Yq]JD\322\264Yq]JD\322\264Yq]\206\227*\31q\307\271\6"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 03120 1600 NtContinue (87489840, 1, ... 03118 380 NtQueryAttributesFile ... ) == 0x0 03121 752 NtQuerySystemInformation (TimeOfDay, 48, ... 03122 1600 NtRegisterThreadTerminatePort (24, ... 03123 380 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 7, 2113568, ... }, 7, 2113568, ... 03121 752 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 03122 1600 NtRegisterThreadTerminatePort ... ) == 0x0 03123 380 NtOpenFile ... 592, {status=0x0, info=1}, ) == 0x0 03124 752 NtQuerySystemInformation (ProcessorTimes, 48, ... 03116 1744 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1736,Tid=216,}, 0x0, ) == 0x0 03125 380 NtSetInformationFile (592, 14742780, 40, Basic, ... 03126 1600 NtWaitForSingleObject (244, 0, 0x0, ... 03127 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75625, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\310\6\0\0\330\0\0\0" ... ... 03124 752 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 03127 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75626, 0} ... {28, 56, reply, 0, 1736, 1744, 75626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\2\0\0\310\6\0\0\330\0\0\0" ) ) == 0x0 03128 752 NtQuerySystemInformation (Performance, 312, ... 03129 1744 NtResumeThread (588, ... 03128 752 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 03129 1744 NtResumeThread ... 1, ) == 0x0 03130 752 NtQuerySystemInformation (Exception, 16, ... 03125 380 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03131 216 NtTestAlert (... 03130 752 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 03132 380 NtClose (592, ... 03131 216 NtTestAlert ... ) == 0x0 03133 752 NtQuerySystemInformation (Lookaside, 32, ... 03132 380 NtClose ... ) == 0x0 03134 216 NtContinue (89390384, 1, ... 03135 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03136 380 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 14742720, (0xc0100080, {24, 0, 0x40, 0, 14742720, "\??\C:\Documents and Settings\Martim Carbone\Cookies\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 03137 216 NtRegisterThreadTerminatePort (24, ... 03135 1744 NtAllocateVirtualMemory ... 89391104, 1048576, ) == 0x0 03136 380 NtCreateFile ... 592, {status=0x0, info=1}, ) == 0x0 03137 216 NtRegisterThreadTerminatePort ... ) == 0x0 03138 1744 NtAllocateVirtualMemory (-1, 90431488, 0, 8192, 4096, 4, ... 03139 380 NtSetInformationFile (592, 14742772, 40, Basic, ... 
03133 752 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 03138 1744 NtAllocateVirtualMemory ... 90431488, 8192, ) == 0x0 03140 216 NtWaitForSingleObject (244, 0, 0x0, ... 03141 752 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 03142 1744 NtProtectVirtualMemory (-1, (0x563e000), 4096, 260, ... 03141 752 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 03142 1744 NtProtectVirtualMemory ... (0x563e000), 4096, 4, ) == 0x0 03143 752 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 03139 380 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03143 752 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 03144 380 NtQueryInformationFile (592, 14742772, 24, Standard, ... 03145 752 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 03144 380 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 03146 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03147 380 NtOpenSection (0x2, {24, 16, 0x0, 0, 0, (0x2, {24, 16, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Cookies_index.dat_32768"}, ... }, ... 03146 1744 NtCreateThread ... 596, {1736, 152}, ) == 0x0 03147 380 NtOpenSection ... 600, ) == 0x0 03148 1744 NtQueryInformationThread (596, Basic, 28, ... 03149 380 NtMapViewOfSection (600, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 03148 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1736,Tid=152,}, 0x0, ) == 0x0 03145 752 NtCreateKey ... -2147482564, 2, ) == 0x0 03150 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75626, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\310\6\0\0\230\0\0\0" ... ... 
03151 752 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\271\352\3G\220\2086\251\347\215X\253[\252\\3709H\315\33\6\326^n\7+\361Dmr\36T\233J\244\316\344w\7\326:\274\345\207\336\352\363F\364\24\352#\22~/1\22\26l\266]\356\3263@\276\372$\257\264\246\275\237\254\213\353\212\236", 80, ... ) , 0, 3, (-2147482564, "Seed", 0, 3, "\271\352\3G\220\2086\251\347\215X\253[\252\\3709H\315\33\6\326^n\7+\361Dmr\36T\233J\244\316\344w\7\326:\274\345\207\336\352\363F\364\24\352#\22~/1\22\26l\266]\356\3263@\276\372$\257\264\246\275\237\254\213\353\212\236", 80, ... ) , 80, ... ) == 0x0 03152 752 NtClose (-2147482564, ... ) == 0x0 03119 752 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "|\355\240[\5L\234%\207hMk\234\3157o^\201t\ALs\242\240]J\373\314\345\363\276\327)B)T,\374D\7q\4V\35ee\214c'E%%'\232^Q\236\214\373bR\256\311\244\315\347\200d\256\37\31\376\371\16\341\364\23\360\307\177\245x{H:\254\241L\336\36S\15-\201\342\244 \13\221\375\205r\247\333\224/?Z\314\272\307\356\274\253\370\356\241\305\266\370\243\15\203z*\251\265P\262\377\315\263\374\232p#\375\264\350}\376n`\251oG\5\337\232{\17\260\343\256\265\345\23\320\313\0\373\365\22r:>\31\30\11\313\365\13\32i\304\5U\35.\265d\203\277z*\274U'\14E\302\253r\200\263\274e\364v\320cw\272\331T\36\231?\363V\20\364\210\251\321\233\23\37A\241\332\246\225^7\374\212\20\335\266+k$\37/i +\352\333!\262\254Z\311\265(\270\361KN2\315", ) , ) == 0x0 03153 752 NtDeviceIoControlFile (528, 0, 0x0, 0x0, 0x390008, (528, 0, 0x0, 0x0, 0x390008, 
"\367\322K>\225^\225m\377\5\233t$\16\371/\322\264Yq]JD\322\264Yq]JD\322\264Yq]JD\322\264Yq]JD\322\264Yq]JD\322\264Yq]\206\227*\31q\307\271\6"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 03154 752 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 03155 752 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 03156 752 NtQuerySystemInformation (Performance, 312, ... 03149 380 NtMapViewOfSection ... (0x3e0000), {0, 0}, 32768, ) == 0x0 03150 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75627, 0} ... {28, 56, reply, 0, 1736, 1744, 75627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\310\6\0\0\230\0\0\0" ) ) == 0x0 03157 380 NtReleaseMutant (584, ... 03158 1744 NtResumeThread (596, ... 03157 380 NtReleaseMutant ... 0x0, ) == 0x0 03158 1744 NtResumeThread ... 1, ) == 0x0 03159 380 NtOpenMutant (0x100000, {24, 16, 0x0, 0, 0, (0x100000, {24, 16, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!history!history.ie5!"}, ... }, ... 03160 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03159 380 NtOpenMutant ... 604, ) == 0x0 03160 1744 NtAllocateVirtualMemory ... 
90439680, 1048576, ) == 0x0 03161 380 NtWaitForSingleObject (604, 0, 0x0, ... 03162 1744 NtAllocateVirtualMemory (-1, 91480064, 0, 8192, 4096, 4, ... 03156 752 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 03163 152 NtTestAlert (... 03161 380 NtWaitForSingleObject ... ) == 0x0 03164 752 NtQuerySystemInformation (Exception, 16, ... 03163 152 NtTestAlert ... ) == 0x0 03165 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 14742804, ... }, 14742804, ... 03164 752 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 03166 152 NtContinue (90438960, 1, ... 03165 380 NtQueryAttributesFile ... ) == 0x0 03167 752 NtQuerySystemInformation (Lookaside, 32, ... 03168 152 NtRegisterThreadTerminatePort (24, ... 03169 380 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... }, 7, 2113568, ... 03167 752 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 03168 152 NtRegisterThreadTerminatePort ... ) == 0x0 03169 380 NtOpenFile ... 608, {status=0x0, info=1}, ) == 0x0 03170 752 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 03162 1744 NtAllocateVirtualMemory ... 91480064, 8192, ) == 0x0 03171 152 NtWaitForSingleObject (244, 0, 0x0, ... 03172 380 NtSetInformationFile (608, 14742780, 40, Basic, ... 03173 1744 NtProtectVirtualMemory (-1, (0x573e000), 4096, 260, ... 03172 380 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03173 1744 NtProtectVirtualMemory ... (0x573e000), 4096, 4, ) == 0x0 03174 380 NtClose (608, ... 03175 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03174 380 NtClose ... ) == 0x0 03175 1744 NtCreateThread ... 
608, {1736, 2036}, ) == 0x0 03176 380 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 14742720, (0xc0100080, {24, 0, 0x40, 0, 14742720, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 03177 1744 NtQueryInformationThread (608, Basic, 28, ... 03176 380 NtCreateFile ... 612, {status=0x0, info=1}, ) == 0x0 03170 752 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 03177 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1736,Tid=2036,}, 0x0, ) == 0x0 03178 752 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 03179 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75627, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\310\6\0\0\364\7\0\0" ... ... 03178 752 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 03179 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75628, 0} ... {28, 56, reply, 0, 1736, 1744, 75628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\310\6\0\0\364\7\0\0" ) ) == 0x0 03180 752 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 03181 1744 NtResumeThread (608, ... 03180 752 NtCreateKey ... -2147482564, 2, ) == 0x0 03181 1744 NtResumeThread ... 1, ) == 0x0 03182 752 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\337\271\302kl\237,\233\35\17\260@\227Mf|~4\\376\271\2353s\374\343\216\3240u\327q>:\310=\204\23\345\245\360\15\275\373\363%g>\255\271\0>\327\300\362}\361Zb=\227\207\16 C\324\364\275L\260\273&\376(\326\2670\254\251\262", 80, ... 
, 0, 3, (-2147482564, "Seed", 0, 3, "\337\271\302kl\237,\233\35\17\260@\227Mf|~4\\376\271\2353s\374\343\216\3240u\327q>:\310=\204\23\345\245\360\15\275\373\363%g>\255\271\0>\327\300\362}\361Zb=\227\207\16 C\324\364\275L\260\273&\376(\326\2670\254\251\262", 80, ... , 80, ... 03183 380 NtSetInformationFile (612, 14742772, 40, Basic, ... 03184 2036 NtTestAlert (... 03185 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03183 380 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03184 2036 NtTestAlert ... ) == 0x0 03185 1744 NtAllocateVirtualMemory ... 91488256, 1048576, ) == 0x0 03186 380 NtQueryInformationFile (612, 14742772, 24, Standard, ... 03187 2036 NtContinue (91487536, 1, ... 03188 1744 NtAllocateVirtualMemory (-1, 92528640, 0, 8192, 4096, 4, ... 03186 380 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 03189 2036 NtRegisterThreadTerminatePort (24, ... 03188 1744 NtAllocateVirtualMemory ... 92528640, 8192, ) == 0x0 03190 380 NtOpenSection (0x2, {24, 16, 0x0, 0, 0, (0x2, {24, 16, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_History_History.IE5_index.dat_81920"}, ... }, ... 03189 2036 NtRegisterThreadTerminatePort ... ) == 0x0 03191 1744 NtProtectVirtualMemory (-1, (0x583e000), 4096, 260, ... 03190 380 NtOpenSection ... 616, ) == 0x0 03182 752 NtSetValueKey ... ) == 0x0 03191 1744 NtProtectVirtualMemory ... (0x583e000), 4096, 4, ) == 0x0 03192 2036 NtWaitForSingleObject (244, 0, 0x0, ... 03193 752 NtClose (-2147482564, ... 03194 380 NtMapViewOfSection (616, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 03193 752 NtClose ... ) == 0x0 03194 380 NtMapViewOfSection ... (0xe10000), {0, 0}, 81920, ) == 0x0 03153 752 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\345\360N\10'\374 \354\320{\216\324\215\225\7f$e\354\367\210\222\375\206W\217rkF\306{}\322\13\300\237\25w\6\310(\270q\223\224\244\330\25\306\1!\357\343\367S\6<\355v\322\11\3753\240\275\212\301\256\231\261*\314\334\315t83\315\323\247E\14\342Q\256\267\33\312\275\222\5\372\270\277_\5\227R\375\212\332\210@h\343\3\247H\11\35D\351N\213}n\25\342LX\233\220\334\202\342\354\224\215\211>\213[\360^y\322\333/\343\5W\205\360C\361\314\355\334\211t\376C\232\272\336?\373\377\224\352B*6z\346\373\247\307\263\257\3^\203\367\202Z\6s\274W\13]\5\327\10\3\305ph\0\270:\6aP\276\365\313\365\12T\7DU\211\21Y<\254)\1\304\0\263\302\3310\231M\361\363qw\17\216\332\215\371pI\236.\30\16\314\367F=\2\274e>\352W1\305g\225\6\323\245E\7\312\316", ) , ) == 0x0 03195 380 NtReleaseMutant (604, ... 03196 752 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 03195 380 NtReleaseMutant ... 0x0, ) == 0x0 03196 752 NtCreateEvent ... 620, ) == 0x0 03197 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 14742380, ... }, 14742380, ... 03198 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03197 380 NtQueryAttributesFile ... ) == 0x0 03198 1744 NtCreateThread ... 624, {1736, 1708}, ) == 0x0 03199 752 NtOpenThreadToken (-2, 0xc, 1, ... 03200 1744 NtQueryInformationThread (624, Basic, 28, ... 03199 752 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 03200 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1736,Tid=1708,}, 0x0, ) == 0x0 03201 752 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 03202 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75628, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\310\6\0\0\254\6\0\0" ... ... 03201 752 NtCreateEvent ... 628, ) == 0x0 03203 752 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 03204 752 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03205 752 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 13693120, (0xc0100080, {24, 0, 0x40, 0, 13693120, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 632, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 632, {status=0x0, info=1}, ) == 0x0 03206 752 NtSetInformationFile (632, 13693176, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03207 380 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... }, 7, 2113568, ... 03202 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75629, 0} ... {28, 56, reply, 0, 1736, 1744, 75629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\310\6\0\0\254\6\0\0" ) ) == 0x0 03207 380 NtOpenFile ... 636, {status=0x0, info=1}, ) == 0x0 03208 1744 NtResumeThread (624, ... 03209 380 NtSetInformationFile (636, 14742352, 40, Basic, ... 03208 1744 NtResumeThread ... 1, ) == 0x0 03209 380 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03210 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03211 380 NtClose (636, ... 03210 1744 NtAllocateVirtualMemory ... 92536832, 1048576, ) == 0x0 03211 380 NtClose ... ) == 0x0 03212 1744 NtAllocateVirtualMemory (-1, 93577216, 0, 8192, 4096, 4, ... 03213 752 NtSetInformationFile (632, 13693164, 8, Completion, ... 03214 1708 NtAllocateVirtualMemory (-1, 3633152, 0, 4096, 4096, 4, ... 03215 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 14742376, ... }, 14742376, ... 03213 752 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03214 1708 NtAllocateVirtualMemory ... 3633152, 4096, ) == 0x0 03215 380 NtQueryAttributesFile ... 
) == 0x0 03216 752 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 03217 1708 NtTestAlert (... 03218 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 14742380, ... }, 14742380, ... 03216 752 NtSetInformationThread ... ) == 0x0 03217 1708 NtTestAlert ... ) == 0x0 03218 380 NtQueryAttributesFile ... ) == 0x0 03219 752 NtWriteFile (632, 301, 0, 0, (632, 301, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ... 03220 1708 NtContinue (92536112, 1, ... 03221 380 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... }, 7, 2113568, ... 03219 752 NtWriteFile ... {status=0x0, info=72}, ) == 0x0 03212 1744 NtAllocateVirtualMemory ... 93577216, 8192, ) == 0x0 03221 380 NtOpenFile ... 636, {status=0x0, info=1}, ) == 0x0 03222 1708 NtRegisterThreadTerminatePort (24, ... 03223 1744 NtProtectVirtualMemory (-1, (0x593e000), 4096, 260, ... 03224 752 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 03222 1708 NtRegisterThreadTerminatePort ... ) == 0x0 03223 1744 NtProtectVirtualMemory ... (0x593e000), 4096, 4, ) == 0x0 03224 752 NtAllocateVirtualMemory ... 1392640, 4096, ) == 0x0 03225 1708 NtWaitForSingleObject (244, 0, 0x0, ... 03226 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03227 752 NtReadFile (632, 301, 0, 0, 1024, {0, 0}, 0, ... 03226 1744 NtCreateThread ... 640, {1736, 1884}, ) == 0x0 03227 752 NtReadFile ... {status=0x0, info=68}, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20P+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03228 1744 NtQueryInformationThread (640, Basic, 28, ... 03229 752 NtFsControlFile (632, 301, 0x0, 0x0, 0x11c017, (632, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\320\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ... 03230 380 NtSetInformationFile (636, 14742352, 40, Basic, ... 03229 752 NtFsControlFile ... {status=0x103, info=68}, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20P+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03230 380 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03228 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1736,Tid=1884,}, 0x0, ) == 0x0 03231 380 NtClose (636, ... 03232 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75629, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\310\6\0\0\\7\0\0" ... ... 03231 380 NtClose ... ) == 0x0 03232 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75630, 0} ... {28, 56, reply, 0, 1736, 1744, 75630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\310\6\0\0\\7\0\0" ) ) == 0x0 03233 380 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 14742376, ... }, 14742376, ... 03234 1744 NtResumeThread (640, ... 03233 380 NtQueryAttributesFile ... ) == 0x0 03234 1744 NtResumeThread ... 
1, ) == 0x0 03235 752 NtFsControlFile (632, 301, 0x0, 0x0, 0x11c017, (632, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\10\233 IE*dK\202\302\222yAZ\332\256\1\0\0\0\1\0\0\0&\0(\0\30\16\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ... 03236 380 NtWaitForSingleObject (328, 0, 0x0, ... 03237 1884 NtTestAlert (... 03235 752 NtFsControlFile ... {status=0x103, info=48}, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\10\233 IE*dK\202\302\222yAZ\332\256\0\0\0\0", ) , ) == 0x103 03236 380 NtWaitForSingleObject ... ) == 0x0 03237 1884 NtTestAlert ... ) == 0x0 03238 752 NtFsControlFile (632, 301, 0x0, 0x0, 0x11c017, (632, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\10\233 IE*dK\202\302\222yAZ\332\256", 44, 1024, ... , 44, 1024, ... 03239 380 NtReleaseMutant (328, ... 03240 1884 NtContinue (93584688, 1, ... 03238 752 NtFsControlFile ... {status=0x103, info=156}, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\3504\25\0\1\0\0\0\3644\25\0 \0\0\0\1\0\0\0\30\0\32\0\05\25\0\345\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0X\37\25\0\1\0\0\0\5\0\15\0h\37\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 03239 380 NtReleaseMutant ... 0x0, ) == 0x0 03241 1884 NtRegisterThreadTerminatePort (24, ... 03242 752 NtClose (628, ... 03243 380 NtOpenKey (0xf, {24, 140, 0x40, 0, 0, (0xf, {24, 140, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ... 03241 1884 NtRegisterThreadTerminatePort ... ) == 0x0 03242 752 NtClose ... ) == 0x0 03244 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03243 380 NtOpenKey ... 628, ) == 0x0 03245 1884 NtWaitForSingleObject (244, 0, 0x0, ... 
03244 1744 NtAllocateVirtualMemory ... 93585408, 1048576, ) == 0x0 03246 380 NtOpenKey (0xf, {24, 628, 0x40, 0, 0, (0xf, {24, 628, 0x40, 0, 0, "Extensible Cache"}, ... }, ... 03247 1744 NtAllocateVirtualMemory (-1, 94625792, 0, 8192, 4096, 4, ... 03246 380 NtOpenKey ... 636, ) == 0x0 03247 1744 NtAllocateVirtualMemory ... 94625792, 8192, ) == 0x0 03248 380 NtClose (628, ... 03249 1744 NtProtectVirtualMemory (-1, (0x5a3e000), 4096, 260, ... 03248 380 NtClose ... ) == 0x0 03249 1744 NtProtectVirtualMemory ... (0x5a3e000), 4096, 4, ) == 0x0 03250 380 NtWaitForSingleObject (324, 0, {-600000000, -1}, ... 03251 752 NtClose (632, ... 03252 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03251 752 NtClose ... ) == 0x0 03252 1744 NtCreateThread ... 632, {1736, 248}, ) == 0x0 03253 752 NtSecureConnectPort ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1372480, 0x0, 13695044, 188, ... , {12, 2, 1, 1}, 0x0, 1372480, 0x0, 13695044, 188, ... 03254 1744 NtQueryInformationThread (632, Basic, 28, ... 03250 380 NtWaitForSingleObject ... ) == 0x0 03254 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1736,Tid=248,}, 0x0, ) == 0x0 03255 380 NtEnumerateKey (636, 0, Basic, 288, ... 03256 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75630, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\310\6\0\0\370\0\0\0" ... ... 03255 380 NtEnumerateKey ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name= ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name="feedplat"}, 32, ) }, 32, ) == 0x0 03257 380 NtOpenKey (0xf, {24, 636, 0x40, 0, 0, (0xf, {24, 636, 0x40, 0, 0, "feedplat"}, ... 628, ) }, ... 628, ) == 0x0 03258 380 NtQueryValueKey (628, (628, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (628, "CacheRepair", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03259 380 NtQueryValueKey (628, (628, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03260 380 NtQueryValueKey (628, (628, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (628, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 03253 752 NtSecureConnectPort ... 644, 0x0, 0x0, 0x0, 188, ) == 0x0 03256 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75631, 0} ... {28, 56, reply, 0, 1736, 1744, 75631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\310\6\0\0\370\0\0\0" ) ) == 0x0 03261 752 NtOpenThreadToken (-2, 0xc, 1, ... 03262 1744 NtResumeThread (632, ... 03261 752 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 03262 1744 NtResumeThread ... 1, ) == 0x0 03263 752 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 03264 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03263 752 NtSetInformationThread ... ) == 0x0 03264 1744 NtAllocateVirtualMemory ... 94633984, 1048576, ) == 0x0 03265 380 NtQueryValueKey (628, (628, "CachePath", Partial, 144, ... , Partial, 144, ... 03266 248 NtTestAlert (... 03267 1744 NtAllocateVirtualMemory (-1, 95674368, 0, 8192, 4096, 4, ... 03265 380 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 03266 248 NtTestAlert ... 
) == 0x0 03268 752 NtRequestWaitReplyPort (644, {200, 224, new_msg, 0, 1375800, 12, 2, 1310977} (644, {200, 224, new_msg, 0, 1375800, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0Q\230\311R\265F.\212\304%j\271\324\236\346|\12\0\0\0(l\227\367Q\300\15\205\0\0\0\00\7\25\0z\35\343X\360\27\206v(\0\0\0\361\20\0{\0\0\24\0\240\366\320\0V\331X\360\0\0\0\0\270.\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\320\0\372\31\221|X\376\320\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 03269 380 NtQueryValueKey (628, (628, "CachePath", Partial, 148, ... , Partial, 148, ... 03270 248 NtContinue (94633264, 1, ... 03269 380 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 03271 248 NtRegisterThreadTerminatePort (24, ... 03272 380 NtQueryValueKey (628, (628, "CachePrefix", Partial, 144, ... , Partial, 144, ... 03271 248 NtRegisterThreadTerminatePort ... ) == 0x0 03272 380 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0 03267 1744 NtAllocateVirtualMemory ... 95674368, 8192, ) == 0x0 03268 752 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1736, 752, 75633, 0} ... 
{200, 224, reply, 0, 1736, 752, 75633, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\2\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0Q\230\311R\265F.\212\304%j\271\324\236\346|\12\0\0\0(l\227\367Q\300\15\205\0\0\0\00\7\25\0z\35\343X\360\27\206v(\0\0\0\361\20\0{\0\0\24\0\240\366\320\0V\331X\360\0\0\0\0\270.\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\320\0\372\31\221|X\376\320\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 03273 248 NtWaitForSingleObject (244, 0, 0x0, ... 03274 1744 NtProtectVirtualMemory (-1, (0x5b3e000), 4096, 260, ... 03275 752 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 03274 1744 NtProtectVirtualMemory ... (0x5b3e000), 4096, 4, ) == 0x0 03275 752 NtSetInformationThread ... ) == 0x0 03276 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03277 752 NtRequestWaitReplyPort (644, {56, 80, new_msg, 0, 44, 3, 20, 0} (644, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0E*dK\202\302\222yAZ\332\256\1\0\0\0\0\0\0\0&\0(\0\10\2\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ... ... 03276 1744 NtCreateThread ... 648, {1736, 1652}, ) == 0x0 03278 380 NtQueryValueKey (628, (628, "CachePrefix", Partial, 144, ... , Partial, 144, ... 03279 1744 NtQueryInformationThread (648, Basic, 28, ... 03278 380 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0 03280 380 NtQueryValueKey (628, (628, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (628, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 03281 380 NtQueryValueKey (628, (628, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (628, "CacheOptions", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03282 380 NtClose (628, ... ) == 0x0 03283 380 NtEnumerateKey (636, 1, Basic, 288, ... {LastWrite={0x4121a6b6,0x1c8903b}, TitleIdx=0, Name= (636, 1, Basic, 288, ... {LastWrite={0x4121a6b6,0x1c8903b}, TitleIdx=0, Name="MSHist012008032720080328"}, 64, ) }, 64, ) == 0x0 03284 380 NtOpenKey (0xf, {24, 636, 0x40, 0, 0, (0xf, {24, 636, 0x40, 0, 0, "MSHist012008032720080328"}, ... 628, ) }, ... 628, ) == 0x0 03279 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1736,Tid=1652,}, 0x0, ) == 0x0 03285 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75631, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\310\6\0\0t\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\310\6\0\0t\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75635, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\310\6\0\0t\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\310\6\0\0t\6\0\0" ) ) == 0x0 03286 1744 NtResumeThread (648, ... 1, ) == 0x0 03287 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 95682560, 1048576, ) == 0x0 03288 1744 NtAllocateVirtualMemory (-1, 96722944, 0, 8192, 4096, 4, ... 96722944, 8192, ) == 0x0 03289 1744 NtProtectVirtualMemory (-1, (0x5c3e000), 4096, 260, ... (0x5c3e000), 4096, 4, ) == 0x0 03290 380 NtQueryValueKey (628, (628, "CacheRepair", Partial, 144, ... , Partial, 144, ... 03277 752 NtRequestWaitReplyPort ... {44, 68, reply, 0, 1736, 752, 75634, 0} ... {44, 68, reply, 0, 1736, 752, 75634, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 03291 1652 NtTestAlert (... 03290 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03292 752 NtRaiseException (13695504, 13694764, 1, ... 03291 1652 NtTestAlert ... ) == 0x0 03293 380 NtQueryValueKey (628, (628, "CachePath", Partial, 144, ... , Partial, 144, ... 03294 752 NtQueryVirtualMemory (-1, 0x77e7a298, Basic, 28, ... 03295 1652 NtContinue (95681840, 1, ... 03293 380 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 03294 752 NtQueryVirtualMemory ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 03296 1652 NtRegisterThreadTerminatePort (24, ... 03297 380 NtQueryValueKey (628, (628, "CachePath", Partial, 160, ... , Partial, 160, ... 03298 752 NtContinue (13693732, 0, ... 03296 1652 NtRegisterThreadTerminatePort ... ) == 0x0 03297 380 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\03\02\07\02\00\00\08\00\03\02\08\0\0\0"}, 160, ) }, 160, ) == 0x0 03299 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03300 1652 NtWaitForSingleObject (244, 0, 0x0, ... 03299 1744 NtCreateThread ... 652, {1736, 1620}, ) == 0x0 03301 1744 NtQueryInformationThread (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1736,Tid=1620,}, 0x0, ) == 0x0 03302 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75635, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\310\6\0\0T\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\310\6\0\0T\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75636, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\310\6\0\0T\6\0\0" ... 
{28, 56, reply, 0, 1736, 1744, 75636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\310\6\0\0T\6\0\0" ) ) == 0x0 03303 1744 NtResumeThread (652, ... 1, ) == 0x0 03304 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 96731136, 1048576, ) == 0x0 03305 1744 NtAllocateVirtualMemory (-1, 97771520, 0, 8192, 4096, 4, ... 03306 380 NtQueryValueKey (628, (628, "CachePath", Partial, 144, ... , Partial, 144, ... 03307 752 NtDeviceIoControlFile (520, 240, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... 03308 1620 NtTestAlert (... 03306 380 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 03307 752 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x103 03308 1620 NtTestAlert ... ) == 0x0 03309 380 NtQueryValueKey (628, (628, "CachePath", Partial, 160, ... , Partial, 160, ... 03305 1744 NtAllocateVirtualMemory ... 97771520, 8192, ) == 0x0 03310 1620 NtContinue (96730416, 1, ... 03309 380 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\03\02\07\02\00\00\08\00\03\02\08\0\0\0"}, 160, ) }, 160, ) == 0x0 03311 1744 NtProtectVirtualMemory (-1, (0x5d3e000), 4096, 260, ... 03312 1620 NtRegisterThreadTerminatePort (24, ... 03313 380 NtQueryValueKey (628, (628, "CachePrefix", Partial, 144, ... , Partial, 144, ... 03311 1744 NtProtectVirtualMemory ... (0x5d3e000), 4096, 4, ) == 0x0 03312 1620 NtRegisterThreadTerminatePort ... ) == 0x0 03313 380 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\03\02\07\02\00\00\08\00\03\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 03314 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03315 752 NtWaitForSingleObject (240, 1, {-5000000, -1}, ... 03316 1620 NtWaitForSingleObject (244, 0, 0x0, ... 03314 1744 NtCreateThread ... 
656, {1736, 1588}, ) == 0x0 03317 1744 NtQueryInformationThread (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1736,Tid=1588,}, 0x0, ) == 0x0 03318 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75636, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\310\6\0\04\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\310\6\0\04\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75637, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\310\6\0\04\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\310\6\0\04\6\0\0" ) ) == 0x0 03319 1744 NtResumeThread (656, ... 1, ) == 0x0 03320 380 NtQueryValueKey (628, (628, "CachePrefix", Partial, 144, ... , Partial, 144, ... 03321 1588 NtTestAlert (... 03320 380 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\03\02\07\02\00\00\08\00\03\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 03321 1588 NtTestAlert ... ) == 0x0 03322 380 NtQueryValueKey (628, (628, "CacheLimit", Partial, 144, ... , Partial, 144, ... 03323 1588 NtContinue (97778992, 1, ... 03322 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 03324 1588 NtRegisterThreadTerminatePort (24, ... 03325 380 NtQueryValueKey (628, (628, "CacheOptions", Partial, 144, ... , Partial, 144, ... 03324 1588 NtRegisterThreadTerminatePort ... ) == 0x0 03325 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 03326 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03327 1588 NtWaitForSingleObject (244, 0, 0x0, ... 03326 1744 NtAllocateVirtualMemory ... 97779712, 1048576, ) == 0x0 03328 1744 NtAllocateVirtualMemory (-1, 98820096, 0, 8192, 4096, 4, ... 
98820096, 8192, ) == 0x0 03329 1744 NtProtectVirtualMemory (-1, (0x5e3e000), 4096, 260, ... (0x5e3e000), 4096, 4, ) == 0x0 03330 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {1736, 1296}, ) == 0x0 03331 1744 NtQueryInformationThread (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1736,Tid=1296,}, 0x0, ) == 0x0 03332 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75637, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\310\6\0\0\20\5\0\0" ... ... 03333 380 NtClose (628, ... ) == 0x0 03334 380 NtEnumerateKey (636, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name= (636, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name="UserData"}, 32, ) }, 32, ) == 0x0 03335 380 NtOpenKey (0xf, {24, 636, 0x40, 0, 0, (0xf, {24, 636, 0x40, 0, 0, "UserData"}, ... 628, ) }, ... 628, ) == 0x0 03332 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75638, 0} ... {28, 56, reply, 0, 1736, 1744, 75638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\310\6\0\0\20\5\0\0" ) ) == 0x0 03336 1744 NtResumeThread (660, ... 1, ) == 0x0 03337 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 98828288, 1048576, ) == 0x0 03338 1744 NtAllocateVirtualMemory (-1, 99868672, 0, 8192, 4096, 4, ... 99868672, 8192, ) == 0x0 03339 1744 NtProtectVirtualMemory (-1, (0x5f3e000), 4096, 260, ... (0x5f3e000), 4096, 4, ) == 0x0 03340 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {1736, 2044}, ) == 0x0 03341 1744 NtQueryInformationThread (664, Basic, 28, ... 03342 380 NtQueryValueKey (628, (628, "CacheRepair", Partial, 144, ... , Partial, 144, ... 03343 1296 NtTestAlert (... 03342 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03343 1296 NtTestAlert ... ) == 0x0 03344 380 NtQueryValueKey (628, (628, "CachePath", Partial, 144, ... , Partial, 144, ... 
03345 1296 NtContinue (98827568, 1, ... 03344 380 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 03346 1296 NtRegisterThreadTerminatePort (24, ... 03347 380 NtQueryValueKey (628, (628, "CachePath", Partial, 148, ... , Partial, 148, ... 03346 1296 NtRegisterThreadTerminatePort ... ) == 0x0 03347 380 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0 03341 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1736,Tid=2044,}, 0x0, ) == 0x0 03348 1296 NtWaitForSingleObject (244, 0, 0x0, ... 03349 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75638, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\310\6\0\0\374\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\310\6\0\0\374\7\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75639, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\310\6\0\0\374\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\310\6\0\0\374\7\0\0" ) ) == 0x0 03350 1744 NtResumeThread (664, ... 1, ) == 0x0 03351 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 99876864, 1048576, ) == 0x0 03352 1744 NtAllocateVirtualMemory (-1, 100917248, 0, 8192, 4096, 4, ... 100917248, 8192, ) == 0x0 03353 1744 NtProtectVirtualMemory (-1, (0x603e000), 4096, 260, ... (0x603e000), 4096, 4, ) == 0x0 03354 380 NtQueryValueKey (628, (628, "CachePath", Partial, 144, ... , Partial, 144, ... 03355 2044 NtTestAlert (... 03354 380 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 03355 2044 NtTestAlert ... ) == 0x0 03356 380 NtQueryValueKey (628, (628, "CachePath", Partial, 148, ... , Partial, 148, ... 
03357 2044 NtContinue (99876144, 1, ... 03356 380 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0 03358 2044 NtRegisterThreadTerminatePort (24, ... 03359 380 NtQueryValueKey (628, (628, "CachePrefix", Partial, 144, ... , Partial, 144, ... 03358 2044 NtRegisterThreadTerminatePort ... ) == 0x0 03359 380 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0 03360 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03361 2044 NtWaitForSingleObject (244, 0, 0x0, ... 03360 1744 NtCreateThread ... 668, {1736, 1308}, ) == 0x0 03362 1744 NtQueryInformationThread (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1736,Tid=1308,}, 0x0, ) == 0x0 03363 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75639, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\310\6\0\0\34\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\310\6\0\0\34\5\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75640, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\310\6\0\0\34\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\310\6\0\0\34\5\0\0" ) ) == 0x0 03364 1744 NtResumeThread (668, ... 1, ) == 0x0 03365 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 100925440, 1048576, ) == 0x0 03366 1744 NtAllocateVirtualMemory (-1, 101965824, 0, 8192, 4096, 4, ... 03367 380 NtQueryValueKey (628, (628, "CachePrefix", Partial, 144, ... , Partial, 144, ... 03368 1308 NtTestAlert (... 03367 380 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... 
TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0 03368 1308 NtTestAlert ... ) == 0x0 03369 380 NtQueryValueKey (628, (628, "CacheLimit", Partial, 144, ... , Partial, 144, ... 03370 1308 NtContinue (100924720, 1, ... 03369 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) }, 16, ) == 0x0 03371 1308 NtRegisterThreadTerminatePort (24, ... 03372 380 NtQueryValueKey (628, (628, "CacheOptions", Partial, 144, ... , Partial, 144, ... 03371 1308 NtRegisterThreadTerminatePort ... ) == 0x0 03372 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) }, 16, ) == 0x0 03366 1744 NtAllocateVirtualMemory ... 101965824, 8192, ) == 0x0 03373 1308 NtWaitForSingleObject (244, 0, 0x0, ... 03374 1744 NtProtectVirtualMemory (-1, (0x613e000), 4096, 260, ... (0x613e000), 4096, 4, ) == 0x0 03375 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1736, 1676}, ) == 0x0 03376 1744 NtQueryInformationThread (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1736,Tid=1676,}, 0x0, ) == 0x0 03377 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75640, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\310\6\0\0\214\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\310\6\0\0\214\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75641, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\310\6\0\0\214\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\310\6\0\0\214\6\0\0" ) ) == 0x0 03378 1744 NtResumeThread (672, ... 1, ) == 0x0 03379 380 NtClose (628, ... 03380 1676 NtTestAlert (... 03379 380 NtClose ... ) == 0x0 03380 1676 NtTestAlert ... ) == 0x0 03381 380 NtEnumerateKey (636, 3, Basic, 288, ... 03382 1676 NtContinue (101973296, 1, ... 03381 380 NtEnumerateKey ... 
) == STATUS_NO_MORE_ENTRIES 03383 1676 NtRegisterThreadTerminatePort (24, ... 03384 380 NtReleaseMutant (324, ... 03383 1676 NtRegisterThreadTerminatePort ... ) == 0x0 03384 380 NtReleaseMutant ... 0x0, ) == 0x0 03385 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03386 1676 NtWaitForSingleObject (244, 0, 0x0, ... 03385 1744 NtAllocateVirtualMemory ... 101974016, 1048576, ) == 0x0 03387 1744 NtAllocateVirtualMemory (-1, 103014400, 0, 8192, 4096, 4, ... 103014400, 8192, ) == 0x0 03388 1744 NtProtectVirtualMemory (-1, (0x623e000), 4096, 260, ... (0x623e000), 4096, 4, ) == 0x0 03389 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {1736, 1436}, ) == 0x0 03390 1744 NtQueryInformationThread (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1736,Tid=1436,}, 0x0, ) == 0x0 03391 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75641, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\310\6\0\0\234\5\0\0" ... ... 03392 380 NtClose (636, ... ) == 0x0 03393 380 NtWaitForSingleObject (328, 0, 0x0, ... ) == 0x0 03394 380 NtReleaseMutant (328, ... 03391 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75642, 0} ... {28, 56, reply, 0, 1736, 1744, 75642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\310\6\0\0\234\5\0\0" ) ) == 0x0 03395 1744 NtResumeThread (628, ... 1, ) == 0x0 03396 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 103022592, 1048576, ) == 0x0 03397 1744 NtAllocateVirtualMemory (-1, 104062976, 0, 8192, 4096, 4, ... 104062976, 8192, ) == 0x0 03398 1744 NtProtectVirtualMemory (-1, (0x633e000), 4096, 260, ... (0x633e000), 4096, 4, ) == 0x0 03399 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 636, {1736, 724}, ) == 0x0 03400 1744 NtQueryInformationThread (636, Basic, 28, ... 03394 380 NtReleaseMutant ... 0x0, ) == 0x0 03401 1436 NtTestAlert (... 03402 380 NtWaitForSingleObject (328, 0, 0x0, ... 03401 1436 NtTestAlert ... 
) == 0x0 03402 380 NtWaitForSingleObject ... ) == 0x0 03403 1436 NtContinue (103021872, 1, ... 03404 380 NtReleaseMutant (328, ... 03405 1436 NtRegisterThreadTerminatePort (24, ... 03404 380 NtReleaseMutant ... 0x0, ) == 0x0 03405 1436 NtRegisterThreadTerminatePort ... ) == 0x0 03400 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1736,Tid=724,}, 0x0, ) == 0x0 03406 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03407 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75642, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\310\6\0\0\324\2\0\0" ... ... 03406 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03407 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75643, 0} ... {28, 56, reply, 0, 1736, 1744, 75643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\310\6\0\0\324\2\0\0" ) ) == 0x0 03408 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03409 1744 NtResumeThread (636, ... 03408 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03409 1744 NtResumeThread ... 1, ) == 0x0 03410 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03411 1436 NtWaitForSingleObject (244, 0, 0x0, ... 03412 724 NtTestAlert (... 03410 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03412 724 NtTestAlert ... ) == 0x0 03413 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03414 724 NtContinue (104070448, 1, ... 03413 1744 NtAllocateVirtualMemory ... 104071168, 1048576, ) == 0x0 03415 724 NtRegisterThreadTerminatePort (24, ... 03416 1744 NtAllocateVirtualMemory (-1, 105111552, 0, 8192, 4096, 4, ... 03415 724 NtRegisterThreadTerminatePort ... 
) == 0x0 03416 1744 NtAllocateVirtualMemory ... 105111552, 8192, ) == 0x0 03417 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03418 1744 NtProtectVirtualMemory (-1, (0x643e000), 4096, 260, ... 03417 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03418 1744 NtProtectVirtualMemory ... (0x643e000), 4096, 4, ) == 0x0 03419 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03420 724 NtWaitForSingleObject (244, 0, 0x0, ... 03419 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03421 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03422 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03423 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 676, ) }, ... 676, ) == 0x0 03424 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03425 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1736, 1368}, ) == 0x0 03426 1744 NtQueryInformationThread (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1736,Tid=1368,}, 0x0, ) == 0x0 03427 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75643, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\310\6\0\0X\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\310\6\0\0X\5\0\0" ) ... 
{28, 56, reply, 0, 1736, 1744, 75644, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\310\6\0\0X\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\310\6\0\0X\5\0\0" ) ) == 0x0 03428 1744 NtResumeThread (680, ... 1, ) == 0x0 03429 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 105119744, 1048576, ) == 0x0 03430 1744 NtAllocateVirtualMemory (-1, 106160128, 0, 8192, 4096, 4, ... 03431 380 NtOpenKey (0x1, {24, 676, 0x40, 0, 0, (0x1, {24, 676, 0x40, 0, 0, "RETRY_HEADERONLYPOST_ONCONNECTIONRESET"}, ... }, ... 03432 1368 NtTestAlert (... 03431 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03432 1368 NtTestAlert ... ) == 0x0 03433 380 NtClose (676, ... 03434 1368 NtContinue (105119024, 1, ... 03433 380 NtClose ... ) == 0x0 03435 1368 NtRegisterThreadTerminatePort (24, ... 03436 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03435 1368 NtRegisterThreadTerminatePort ... ) == 0x0 03436 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03430 1744 NtAllocateVirtualMemory ... 106160128, 8192, ) == 0x0 03437 1368 NtWaitForSingleObject (244, 0, 0x0, ... 03438 1744 NtProtectVirtualMemory (-1, (0x653e000), 4096, 260, ... (0x653e000), 4096, 4, ) == 0x0 03439 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1736, 1568}, ) == 0x0 03440 1744 NtQueryInformationThread (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1736,Tid=1568,}, 0x0, ) == 0x0 03441 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75644, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\310\6\0\0 \6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\310\6\0\0 \6\0\0" ) ... 
{28, 56, reply, 0, 1736, 1744, 75645, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\310\6\0\0 \6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\310\6\0\0 \6\0\0" ) ) == 0x0 03442 1744 NtResumeThread (676, ... 1, ) == 0x0 03443 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03444 1568 NtTestAlert (... 03443 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03444 1568 NtTestAlert ... ) == 0x0 03445 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03446 1568 NtContinue (106167600, 1, ... 03445 380 NtOpenKey ... 684, ) == 0x0 03447 1568 NtRegisterThreadTerminatePort (24, ... 03448 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03447 1568 NtRegisterThreadTerminatePort ... ) == 0x0 03448 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03449 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03450 1568 NtWaitForSingleObject (244, 0, 0x0, ... 03449 1744 NtAllocateVirtualMemory ... 106168320, 1048576, ) == 0x0 03451 1744 NtAllocateVirtualMemory (-1, 107208704, 0, 8192, 4096, 4, ... 107208704, 8192, ) == 0x0 03452 1744 NtProtectVirtualMemory (-1, (0x663e000), 4096, 260, ... (0x663e000), 4096, 4, ) == 0x0 03453 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1736, 784}, ) == 0x0 03454 1744 NtQueryInformationThread (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1736,Tid=784,}, 0x0, ) == 0x0 03455 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75645, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\310\6\0\0\20\3\0\0" ... ... 
03456 380 NtOpenKey (0x1, {24, 684, 0x40, 0, 0, (0x1, {24, 684, 0x40, 0, 0, "FEATURE_BUFFERBREAKING_818408"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03457 380 NtClose (684, ... ) == 0x0 03458 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03455 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75646, 0} ... {28, 56, reply, 0, 1736, 1744, 75646, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\310\6\0\0\20\3\0\0" ) ) == 0x0 03459 1744 NtResumeThread (688, ... 1, ) == 0x0 03460 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 107216896, 1048576, ) == 0x0 03461 1744 NtAllocateVirtualMemory (-1, 108257280, 0, 8192, 4096, 4, ... 108257280, 8192, ) == 0x0 03462 1744 NtProtectVirtualMemory (-1, (0x673e000), 4096, 260, ... (0x673e000), 4096, 4, ) == 0x0 03463 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1736, 1792}, ) == 0x0 03464 1744 NtQueryInformationThread (684, Basic, 28, ... 03465 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03466 784 NtTestAlert (... 03465 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03466 784 NtTestAlert ... ) == 0x0 03467 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03468 784 NtContinue (107216176, 1, ... 03467 380 NtOpenKey ... 692, ) == 0x0 03469 784 NtRegisterThreadTerminatePort (24, ... 03470 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03469 784 NtRegisterThreadTerminatePort ... ) == 0x0 03470 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03464 1744 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=1736,Tid=1792,}, 0x0, ) == 0x0 03471 784 NtWaitForSingleObject (244, 0, 0x0, ... 03472 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75646, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75646, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\310\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\310\6\0\0\0\7\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75647, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75646, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\310\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\310\6\0\0\0\7\0\0" ) ) == 0x0 03473 1744 NtResumeThread (684, ... 1, ) == 0x0 03474 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 108265472, 1048576, ) == 0x0 03475 1744 NtAllocateVirtualMemory (-1, 109305856, 0, 8192, 4096, 4, ... 109305856, 8192, ) == 0x0 03476 1744 NtProtectVirtualMemory (-1, (0x683e000), 4096, 260, ... (0x683e000), 4096, 4, ) == 0x0 03477 380 NtOpenKey (0x1, {24, 692, 0x40, 0, 0, (0x1, {24, 692, 0x40, 0, 0, "FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954"}, ... }, ... 03478 1792 NtTestAlert (... 03477 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03478 1792 NtTestAlert ... ) == 0x0 03479 380 NtClose (692, ... 03480 1792 NtContinue (108264752, 1, ... 03479 380 NtClose ... ) == 0x0 03481 1792 NtRegisterThreadTerminatePort (24, ... 03482 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03481 1792 NtRegisterThreadTerminatePort ... ) == 0x0 03482 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03483 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03484 1792 NtWaitForSingleObject (244, 0, 0x0, ... 03483 1744 NtCreateThread ... 692, {1736, 192}, ) == 0x0 03485 1744 NtQueryInformationThread (692, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=1736,Tid=192,}, 0x0, ) == 0x0 03486 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75647, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\310\6\0\0\300\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\310\6\0\0\300\0\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75648, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\310\6\0\0\300\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\310\6\0\0\300\0\0\0" ) ) == 0x0 03487 1744 NtResumeThread (692, ... 1, ) == 0x0 03488 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 109314048, 1048576, ) == 0x0 03489 1744 NtAllocateVirtualMemory (-1, 110354432, 0, 8192, 4096, 4, ... 03490 380 NtQueryValueKey (136, (136, "DisableWorkerThreadHibernation", Partial, 144, ... , Partial, 144, ... 03491 192 NtTestAlert (... 03490 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03491 192 NtTestAlert ... ) == 0x0 03492 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03493 192 NtContinue (109313328, 1, ... 03492 380 NtOpenKey ... 696, ) == 0x0 03494 192 NtRegisterThreadTerminatePort (24, ... 03495 380 NtQueryValueKey (696, (696, "DisableWorkerThreadHibernation", Partial, 144, ... , Partial, 144, ... 03494 192 NtRegisterThreadTerminatePort ... ) == 0x0 03495 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03489 1744 NtAllocateVirtualMemory ... 110354432, 8192, ) == 0x0 03496 192 NtWaitForSingleObject (244, 0, 0x0, ... 03497 1744 NtProtectVirtualMemory (-1, (0x693e000), 4096, 260, ... (0x693e000), 4096, 4, ) == 0x0 03498 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {1736, 1120}, ) == 0x0 03499 1744 NtQueryInformationThread (700, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=1736,Tid=1120,}, 0x0, ) == 0x0 03500 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75648, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\310\6\0\0`\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75649, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\310\6\0\0`\4\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75649, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\310\6\0\0`\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75649, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\310\6\0\0`\4\0\0" ) ) == 0x0 03501 1744 NtResumeThread (700, ... 1, ) == 0x0 03502 380 NtClose (696, ... 03503 1120 NtTestAlert (... 03502 380 NtClose ... ) == 0x0 03503 1120 NtTestAlert ... ) == 0x0 03504 380 NtQueryValueKey (136, (136, "DisableReadRange", Partial, 144, ... , Partial, 144, ... 03505 1120 NtContinue (110361904, 1, ... 03504 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03506 1120 NtRegisterThreadTerminatePort (24, ... 03507 380 NtQueryValueKey (136, (136, "SocketSendBufferLength", Partial, 144, ... , Partial, 144, ... 03506 1120 NtRegisterThreadTerminatePort ... ) == 0x0 03507 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03508 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03509 1120 NtWaitForSingleObject (244, 0, 0x0, ... 03508 1744 NtAllocateVirtualMemory ... 110362624, 1048576, ) == 0x0 03510 1744 NtAllocateVirtualMemory (-1, 111403008, 0, 8192, 4096, 4, ... 111403008, 8192, ) == 0x0 03511 1744 NtProtectVirtualMemory (-1, (0x6a3e000), 4096, 260, ... (0x6a3e000), 4096, 4, ) == 0x0 03512 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {1736, 1612}, ) == 0x0 03513 1744 NtQueryInformationThread (696, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=1736,Tid=1612,}, 0x0, ) == 0x0 03514 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75649, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75649, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\310\6\0\0L\6\0\0" ... ... 03515 380 NtQueryValueKey (136, (136, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03516 380 NtQueryValueKey (136, (136, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03517 380 NtQueryValueKey (136, (136, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03514 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75650, 0} ... {28, 56, reply, 0, 1736, 1744, 75650, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\310\6\0\0L\6\0\0" ) ) == 0x0 03518 1744 NtResumeThread (696, ... 1, ) == 0x0 03519 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 111411200, 1048576, ) == 0x0 03520 1744 NtAllocateVirtualMemory (-1, 112451584, 0, 8192, 4096, 4, ... 112451584, 8192, ) == 0x0 03521 1744 NtProtectVirtualMemory (-1, (0x6b3e000), 4096, 260, ... (0x6b3e000), 4096, 4, ) == 0x0 03522 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1736, 1628}, ) == 0x0 03523 1744 NtQueryInformationThread (704, Basic, 28, ... 03524 380 NtQueryValueKey (136, (136, "MaxConnectionsPerServer", Partial, 144, ... , Partial, 144, ... 03525 1612 NtTestAlert (... 03524 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03525 1612 NtTestAlert ... ) == 0x0 03526 380 NtQueryValueKey (136, (136, "MaxConnectionsPer1_0Server", Partial, 144, ... , Partial, 144, ... 03527 1612 NtContinue (111410480, 1, ... 03526 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03528 1612 NtRegisterThreadTerminatePort (24, ... 03529 380 NtQueryValueKey (136, (136, "ServerInfoTimeout", Partial, 144, ... , Partial, 144, ... 
03528 1612 NtRegisterThreadTerminatePort ... ) == 0x0 03529 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03523 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=1736,Tid=1628,}, 0x0, ) == 0x0 03530 1612 NtWaitForSingleObject (244, 0, 0x0, ... 03531 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75650, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75650, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\310\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\310\6\0\0\\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75651, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75650, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\310\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\310\6\0\0\\6\0\0" ) ) == 0x0 03532 1744 NtResumeThread (704, ... 1, ) == 0x0 03533 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 112459776, 1048576, ) == 0x0 03534 1744 NtAllocateVirtualMemory (-1, 113500160, 0, 8192, 4096, 4, ... 113500160, 8192, ) == 0x0 03535 1744 NtProtectVirtualMemory (-1, (0x6c3e000), 4096, 260, ... (0x6c3e000), 4096, 4, ) == 0x0 03536 380 NtQueryValueKey (136, (136, "ConnectTimeOut", Partial, 144, ... , Partial, 144, ... 03537 1628 NtTestAlert (... 03536 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03537 1628 NtTestAlert ... ) == 0x0 03538 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03539 1628 NtContinue (112459056, 1, ... 03538 380 NtOpenKey ... 708, ) == 0x0 03540 1628 NtRegisterThreadTerminatePort (24, ... 03541 380 NtQueryValueKey (708, (708, "ConnectTimeOut", Partial, 144, ... , Partial, 144, ... 03540 1628 NtRegisterThreadTerminatePort ... ) == 0x0 03541 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03542 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
03543 1628 NtWaitForSingleObject (244, 0, 0x0, ... 03542 1744 NtCreateThread ... 712, {1736, 876}, ) == 0x0 03544 1744 NtQueryInformationThread (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=1736,Tid=876,}, 0x0, ) == 0x0 03545 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75651, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\310\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75652, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\310\6\0\0l\3\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75652, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\310\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1736, 1744, 75652, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\310\6\0\0l\3\0\0" ) ) == 0x0 03546 1744 NtResumeThread (712, ... 1, ) == 0x0 03547 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 113508352, 1048576, ) == 0x0 03548 1744 NtAllocateVirtualMemory (-1, 114548736, 0, 8192, 4096, 4, ... 03549 380 NtClose (708, ... 03550 876 NtTestAlert (... 03549 380 NtClose ... ) == 0x0 03550 876 NtTestAlert ... ) == 0x0 03551 380 NtQueryValueKey (136, (136, "ConnectRetries", Partial, 144, ... , Partial, 144, ... 03552 876 NtContinue (113507632, 1, ... 03551 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03553 876 NtRegisterThreadTerminatePort (24, ... 03554 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03553 876 NtRegisterThreadTerminatePort ... ) == 0x0 03554 380 NtOpenKey ... 708, ) == 0x0 03548 1744 NtAllocateVirtualMemory ... 114548736, 8192, ) == 0x0 03555 876 NtWaitForSingleObject (244, 0, 0x0, ... 03556 1744 NtProtectVirtualMemory (-1, (0x6d3e000), 4096, 260, ... (0x6d3e000), 4096, 4, ) == 0x0 03557 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1736, 1924}, ) == 0x0 03558 1744 NtQueryInformationThread (716, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=1736,Tid=1924,}, 0x0, ) == 0x0 03559 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75652, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75652, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\310\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75653, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\310\6\0\0\204\7\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75653, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75652, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\310\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75653, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\310\6\0\0\204\7\0\0" ) ) == 0x0 03560 1744 NtResumeThread (716, ... 1, ) == 0x0 03561 380 NtQueryValueKey (708, (708, "ConnectRetries", Partial, 144, ... , Partial, 144, ... 03562 1924 NtTestAlert (... 03561 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03562 1924 NtTestAlert ... ) == 0x0 03563 380 NtClose (708, ... 03564 1924 NtContinue (114556208, 1, ... 03563 380 NtClose ... ) == 0x0 03565 1924 NtRegisterThreadTerminatePort (24, ... 03566 380 NtQueryValueKey (136, (136, "SendTimeOut", Partial, 144, ... , Partial, 144, ... 03565 1924 NtRegisterThreadTerminatePort ... ) == 0x0 03566 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03567 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03568 1924 NtWaitForSingleObject (244, 0, 0x0, ... 03567 1744 NtAllocateVirtualMemory ... 114556928, 1048576, ) == 0x0 03569 1744 NtAllocateVirtualMemory (-1, 115597312, 0, 8192, 4096, 4, ... 115597312, 8192, ) == 0x0 03570 1744 NtProtectVirtualMemory (-1, (0x6e3e000), 4096, 260, ... (0x6e3e000), 4096, 4, ) == 0x0 03571 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1736, 644}, ) == 0x0 03572 1744 NtQueryInformationThread (708, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=1736,Tid=644,}, 0x0, ) == 0x0 03573 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75653, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75653, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\310\6\0\0\204\2\0\0" ... ... 03574 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 720, ) }, ... 720, ) == 0x0 03575 380 NtQueryValueKey (720, (720, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03576 380 NtClose (720, ... ) == 0x0 03573 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75654, 0} ... {28, 56, reply, 0, 1736, 1744, 75654, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\310\6\0\0\204\2\0\0" ) ) == 0x0 03577 1744 NtResumeThread (708, ... 1, ) == 0x0 03578 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 115605504, 1048576, ) == 0x0 03579 1744 NtAllocateVirtualMemory (-1, 116645888, 0, 8192, 4096, 4, ... 116645888, 8192, ) == 0x0 03580 1744 NtProtectVirtualMemory (-1, (0x6f3e000), 4096, 260, ... (0x6f3e000), 4096, 4, ) == 0x0 03581 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1736, 624}, ) == 0x0 03582 1744 NtQueryInformationThread (720, Basic, 28, ... 03583 380 NtQueryValueKey (136, (136, "ReceiveTimeOut", Partial, 144, ... , Partial, 144, ... 03584 644 NtTestAlert (... 03583 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03584 644 NtTestAlert ... ) == 0x0 03585 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03586 644 NtContinue (115604784, 1, ... 03585 380 NtOpenKey ... 724, ) == 0x0 03587 644 NtRegisterThreadTerminatePort (24, ... 03588 380 NtQueryValueKey (724, (724, "ReceiveTimeOut", Partial, 144, ... , Partial, 144, ... 03587 644 NtRegisterThreadTerminatePort ... ) == 0x0 03588 380 NtQueryValueKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03582 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=1736,Tid=624,}, 0x0, ) == 0x0 03589 644 NtWaitForSingleObject (244, 0, 0x0, ... 03590 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75654, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75654, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\310\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1736, 1744, 75655, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\310\6\0\0p\2\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75655, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75654, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\310\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1736, 1744, 75655, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\310\6\0\0p\2\0\0" ) ) == 0x0 03591 1744 NtResumeThread (720, ... 1, ) == 0x0 03592 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 116654080, 1048576, ) == 0x0 03593 1744 NtAllocateVirtualMemory (-1, 117694464, 0, 8192, 4096, 4, ... 117694464, 8192, ) == 0x0 03594 1744 NtProtectVirtualMemory (-1, (0x703e000), 4096, 260, ... (0x703e000), 4096, 4, ) == 0x0 03595 380 NtClose (724, ... 03596 624 NtTestAlert (... 03595 380 NtClose ... ) == 0x0 03596 624 NtTestAlert ... ) == 0x0 03597 380 NtQueryValueKey (136, (136, "DisableNTLMPreAuth", Partial, 144, ... , Partial, 144, ... 03598 624 NtContinue (116653360, 1, ... 03597 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03599 624 NtRegisterThreadTerminatePort (24, ... 03600 380 NtQueryValueKey (136, (136, "ScavengeCacheLowerBound", Partial, 144, ... , Partial, 144, ... 03599 624 NtRegisterThreadTerminatePort ... ) == 0x0 03600 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03601 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03602 624 NtWaitForSingleObject (244, 0, 0x0, ... 03601 1744 NtCreateThread ... 724, {1736, 1124}, ) == 0x0 03603 1744 NtQueryInformationThread (724, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=1736,Tid=1124,}, 0x0, ) == 0x0 03604 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75655, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75655, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\310\6\0\0d\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75656, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\310\6\0\0d\4\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75656, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75655, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\310\6\0\0d\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75656, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\310\6\0\0d\4\0\0" ) ) == 0x0 03605 1744 NtResumeThread (724, ... 1, ) == 0x0 03606 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 117702656, 1048576, ) == 0x0 03607 1744 NtAllocateVirtualMemory (-1, 118743040, 0, 8192, 4096, 4, ... 03608 380 NtQueryValueKey (136, (136, "CertCacheNoValidate", Partial, 144, ... , Partial, 144, ... 03609 1124 NtTestAlert (... 03608 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03609 1124 NtTestAlert ... ) == 0x0 03610 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ... 03611 1124 NtContinue (117701936, 1, ... 03610 380 NtOpenKey ... 728, ) == 0x0 03612 1124 NtRegisterThreadTerminatePort (24, ... 03613 380 NtQueryValueKey (728, (728, "ScavengeCacheFileLifeTime", Partial, 144, ... , Partial, 144, ... 03612 1124 NtRegisterThreadTerminatePort ... ) == 0x0 03613 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03607 1744 NtAllocateVirtualMemory ... 118743040, 8192, ) == 0x0 03614 1124 NtWaitForSingleObject (244, 0, 0x0, ... 03615 1744 NtProtectVirtualMemory (-1, (0x713e000), 4096, 260, ... (0x713e000), 4096, 4, ) == 0x0 03616 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {1736, 740}, ) == 0x0 03617 1744 NtQueryInformationThread (732, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=1736,Tid=740,}, 0x0, ) == 0x0 03618 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75656, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75656, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\310\6\0\0\344\2\0\0" ... {28, 56, reply, 0, 1736, 1744, 75657, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\310\6\0\0\344\2\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75657, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75656, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\310\6\0\0\344\2\0\0" ... {28, 56, reply, 0, 1736, 1744, 75657, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\310\6\0\0\344\2\0\0" ) ) == 0x0 03619 1744 NtResumeThread (732, ... 1, ) == 0x0 03620 380 NtClose (728, ... 03621 740 NtTestAlert (... 03620 380 NtClose ... ) == 0x0 03621 740 NtTestAlert ... ) == 0x0 03622 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03623 740 NtContinue (118750512, 1, ... 03622 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03624 740 NtRegisterThreadTerminatePort (24, ... 03625 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... }, ... 03624 740 NtRegisterThreadTerminatePort ... ) == 0x0 03625 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03626 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03627 740 NtWaitForSingleObject (244, 0, 0x0, ... 03626 1744 NtAllocateVirtualMemory ... 118751232, 1048576, ) == 0x0 03628 1744 NtAllocateVirtualMemory (-1, 119791616, 0, 8192, 4096, 4, ... 119791616, 8192, ) == 0x0 03629 1744 NtProtectVirtualMemory (-1, (0x723e000), 4096, 260, ... (0x723e000), 4096, 4, ) == 0x0 03630 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {1736, 1716}, ) == 0x0 03631 1744 NtQueryInformationThread (728, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=1736,Tid=1716,}, 0x0, ) == 0x0 03632 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75657, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75657, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\310\6\0\0\264\6\0\0" ... ... 03633 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03634 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 736, ) }, ... 736, ) == 0x0 03635 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 740, ) }, ... 740, ) == 0x0 03632 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75658, 0} ... {28, 56, reply, 0, 1736, 1744, 75658, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\310\6\0\0\264\6\0\0" ) ) == 0x0 03636 1744 NtResumeThread (728, ... 1, ) == 0x0 03637 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 119799808, 1048576, ) == 0x0 03638 1744 NtAllocateVirtualMemory (-1, 120840192, 0, 8192, 4096, 4, ... 120840192, 8192, ) == 0x0 03639 1744 NtProtectVirtualMemory (-1, (0x733e000), 4096, 260, ... (0x733e000), 4096, 4, ) == 0x0 03640 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {1736, 1440}, ) == 0x0 03641 1744 NtQueryInformationThread (744, Basic, 28, ... 03642 380 NtQueryValueKey (740, (740, "ScavengeCacheFileLimit", Partial, 144, ... , Partial, 144, ... 03643 1716 NtTestAlert (... 03642 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03643 1716 NtTestAlert ... ) == 0x0 03644 380 NtQueryValueKey (736, (736, "ScavengeCacheFileLimit", Partial, 144, ... , Partial, 144, ... 03645 1716 NtContinue (119799088, 1, ... 03644 380 NtQueryValueKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03646 1716 NtRegisterThreadTerminatePort (24, ... 03647 380 NtClose (736, ... 03646 1716 NtRegisterThreadTerminatePort ... ) == 0x0 03647 380 NtClose ... ) == 0x0 03641 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=1736,Tid=1440,}, 0x0, ) == 0x0 03648 1716 NtWaitForSingleObject (244, 0, 0x0, ... 03649 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75658, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75658, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\310\6\0\0\240\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75659, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\310\6\0\0\240\5\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75659, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75658, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\310\6\0\0\240\5\0\0" ... {28, 56, reply, 0, 1736, 1744, 75659, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\310\6\0\0\240\5\0\0" ) ) == 0x0 03650 1744 NtResumeThread (744, ... 1, ) == 0x0 03651 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 120848384, 1048576, ) == 0x0 03652 1744 NtAllocateVirtualMemory (-1, 121888768, 0, 8192, 4096, 4, ... 121888768, 8192, ) == 0x0 03653 1744 NtProtectVirtualMemory (-1, (0x743e000), 4096, 260, ... (0x743e000), 4096, 4, ) == 0x0 03654 380 NtClose (740, ... 03655 1440 NtTestAlert (... 03654 380 NtClose ... ) == 0x0 03655 1440 NtTestAlert ... ) == 0x0 03656 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03657 1440 NtContinue (120847664, 1, ... 03656 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03658 1440 NtRegisterThreadTerminatePort (24, ... 03659 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03658 1440 NtRegisterThreadTerminatePort ... ) == 0x0 03659 380 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03660 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03661 1440 NtWaitForSingleObject (244, 0, 0x0, ... 03660 1744 NtCreateThread ... 740, {1736, 1248}, ) == 0x0 03662 1744 NtQueryInformationThread (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=1736,Tid=1248,}, 0x0, ) == 0x0 03663 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75659, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75659, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\310\6\0\0\340\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75660, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\310\6\0\0\340\4\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75660, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75659, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\310\6\0\0\340\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75660, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\310\6\0\0\340\4\0\0" ) ) == 0x0 03664 1744 NtResumeThread (740, ... 1, ) == 0x0 03665 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 121896960, 1048576, ) == 0x0 03666 1744 NtAllocateVirtualMemory (-1, 122937344, 0, 8192, 4096, 4, ... 03667 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03668 1248 NtAllocateVirtualMemory (-1, 3637248, 0, 4096, 4096, 4, ... 03667 380 NtOpenKey ... 736, ) == 0x0 03668 1248 NtAllocateVirtualMemory ... 3637248, 4096, ) == 0x0 03669 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03670 1248 NtTestAlert (... 03669 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03670 1248 NtTestAlert ... ) == 0x0 03671 380 NtOpenKey (0x1, {24, 736, 0x40, 0, 0, (0x1, {24, 736, 0x40, 0, 0, "FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289"}, ... }, ... 03672 1248 NtContinue (121896240, 1, ... 03671 380 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03666 1744 NtAllocateVirtualMemory ... 122937344, 8192, ) == 0x0 03673 1248 NtRegisterThreadTerminatePort (24, ... 03674 1744 NtProtectVirtualMemory (-1, (0x753e000), 4096, 260, ... 03673 1248 NtRegisterThreadTerminatePort ... ) == 0x0 03674 1744 NtProtectVirtualMemory ... (0x753e000), 4096, 4, ) == 0x0 03675 1248 NtWaitForSingleObject (244, 0, 0x0, ... 03676 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 748, {1736, 1036}, ) == 0x0 03677 1744 NtQueryInformationThread (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=1736,Tid=1036,}, 0x0, ) == 0x0 03678 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75660, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75660, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\310\6\0\0\14\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75661, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\310\6\0\0\14\4\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75661, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75660, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\310\6\0\0\14\4\0\0" ... {28, 56, reply, 0, 1736, 1744, 75661, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\310\6\0\0\14\4\0\0" ) ) == 0x0 03679 1744 NtResumeThread (748, ... 1, ) == 0x0 03680 380 NtClose (736, ... 03681 1036 NtTestAlert (... 03680 380 NtClose ... ) == 0x0 03681 1036 NtTestAlert ... ) == 0x0 03682 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03683 1036 NtContinue (122944816, 1, ... 03682 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03684 1036 NtRegisterThreadTerminatePort (24, ... 03685 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03684 1036 NtRegisterThreadTerminatePort ... ) == 0x0 03685 380 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03686 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03687 1036 NtWaitForSingleObject (244, 0, 0x0, ... 03686 1744 NtAllocateVirtualMemory ... 122945536, 1048576, ) == 0x0 03688 1744 NtAllocateVirtualMemory (-1, 123985920, 0, 8192, 4096, 4, ... 123985920, 8192, ) == 0x0 03689 1744 NtProtectVirtualMemory (-1, (0x763e000), 4096, 260, ... (0x763e000), 4096, 4, ) == 0x0 03690 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 736, {1736, 484}, ) == 0x0 03691 1744 NtQueryInformationThread (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=1736,Tid=484,}, 0x0, ) == 0x0 03692 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75661, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75661, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\310\6\0\0\344\1\0\0" ... ... 03693 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 752, ) }, ... 752, ) == 0x0 03694 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03695 380 NtOpenKey (0x1, {24, 752, 0x40, 0, 0, (0x1, {24, 752, 0x40, 0, 0, "FEATURE_USE_CNAME_FOR_SPN_KB911149"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03692 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75662, 0} ... {28, 56, reply, 0, 1736, 1744, 75662, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\310\6\0\0\344\1\0\0" ) ) == 0x0 03696 1744 NtResumeThread (736, ... 1, ) == 0x0 03697 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 123994112, 1048576, ) == 0x0 03698 1744 NtAllocateVirtualMemory (-1, 125034496, 0, 8192, 4096, 4, ... 125034496, 8192, ) == 0x0 03699 1744 NtProtectVirtualMemory (-1, (0x773e000), 4096, 260, ... (0x773e000), 4096, 4, ) == 0x0 03700 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
756, {1736, 1756}, ) == 0x0 03701 1744 NtQueryInformationThread (756, Basic, 28, ... 03702 380 NtClose (752, ... 03703 484 NtTestAlert (... 03702 380 NtClose ... ) == 0x0 03703 484 NtTestAlert ... ) == 0x0 03704 380 NtQueryValueKey (136, (136, "HttpDefaultExpiryTimeSecs", Partial, 144, ... , Partial, 144, ... 03705 484 NtContinue (123993392, 1, ... 03704 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03706 484 NtRegisterThreadTerminatePort (24, ... 03707 380 NtQueryValueKey (136, (136, "FtpDefaultExpiryTimeSecs", Partial, 144, ... , Partial, 144, ... 03706 484 NtRegisterThreadTerminatePort ... ) == 0x0 03707 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03701 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=1736,Tid=1756,}, 0x0, ) == 0x0 03708 484 NtWaitForSingleObject (244, 0, 0x0, ... 03709 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75662, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75662, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\310\6\0\0\334\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75663, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\310\6\0\0\334\6\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75663, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75662, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\310\6\0\0\334\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75663, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\310\6\0\0\334\6\0\0" ) ) == 0x0 03710 1744 NtResumeThread (756, ... 1, ) == 0x0 03711 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 125042688, 1048576, ) == 0x0 03712 1744 NtAllocateVirtualMemory (-1, 126083072, 0, 8192, 4096, 4, ... 126083072, 8192, ) == 0x0 03713 1744 NtProtectVirtualMemory (-1, (0x783e000), 4096, 260, ... (0x783e000), 4096, 4, ) == 0x0 03714 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03715 1756 NtTestAlert (... 03714 380 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03715 1756 NtTestAlert ... ) == 0x0 03716 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03717 1756 NtContinue (125041968, 1, ... 03716 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03718 1756 NtRegisterThreadTerminatePort (24, ... 03719 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03718 1756 NtRegisterThreadTerminatePort ... ) == 0x0 03719 380 NtOpenKey ... 752, ) == 0x0 03720 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03721 1756 NtWaitForSingleObject (244, 0, 0x0, ... 03720 1744 NtCreateThread ... 760, {1736, 460}, ) == 0x0 03722 1744 NtQueryInformationThread (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=1736,Tid=460,}, 0x0, ) == 0x0 03723 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75663, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75663, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\310\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75664, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\310\6\0\0\314\1\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75664, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75663, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\310\6\0\0\314\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75664, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\310\6\0\0\314\1\0\0" ) ) == 0x0 03724 1744 NtResumeThread (760, ... 1, ) == 0x0 03725 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 126091264, 1048576, ) == 0x0 03726 1744 NtAllocateVirtualMemory (-1, 127131648, 0, 8192, 4096, 4, ... 03727 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03728 460 NtTestAlert (... 03727 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03728 460 NtTestAlert ... 
) == 0x0 03729 380 NtOpenKey (0x1, {24, 752, 0x40, 0, 0, (0x1, {24, 752, 0x40, 0, 0, "FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274"}, ... }, ... 03730 460 NtContinue (126090544, 1, ... 03729 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03731 460 NtRegisterThreadTerminatePort (24, ... 03732 380 NtClose (752, ... 03731 460 NtRegisterThreadTerminatePort ... ) == 0x0 03732 380 NtClose ... ) == 0x0 03726 1744 NtAllocateVirtualMemory ... 127131648, 8192, ) == 0x0 03733 460 NtWaitForSingleObject (244, 0, 0x0, ... 03734 1744 NtProtectVirtualMemory (-1, (0x793e000), 4096, 260, ... (0x793e000), 4096, 4, ) == 0x0 03735 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {1736, 1856}, ) == 0x0 03736 1744 NtQueryInformationThread (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=1736,Tid=1856,}, 0x0, ) == 0x0 03737 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75664, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75664, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\310\6\0\0@\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75665, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\310\6\0\0@\7\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75665, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75664, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\310\6\0\0@\7\0\0" ... {28, 56, reply, 0, 1736, 1744, 75665, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\310\6\0\0@\7\0\0" ) ) == 0x0 03738 1744 NtResumeThread (752, ... 1, ) == 0x0 03739 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03740 1856 NtTestAlert (... 03739 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03740 1856 NtTestAlert ... ) == 0x0 03741 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03742 1856 NtContinue (127139120, 1, ... 03741 380 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03743 1856 NtRegisterThreadTerminatePort (24, ... 03744 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03743 1856 NtRegisterThreadTerminatePort ... ) == 0x0 03744 380 NtOpenKey ... 764, ) == 0x0 03745 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03746 1856 NtWaitForSingleObject (244, 0, 0x0, ... 03745 1744 NtAllocateVirtualMemory ... 127139840, 1048576, ) == 0x0 03747 1744 NtAllocateVirtualMemory (-1, 128180224, 0, 8192, 4096, 4, ... 128180224, 8192, ) == 0x0 03748 1744 NtProtectVirtualMemory (-1, (0x7a3e000), 4096, 260, ... (0x7a3e000), 4096, 4, ) == 0x0 03749 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 768, {1736, 2052}, ) == 0x0 03750 1744 NtQueryInformationThread (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=1736,Tid=2052,}, 0x0, ) == 0x0 03751 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75665, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75665, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\310\6\0\0\4\10\0\0" ... ... 03752 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03753 380 NtOpenKey (0x1, {24, 764, 0x40, 0, 0, (0x1, {24, 764, 0x40, 0, 0, "FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"}, ... 772, ) }, ... 772, ) == 0x0 03754 380 NtQueryValueKey (772, (772, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03751 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75666, 0} ... {28, 56, reply, 0, 1736, 1744, 75666, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\310\6\0\0\4\10\0\0" ) ) == 0x0 03755 1744 NtResumeThread (768, ... 1, ) == 0x0 03756 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
128188416, 1048576, ) == 0x0 03757 1744 NtAllocateVirtualMemory (-1, 129228800, 0, 8192, 4096, 4, ... 129228800, 8192, ) == 0x0 03758 1744 NtProtectVirtualMemory (-1, (0x7b3e000), 4096, 260, ... (0x7b3e000), 4096, 4, ) == 0x0 03759 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 776, {1736, 2060}, ) == 0x0 03760 1744 NtQueryInformationThread (776, Basic, 28, ... 03761 380 NtQueryValueKey (772, (772, "*", Partial, 144, ... , Partial, 144, ... 03762 2052 NtTestAlert (... 03761 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03762 2052 NtTestAlert ... ) == 0x0 03763 380 NtClose (772, ... 03764 2052 NtContinue (128187696, 1, ... 03763 380 NtClose ... ) == 0x0 03765 2052 NtRegisterThreadTerminatePort (24, ... 03766 380 NtClose (764, ... 03765 2052 NtRegisterThreadTerminatePort ... ) == 0x0 03766 380 NtClose ... ) == 0x0 03760 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=1736,Tid=2060,}, 0x0, ) == 0x0 03767 2052 NtWaitForSingleObject (244, 0, 0x0, ... 03768 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75666, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75666, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\310\6\0\0\14\10\0\0" ... {28, 56, reply, 0, 1736, 1744, 75667, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\310\6\0\0\14\10\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75667, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75666, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\310\6\0\0\14\10\0\0" ... {28, 56, reply, 0, 1736, 1744, 75667, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\310\6\0\0\14\10\0\0" ) ) == 0x0 03769 1744 NtResumeThread (776, ... 1, ) == 0x0 03770 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 129236992, 1048576, ) == 0x0 03771 1744 NtAllocateVirtualMemory (-1, 130277376, 0, 8192, 4096, 4, ... 130277376, 8192, ) == 0x0 03772 1744 NtProtectVirtualMemory (-1, (0x7c3e000), 4096, 260, ... 
(0x7c3e000), 4096, 4, ) == 0x0 03773 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03774 2060 NtTestAlert (... 03773 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03774 2060 NtTestAlert ... ) == 0x0 03775 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03776 2060 NtContinue (129236272, 1, ... 03775 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03777 2060 NtRegisterThreadTerminatePort (24, ... 03778 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03777 2060 NtRegisterThreadTerminatePort ... ) == 0x0 03778 380 NtOpenKey ... 764, ) == 0x0 03779 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03780 2060 NtWaitForSingleObject (244, 0, 0x0, ... 03779 1744 NtCreateThread ... 772, {1736, 2068}, ) == 0x0 03781 1744 NtQueryInformationThread (772, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff43000,Pid=1736,Tid=2068,}, 0x0, ) == 0x0 03782 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75667, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75667, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\310\6\0\0\24\10\0\0" ... {28, 56, reply, 0, 1736, 1744, 75668, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\310\6\0\0\24\10\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75668, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75667, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\310\6\0\0\24\10\0\0" ... {28, 56, reply, 0, 1736, 1744, 75668, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\310\6\0\0\24\10\0\0" ) ) == 0x0 03783 1744 NtResumeThread (772, ... 1, ) == 0x0 03784 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 130285568, 1048576, ) == 0x0 03785 1744 NtAllocateVirtualMemory (-1, 131325952, 0, 8192, 4096, 4, ... 
03786 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... }, ... 03787 2068 NtTestAlert (... 03786 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03787 2068 NtTestAlert ... ) == 0x0 03788 380 NtOpenKey (0x1, {24, 764, 0x40, 0, 0, (0x1, {24, 764, 0x40, 0, 0, "FEATURE_DIGEST_NO_EXTRAS_IN_URI"}, ... }, ... 03789 2068 NtContinue (130284848, 1, ... 03788 380 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03790 2068 NtRegisterThreadTerminatePort (24, ... 03791 380 NtClose (764, ... 03790 2068 NtRegisterThreadTerminatePort ... ) == 0x0 03791 380 NtClose ... ) == 0x0 03785 1744 NtAllocateVirtualMemory ... 131325952, 8192, ) == 0x0 03792 2068 NtWaitForSingleObject (244, 0, 0x0, ... 03793 1744 NtProtectVirtualMemory (-1, (0x7d3e000), 4096, 260, ... (0x7d3e000), 4096, 4, ) == 0x0 03794 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 764, {1736, 2076}, ) == 0x0 03795 1744 NtQueryInformationThread (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff42000,Pid=1736,Tid=2076,}, 0x0, ) == 0x0 03796 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75668, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75668, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\310\6\0\0\34\10\0\0" ... {28, 56, reply, 0, 1736, 1744, 75669, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\310\6\0\0\34\10\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75669, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75668, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\310\6\0\0\34\10\0\0" ... {28, 56, reply, 0, 1736, 1744, 75669, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\310\6\0\0\34\10\0\0" ) ) == 0x0 03797 1744 NtResumeThread (764, ... 1, ) == 0x0 03798 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03799 2076 NtTestAlert (... 03798 380 NtOpenKey ... 780, ) == 0x0 03799 2076 NtTestAlert ... 
) == 0x0 03800 380 NtQueryValueKey (780, (780, "DisableCachingOfSSLPages", Partial, 144, ... , Partial, 144, ... 03801 2076 NtContinue (131333424, 1, ... 03800 380 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03802 2076 NtRegisterThreadTerminatePort (24, ... 03803 380 NtClose (780, ... 03802 2076 NtRegisterThreadTerminatePort ... ) == 0x0 03803 380 NtClose ... ) == 0x0 03804 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03805 2076 NtWaitForSingleObject (244, 0, 0x0, ... 03804 1744 NtAllocateVirtualMemory ... 131334144, 1048576, ) == 0x0 03806 1744 NtAllocateVirtualMemory (-1, 132374528, 0, 8192, 4096, 4, ... 132374528, 8192, ) == 0x0 03807 1744 NtProtectVirtualMemory (-1, (0x7e3e000), 4096, 260, ... (0x7e3e000), 4096, 4, ) == 0x0 03808 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 780, {1736, 2084}, ) == 0x0 03809 1744 NtQueryInformationThread (780, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff41000,Pid=1736,Tid=2084,}, 0x0, ) == 0x0 03810 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75669, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75669, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\310\6\0\0$\10\0\0" ... ... 03811 380 NtQueryValueKey (136, (136, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03812 380 NtQueryValueKey (136, (136, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03813 380 NtQueryValueKey (136, (136, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03810 1744 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1736, 1744, 75670, 0} ... {28, 56, reply, 0, 1736, 1744, 75670, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\310\6\0\0$\10\0\0" ) ) == 0x0 03814 1744 NtResumeThread (780, ... 1, ) == 0x0 03815 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
132382720, 1048576, ) == 0x0 03816 1744 NtAllocateVirtualMemory (-1, 133423104, 0, 8192, 4096, 4, ... 133423104, 8192, ) == 0x0 03817 1744 NtProtectVirtualMemory (-1, (0x7f3e000), 4096, 260, ... (0x7f3e000), 4096, 4, ) == 0x0 03818 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 784, {1736, 2088}, ) == 0x0 03819 1744 NtQueryInformationThread (784, Basic, 28, ... 03820 380 NtOpenKey (0x1, {24, 140, 0x40, 0, 0, (0x1, {24, 140, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03821 2084 NtTestAlert (... 03820 380 NtOpenKey ... 788, ) == 0x0 03821 2084 NtTestAlert ... ) == 0x0 03822 380 NtQueryValueKey (788, (788, "DialupUseLanSettings", Partial, 144, ... , Partial, 144, ... 03823 2084 NtContinue (132382000, 1, ... 03822 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03824 2084 NtRegisterThreadTerminatePort (24, ... 03825 380 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03824 2084 NtRegisterThreadTerminatePort ... ) == 0x0 03825 380 NtOpenKey ... 792, ) == 0x0 03819 1744 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff40000,Pid=1736,Tid=2088,}, 0x0, ) == 0x0 03826 2084 NtWaitForSingleObject (244, 0, 0x0, ... 03827 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75670, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75670, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\310\6\0\0(\10\0\0" ... {28, 56, reply, 0, 1736, 1744, 75671, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\310\6\0\0(\10\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75671, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75670, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\310\6\0\0(\10\0\0" ... {28, 56, reply, 0, 1736, 1744, 75671, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\310\6\0\0(\10\0\0" ) ) == 0x0 03828 1744 NtResumeThread (784, ... 1, ) == 0x0 03829 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
133431296, 1048576, ) == 0x0 03830 1744 NtAllocateVirtualMemory (-1, 134471680, 0, 8192, 4096, 4, ... 134471680, 8192, ) == 0x0 03831 1744 NtProtectVirtualMemory (-1, (0x803e000), 4096, 260, ... (0x803e000), 4096, 4, ) == 0x0 03832 380 NtQueryValueKey (792, (792, "DialupUseLanSettings", Partial, 144, ... , Partial, 144, ... 03833 2088 NtTestAlert (... 03832 380 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03833 2088 NtTestAlert ... ) == 0x0 03834 380 NtClose (788, ... 03835 2088 NtContinue (133430576, 1, ... 03834 380 NtClose ... ) == 0x0 03836 2088 NtRegisterThreadTerminatePort (24, ... 03837 380 NtClose (792, ... 03836 2088 NtRegisterThreadTerminatePort ... ) == 0x0 03837 380 NtClose ... ) == 0x0 03838 1744 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03839 2088 NtWaitForSingleObject (244, 0, 0x0, ... 03838 1744 NtCreateThread ... 792, {1736, 2096}, ) == 0x0 03840 1744 NtQueryInformationThread (792, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3f000,Pid=1736,Tid=2096,}, 0x0, ) == 0x0 03841 1744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1736, 1744, 75671, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75671, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\310\6\0\00\10\0\0" ... {28, 56, reply, 0, 1736, 1744, 75672, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\310\6\0\00\10\0\0" ) ... {28, 56, reply, 0, 1736, 1744, 75672, 0} (24, {28, 56, new_msg, 0, 1736, 1744, 75671, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\310\6\0\00\10\0\0" ... {28, 56, reply, 0, 1736, 1744, 75672, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\310\6\0\00\10\0\0" ) ) == 0x0 03842 1744 NtResumeThread (792, ... 1, ) == 0x0 03843 1744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 134479872, 1048576, ) == 0x0 03844 1744 NtAllocateVirtualMemory (-1, 135520256, 0, 8192, 4096, 4, ... 03845 380 NtQueryValueKey (136, (136, "SendExtraCRLF", Partial, 144, ... , Partial, 144, ...