Summary:





NtGdiCreateBitmap(>)  1 
NtOpenProcessToken(>)  2 
NtQueryInformationProcess(>)  9 
NtCreateSection(>)  75 


NtGdiInit(>)  1 
NtQueryDefaultUILanguage(>)  2 
NtQueryVirtualMemory(>)  9 
NtContinue(>)  99 


NtGdiQueryFontAssocInfo(>)  1 
NtSetInformationObject(>)  2 
NtSetInformationThread(>)  9 
NtQuerySystemInformation(>)  125 


NtGdiSelectBitmap(>)  1 
NtUserGetProcessWindowStation(>)  2 
NtUnmapViewOfSection(>)  9 
NtOpenKey(>)  134 


NtOpenKeyedEvent(>)  1 
NtCreateIoCompletion(>)  3 
NtUserFindExistingCursorIcon(>)  9 
NtResumeThread(>)  139 


NtOpenSymbolicLinkObject(>)  1 
NtFreeVirtualMemory(>)  3 
NtOpenThreadToken(>)  10 
NtQueryInformationThread(>)  140 


NtQueryInstallUILanguage(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtSetInformationFile(>)  10 
NtCreateThread(>)  158 


NtQueryObject(>)  1 
NtOpenProcessTokenEx(>)  3 
NtQuerySection(>)  13 
NtRequestWaitReplyPort(>)  174 


NtQueryPerformanceCounter(>)  1 
NtOpenThreadTokenEx(>)  3 
NtQueryDirectoryFile(>)  14 
NtTestAlert(>)  185 


NtQuerySymbolicLinkObject(>)  1 
NtQueryDefaultLocale(>)  3 
NtUserRegisterClassExWOW(>)  14 
NtRegisterThreadTerminatePort(>)  189 


NtQuerySystemTime(>)  1 
NtReadFile(>)  3 
NtCreateFile(>)  15 
NtDuplicateObject(>)  195 


NtRaiseException(>)  1 
NtSecureConnectPort(>)  3 
NtSetValueKey(>)  16 
NtQueryValueKey(>)  252 


NtSetInformationProcess(>)  1 
NtWriteFile(>)  4 
NtCreateKey(>)  18 
NtProtectVirtualMemory(>)  258 


NtUserCallNoParam(>)  1 
NtGdiGetStockObject(>)  5 
NtOpenSection(>)  23 
NtClose(>)  318 


NtUserGetObjectInformation(>)  1 
NtConnectPort(>)  6 
NtOpenFile(>)  25 
NtAllocateVirtualMemory(>)  368 


NtUserGetThreadDesktop(>)  1 
NtCreateMutant(>)  6 
NtDeviceIoControlFile(>)  36 
NtSetEventBoostPriority(>)  686 


NtCallbackReturn(>)  2 
NtQueryInformationToken(>)  6 
NtMapViewOfSection(>)  37 
NtWaitForSingleObject(>)  958 


NtGdiCreateSolidBrush(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtQueryAttributesFile(>)  41 


NtNotifyChangeKey(>)  2 
NtFsControlFile(>)  8 
NtFlushInstructionCache(>)  51 


NtOpenDirectoryObject(>)  2 



Trace:

 00001   896   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147482748, {status=0x0, info=1}, ) }, 0, 32, ... -2147482748, {status=0x0, info=1}, ) == 0x0
 00002   896   NtQueryInformationFile  (-2147482748, -142414796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00003   896   NtReadFile  (-2147482748, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474},  (-2147482748, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0
 00004   896   NtClose  (-2147482748, ... ) == 0x0
 00005   896   NtCreateFile  (0x100080, {24, 0, 0x240, 0, 0,  (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482748, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482748, {status=0x0, info=0}, ) == 0x0
 00006   896   NtQueryVolumeInformationFile  (-2147482748, -142414840, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00007   896   NtClose  (-2147482748, ... ) == 0x0
 00008   896   NtCreateFile  (0x100180, {24, 0, 0x240, 0, 0,  (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ...
 00009   896   NtContinue  (-142419640, 0, ...
 00008   896   NtCreateFile  ... -2147482748, {status=0x0, info=1}, ) == 0x0
 00010   896   NtQueryVolumeInformationFile  (-2147482748, -142414852, 24, Volume, ... {status=0x0, info=18}, ) == 0x0
 00011   896   NtFsControlFile  (-2147482748, 0, 0x0, 0x0, 0x90120,  (-2147482748, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00012   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00013   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0
 00014   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00015   896   NtClose  (-2147481484, ... ) == 0x0
 00016   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00017   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0
 00018   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00019   896   NtClose  (-2147481484, ... ) == 0x0
 00020   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00021   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0
 00022   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0
 00023   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0
 00024   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0
 00025   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0
 00026   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00027   896   NtClose  (-2147481484, ... ) == 0x0
 00028   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00029   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0
 00030   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00031   896   NtClose  (-2147481484, ... ) == 0x0
 00032   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00033   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0
 00034   896   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00035   896   NtClose  (-2147481484, ... ) == 0x0
 00036   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147482104, ) == 0x0
 00037   896   NtClose  (-2147482104, ... ) == 0x0
 00038   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482104, ... -2147482660, ) == 0x0
 00039   896   NtClose  (-2147482660, ... ) == 0x0
 00040   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0
 00041   896   NtClose  (-2147482656, ... ) == 0x0
 00042   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0
 00043   896   NtClose  (-2147482652, ... ) == 0x0
 00044   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0
 00045   896   NtClose  (-2147482724, ... ) == 0x0
 00046   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0
 00047   896   NtClose  (-2147481452, ... ) == 0x0
 00048   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0
 00049   896   NtClose  (-2147482684, ... ) == 0x0
 00050   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0
 00051   896   NtClose  (-2147482680, ... ) == 0x0
 00052   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147481628, ) == 0x0
 00053   896   NtClose  (-2147481628, ... ) == 0x0
 00054   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147482760, ) == 0x0
 00055   896   NtClose  (-2147482760, ... ) == 0x0
 00056   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147482764, ) == 0x0
 00057   896   NtClose  (-2147482764, ... ) == 0x0
 00058   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0
 00059   896   NtClose  (-2147482688, ... ) == 0x0
 00060   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482136, ) == 0x0
 00061   896   NtClose  (-2147482136, ... ) == 0x0
 00062   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482136, ... -2147481480, ) == 0x0
 00063   896   NtClose  (-2147481480, ... ) == 0x0
 00064   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481480, ... -2147482676, ) == 0x0
 00065   896   NtClose  (-2147482676, ... ) == 0x0
 00066   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0
 00067   896   NtClose  (-2147482672, ... ) == 0x0
 00068   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0
 00069   896   NtClose  (-2147482668, ... ) == 0x0
 00070   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0
 00071   896   NtClose  (-2147482664, ... ) == 0x0
 00072   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0
 00073   896   NtClose  (-2147481588, ... ) == 0x0
 00074   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0
 00075   896   NtClose  (-2147481584, ... ) == 0x0
 00076   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0
 00077   896   NtClose  (-2147482692, ... ) == 0x0
 00078   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0
 00079   896   NtClose  (-2147481512, ... ) == 0x0
 00080   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0
 00081   896   NtClose  (-2147481580, ... ) == 0x0
 00082   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0
 00083   896   NtClose  (-2147481552, ... ) == 0x0
 00084   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0
 00085   896   NtClose  (-2147481592, ... ) == 0x0
 00086   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0
 00087   896   NtClose  (-2147481596, ... ) == 0x0
 00088   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0
 00089   896   NtClose  (-2147482108, ... ) == 0x0
 00090   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0
 00091   896   NtClose  (-2147482732, ... ) == 0x0
 00092   896   NtClose  (-2147481484, ... ) == 0x0
 00093   896   NtClose  (-2147482104, ... ) == 0x0
 00094   896   NtClose  (-2147482660, ... ) == 0x0
 00095   896   NtClose  (-2147482656, ... ) == 0x0
 00096   896   NtClose  (-2147482652, ... ) == 0x0
 00097   896   NtClose  (-2147482724, ... ) == 0x0
 00098   896   NtClose  (-2147481452, ... ) == 0x0
 00099   896   NtClose  (-2147482684, ... ) == 0x0
 00100   896   NtClose  (-2147482680, ... ) == 0x0
 00101   896   NtClose  (-2147481628, ... ) == 0x0
 00102   896   NtClose  (-2147482760, ... ) == 0x0
 00103   896   NtClose  (-2147482764, ... ) == 0x0
 00104   896   NtClose  (-2147482688, ... ) == 0x0
 00105   896   NtClose  (-2147482136, ... ) == 0x0
 00106   896   NtClose  (-2147481480, ... ) == 0x0
 00107   896   NtClose  (-2147482676, ... ) == 0x0
 00108   896   NtClose  (-2147482672, ... ) == 0x0
 00109   896   NtClose  (-2147482668, ... ) == 0x0
 00110   896   NtClose  (-2147482664, ... ) == 0x0
 00111   896   NtClose  (-2147481588, ... ) == 0x0
 00112   896   NtClose  (-2147481584, ... ) == 0x0
 00113   896   NtClose  (-2147482692, ... ) == 0x0
 00114   896   NtClose  (-2147481512, ... ) == 0x0
 00115   896   NtClose  (-2147481580, ... ) == 0x0
 00116   896   NtClose  (-2147481552, ... ) == 0x0
 00117   896   NtClose  (-2147481592, ... ) == 0x0
 00118   896   NtClose  (-2147481596, ... ) == 0x0
 00119   896   NtClose  (-2147482108, ... ) == 0x0
 00120   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0
 00121   896   NtClose  (-2147481596, ... ) == 0x0
 00122   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0
 00123   896   NtClose  (-2147481592, ... ) == 0x0
 00124   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0
 00125   896   NtClose  (-2147481552, ... ) == 0x0
 00126   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0
 00127   896   NtClose  (-2147481580, ... ) == 0x0
 00128   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0
 00129   896   NtClose  (-2147481512, ... ) == 0x0
 00130   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0
 00131   896   NtClose  (-2147482692, ... ) == 0x0
 00132   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... -2147481584, ) == 0x0
 00133   896   NtClose  (-2147481584, ... ) == 0x0
 00134   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0
 00135   896   NtClose  (-2147481588, ... ) == 0x0
 00136   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0
 00137   896   NtClose  (-2147482664, ... ) == 0x0
 00138   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0
 00139   896   NtClose  (-2147482668, ... ) == 0x0
 00140   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0
 00141   896   NtClose  (-2147482672, ... ) == 0x0
 00142   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0
 00143   896   NtClose  (-2147482676, ... ) == 0x0
 00144   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147481480, ) == 0x0
 00145   896   NtClose  (-2147481480, ... ) == 0x0
 00146   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481480, ... -2147482136, ) == 0x0
 00147   896   NtClose  (-2147482136, ... ) == 0x0
 00148   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482136, ... -2147482688, ) == 0x0
 00149   896   NtClose  (-2147482688, ... ) == 0x0
 00150   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482688, ... -2147482764, ) == 0x0
 00151   896   NtClose  (-2147482764, ... ) == 0x0
 00152   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482764, ... -2147482760, ) == 0x0
 00153   896   NtClose  (-2147482760, ... ) == 0x0
 00154   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... -2147481628, ) == 0x0
 00155   896   NtClose  (-2147481628, ... ) == 0x0
 00156   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482680, ) == 0x0
 00157   896   NtClose  (-2147482680, ... ) == 0x0
 00158   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0
 00159   896   NtClose  (-2147482684, ... ) == 0x0
 00160   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0
 00161   896   NtClose  (-2147481452, ... ) == 0x0
 00162   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0
 00163   896   NtClose  (-2147482724, ... ) == 0x0
 00164   896   NtClose  (-2147482108, ... ) == 0x0
 00165   896   NtClose  (-2147481596, ... ) == 0x0
 00166   896   NtClose  (-2147481592, ... ) == 0x0
 00167   896   NtClose  (-2147481552, ... ) == 0x0
 00168   896   NtClose  (-2147481580, ... ) == 0x0
 00169   896   NtClose  (-2147481512, ... ) == 0x0
 00170   896   NtClose  (-2147482692, ... ) == 0x0
 00171   896   NtClose  (-2147481584, ... ) == 0x0
 00172   896   NtClose  (-2147481588, ... ) == 0x0
 00173   896   NtClose  (-2147482664, ... ) == 0x0
 00174   896   NtClose  (-2147482668, ... ) == 0x0
 00175   896   NtClose  (-2147482672, ... ) == 0x0
 00176   896   NtClose  (-2147482676, ... ) == 0x0
 00177   896   NtClose  (-2147481480, ... ) == 0x0
 00178   896   NtClose  (-2147482136, ... ) == 0x0
 00179   896   NtClose  (-2147482688, ... ) == 0x0
 00180   896   NtClose  (-2147482764, ... ) == 0x0
 00181   896   NtClose  (-2147482760, ... ) == 0x0
 00182   896   NtClose  (-2147481628, ... ) == 0x0
 00183   896   NtClose  (-2147482680, ... ) == 0x0
 00184   896   NtClose  (-2147482684, ... ) == 0x0
 00185   896   NtClose  (-2147481452, ... ) == 0x0
 00186   896   NtClose  (-2147482748, ... ) == 0x0
 00187   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   896   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00189   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00191   896   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00192   896   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00193   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00195   896   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00196   896   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00197   896   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00198   896   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00199   896   NtClose  (12, ... ) == 0x0
 00200   896   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00201   896   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00202   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00204   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00205   896   NtClose  (16, ... ) == 0x0
 00206   896   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00207   896   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00208   896   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00209   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00210   896   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00211   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212   896   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00213   896   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0
 00214   896   NtClose  (16, ... ) == 0x0
 00215   896   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00216   896   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00217   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218   896   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00219   896   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00220   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81841, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81841, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81841, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ) == 0x0
 00221   896   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00222   896   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00223   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00224   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225   896   NtClose  (16, ... ) == 0x0
 00226   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00227   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00228   896   NtClose  (16, ... ) == 0x0
 00229   896   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00230   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00231   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00232   896   NtClose  (16, ... ) == 0x0
 00233   896   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00234   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00235   896   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00236   896   NtClose  (16, ... ) == 0x0
 00237   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00238   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00239   896   NtClose  (16, ... ) == 0x0
 00240   896   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00241   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   896   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00244   896   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81842, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ... {24, 52, reply, 0, 1252, 896, 81842, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81842, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ) == 0x0
 00245   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81843, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81843, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81843, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ) == 0x0
 00246   896   NtProtectVirtualMemory  (-1, (0x409000), 126992, 4, ... (0x409000), 131072, 128, ) == 0x0
 00247   896   NtProtectVirtualMemory  (-1, (0x409000), 131072, 128, ... (0x409000), 131072, 4, ) == 0x0
 00248   896   NtFlushInstructionCache  (-1, 4231168, 126992, ... ) == 0x0
 00249   896   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00250   896   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00251   896   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00252   896   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00253   896   NtClose  (16, ... ) == 0x0
 00254   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00255   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00256   896   NtClose  (16, ... ) == 0x0
 00257   896   NtTestAlert  (... ) == 0x0
 00258   896   NtContinue  (1244464, 1, ...
 00259   896   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x419010,}, 4, ... ) == 0x0
 00260   896   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00261   896   NtContinue  (1244400, 0, ...
 00262   896   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0
 00263   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00264   896   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00265   896   NtClose  (16, ... ) == 0x0
 00266   896   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00267   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00268   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00269   896   NtClose  (16, ... ) == 0x0
 00270   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00271   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00272   896   NtClose  (16, ... ) == 0x0
 00273   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00274   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00275   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00276   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00277   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00278   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00279   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00280   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00281   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00282   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00283   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00284   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00285   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00286   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00287   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00288   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00289   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00290   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00291   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00292   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00293   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00294   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81844, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81844, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81844, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ) == 0x0
 00295   896   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00296   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00297   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00298   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0
 00299   896   NtClose  (16, ... ) == 0x0
 00300   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x430000), 0x0, 110592, ) == 0x0
 00301   896   NtClose  (28, ... ) == 0x0
 00302   896   NtUnmapViewOfSection  (-1, 0x430000, ... ) == 0x0
 00303   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00304   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00305   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0
 00306   896   NtClose  (28, ... ) == 0x0
 00307   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x430000), 0x0, 110592, ) == 0x0
 00308   896   NtClose  (16, ... ) == 0x0
 00309   896   NtUnmapViewOfSection  (-1, 0x430000, ... ) == 0x0
 00310   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00311   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00312   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00313   896   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00314   896   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00315   896   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00316   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00317   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00318   896   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00319   896   NtClose  (36, ... ) == 0x0
 00320   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00321   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00322   896   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00323   896   NtClose  (36, ... ) == 0x0
 00324   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00325   896   NtClose  (32, ... ) == 0x0
 00326   896   NtClose  (16, ... ) == 0x0
 00327   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00328   896   NtClose  (28, ... ) == 0x0
 00329   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00330   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00331   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00332   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00333   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00334   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00335   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00336   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00337   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00338   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00339   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00340   896   NtClose  (28, ... ) == 0x0
 00341   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00342   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00343   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00344   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00345   896   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00346   896   NtClose  (28, ... ) == 0x0
 00347   896   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00348   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00349   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00350   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00351   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00352   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00353   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00354   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00355   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00356   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00357   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00358   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00359   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00360   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   896   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00362   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00364   896   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00365   896   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00366   896   NtClose  (28, ... ) == 0x0
 00367   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00368   896   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00369   896   NtClose  (28, ... ) == 0x0
 00370   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00371   896   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00372   896   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00373   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00374   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00375   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00376   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00377   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00378   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00379   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00380   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0
 00381   896   NtQueryValueKey  (16,  (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00382   896   NtClose  (16, ... ) == 0x0
 00383   896   NtMapViewOfSection  (-2147482748, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x430000), 0x0, 1060864, ) == 0x0
 00384   896   NtClose  (-2147482748, ... ) == 0x0
 00385   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0
 00386   896   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00387   896   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482748, ) == 0x0
 00388   896   NtQueryInformationToken  (-2147482748, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00389   896   NtQueryInformationToken  (-2147482748, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00390   896   NtClose  (-2147482748, ... ) == 0x0
 00391   896   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5505024, 4096, ) == 0x0
 00392   896   NtFreeVirtualMemory  (-1, (0x540000), 4096, 32768, ... (0x540000), 4096, ) == 0x0
 00393   896   NtDuplicateObject  (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00394   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 00395   896   NtQueryValueKey  (-2147482748,  (-2147482748, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00396   896   NtClose  (-2147482748, ... ) == 0x0
 00397   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 00398   896   NtQueryValueKey  (-2147482748,  (-2147482748, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00399   896   NtClose  (-2147482748, ... ) == 0x0
 00400   896   NtQueryDefaultLocale  (0, -135747252, ... ) == 0x0
 00401   896   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00402   896   NtUserCallNoParam  (24, ... ) == 0x0
 00403   896   NtGdiCreateCompatibleDC  (0, ...
 00404   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5505024, 4096, ) == 0x0
 00403   896   NtGdiCreateCompatibleDC  ... ) == 0x860107ab
 00405   896   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00406   896   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00407   896   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x870506a2
 00408   896   NtGdiCreateSolidBrush  (0, 0, ...
 00409   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0
 00408   896   NtGdiCreateSolidBrush  ... ) == 0x1100680
 00410   896   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00411   896   NtGdiCreateCompatibleDC  (0, ... ) == 0xf6010687
 00412   896   NtGdiSelectBitmap  (-167704953, -2029713758, ... ) == 0x185000f
 00413   896   NtUserGetThreadDesktop  (896, 0, ... ) == 0x24
 00414   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00415   896   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00416   896   NtClose  (44, ... ) == 0x0
 00417   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00418   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8177c017
 00419   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00420   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8177c01c
 00421   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00422   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8177c01e
 00423   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00424   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81778002
 00425   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00426   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8177c018
 00427   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00428   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8177c01a
 00429   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00430   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8177c01d
 00431   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00432   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8177c026
 00433   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00434   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8177c019
 00435   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c020
 00436   896   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c022
 00437   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c023
 00438   896   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c024
 00439   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c025
 00440   896   NtCallbackReturn  (0, 0, 0, ...
 00441   896   NtGdiInit  (... ) == 0x1
 00442   896   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00443   896   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00444   896   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 8781824, 28672, ) == 0x0
 00445   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00446   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00447   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00448   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00449   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0
 00450   896   NtQuerySection  (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00451   896   NtClose  (44, ... ) == 0x0
 00452   896   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00453   896   NtClose  (48, ... ) == 0x0
 00454   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0
 00455   896   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00456   896   NtClose  (48, ... ) == 0x0
 00457   896   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00458   896   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00459   896   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00460   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00461   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00462   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00463   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00464   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00465   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00466   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0
 00467   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0
 00468   896   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00469   896   NtClose  (48, ... ) == 0x0
 00470   896   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00471   896   NtClose  (44, ... ) == 0x0
 00472   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00473   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00474   896   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00475   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00476   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00477   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00478   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00479   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00480   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8847360, 65536, ) == 0x0
 00481   896   NtAllocateVirtualMemory  (-1, 8847360, 0, 4096, 4096, 4, ... 8847360, 4096, ) == 0x0
 00482   896   NtAllocateVirtualMemory  (-1, 8851456, 0, 8192, 4096, 4, ... 8851456, 8192, ) == 0x0
 00483   896   NtAllocateVirtualMemory  (-1, 8859648, 0, 4096, 4096, 4, ... 8859648, 4096, ) == 0x0
 00484   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00485   896   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x880000), 0x0, 12288, ) == 0x0
 00486   896   NtClose  (44, ... ) == 0x0
 00487   896   NtAllocateVirtualMemory  (-1, 8863744, 0, 4096, 4096, 4, ... 8863744, 4096, ) == 0x0
 00488   896   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00489   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00490   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00491   896   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00492   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00493   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00494   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00495   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00496   896   NtFreeVirtualMemory  (-1, (0x860000), 0, 32768, ... (0x860000), 28672, ) == 0x0
 00497   896   NtFreeVirtualMemory  (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0
 00498   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00499   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00500   896   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00501   896   NtAllocateVirtualMemory  (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0
 00502   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 8978432, 1048576, ) == 0x0
 00503   896   NtAllocateVirtualMemory  (-1, 8978432, 0, 32768, 4096, 4, ... 8978432, 32768, ) == 0x0
 00504   896   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0
 00505   896   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 48, ) }, 0, ... 48, ) == 0x0
 00506   896   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00507   896   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00508   896   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00509   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00510   896   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Protocol_Catalog9"}, ... 60, ) }, ... 60, ) == 0x0
 00511   896   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00512   896   NtNotifyChangeKey  (60, 56, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00513   896   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00514   896   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00515   896   NtQueryValueKey  (60,  (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00516   896   NtQueryValueKey  (60,  (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00517   896   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Catalog_Entries"}, ... 64, ) }, ... 64, ) == 0x0
 00518   896   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00519   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000001"}, ... 68, ) }, ... 68, ) == 0x0
 00520   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00521   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00522   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\13\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\13\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\14\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\16\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\13\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\13\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\14\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\16\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\16\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\13\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\13\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\14\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\16\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00523   896   NtClose  (68, ... ) == 0x0
 00524   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000002"}, ... 68, ) }, ... 68, ) == 0x0
 00525   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00526   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00527   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\20\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\20\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\21\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\20\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\20\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\21\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\20\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\20\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\21\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00528   896   NtClose  (68, ... ) == 0x0
 00529   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000003"}, ... 68, ) }, ... 68, ) == 0x0
 00530   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00531   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00532   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\25\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\25\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\26\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\25\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\25\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\26\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\25\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\25\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\26\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00533   896   NtClose  (68, ... ) == 0x0
 00534   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000004"}, ... 68, ) }, ... 68, ) == 0x0
 00535   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00536   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00537   896   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00538   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\33\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\33\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\34\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\33\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\33\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\34\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\33\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\33\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\34\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00539   896   NtClose  (68, ... ) == 0x0
 00540   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000005"}, ... 68, ) }, ... 68, ) == 0x0
 00541   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00542   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00543   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00544   896   NtClose  (68, ... ) == 0x0
 00545   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000006"}, ... 68, ) }, ... 68, ) == 0x0
 00546   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00547   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00548   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0%\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0%\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0&\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0%\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0%\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0&\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0%\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0%\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0&\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00549   896   NtClose  (68, ... ) == 0x0
 00550   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000007"}, ... 68, ) }, ... 68, ) == 0x0
 00551   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00552   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00553   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0*\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0*\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0+\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0*\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0*\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0+\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0*\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0*\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0+\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00554   896   NtClose  (68, ... ) == 0x0
 00555   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000008"}, ... 68, ) }, ... 68, ) == 0x0
 00556   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00557   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00558   896   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00559   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\00\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\00\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\01\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\00\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\00\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\01\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\00\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\00\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\01\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00560   896   NtClose  (68, ... ) == 0x0
 00561   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000009"}, ... 68, ) }, ... 68, ) == 0x0
 00562   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00563   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00564   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\05\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\05\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\06\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\05\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\05\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\06\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\05\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\05\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\06\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00565   896   NtClose  (68, ... ) == 0x0
 00566   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000010"}, ... 68, ) }, ... 68, ) == 0x0
 00567   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00568   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00569   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0:\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0:\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0;\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0:\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0:\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0;\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0:\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0:\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0;\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00570   896   NtClose  (68, ... ) == 0x0
 00571   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000011"}, ... 68, ) }, ... 68, ) == 0x0
 00572   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00573   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00574   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0?\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0?\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0@\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0?\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0?\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0@\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0?\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0?\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0@\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00575   896   NtClose  (68, ... ) == 0x0
 00576   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000012"}, ... 68, ) }, ... 68, ) == 0x0
 00577   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00578   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00579   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0D\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0D\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0E\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0D\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0D\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0E\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0D\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0D\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0E\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00580   896   NtClose  (68, ... ) == 0x0
 00581   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000013"}, ... 68, ) }, ... 68, ) == 0x0
 00582   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00583   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00584   896   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00585   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0J\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0J\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0K\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0J\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0J\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0K\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0J\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0J\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0K\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00586   896   NtClose  (68, ... ) == 0x0
 00587   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000014"}, ... 68, ) }, ... 68, ) == 0x0
 00588   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00589   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00590   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0O\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0O\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0P\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0O\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0O\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0P\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0O\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0O\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0P\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00591   896   NtClose  (68, ... ) == 0x0
 00592   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000015"}, ... 68, ) }, ... 68, ) == 0x0
 00593   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00594   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00595   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0T\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0T\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0U\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0T\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0T\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0U\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0T\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0T\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0U\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00596   896   NtClose  (68, ... ) == 0x0
 00597   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000016"}, ... 68, ) }, ... 68, ) == 0x0
 00598   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00599   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00600   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0Y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0Y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0Z\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0Y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0Y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0Z\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0Y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0Y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0Z\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00601   896   NtClose  (68, ... ) == 0x0
 00602   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000017"}, ... 68, ) }, ... 68, ) == 0x0
 00603   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00604   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00605   896   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00606   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0_\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0_\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0`\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0_\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0_\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0`\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0_\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0_\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0`\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00607   896   NtClose  (68, ... ) == 0x0
 00608   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000018"}, ... 68, ) }, ... 68, ) == 0x0
 00609   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00610   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00611   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0d\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0d\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0e\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0d\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0d\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0e\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0d\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0d\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0e\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00612   896   NtClose  (68, ... ) == 0x0
 00613   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000019"}, ... 68, ) }, ... 68, ) == 0x0
 00614   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00615   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00616   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0i\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0i\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0j\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0i\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0i\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0j\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0i\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0i\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0j\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00617   896   NtClose  (68, ... ) == 0x0
 00618   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000020"}, ... 68, ) }, ... 68, ) == 0x0
 00619   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00620   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00621   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0n\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0n\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0o\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0n\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0n\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0o\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0n\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0n\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0o\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00622   896   NtClose  (68, ... ) == 0x0
 00623   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000021"}, ... 68, ) }, ... 68, ) == 0x0
 00624   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00625   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00626   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0s\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0s\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0t\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0s\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0s\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0t\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0s\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0s\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0t\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00627   896   NtClose  (68, ... ) == 0x0
 00628   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000022"}, ... 68, ) }, ... 68, ) == 0x0
 00629   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00630   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00631   896   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00632   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0z\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\2\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\2\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0|\2\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0|\2\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0}\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0z\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\2\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\2\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0|\2\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0|\2\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0}\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0z\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\2\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\2\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0|\2\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0|\2\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0}\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00633   896   NtClose  (68, ... ) == 0x0
 00634   896   NtClose  (64, ... ) == 0x0
 00635   896   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00636   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00637   896   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 68, ) }, ... 68, ) == 0x0
 00638   896   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00639   896   NtNotifyChangeKey  (68, 64, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00640   896   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00641   896   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00642   896   NtQueryValueKey  (68,  (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00643   896   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0
 00644   896   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0
 00645   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00646   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00647   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00648   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00649   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00650   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00651   896   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00652   896   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00653   896   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00654   896   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00655   896   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00656   896   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00657   896   NtClose  (76, ... ) == 0x0
 00658   896   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0
 00659   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00660   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00661   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00662   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00663   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00664   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00665   896   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00666   896   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00667   896   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00668   896   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00669   896   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00670   896   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00671   896   NtClose  (76, ... ) == 0x0
 00672   896   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0
 00673   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00674   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00675   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00676   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00677   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00678   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00679   896   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00680   896   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00681   896   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00682   896   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00683   896   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00684   896   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00685   896   NtClose  (76, ... ) == 0x0
 00686   896   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0
 00687   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00688   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00689   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00690   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00691   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00692   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00693   896   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 00694   896   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00695   896   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00696   896   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00697   896   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00698   896   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00699   896   NtClose  (76, ... ) == 0x0
 00700   896   NtClose  (72, ... ) == 0x0
 00701   896   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 00702   896   NtClose  (52, ... ) == 0x0
 00703   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00704   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00705   896   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00706   896   NtQueryValueKey  (52,  (52, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00707   896   NtClose  (52, ... ) == 0x0
 00708   896   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00709   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 52, ) == 0x0
 00710   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241648,  (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0
 00711   896   NtQueryInformationFile  (72, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00712   896   NtQueryInformationFile  (72, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00713   896   NtQueryInformationFile  (72, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00714   896   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 00715   896   NtQueryInformationFile  (72, 1355896, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00716   896   NtQueryInformationFile  (72, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00717   896   NtQueryInformationFile  (72, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00718   896   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240416,  (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00719   896   NtClose  (-2147482748, ... ) == 0x0
 00718   896   NtCreateFile  ... 76, {status=0x0, info=2}, ) == 0x0
 00720   896   NtQueryVolumeInformationFile  (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00721   896   NtQueryInformationFile  (76, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00722   896   NtQueryVolumeInformationFile  (72, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00723   896   NtQueryVolumeInformationFile  (72, 1239912, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00724   896   NtSetInformationFile  (76, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00725   896   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0
 00726   896   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x990000), {0, 0}, 122880, ) == 0x0
 00727   896   NtClose  (80, ... ) == 0x0
 00728   896   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0\240\240\240\240\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0\20\220\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \0\0\0\0\0\0\20\220\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00729   896   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 57360, 0x0, 0, ... {status=0x0, info=57360}, ) , 57360, 0x0, 0, ... {status=0x0, info=57360}, ) == 0x0
 00730   896   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 00731   896   NtSetInformationFile  (76, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00732   896   NtClose  (72, ... ) == 0x0
 00733   896   NtClose  (76, ... ) == 0x0
 00734   896   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 76, ) }, ... 76, ) == 0x0
 00735   896   NtSetValueKey  (76,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 00736   896   NtSetInformationFile  (-2147482448, -135747792, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00737   896   NtSetInformationFile  (-2147482448, -135747884, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00738   896   NtSetInformationFile  (-2147482448, -135748192, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00739   896   NtSetInformationFile  (-2147482448, -135748288, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00735   896   NtSetValueKey  ... ) == 0x0
 00740   896   NtClose  (76, ... ) == 0x0
 00741   896   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0
 00742   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10027008, 1048576, ) == 0x0
 00743   896   NtAllocateVirtualMemory  (-1, 11067392, 0, 8192, 4096, 4, ... 11067392, 8192, ) == 0x0
 00744   896   NtProtectVirtualMemory  (-1, (0xa8e000), 4096, 260, ... (0xa8e000), 4096, 4, ) == 0x0
 00745   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 72, {1252, 2016}, ) == 0x0
 00746   896   NtQueryInformationThread  (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1252,Tid=2016,}, 0x0, ) == 0x0
 00747   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\344\4\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81845, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\344\4\0\0\340\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81845, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\344\4\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81845, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\344\4\0\0\340\7\0\0" )  ) == 0x0
 00748   896   NtResumeThread  (72, ... 1, ) == 0x0
 00749   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11075584, 1048576, ) == 0x0
 00750   896   NtAllocateVirtualMemory  (-1, 12115968, 0, 8192, 4096, 4, ... 12115968, 8192, ) == 0x0
 00751  2016   NtTestAlert  (... ) == 0x0
 00752  2016   NtContinue  (11074864, 1, ...
 00753  2016   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00754  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0
 00755  2016   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00756  2016   NtAllocateVirtualMemory  (-1, 11063296, 0, 4096, 4096, 260, ...
 00757   896   NtProtectVirtualMemory  (-1, (0xb8e000), 4096, 260, ... (0xb8e000), 4096, 4, ) == 0x0
 00758   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 84, {1252, 596}, ) == 0x0
 00759   896   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1252,Tid=596,}, 0x0, ) == 0x0
 00760   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81845, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81845, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\344\4\0\0T\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\344\4\0\0T\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81846, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81845, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\344\4\0\0T\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\344\4\0\0T\2\0\0" )  ) == 0x0
 00761   896   NtResumeThread  (84, ... 1, ) == 0x0
 00762   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00756  2016   NtAllocateVirtualMemory  ... 11063296, 4096, ) == 0x0
 00763   596   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00764  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11071988, ... }, 11071988, ...
 00763   596   NtCreateEvent  ... 88, ) == 0x0
 00764  2016   NtQueryAttributesFile  ... ) == 0x0
 00765   596   NtWaitForSingleObject  (88, 0, 0x0, ...
 00766  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00767  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 96, ) == 0x0
 00768  2016   NtClose  (92, ... ) == 0x0
 00769  2016   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb90000), 0x0, 245760, ) == 0x0
 00770  2016   NtClose  (96, ...
 00762   896   NtAllocateVirtualMemory  ... 12386304, 1048576, ) == 0x0
 00771   896   NtAllocateVirtualMemory  (-1, 13426688, 0, 8192, 4096, 4, ... 13426688, 8192, ) == 0x0
 00772   896   NtProtectVirtualMemory  (-1, (0xcce000), 4096, 260, ... (0xcce000), 4096, 4, ) == 0x0
 00773   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 92, {1252, 376}, ) == 0x0
 00774   896   NtQueryInformationThread  (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1252,Tid=376,}, 0x0, ) == 0x0
 00775   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81846, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\344\4\0\0x\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81847, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\344\4\0\0x\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81847, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\344\4\0\0x\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81847, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\344\4\0\0x\1\0\0" )  ) == 0x0
 00770  2016   NtClose  ... ) == 0x0
 00776  2016   NtUnmapViewOfSection  (-1, 0xb90000, ... ) == 0x0
 00777  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11072296, ... ) }, 11072296, ... ) == 0x0
 00778  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00779   896   NtResumeThread  (92, ... 1, ) == 0x0
 00780   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13434880, 1048576, ) == 0x0
 00781   896   NtAllocateVirtualMemory  (-1, 14475264, 0, 8192, 4096, 4, ... 14475264, 8192, ) == 0x0
 00782   896   NtProtectVirtualMemory  (-1, (0xdce000), 4096, 260, ... (0xdce000), 4096, 4, ) == 0x0
 00783   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 100, {1252, 420}, ) == 0x0
 00784   896   NtQueryInformationThread  (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1252,Tid=420,}, 0x0, ) == 0x0
 00785  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 96, ...
 00786   376   NtWaitForSingleObject  (88, 0, 0x0, ...
 00785  2016   NtCreateSection  ... 104, ) == 0x0
 00787  2016   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00788  2016   NtClose  (96, ... ) == 0x0
 00789  2016   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 00790  2016   NtClose  (104, ... ) == 0x0
 00791  2016   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00792   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81847, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81847, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\344\4\0\0\244\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81848, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\344\4\0\0\244\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81848, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81847, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\344\4\0\0\244\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81848, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\344\4\0\0\244\1\0\0" )  ) == 0x0
 00793   896   NtResumeThread  (100, ... 1, ) == 0x0
 00794   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14483456, 1048576, ) == 0x0
 00795   896   NtAllocateVirtualMemory  (-1, 15523840, 0, 8192, 4096, 4, ... 15523840, 8192, ) == 0x0
 00796   896   NtProtectVirtualMemory  (-1, (0xece000), 4096, 260, ... (0xece000), 4096, 4, ) == 0x0
 00797   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00798  2016   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ...
 00799   420   NtWaitForSingleObject  (88, 0, 0x0, ...
 00798  2016   NtProtectVirtualMemory  ... (0x71a51000), 4096, 4, ) == 0x0
 00800  2016   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00801  2016   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00802  2016   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00803  2016   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00797   896   NtCreateThread  ... 104, {1252, 384}, ) == 0x0
 00804   896   NtQueryInformationThread  (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1252,Tid=384,}, 0x0, ) == 0x0
 00805   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81848, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81848, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\4\0\0\200\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81849, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\4\0\0\200\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81849, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81848, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\4\0\0\200\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81849, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\4\0\0\200\1\0\0" )  ) == 0x0
 00806   896   NtResumeThread  (104, ... 1, ) == 0x0
 00807   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15532032, 1048576, ) == 0x0
 00808   896   NtAllocateVirtualMemory  (-1, 16572416, 0, 8192, 4096, 4, ... 16572416, 8192, ) == 0x0
 00809  2016   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 00810   384   NtWaitForSingleObject  (88, 0, 0x0, ...
 00809  2016   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 00811  2016   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00812  2016   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00813   896   NtProtectVirtualMemory  (-1, (0xfce000), 4096, 260, ... (0xfce000), 4096, 4, ) == 0x0
 00814   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 96, {1252, 1028}, ) == 0x0
 00815   896   NtQueryInformationThread  (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1252,Tid=1028,}, 0x0, ) == 0x0
 00816  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00817  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00818  2016   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00819  2016   NtSetEventBoostPriority  (88, ...
 00765   596   NtWaitForSingleObject  ... ) == 0x0
 00820   596   NtSetEventBoostPriority  (88, ...
 00786   376   NtWaitForSingleObject  ... ) == 0x0
 00821   376   NtSetEventBoostPriority  (88, ...
 00799   420   NtWaitForSingleObject  ... ) == 0x0
 00822   420   NtSetEventBoostPriority  (88, ...
 00810   384   NtWaitForSingleObject  ... ) == 0x0
 00823   384   NtTestAlert  (... ) == 0x0
 00822   420   NtSetEventBoostPriority  ... ) == 0x0
 00821   376   NtSetEventBoostPriority  ... ) == 0x0
 00820   596   NtSetEventBoostPriority  ... ) == 0x0
 00819  2016   NtSetEventBoostPriority  ... ) == 0x0
 00824   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81849, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81849, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\344\4\0\0\4\4\0\0" ...  ...
 00825   384   NtContinue  (15531312, 1, ...
 00826   420   NtTestAlert  (...
 00827   376   NtTestAlert  (...
 00828  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00824   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81850, 0}  ... {28, 56, reply, 0, 1252, 896, 81850, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\344\4\0\0\4\4\0\0" )  ) == 0x0
 00829   384   NtRegisterThreadTerminatePort  (24, ...
 00826   420   NtTestAlert  ... ) == 0x0
 00827   376   NtTestAlert  ... ) == 0x0
 00828  2016   NtCreateEvent  ... 108, ) == 0x0
 00830   896   NtResumeThread  (96, ...
 00829   384   NtRegisterThreadTerminatePort  ... ) == 0x0
 00831   420   NtContinue  (14482736, 1, ...
 00832   376   NtContinue  (13434160, 1, ...
 00833   596   NtTestAlert  (...
 00830   896   NtResumeThread  ... 1, ) == 0x0
 00834   384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00835   420   NtRegisterThreadTerminatePort  (24, ...
 00836   376   NtRegisterThreadTerminatePort  (24, ...
 00833   596   NtTestAlert  ... ) == 0x0
 00837   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00834   384   NtDuplicateObject  ... 112, ) == 0x0
 00835   420   NtRegisterThreadTerminatePort  ... ) == 0x0
 00836   376   NtRegisterThreadTerminatePort  ... ) == 0x0
 00838   596   NtContinue  (12123440, 1, ...
 00839  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 00840  1028   NtWaitForSingleObject  (88, 0, 0x0, ...
 00841   384   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00842   420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00843   376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00844   596   NtRegisterThreadTerminatePort  (24, ...
 00839  2016   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00837   896   NtAllocateVirtualMemory  ... 16580608, 1048576, ) == 0x0
 00841   384   NtWaitForSingleObject  ... ) == 0x102
 00842   420   NtDuplicateObject  ... 116, ) == 0x0
 00844   596   NtRegisterThreadTerminatePort  ... ) == 0x0
 00845  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11071908, ... }, 11071908, ...
 00846   896   NtAllocateVirtualMemory  (-1, 17620992, 0, 8192, 4096, 4, ...
 00847   384   NtAllocateVirtualMemory  (-1, 15519744, 0, 4096, 4096, 260, ...
 00848   420   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00849   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00846   896   NtAllocateVirtualMemory  ... 17620992, 8192, ) == 0x0
 00847   384   NtAllocateVirtualMemory  ... 15519744, 4096, ) == 0x0
 00848   420   NtWaitForSingleObject  ... ) == 0x102
 00843   376   NtDuplicateObject  ... 120, ) == 0x0
 00850   896   NtProtectVirtualMemory  (-1, (0x10ce000), 4096, 260, ...
 00851   384   NtWaitForSingleObject  (88, 0, 0x0, ...
 00852   420   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00853   376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00850   896   NtProtectVirtualMemory  ... (0x10ce000), 4096, 4, ) == 0x0
 00852   420   NtCreateEvent  ... 124, ) == 0x0
 00853   376   NtWaitForSingleObject  ... ) == 0x102
 00854   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00849   596   NtDuplicateObject  ... 128, ) == 0x0
 00855   376   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00856   420   NtWaitForSingleObject  (124, 0, 0x0, ...
 00857   596   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00855   376   NtCreateEvent  ... 132, ) == 0x0
 00857   596   NtWaitForSingleObject  ... ) == 0x102
 00854   896   NtCreateThread  ... 136, {1252, 2012}, ) == 0x0
 00858   596   NtWaitForSingleObject  (124, 0, 0x0, ...
 00859   896   NtQueryInformationThread  (136, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1252,Tid=2012,}, 0x0, ) == 0x0
 00860   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81850, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81850, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\4\0\0\334\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\4\0\0\334\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81851, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81850, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\4\0\0\334\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\4\0\0\334\7\0\0" )  ) == 0x0
 00861   896   NtResumeThread  (136, ... 1, ) == 0x0
 00862   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17629184, 1048576, ) == 0x0
 00863   896   NtAllocateVirtualMemory  (-1, 18669568, 0, 8192, 4096, 4, ... 18669568, 8192, ) == 0x0
 00864   376   NtClose  (132, ...
 00865  2012   NtWaitForSingleObject  (88, 0, 0x0, ...
 00845  2016   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   376   NtClose  ... ) == 0x0
 00866  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11071908, ... }, 11071908, ...
 00867   376   NtWaitForSingleObject  (124, 0, 0x0, ...
 00866  2016   NtQueryAttributesFile  ... ) == 0x0
 00868  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 00869  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 140, ) == 0x0
 00870  2016   NtQuerySection  (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00871  2016   NtClose  (132, ... ) == 0x0
 00872  2016   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 00873   896   NtProtectVirtualMemory  (-1, (0x11ce000), 4096, 260, ... (0x11ce000), 4096, 4, ) == 0x0
 00874   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 132, {1252, 1168}, ) == 0x0
 00875   896   NtQueryInformationThread  (132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1252,Tid=1168,}, 0x0, ) == 0x0
 00876   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81851, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\344\4\0\0\220\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81852, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\344\4\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81852, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\344\4\0\0\220\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81852, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\344\4\0\0\220\4\0\0" )  ) == 0x0
 00877   896   NtResumeThread  (132, ... 1, ) == 0x0
 00878   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00872  2016   NtMapViewOfSection  ... (0x662b0000), 0x0, 360448, ) == 0x0
 00879  1168   NtWaitForSingleObject  (88, 0, 0x0, ...
 00880  2016   NtClose  (140, ... ) == 0x0
 00881  2016   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00882  2016   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00883  2016   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00884  2016   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00878   896   NtAllocateVirtualMemory  ... 18677760, 1048576, ) == 0x0
 00885   896   NtAllocateVirtualMemory  (-1, 19718144, 0, 8192, 4096, 4, ... 19718144, 8192, ) == 0x0
 00886   896   NtProtectVirtualMemory  (-1, (0x12ce000), 4096, 260, ... (0x12ce000), 4096, 4, ) == 0x0
 00887   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 140, {1252, 1180}, ) == 0x0
 00888   896   NtQueryInformationThread  (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1252,Tid=1180,}, 0x0, ) == 0x0
 00889   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81852, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81852, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\4\0\0\234\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81853, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\4\0\0\234\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81853, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81852, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\4\0\0\234\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81853, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\4\0\0\234\4\0\0" )  ) == 0x0
 00890  2016   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00891  2016   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00892  2016   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00893  2016   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00894  2016   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00895  2016   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00896   896   NtResumeThread  (140, ... 1, ) == 0x0
 00897   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19726336, 1048576, ) == 0x0
 00898   896   NtAllocateVirtualMemory  (-1, 20766720, 0, 8192, 4096, 4, ... 20766720, 8192, ) == 0x0
 00899   896   NtProtectVirtualMemory  (-1, (0x13ce000), 4096, 260, ... (0x13ce000), 4096, 4, ) == 0x0
 00900   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1252, 928}, ) == 0x0
 00901   896   NtQueryInformationThread  (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1252,Tid=928,}, 0x0, ) == 0x0
 00902  2016   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 00903  1180   NtWaitForSingleObject  (88, 0, 0x0, ...
 00902  2016   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 00904  2016   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00905  2016   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00906  2016   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00907  2016   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00908  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00909   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81853, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81853, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\240\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81854, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\240\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81854, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81853, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\240\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81854, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\240\3\0\0" )  ) == 0x0
 00910   896   NtResumeThread  (144, ... 1, ) == 0x0
 00911   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20774912, 1048576, ) == 0x0
 00912   896   NtAllocateVirtualMemory  (-1, 21815296, 0, 8192, 4096, 4, ... 21815296, 8192, ) == 0x0
 00913   896   NtProtectVirtualMemory  (-1, (0x14ce000), 4096, 260, ... (0x14ce000), 4096, 4, ) == 0x0
 00914   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00915  2016   NtSetEventBoostPriority  (88, ...
 00916   928   NtWaitForSingleObject  (88, 0, 0x0, ...
 00840  1028   NtWaitForSingleObject  ... ) == 0x0
 00915  2016   NtSetEventBoostPriority  ... ) == 0x0
 00917  1028   NtSetEventBoostPriority  (88, ...
 00851   384   NtWaitForSingleObject  ... ) == 0x0
 00918   384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15526864, ... ) }, 15526864, ... ) == 0x0
 00917  1028   NtSetEventBoostPriority  ... ) == 0x0
 00919  2016   NtWaitForSingleObject  (88, 0, 0x0, ...
 00914   896   NtCreateThread  ... 148, {1252, 428}, ) == 0x0
 00920   384   NtSetEventBoostPriority  (88, ...
 00921   896   NtQueryInformationThread  (148, Basic, 28, ...
 00865  2012   NtWaitForSingleObject  ... ) == 0x0
 00920   384   NtSetEventBoostPriority  ... ) == 0x0
 00922  2012   NtSetEventBoostPriority  (88, ...
 00921   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1252,Tid=428,}, 0x0, ) == 0x0
 00879  1168   NtWaitForSingleObject  ... ) == 0x0
 00922  2012   NtSetEventBoostPriority  ... ) == 0x0
 00923   384   NtWaitForSingleObject  (88, 0, 0x0, ...
 00924  1168   NtSetEventBoostPriority  (88, ...
 00925   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81854, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81854, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\344\4\0\0\254\1\0\0" ...  ...
 00926  1028   NtTestAlert  (...
 00903  1180   NtWaitForSingleObject  ... ) == 0x0
 00924  1168   NtSetEventBoostPriority  ... ) == 0x0
 00925   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81855, 0}  ... {28, 56, reply, 0, 1252, 896, 81855, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\344\4\0\0\254\1\0\0" )  ) == 0x0
 00927  1180   NtSetEventBoostPriority  (88, ...
 00926  1028   NtTestAlert  ... ) == 0x0
 00928  2012   NtTestAlert  (...
 00929  1168   NtTestAlert  (...
 00916   928   NtWaitForSingleObject  ... ) == 0x0
 00927  1180   NtSetEventBoostPriority  ... ) == 0x0
 00930  1028   NtContinue  (16579888, 1, ...
 00928  2012   NtTestAlert  ... ) == 0x0
 00931   928   NtSetEventBoostPriority  (88, ...
 00929  1168   NtTestAlert  ... ) == 0x0
 00932   896   NtResumeThread  (148, ...
 00933  1028   NtRegisterThreadTerminatePort  (24, ...
 00919  2016   NtWaitForSingleObject  ... ) == 0x0
 00931   928   NtSetEventBoostPriority  ... ) == 0x0
 00934  2012   NtContinue  (17628464, 1, ...
 00935  1168   NtContinue  (18677040, 1, ...
 00932   896   NtResumeThread  ... 1, ) == 0x0
 00936  2016   NtSetEventBoostPriority  (88, ...
 00933  1028   NtRegisterThreadTerminatePort  ... ) == 0x0
 00937  1180   NtTestAlert  (...
 00938   428   NtWaitForSingleObject  (88, 0, 0x0, ...
 00939  2012   NtRegisterThreadTerminatePort  (24, ...
 00940  1168   NtRegisterThreadTerminatePort  (24, ...
 00923   384   NtWaitForSingleObject  ... ) == 0x0
 00936  2016   NtSetEventBoostPriority  ... ) == 0x0
 00941   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00942  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00937  1180   NtTestAlert  ... ) == 0x0
 00939  2012   NtRegisterThreadTerminatePort  ... ) == 0x0
 00943   384   NtSetEventBoostPriority  (88, ...
 00940  1168   NtRegisterThreadTerminatePort  ... ) == 0x0
 00944   928   NtTestAlert  (...
 00941   896   NtAllocateVirtualMemory  ... 21823488, 1048576, ) == 0x0
 00945  2016   NtWaitForSingleObject  (88, 0, 0x0, ...
 00946  1180   NtContinue  (19725616, 1, ...
 00938   428   NtWaitForSingleObject  ... ) == 0x0
 00943   384   NtSetEventBoostPriority  ... ) == 0x0
 00947  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00948  1168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00944   928   NtTestAlert  ... ) == 0x0
 00949   896   NtAllocateVirtualMemory  (-1, 22863872, 0, 8192, 4096, 4, ...
 00950   428   NtSetEventBoostPriority  (88, ...
 00951  1180   NtRegisterThreadTerminatePort  (24, ...
 00942  1028   NtDuplicateObject  ... 152, ) == 0x0
 00952   384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00947  2012   NtDuplicateObject  ... 156, ) == 0x0
 00953   928   NtContinue  (20774192, 1, ...
 00945  2016   NtWaitForSingleObject  ... ) == 0x0
 00950   428   NtSetEventBoostPriority  ... ) == 0x0
 00949   896   NtAllocateVirtualMemory  ... 22863872, 8192, ) == 0x0
 00951  1180   NtRegisterThreadTerminatePort  ... ) == 0x0
 00954  1028   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00952   384   NtCreateEvent  ... 160, ) == 0x0
 00955  2012   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00956  2016   NtQuerySystemInformation  (Basic, 44, ...
 00957   928   NtRegisterThreadTerminatePort  (24, ...
 00948  1168   NtDuplicateObject  ... 164, ) == 0x0
 00958   428   NtTestAlert  (...
 00959  1180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00954  1028   NtWaitForSingleObject  ... ) == 0x102
 00960   384   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 00956  2016   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00955  2012   NtWaitForSingleObject  ... ) == 0x102
 00957   928   NtRegisterThreadTerminatePort  ... ) == 0x0
 00961  1168   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00958   428   NtTestAlert  ... ) == 0x0
 00962   896   NtProtectVirtualMemory  (-1, (0x15ce000), 4096, 260, ...
 00963  1028   NtWaitForSingleObject  (124, 0, 0x0, ...
 00964  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ...
 00960   384   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00965  2012   NtWaitForSingleObject  (124, 0, 0x0, ...
 00966   928   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00961  1168   NtWaitForSingleObject  ... ) == 0x102
 00967   428   NtContinue  (21822768, 1, ...
 00962   896   NtProtectVirtualMemory  ... (0x15ce000), 4096, 4, ) == 0x0
 00959  1180   NtDuplicateObject  ... 168, ) == 0x0
 00968   384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 15526968, ... }, 15526968, ...
 00964  2016   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969  1168   NtWaitForSingleObject  (124, 0, 0x0, ...
 00970   428   NtRegisterThreadTerminatePort  (24, ...
 00971   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00972  1180   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00973  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ...
 00970   428   NtRegisterThreadTerminatePort  ... ) == 0x0
 00971   896   NtCreateThread  ... 172, {1252, 1732}, ) == 0x0
 00972  1180   NtWaitForSingleObject  ... ) == 0x102
 00973  2016   NtOpenKey  ... 176, ) == 0x0
 00974   428   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00975   896   NtQueryInformationThread  (172, Basic, 28, ...
 00976  1180   NtWaitForSingleObject  (124, 0, 0x0, ...
 00977  2016   NtQueryValueKey  (176,  (176, "MaxRpcSize", Partial, 144, ... , Partial, 144, ...
 00966   928   NtDuplicateObject  ... 180, ) == 0x0
 00975   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1252,Tid=1732,}, 0x0, ) == 0x0
 00977  2016   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00978   928   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00974   428   NtDuplicateObject  ... 184, ) == 0x0
 00979  2016   NtClose  (176, ...
 00978   928   NtWaitForSingleObject  ... ) == 0x102
 00980   428   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00981   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81855, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81855, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\344\4\0\0\304\6\0\0" ...  ...
 00982   928   NtWaitForSingleObject  (124, 0, 0x0, ...
 00980   428   NtWaitForSingleObject  ... ) == 0x102
 00981   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81856, 0}  ... {28, 56, reply, 0, 1252, 896, 81856, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\0\0\0\344\4\0\0\304\6\0\0" )  ) == 0x0
 00983   428   NtWaitForSingleObject  (124, 0, 0x0, ...
 00984   896   NtResumeThread  (172, ... 1, ) == 0x0
 00985   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 22872064, 1048576, ) == 0x0
 00986   896   NtAllocateVirtualMemory  (-1, 23912448, 0, 8192, 4096, 4, ... 23912448, 8192, ) == 0x0
 00987   896   NtProtectVirtualMemory  (-1, (0x16ce000), 4096, 260, ... (0x16ce000), 4096, 4, ) == 0x0
 00988   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00979  2016   NtClose  ... ) == 0x0
 00989  1732   NtWaitForSingleObject  (88, 0, 0x0, ...
 00990  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00991  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 176, ) == 0x0
 00992  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 188, ) == 0x0
 00993  2016   NtQuerySystemTime  (... {1445547914, 29929616}, ) == 0x0
 00994  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0
 00995  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ...
 00988   896   NtCreateThread  ... 196, {1252, 748}, ) == 0x0
 00996   896   NtQueryInformationThread  (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1252,Tid=748,}, 0x0, ) == 0x0
 00997   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81856, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81856, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\344\4\0\0\354\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81857, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\344\4\0\0\354\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81857, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81856, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\344\4\0\0\354\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81857, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\344\4\0\0\354\2\0\0" )  ) == 0x0
 00998   896   NtResumeThread  (196, ... 1, ) == 0x0
 00999   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23920640, 1048576, ) == 0x0
 01000   896   NtAllocateVirtualMemory  (-1, 24961024, 0, 8192, 4096, 4, ... 24961024, 8192, ) == 0x0
 00995  2016   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01001   748   NtWaitForSingleObject  (88, 0, 0x0, ...
 00968   384   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01002  2016   NtQuerySystemInformation  (Performance, 312, ...
 01003   384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 15526968, ... }, 15526968, ...
 01002  2016   NtQuerySystemInformation  ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01003   384   NtQueryAttributesFile  ... ) == 0x0
 01004  2016   NtQueryInformationProcess  (-1, QuotaLimits, 32, ...
 01005   384   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ...
 01004  2016   NtQueryInformationProcess  ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01006   896   NtProtectVirtualMemory  (-1, (0x17ce000), 4096, 260, ...
 01007  2016   NtQueryInformationProcess  (-1, VmCounters, 44, ...
 01006   896   NtProtectVirtualMemory  ... (0x17ce000), 4096, 4, ) == 0x0
 01005   384   NtOpenFile  ... 200, {status=0x0, info=1}, ) == 0x0
 01008   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01009   384   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 200, ...
 01008   896   NtCreateThread  ... 204, {1252, 900}, ) == 0x0
 01009   384   NtCreateSection  ... 208, ) == 0x0
 01010   896   NtQueryInformationThread  (204, Basic, 28, ...
 01011   384   NtQuerySection  (208, Image, 48, ...
 01010   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1252,Tid=900,}, 0x0, ) == 0x0
 01011   384   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01007  2016   NtQueryInformationProcess  ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01012   384   NtClose  (200, ...
 01013  2016   NtWaitForSingleObject  (88, 0, 0x0, ...
 01014   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81857, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81857, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\204\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81858, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\204\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81858, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81857, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\204\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81858, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\344\4\0\0\204\3\0\0" )  ) == 0x0
 01015   896   NtResumeThread  (204, ... 1, ) == 0x0
 01016   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24969216, 1048576, ) == 0x0
 01017   896   NtAllocateVirtualMemory  (-1, 26009600, 0, 8192, 4096, 4, ... 26009600, 8192, ) == 0x0
 01018   896   NtProtectVirtualMemory  (-1, (0x18ce000), 4096, 260, ... (0x18ce000), 4096, 4, ) == 0x0
 01019   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01012   384   NtClose  ... ) == 0x0
 01020   900   NtWaitForSingleObject  (88, 0, 0x0, ...
 01021   384   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 01022   384   NtClose  (208, ... ) == 0x0
 01023   384   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01024   384   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01025   384   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01026   384   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01019   896   NtCreateThread  ... 208, {1252, 1388}, ) == 0x0
 01027   896   NtQueryInformationThread  (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1252,Tid=1388,}, 0x0, ) == 0x0
 01028   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81858, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81858, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\344\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\344\4\0\0l\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81859, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81858, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\344\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\344\4\0\0l\5\0\0" )  ) == 0x0
 01029   896   NtResumeThread  (208, ... 1, ) == 0x0
 01030   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 26017792, 1048576, ) == 0x0
 01031   896   NtAllocateVirtualMemory  (-1, 27058176, 0, 8192, 4096, 4, ... 27058176, 8192, ) == 0x0
 01026   384   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01032  1388   NtWaitForSingleObject  (88, 0, 0x0, ...
 01033   384   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01034   384   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01035   384   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01036   384   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01037   384   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01038   384   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01039   896   NtProtectVirtualMemory  (-1, (0x19ce000), 4096, 260, ... (0x19ce000), 4096, 4, ) == 0x0
 01040   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 200, {1252, 2036}, ) == 0x0
 01041   896   NtQueryInformationThread  (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1252,Tid=2036,}, 0x0, ) == 0x0
 01042   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81859, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\344\4\0\0\364\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81860, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\344\4\0\0\364\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81860, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\344\4\0\0\364\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81860, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\344\4\0\0\364\7\0\0" )  ) == 0x0
 01043   896   NtResumeThread  (200, ... 1, ) == 0x0
 01044   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01038   384   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01045  2036   NtWaitForSingleObject  (88, 0, 0x0, ...
 01046   384   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01047   384   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01048   384   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01049   384   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01050   384   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01051   384   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01044   896   NtAllocateVirtualMemory  ... 27066368, 1048576, ) == 0x0
 01052   896   NtAllocateVirtualMemory  (-1, 28106752, 0, 8192, 4096, 4, ... 28106752, 8192, ) == 0x0
 01053   896   NtProtectVirtualMemory  (-1, (0x1ace000), 4096, 260, ... (0x1ace000), 4096, 4, ) == 0x0
 01054   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {1252, 1372}, ) == 0x0
 01055   896   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1252,Tid=1372,}, 0x0, ) == 0x0
 01051   384   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01056   384   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01057   384   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01058   384   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01059   384   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 216, 2, ) , 0, ... 216, 2, ) == 0x0
 01060   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 220, ) }, ... 220, ) == 0x0
 01061   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01062   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81860, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81860, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81861, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81860, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\\5\0\0" )  ) == 0x0
 01063   896   NtResumeThread  (212, ... 1, ) == 0x0
 01064   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28114944, 1048576, ) == 0x0
 01065   896   NtAllocateVirtualMemory  (-1, 29155328, 0, 8192, 4096, 4, ... 29155328, 8192, ) == 0x0
 01066   896   NtProtectVirtualMemory  (-1, (0x1bce000), 4096, 260, ... (0x1bce000), 4096, 4, ) == 0x0
 01067   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01061   384   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01068  1372   NtWaitForSingleObject  (88, 0, 0x0, ...
 01069   384   NtQueryValueKey  (220,  (220, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01070   384   NtQueryValueKey  (216,  (216, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01071   384   NtQueryValueKey  (220,  (220, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01072   384   NtQueryValueKey  (216,  (216, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (216, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01073   384   NtQueryValueKey  (220,  (220, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01074   384   NtQueryValueKey  (216,  (216, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ...
 01067   896   NtCreateThread  ... 224, {1252, 1600}, ) == 0x0
 01075   896   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1252,Tid=1600,}, 0x0, ) == 0x0
 01076   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81861, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0@\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0@\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81862, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0@\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0@\6\0\0" )  ) == 0x0
 01077   896   NtResumeThread  (224, ... 1, ) == 0x0
 01078   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29163520, 1048576, ) == 0x0
 01079   896   NtAllocateVirtualMemory  (-1, 30203904, 0, 8192, 4096, 4, ... 30203904, 8192, ) == 0x0
 01074   384   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01080  1600   NtWaitForSingleObject  (88, 0, 0x0, ...
 01081   384   NtQueryValueKey  (220,  (220, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01082   384   NtQueryValueKey  (216,  (216, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01083   384   NtQueryValueKey  (220,  (220, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01084   384   NtQueryValueKey  (220,  (220, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01085   384   NtQueryValueKey  (220,  (220, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01086   384   NtQueryValueKey  (220,  (220, "FilterClusterIp", Partial, 144, ... , Partial, 144, ...
 01087   896   NtProtectVirtualMemory  (-1, (0x1cce000), 4096, 260, ... (0x1cce000), 4096, 4, ) == 0x0
 01088   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1252, 1948}, ) == 0x0
 01089   896   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1252,Tid=1948,}, 0x0, ) == 0x0
 01090   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81862, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\234\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81863, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\234\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81863, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\234\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81863, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\234\7\0\0" )  ) == 0x0
 01091   896   NtResumeThread  (228, ... 1, ) == 0x0
 01092   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01086   384   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01093  1948   NtWaitForSingleObject  (88, 0, 0x0, ...
 01094   384   NtQueryValueKey  (220,  (220, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01095   384   NtQueryValueKey  (220,  (220, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01096   384   NtQueryValueKey  (220,  (220, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01097   384   NtQueryValueKey  (220,  (220, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01098   384   NtQueryValueKey  (220,  (220, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01099   384   NtQueryValueKey  (216,  (216, "DisableDynamicUpdate", Partial, 144, ... , Partial, 144, ...
 01092   896   NtAllocateVirtualMemory  ... 30212096, 1048576, ) == 0x0
 01100   896   NtAllocateVirtualMemory  (-1, 31252480, 0, 8192, 4096, 4, ... 31252480, 8192, ) == 0x0
 01101   896   NtProtectVirtualMemory  (-1, (0x1dce000), 4096, 260, ... (0x1dce000), 4096, 4, ) == 0x0
 01102   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1252, 252}, ) == 0x0
 01103   896   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1252,Tid=252,}, 0x0, ) == 0x0
 01104   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81863, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81863, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\374\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81864, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\374\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81864, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81863, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\374\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81864, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\374\0\0\0" )  ) == 0x0
 01099   384   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01105   384   NtQueryValueKey  (220,  (220, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106   384   NtQueryValueKey  (220,  (220, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01107   384   NtQueryValueKey  (216,  (216, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01108   384   NtQueryValueKey  (220,  (220, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01109   384   NtQueryValueKey  (216,  (216, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01110   384   NtQueryValueKey  (220,  (220, "RegisterWanAdapters", Partial, 144, ... , Partial, 144, ...
 01111   896   NtResumeThread  (232, ... 1, ) == 0x0
 01112   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31260672, 1048576, ) == 0x0
 01113   896   NtAllocateVirtualMemory  (-1, 32301056, 0, 8192, 4096, 4, ... 32301056, 8192, ) == 0x0
 01114   896   NtProtectVirtualMemory  (-1, (0x1ece000), 4096, 260, ... (0x1ece000), 4096, 4, ) == 0x0
 01115   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1252, 1300}, ) == 0x0
 01116   896   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1252,Tid=1300,}, 0x0, ) == 0x0
 01110   384   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01117   252   NtWaitForSingleObject  (88, 0, 0x0, ...
 01118   384   NtQueryValueKey  (216,  (216, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01119   384   NtQueryValueKey  (220,  (220, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01120   384   NtQueryValueKey  (216,  (216, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01121   384   NtQueryValueKey  (220,  (220, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122   384   NtQueryValueKey  (216,  (216, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01123   384   NtQueryValueKey  (220,  (220, "RegistrationMaxAddressCount", Partial, 144, ... , Partial, 144, ...
 01124   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81864, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81864, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\24\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81865, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\24\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81865, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81864, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\24\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81865, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\24\5\0\0" )  ) == 0x0
 01125   896   NtResumeThread  (236, ... 1, ) == 0x0
 01126   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32309248, 1048576, ) == 0x0
 01127   896   NtAllocateVirtualMemory  (-1, 33349632, 0, 8192, 4096, 4, ... 33349632, 8192, ) == 0x0
 01128   896   NtProtectVirtualMemory  (-1, (0x1fce000), 4096, 260, ... (0x1fce000), 4096, 4, ) == 0x0
 01129   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01123   384   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01130  1300   NtWaitForSingleObject  (88, 0, 0x0, ...
 01131   384   NtQueryValueKey  (216,  (216, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01132   384   NtQueryValueKey  (220,  (220, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01133   384   NtQueryValueKey  (216,  (216, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01134   384   NtQueryValueKey  (220,  (220, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01135   384   NtQueryValueKey  (220,  (220, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01136   384   NtQueryValueKey  (220,  (220, "DnsTest", Partial, 144, ... , Partial, 144, ...
 01129   896   NtCreateThread  ... 240, {1252, 1096}, ) == 0x0
 01137   896   NtQueryInformationThread  (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1252,Tid=1096,}, 0x0, ) == 0x0
 01138   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81865, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81865, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81866, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81866, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81865, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81866, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0H\4\0\0" )  ) == 0x0
 01139   896   NtResumeThread  (240, ... 1, ) == 0x0
 01140   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33357824, 1048576, ) == 0x0
 01141   896   NtAllocateVirtualMemory  (-1, 34398208, 0, 8192, 4096, 4, ... 34398208, 8192, ) == 0x0
 01136   384   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01142  1096   NtWaitForSingleObject  (88, 0, 0x0, ...
 01143   384   NtQueryValueKey  (220,  (220, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01144   384   NtQueryValueKey  (220,  (220, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01145   384   NtQueryValueKey  (220,  (220, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01146   384   NtQueryValueKey  (220,  (220, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01147   384   NtQueryValueKey  (220,  (220, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01148   384   NtQueryValueKey  (220,  (220, "MaxCachedSockets", Partial, 144, ... , Partial, 144, ...
 01149   896   NtProtectVirtualMemory  (-1, (0x20ce000), 4096, 260, ... (0x20ce000), 4096, 4, ) == 0x0
 01150   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {1252, 1708}, ) == 0x0
 01151   896   NtQueryInformationThread  (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1252,Tid=1708,}, 0x0, ) == 0x0
 01152   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81866, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81866, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0\254\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81867, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0\254\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81867, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81866, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0\254\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81867, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0\254\6\0\0" )  ) == 0x0
 01153   896   NtResumeThread  (244, ... 1, ) == 0x0
 01154   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01148   384   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01155  1708   NtWaitForSingleObject  (88, 0, 0x0, ...
 01156   384   NtQueryValueKey  (220,  (220, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01157   384   NtQueryValueKey  (220,  (220, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158   384   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 248, ) }, ... 248, ) == 0x0
 01159   384   NtQueryValueKey  (248,  (248, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (248, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01160   384   NtClose  (248, ... ) == 0x0
 01161   384   NtClose  (216, ...
 01154   896   NtAllocateVirtualMemory  ... 34406400, 1048576, ) == 0x0
 01162   896   NtAllocateVirtualMemory  (-1, 35446784, 0, 8192, 4096, 4, ... 35446784, 8192, ) == 0x0
 01163   896   NtProtectVirtualMemory  (-1, (0x21ce000), 4096, 260, ... (0x21ce000), 4096, 4, ) == 0x0
 01164   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1252, 1024}, ) == 0x0
 01165   896   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1252,Tid=1024,}, 0x0, ) == 0x0
 01166   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81867, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81867, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\0\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81868, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\0\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81868, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81867, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\0\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81868, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\0\4\0\0" )  ) == 0x0
 01161   384   NtClose  ... ) == 0x0
 01167   384   NtClose  (220, ... ) == 0x0
 01168   384   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 220, ) }, ... 220, ) == 0x0
 01169   384   NtQueryValueKey  (220,  (220, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01170   384   NtQueryValueKey  (220,  (220, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01171   384   NtQueryValueKey  (220,  (220, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172   384   NtClose  (220, ...
 01173   896   NtResumeThread  (248, ... 1, ) == 0x0
 01174   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35454976, 1048576, ) == 0x0
 01175   896   NtAllocateVirtualMemory  (-1, 36495360, 0, 8192, 4096, 4, ... 36495360, 8192, ) == 0x0
 01176   896   NtProtectVirtualMemory  (-1, (0x22ce000), 4096, 260, ... (0x22ce000), 4096, 4, ) == 0x0
 01177   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1252, 1324}, ) == 0x0
 01178   896   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1252,Tid=1324,}, 0x0, ) == 0x0
 01172   384   NtClose  ... ) == 0x0
 01179  1024   NtWaitForSingleObject  (88, 0, 0x0, ...
 01180   384   NtSetEventBoostPriority  (88, ...
 00989  1732   NtWaitForSingleObject  ... ) == 0x0
 01181  1732   NtSetEventBoostPriority  (88, ...
 01001   748   NtWaitForSingleObject  ... ) == 0x0
 01182   748   NtSetEventBoostPriority  (88, ...
 01013  2016   NtWaitForSingleObject  ... ) == 0x0
 01183  2016   NtSetEventBoostPriority  (88, ...
 01020   900   NtWaitForSingleObject  ... ) == 0x0
 01184   900   NtSetEventBoostPriority  (88, ...
 01032  1388   NtWaitForSingleObject  ... ) == 0x0
 01185  1388   NtSetEventBoostPriority  (88, ...
 01045  2036   NtWaitForSingleObject  ... ) == 0x0
 01186  2036   NtSetEventBoostPriority  (88, ...
 01068  1372   NtWaitForSingleObject  ... ) == 0x0
 01187  1372   NtSetEventBoostPriority  (88, ...
 01080  1600   NtWaitForSingleObject  ... ) == 0x0
 01188  1600   NtSetEventBoostPriority  (88, ...
 01093  1948   NtWaitForSingleObject  ... ) == 0x0
 01189  1948   NtSetEventBoostPriority  (88, ...
 01117   252   NtWaitForSingleObject  ... ) == 0x0
 01190   252   NtSetEventBoostPriority  (88, ...
 01130  1300   NtWaitForSingleObject  ... ) == 0x0
 01191  1300   NtSetEventBoostPriority  (88, ...
 01142  1096   NtWaitForSingleObject  ... ) == 0x0
 01192  1096   NtSetEventBoostPriority  (88, ...
 01155  1708   NtWaitForSingleObject  ... ) == 0x0
 01193  1708   NtSetEventBoostPriority  (88, ...
 01179  1024   NtWaitForSingleObject  ... ) == 0x0
 01194  1024   NtTestAlert  (... ) == 0x0
 01193  1708   NtSetEventBoostPriority  ... ) == 0x0
 01192  1096   NtSetEventBoostPriority  ... ) == 0x0
 01191  1300   NtSetEventBoostPriority  ... ) == 0x0
 01190   252   NtSetEventBoostPriority  ... ) == 0x0
 01189  1948   NtSetEventBoostPriority  ... ) == 0x0
 01188  1600   NtSetEventBoostPriority  ... ) == 0x0
 01187  1372   NtSetEventBoostPriority  ... ) == 0x0
 01186  2036   NtSetEventBoostPriority  ... ) == 0x0
 01185  1388   NtSetEventBoostPriority  ... ) == 0x0
 01184   900   NtSetEventBoostPriority  ... ) == 0x0
 01183  2016   NtSetEventBoostPriority  ... ) == 0x0
 01182   748   NtSetEventBoostPriority  ... ) == 0x0
 01181  1732   NtSetEventBoostPriority  ... ) == 0x0
 01180   384   NtSetEventBoostPriority  ... ) == 0x0
 01195   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81868, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81868, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0,\5\0\0" ...  ...
 01196  1024   NtContinue  (35454256, 1, ...
 01197  1708   NtTestAlert  (...
 01198  1096   NtTestAlert  (...
 01199  1300   NtTestAlert  (...
 01200   252   NtTestAlert  (...
 01201  1948   NtTestAlert  (...
 01202  1600   NtTestAlert  (...
 01203  1372   NtTestAlert  (...
 01204  2036   NtTestAlert  (...
 01205  1388   NtTestAlert  (...
 01206   900   NtTestAlert  (...
 01207  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01208   748   NtTestAlert  (...
 01209   384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01195   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81869, 0}  ... {28, 56, reply, 0, 1252, 896, 81869, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0,\5\0\0" )  ) == 0x0
 01210  1024   NtRegisterThreadTerminatePort  (24, ...
 01197  1708   NtTestAlert  ... ) == 0x0
 01198  1096   NtTestAlert  ... ) == 0x0
 01199  1300   NtTestAlert  ... ) == 0x0
 01200   252   NtTestAlert  ... ) == 0x0
 01201  1948   NtTestAlert  ... ) == 0x0
 01202  1600   NtTestAlert  ... ) == 0x0
 01203  1372   NtTestAlert  ... ) == 0x0
 01204  2036   NtTestAlert  ... ) == 0x0
 01205  1388   NtTestAlert  ... ) == 0x0
 01206   900   NtTestAlert  ... ) == 0x0
 01207  2016   NtCreateEvent  ... 220, ) == 0x0
 01208   748   NtTestAlert  ... ) == 0x0
 01209   384   NtCreateEvent  ... 252, ) == 0x0
 01211   896   NtResumeThread  (216, ...
 01210  1024   NtRegisterThreadTerminatePort  ... ) == 0x0
 01212  1708   NtContinue  (34405680, 1, ...
 01213  1096   NtContinue  (33357104, 1, ...
 01214  1300   NtContinue  (32308528, 1, ...
 01215   252   NtContinue  (31259952, 1, ...
 01216  1948   NtContinue  (30211376, 1, ...
 01217  1600   NtContinue  (29162800, 1, ...
 01218  1372   NtContinue  (28114224, 1, ...
 01219  2036   NtContinue  (27065648, 1, ...
 01220  1388   NtContinue  (26017072, 1, ...
 01221   900   NtContinue  (24968496, 1, ...
 01222  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01223   748   NtContinue  (23919920, 1, ...
 01224   384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01211   896   NtResumeThread  ... 1, ) == 0x0
 01225  1024   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01226  1708   NtRegisterThreadTerminatePort  (24, ...
 01227  1096   NtRegisterThreadTerminatePort  (24, ...
 01228  1300   NtRegisterThreadTerminatePort  (24, ...
 01229   252   NtRegisterThreadTerminatePort  (24, ...
 01230  1948   NtRegisterThreadTerminatePort  (24, ...
 01231  1600   NtRegisterThreadTerminatePort  (24, ...
 01232  1372   NtRegisterThreadTerminatePort  (24, ...
 01233  2036   NtRegisterThreadTerminatePort  (24, ...
 01234  1388   NtRegisterThreadTerminatePort  (24, ...
 01235   900   NtRegisterThreadTerminatePort  (24, ...
 01222  2016   NtDuplicateObject  ... 256, ) == 0x0
 01236   748   NtRegisterThreadTerminatePort  (24, ...
 01237  1732   NtTestAlert  (...
 01238  1324   NtAllocateVirtualMemory  (-1, 8867840, 0, 4096, 4096, 4, ...
 01239   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01225  1024   NtDuplicateObject  ... 260, ) == 0x0
 01226  1708   NtRegisterThreadTerminatePort  ... ) == 0x0
 01227  1096   NtRegisterThreadTerminatePort  ... ) == 0x0
 01228  1300   NtRegisterThreadTerminatePort  ... ) == 0x0
 01229   252   NtRegisterThreadTerminatePort  ... ) == 0x0
 01230  1948   NtRegisterThreadTerminatePort  ... ) == 0x0
 01231  1600   NtRegisterThreadTerminatePort  ... ) == 0x0
 01232  1372   NtRegisterThreadTerminatePort  ... ) == 0x0
 01233  2036   NtRegisterThreadTerminatePort  ... ) == 0x0
 01234  1388   NtRegisterThreadTerminatePort  ... ) == 0x0
 01235   900   NtRegisterThreadTerminatePort  ... ) == 0x0
 01240  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 01236   748   NtRegisterThreadTerminatePort  ... ) == 0x0
 01237  1732   NtTestAlert  ... ) == 0x0
 01238  1324   NtAllocateVirtualMemory  ... 8867840, 4096, ) == 0x0
 01224   384   NtDuplicateObject  ... 264, ) == 0x0
 01241  1024   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01242  1708   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01243  1096   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01244  1300   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01245   252   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ...
 01246  1948   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01247  1600   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01248  1372   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01249  2036   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01250  1388   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01251   900   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01240  2016   NtOpenKey  ... 268, ) == 0x0
 01252   748   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01253  1732   NtContinue  (22871344, 1, ...
 01254  1324   NtTestAlert  (...
 01255   384   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01239   896   NtAllocateVirtualMemory  ... 36503552, 1048576, ) == 0x0
 01241  1024   NtWaitForSingleObject  ... ) == 0x102
 01242  1708   NtDuplicateObject  ... 272, ) == 0x0
 01243  1096   NtDuplicateObject  ... 276, ) == 0x0
 01244  1300   NtDuplicateObject  ... 280, ) == 0x0
 01245   252   NtAllocateVirtualMemory  ... 1368064, 4096, ) == 0x0
 01246  1948   NtCreateEvent  ... 284, ) == 0x0
 01247  1600   NtCreateEvent  ... 288, ) == 0x0
 01248  1372   NtCreateEvent  ... 292, ) == 0x0
 01249  2036   NtCreateEvent  ... 296, ) == 0x0
 01250  1388   NtCreateEvent  ... 300, ) == 0x0
 01251   900   NtCreateEvent  ... 304, ) == 0x0
 01256  2016   NtQueryValueKey  (268,  (268, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 01257  1732   NtRegisterThreadTerminatePort  (24, ...
 01254  1324   NtTestAlert  ... ) == 0x0
 01255   384   NtCreateEvent  ... 308, ) == 0x0
 01258   896   NtAllocateVirtualMemory  (-1, 37543936, 0, 8192, 4096, 4, ...
 01259  1024   NtWaitForSingleObject  (124, 0, 0x0, ...
 01260  1708   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01261  1096   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01262  1300   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01263   252   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01264  1948   NtWaitForSingleObject  (284, 0, 0x0, ...
 01265  1600   NtClose  (288, ...
 01266  1372   NtClose  (292, ...
 01267  2036   NtClose  (296, ...
 01268  1388   NtClose  (300, ...
 01269   900   NtClose  (304, ...
 01256  2016   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01257  1732   NtRegisterThreadTerminatePort  ... ) == 0x0
 01270  1324   NtContinue  (36502832, 1, ...
 01271   384   NtClose  (308, ...
 01258   896   NtAllocateVirtualMemory  ... 37543936, 8192, ) == 0x0
 01260  1708   NtCreateEvent  ... 312, ) == 0x0
 01261  1096   NtCreateEvent  ... 316, ) == 0x0
 01262  1300   NtCreateEvent  ... 320, ) == 0x0
 01263   252   NtCreateEvent  ... 324, ) == 0x0
 01265  1600   NtClose  ... ) == 0x0
 01266  1372   NtClose  ... ) == 0x0
 01267  2036   NtClose  ... ) == 0x0
 01268  1388   NtClose  ... ) == 0x0
 01269   900   NtClose  ... ) == 0x0
 01272  2016   NtClose  (268, ...
 01273  1732   NtWaitForSingleObject  (284, 0, 0x0, ...
 01252   748   NtCreateEvent  ... 304, ) == 0x0
 01271   384   NtClose  ... ) == 0x0
 01274   896   NtProtectVirtualMemory  (-1, (0x23ce000), 4096, 260, ...
 01275  1708   NtClose  (312, ...
 01276  1096   NtClose  (316, ...
 01277  1300   NtClose  (320, ...
 01278   252   NtClose  (324, ...
 01279  1600   NtWaitForSingleObject  (284, 0, 0x0, ...
 01280  1372   NtWaitForSingleObject  (284, 0, 0x0, ...
 01281  2036   NtWaitForSingleObject  (284, 0, 0x0, ...
 01282  1388   NtWaitForSingleObject  (284, 0, 0x0, ...
 01283   900   NtWaitForSingleObject  (284, 0, 0x0, ...
 01284  1324   NtRegisterThreadTerminatePort  (24, ...
 01272  2016   NtClose  ... ) == 0x0
 01285   748   NtClose  (304, ...
 01286   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 01274   896   NtProtectVirtualMemory  ... (0x23ce000), 4096, 4, ) == 0x0
 01275  1708   NtClose  ... ) == 0x0
 01276  1096   NtClose  ... ) == 0x0
 01277  1300   NtClose  ... ) == 0x0
 01278   252   NtClose  ... ) == 0x0
 01284  1324   NtRegisterThreadTerminatePort  ... ) == 0x0
 01287  2016   NtWaitForSingleObject  (284, 0, 0x0, ...
 01285   748   NtClose  ... ) == 0x0
 01288   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01289  1708   NtWaitForSingleObject  (284, 0, 0x0, ...
 01290  1096   NtWaitForSingleObject  (284, 0, 0x0, ...
 01291  1300   NtWaitForSingleObject  (284, 0, 0x0, ...
 01292   252   NtSetEventBoostPriority  (284, ...
 01293  1324   NtWaitForSingleObject  (284, 0, 0x0, ...
 01294   748   NtWaitForSingleObject  (284, 0, 0x0, ...
 01288   896   NtCreateThread  ... 304, {1252, 1776}, ) == 0x0
 01295   896   NtQueryInformationThread  (304, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1252,Tid=1776,}, 0x0, ) == 0x0
 01296   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81869, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81869, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\1\0\0\344\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81870, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\1\0\0\344\4\0\0\360\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81870, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81869, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\1\0\0\344\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81870, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\1\0\0\344\4\0\0\360\6\0\0" )  ) == 0x0
 01297   896   NtResumeThread  (304, ... 1, ) == 0x0
 01298   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 37552128, 1048576, ) == 0x0
 01299   896   NtAllocateVirtualMemory  (-1, 38592512, 0, 8192, 4096, 4, ... 38592512, 8192, ) == 0x0
 01264  1948   NtWaitForSingleObject  ... ) == 0x0
 01292   252   NtSetEventBoostPriority  ... ) == 0x0
 01300  1776   NtTestAlert  (...
 01301  1948   NtSetEventBoostPriority  (284, ...
 01302   252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01300  1776   NtTestAlert  ... ) == 0x0
 01279  1600   NtWaitForSingleObject  ... ) == 0x0
 01301  1948   NtSetEventBoostPriority  ... ) == 0x0
 01302   252   NtDuplicateObject  ... 324, ) == 0x0
 01303  1600   NtSetEventBoostPriority  (284, ...
 01304  1776   NtContinue  (37551408, 1, ...
 01305   896   NtProtectVirtualMemory  (-1, (0x24ce000), 4096, 260, ...
 01280  1372   NtWaitForSingleObject  ... ) == 0x0
 01303  1600   NtSetEventBoostPriority  ... ) == 0x0
 01306   252   NtWaitForSingleObject  (284, 0, 0x0, ...
 01307  1776   NtRegisterThreadTerminatePort  (24, ...
 01308  1372   NtSetEventBoostPriority  (284, ...
 01305   896   NtProtectVirtualMemory  ... (0x24ce000), 4096, 4, ) == 0x0
 01309  1948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01281  2036   NtWaitForSingleObject  ... ) == 0x0
 01308  1372   NtSetEventBoostPriority  ... ) == 0x0
 01307  1776   NtRegisterThreadTerminatePort  ... ) == 0x0
 01310   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01311  2036   NtSetEventBoostPriority  (284, ...
 01309  1948   NtDuplicateObject  ... 320, ) == 0x0
 01312  1600   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01313  1372   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01282  1388   NtWaitForSingleObject  ... ) == 0x0
 01311  2036   NtSetEventBoostPriority  ... ) == 0x0
 01310   896   NtCreateThread  ... 316, {1252, 500}, ) == 0x0
 01314  1948   NtWaitForSingleObject  (284, 0, 0x0, ...
 01312  1600   NtDuplicateObject  ... 312, ) == 0x0
 01315  1388   NtSetEventBoostPriority  (284, ...
 01313  1372   NtDuplicateObject  ... 268, ) == 0x0
 01316  1776   NtWaitForSingleObject  (284, 0, 0x0, ...
 01317   896   NtQueryInformationThread  (316, Basic, 28, ...
 01283   900   NtWaitForSingleObject  ... ) == 0x0
 01315  1388   NtSetEventBoostPriority  ... ) == 0x0
 01318  1600   NtWaitForSingleObject  (284, 0, 0x0, ...
 01319  1372   NtWaitForSingleObject  (284, 0, 0x0, ...
 01320   900   NtSetEventBoostPriority  (284, ...
 01317   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1252,Tid=500,}, 0x0, ) == 0x0
 01321  2036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01273  1732   NtWaitForSingleObject  ... ) == 0x0
 01320   900   NtSetEventBoostPriority  ... ) == 0x0
 01322  1388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01323  1732   NtSetEventBoostPriority  (284, ...
 01321  2036   NtDuplicateObject  ... 308, ) == 0x0
 01324   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81870, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81870, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\344\4\0\0\364\1\0\0" ...  ...
 01287  2016   NtWaitForSingleObject  ... ) == 0x0
 01322  1388   NtDuplicateObject  ... 300, ) == 0x0
 01325  2036   NtWaitForSingleObject  (284, 0, 0x0, ...
 01324   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81871, 0}  ... {28, 56, reply, 0, 1252, 896, 81871, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\344\4\0\0\364\1\0\0" )  ) == 0x0
 01326  2016   NtSetEventBoostPriority  (284, ...
 01327  1388   NtWaitForSingleObject  (284, 0, 0x0, ...
 01328   896   NtResumeThread  (316, ...
 01286   384   NtWaitForSingleObject  ... ) == 0x0
 01326  2016   NtSetEventBoostPriority  ... ) == 0x0
 01329   384   NtSetEventBoostPriority  (284, ...
 01328   896   NtResumeThread  ... 1, ) == 0x0
 01323  1732   NtSetEventBoostPriority  ... ) == 0x0
 01330   900   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01289  1708   NtWaitForSingleObject  ... ) == 0x0
 01331   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01332  1732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01330   900   NtDuplicateObject  ... 296, ) == 0x0
 01333  1708   NtSetEventBoostPriority  (284, ...
 01329   384   NtSetEventBoostPriority  ... ) == 0x0
 01334  2016   NtOpenThreadToken  (-2, 0xc, 1, ...
 01335   500   NtTestAlert  (...
 01332  1732   NtDuplicateObject  ... 292, ) == 0x0
 01336   900   NtWaitForSingleObject  (284, 0, 0x0, ...
 01290  1096   NtWaitForSingleObject  ... ) == 0x0
 01337   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 01334  2016   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01335   500   NtTestAlert  ... ) == 0x0
 01333  1708   NtSetEventBoostPriority  ... ) == 0x0
 01331   896   NtAllocateVirtualMemory  ... 38600704, 1048576, ) == 0x0
 01338  1096   NtSetEventBoostPriority  (284, ...
 01339  2016   NtOpenThreadToken  (-2, 0x20008, 1, ...
 01340   500   NtContinue  (38599984, 1, ...
 01341  1708   NtWaitForSingleObject  (284, 0, 0x0, ...
 01342   896   NtAllocateVirtualMemory  (-1, 39641088, 0, 8192, 4096, 4, ...
 01291  1300   NtWaitForSingleObject  ... ) == 0x0
 01339  2016   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01343   500   NtRegisterThreadTerminatePort  (24, ...
 01342   896   NtAllocateVirtualMemory  ... 39641088, 8192, ) == 0x0
 01344  1300   NtSetEventBoostPriority  (284, ...
 01345  2016   NtWaitForSingleObject  (284, 0, 0x0, ...
 01343   500   NtRegisterThreadTerminatePort  ... ) == 0x0
 01346   896   NtProtectVirtualMemory  (-1, (0x25ce000), 4096, 260, ...
 01293  1324   NtWaitForSingleObject  ... ) == 0x0
 01344  1300   NtSetEventBoostPriority  ... ) == 0x0
 01338  1096   NtSetEventBoostPriority  ... ) == 0x0
 01347  1732   NtWaitForSingleObject  (284, 0, 0x0, ...
 01346   896   NtProtectVirtualMemory  ... (0x25ce000), 4096, 4, ) == 0x0
 01348  1324   NtSetEventBoostPriority  (284, ...
 01349  1300   NtWaitForSingleObject  (284, 0, 0x0, ...
 01350  1096   NtWaitForSingleObject  (284, 0, 0x0, ...
 01351   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01294   748   NtWaitForSingleObject  ... ) == 0x0
 01348  1324   NtSetEventBoostPriority  ... ) == 0x0
 01352   500   NtWaitForSingleObject  (284, 0, 0x0, ...
 01353   748   NtSetEventBoostPriority  (284, ...
 01351   896   NtCreateThread  ... 288, {1252, 248}, ) == 0x0
 01306   252   NtWaitForSingleObject  ... ) == 0x0
 01353   748   NtSetEventBoostPriority  ... ) == 0x0
 01354   252   NtSetEventBoostPriority  (284, ...
 01355   896   NtQueryInformationThread  (288, Basic, 28, ...
 01356  1324   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01314  1948   NtWaitForSingleObject  ... ) == 0x0
 01354   252   NtSetEventBoostPriority  ... ) == 0x0
 01355   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1252,Tid=248,}, 0x0, ) == 0x0
 01357  1948   NtSetEventBoostPriority  (284, ...
 01356  1324   NtDuplicateObject  ... 328, ) == 0x0
 01358   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01316  1776   NtWaitForSingleObject  ... ) == 0x0
 01357  1948   NtSetEventBoostPriority  ... ) == 0x0
 01359   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81871, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81871, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\344\4\0\0\370\0\0\0" ...  ...
 01360  1324   NtWaitForSingleObject  (284, 0, 0x0, ...
 01361  1776   NtSetEventBoostPriority  (284, ...
 01358   748   NtDuplicateObject  ... 332, ) == 0x0
 01362   252   NtWaitForSingleObject  (284, 0, 0x0, ...
 01359   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81872, 0}  ... {28, 56, reply, 0, 1252, 896, 81872, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \1\0\0\344\4\0\0\370\0\0\0" )  ) == 0x0
 01318  1600   NtWaitForSingleObject  ... ) == 0x0
 01361  1776   NtSetEventBoostPriority  ... ) == 0x0
 01363   748   NtWaitForSingleObject  (284, 0, 0x0, ...
 01364  1948   NtWaitForSingleObject  (284, 0, 0x0, ...
 01365  1600   NtSetEventBoostPriority  (284, ...
 01366  1776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01319  1372   NtWaitForSingleObject  ... ) == 0x0
 01365  1600   NtSetEventBoostPriority  ... ) == 0x0
 01367   896   NtResumeThread  (288, ...
 01368  1372   NtSetEventBoostPriority  (284, ...
 01366  1776   NtDuplicateObject  ... 336, ) == 0x0
 01325  2036   NtWaitForSingleObject  ... ) == 0x0
 01368  1372   NtSetEventBoostPriority  ... ) == 0x0
 01367   896   NtResumeThread  ... 1, ) == 0x0
 01369  2036   NtSetEventBoostPriority  (284, ...
 01370  1776   NtWaitForSingleObject  (284, 0, 0x0, ...
 01371  1600   NtWaitForSingleObject  (284, 0, 0x0, ...
 01372   248   NtTestAlert  (...
 01327  1388   NtWaitForSingleObject  ... ) == 0x0
 01369  2036   NtSetEventBoostPriority  ... ) == 0x0
 01373   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01374  1388   NtSetEventBoostPriority  (284, ...
 01372   248   NtTestAlert  ... ) == 0x0
 01375  1372   NtWaitForSingleObject  (284, 0, 0x0, ...
 01336   900   NtWaitForSingleObject  ... ) == 0x0
 01374  1388   NtSetEventBoostPriority  ... ) == 0x0
 01373   896   NtAllocateVirtualMemory  ... 39649280, 1048576, ) == 0x0
 01376   248   NtContinue  (39648560, 1, ...
 01377   900   NtSetEventBoostPriority  (284, ...
 01378  2036   NtWaitForSingleObject  (284, 0, 0x0, ...
 01379   896   NtAllocateVirtualMemory  (-1, 40689664, 0, 8192, 4096, 4, ...
 01337   384   NtWaitForSingleObject  ... ) == 0x0
 01377   900   NtSetEventBoostPriority  ... ) == 0x0
 01380   248   NtRegisterThreadTerminatePort  (24, ...
 01381   384   NtSetEventBoostPriority  (284, ...
 01379   896   NtAllocateVirtualMemory  ... 40689664, 8192, ) == 0x0
 01382  1388   NtWaitForSingleObject  (284, 0, 0x0, ...
 01341  1708   NtWaitForSingleObject  ... ) == 0x0
 01381   384   NtSetEventBoostPriority  ... ) == 0x0
 01380   248   NtRegisterThreadTerminatePort  ... ) == 0x0
 01383   900   NtWaitForSingleObject  (284, 0, 0x0, ...
 01384  1708   NtSetEventBoostPriority  (284, ...
 01385   896   NtProtectVirtualMemory  (-1, (0x26ce000), 4096, 260, ...
 01386   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 01345  2016   NtWaitForSingleObject  ... ) == 0x0
 01384  1708   NtSetEventBoostPriority  ... ) == 0x0
 01385   896   NtProtectVirtualMemory  ... (0x26ce000), 4096, 4, ) == 0x0
 01387  2016   NtSetEventBoostPriority  (284, ...
 01388   248   NtWaitForSingleObject  (284, 0, 0x0, ...
 01347  1732   NtWaitForSingleObject  ... ) == 0x0
 01387  2016   NtSetEventBoostPriority  ... ) == 0x0
 01389   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01390  1732   NtSetEventBoostPriority  (284, ...
 01391  1708   NtWaitForSingleObject  (284, 0, 0x0, ...
 01349  1300   NtWaitForSingleObject  ... ) == 0x0
 01390  1732   NtSetEventBoostPriority  ... ) == 0x0
 01389   896   NtCreateThread  ... 340, {1252, 1884}, ) == 0x0
 01392  1300   NtSetEventBoostPriority  (284, ...
 01393  1732   NtWaitForSingleObject  (284, 0, 0x0, ...
 01350  1096   NtWaitForSingleObject  ... ) == 0x0
 01392  1300   NtSetEventBoostPriority  ... ) == 0x0
 01394   896   NtQueryInformationThread  (340, Basic, 28, ...
 01395  2016   NtWaitForSingleObject  (284, 0, 0x0, ...
 01396  1096   NtSetEventBoostPriority  (284, ...
 01394   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1252,Tid=1884,}, 0x0, ) == 0x0
 01352   500   NtWaitForSingleObject  ... ) == 0x0
 01396  1096   NtSetEventBoostPriority  ... ) == 0x0
 01397  1300   NtWaitForSingleObject  (284, 0, 0x0, ...
 01398   500   NtSetEventBoostPriority  (284, ...
 01399   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81872, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81872, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\4\0\0\\7\0\0" ...  ...
 01360  1324   NtWaitForSingleObject  ... ) == 0x0
 01398   500   NtSetEventBoostPriority  ... ) == 0x0
 01400  1324   NtSetEventBoostPriority  (284, ...
 01399   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81873, 0}  ... {28, 56, reply, 0, 1252, 896, 81873, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0\344\4\0\0\\7\0\0" )  ) == 0x0
 01362   252   NtWaitForSingleObject  ... ) == 0x0
 01400  1324   NtSetEventBoostPriority  ... ) == 0x0
 01401   500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01402   252   NtSetEventBoostPriority  (284, ...
 01403   896   NtResumeThread  (340, ...
 01404  1096   NtWaitForSingleObject  (284, 0, 0x0, ...
 01405  1324   NtWaitForSingleObject  (284, 0, 0x0, ...
 01363   748   NtWaitForSingleObject  ... ) == 0x0
 01402   252   NtSetEventBoostPriority  ... ) == 0x0
 01403   896   NtResumeThread  ... 1, ) == 0x0
 01406   748   NtSetEventBoostPriority  (284, ...
 01407   252   NtWaitForSingleObject  (284, 0, 0x0, ...
 01364  1948   NtWaitForSingleObject  ... ) == 0x0
 01406   748   NtSetEventBoostPriority  ... ) == 0x0
 01408   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01401   500   NtDuplicateObject  ... 344, ) == 0x0
 01409  1884   NtTestAlert  (...
 01410  1948   NtSetEventBoostPriority  (284, ...
 01411   748   NtWaitForSingleObject  (284, 0, 0x0, ...
 01412   500   NtWaitForSingleObject  (284, 0, 0x0, ...
 01370  1776   NtWaitForSingleObject  ... ) == 0x0
 01410  1948   NtSetEventBoostPriority  ... ) == 0x0
 01409  1884   NtTestAlert  ... ) == 0x0
 01413  1776   NtSetEventBoostPriority  (284, ...
 01414  1948   NtWaitForSingleObject  (284, 0, 0x0, ...
 01371  1600   NtWaitForSingleObject  ... ) == 0x0
 01413  1776   NtSetEventBoostPriority  ... ) == 0x0
 01415  1884   NtContinue  (40697136, 1, ...
 01408   896   NtAllocateVirtualMemory  ... 40697856, 1048576, ) == 0x0
 01416  1600   NtSetEventBoostPriority  (284, ...
 01417  1884   NtRegisterThreadTerminatePort  (24, ...
 01375  1372   NtWaitForSingleObject  ... ) == 0x0
 01416  1600   NtSetEventBoostPriority  ... ) == 0x0
 01418   896   NtAllocateVirtualMemory  (-1, 41738240, 0, 8192, 4096, 4, ...
 01419  1372   NtSetEventBoostPriority  (284, ...
 01417  1884   NtRegisterThreadTerminatePort  ... ) == 0x0
 01420  1600   NtWaitForSingleObject  (284, 0, 0x0, ...
 01378  2036   NtWaitForSingleObject  ... ) == 0x0
 01419  1372   NtSetEventBoostPriority  ... ) == 0x0
 01418   896   NtAllocateVirtualMemory  ... 41738240, 8192, ) == 0x0
 01421  1776   NtWaitForSingleObject  (284, 0, 0x0, ...
 01422  1884   NtWaitForSingleObject  (284, 0, 0x0, ...
 01423  2036   NtSetEventBoostPriority  (284, ...
 01424  1372   NtWaitForSingleObject  (284, 0, 0x0, ...
 01425   896   NtProtectVirtualMemory  (-1, (0x27ce000), 4096, 260, ...
 01382  1388   NtWaitForSingleObject  ... ) == 0x0
 01423  2036   NtSetEventBoostPriority  ... ) == 0x0
 01426  1388   NtSetEventBoostPriority  (284, ...
 01425   896   NtProtectVirtualMemory  ... (0x27ce000), 4096, 4, ) == 0x0
 01383   900   NtWaitForSingleObject  ... ) == 0x0
 01426  1388   NtSetEventBoostPriority  ... ) == 0x0
 01427  2036   NtWaitForSingleObject  (284, 0, 0x0, ...
 01428   900   NtSetEventBoostPriority  (284, ...
 01429   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01430  1388   NtWaitForSingleObject  (284, 0, 0x0, ...
 01386   384   NtWaitForSingleObject  ... ) == 0x0
 01428   900   NtSetEventBoostPriority  ... ) == 0x0
 01429   896   NtCreateThread  ... 348, {1252, 1308}, ) == 0x0
 01431   384   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ...
 01432   900   NtWaitForSingleObject  (284, 0, 0x0, ...
 01431   384   NtAllocateVirtualMemory  ... 1372160, 4096, ) == 0x0
 01433   896   NtQueryInformationThread  (348, Basic, 28, ...
 01434   384   NtSetEventBoostPriority  (284, ...
 01433   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1252,Tid=1308,}, 0x0, ) == 0x0
 01435   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81873, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81873, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\34\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81874, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\34\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81874, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81873, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\34\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81874, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\34\5\0\0" )  ) == 0x0
 01436   896   NtResumeThread  (348, ... 1, ) == 0x0
 01437   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 41746432, 1048576, ) == 0x0
 01438   896   NtAllocateVirtualMemory  (-1, 42786816, 0, 8192, 4096, 4, ... 42786816, 8192, ) == 0x0
 01388   248   NtWaitForSingleObject  ... ) == 0x0
 01434   384   NtSetEventBoostPriority  ... ) == 0x0
 01439  1308   NtTestAlert  (...
 01440   248   NtSetEventBoostPriority  (284, ...
 01441   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 01439  1308   NtTestAlert  ... ) == 0x0
 01391  1708   NtWaitForSingleObject  ... ) == 0x0
 01440   248   NtSetEventBoostPriority  ... ) == 0x0
 01442  1708   NtSetEventBoostPriority  (284, ...
 01443  1308   NtContinue  (41745712, 1, ...
 01393  1732   NtWaitForSingleObject  ... ) == 0x0
 01442  1708   NtSetEventBoostPriority  ... ) == 0x0
 01444   248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01445  1732   NtSetEventBoostPriority  (284, ...
 01446  1308   NtRegisterThreadTerminatePort  (24, ...
 01447  1708   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01448   896   NtProtectVirtualMemory  (-1, (0x28ce000), 4096, 260, ...
 01395  2016   NtWaitForSingleObject  ... ) == 0x0
 01446  1308   NtRegisterThreadTerminatePort  ... ) == 0x0
 01445  1732   NtSetEventBoostPriority  ... ) == 0x0
 01444   248   NtDuplicateObject  ... 352, ) == 0x0
 01448   896   NtProtectVirtualMemory  ... (0x28ce000), 4096, 4, ) == 0x0
 01449  2016   NtSetEventBoostPriority  (284, ...
 01447  1708   NtCreateEvent  ... 356, ) == 0x0
 01450  1732   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01451   248   NtWaitForSingleObject  (284, 0, 0x0, ...
 01452   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01397  1300   NtWaitForSingleObject  ... ) == 0x0
 01449  2016   NtSetEventBoostPriority  ... ) == 0x0
 01453  1708   NtWaitForSingleObject  (356, 0, 0x0, ...
 01450  1732   NtCreateEvent  ... 360, ) == 0x0
 01454  1300   NtSetEventBoostPriority  (284, ...
 01452   896   NtCreateThread  ... 364, {1252, 1676}, ) == 0x0
 01455  2016   NtSetEventBoostPriority  (356, ...
 01456  1308   NtWaitForSingleObject  (284, 0, 0x0, ...
 01404  1096   NtWaitForSingleObject  ... ) == 0x0
 01454  1300   NtSetEventBoostPriority  ... ) == 0x0
 01457   896   NtQueryInformationThread  (364, Basic, 28, ...
 01458  1732   NtClose  (360, ...
 01459  1096   NtSetEventBoostPriority  (284, ...
 01460  1300   NtWaitForSingleObject  (356, 0, 0x0, ...
 01457   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1252,Tid=1676,}, 0x0, ) == 0x0
 01405  1324   NtWaitForSingleObject  ... ) == 0x0
 01459  1096   NtSetEventBoostPriority  ... ) == 0x0
 01458  1732   NtClose  ... ) == 0x0
 01453  1708   NtWaitForSingleObject  ... ) == 0x0
 01455  2016   NtSetEventBoostPriority  ... ) == 0x0
 01461  1324   NtSetEventBoostPriority  (284, ...
 01462  1096   NtWaitForSingleObject  (356, 0, 0x0, ...
 01463  1732   NtWaitForSingleObject  (356, 0, 0x0, ...
 01464  1708   NtWaitForSingleObject  (284, 0, 0x0, ...
 01407   252   NtWaitForSingleObject  ... ) == 0x0
 01461  1324   NtSetEventBoostPriority  ... ) == 0x0
 01465  2016   NtWaitForSingleObject  (356, 0, 0x0, ...
 01466   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81874, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81874, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0\214\6\0\0" ...  ...
 01467   252   NtSetEventBoostPriority  (284, ...
 01468  1324   NtWaitForSingleObject  (356, 0, 0x0, ...
 01411   748   NtWaitForSingleObject  ... ) == 0x0
 01466   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81875, 0}  ... {28, 56, reply, 0, 1252, 896, 81875, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0\214\6\0\0" )  ) == 0x0
 01467   252   NtSetEventBoostPriority  ... ) == 0x0
 01469   748   NtSetEventBoostPriority  (284, ...
 01470   896   NtResumeThread  (364, ...
 01471   252   NtWaitForSingleObject  (356, 0, 0x0, ...
 01412   500   NtWaitForSingleObject  ... ) == 0x0
 01469   748   NtSetEventBoostPriority  ... ) == 0x0
 01470   896   NtResumeThread  ... 1, ) == 0x0
 01472   500   NtSetEventBoostPriority  (284, ...
 01473   748   NtWaitForSingleObject  (284, 0, 0x0, ...
 01414  1948   NtWaitForSingleObject  ... ) == 0x0
 01472   500   NtSetEventBoostPriority  ... ) == 0x0
 01474   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01475  1676   NtTestAlert  (...
 01476  1948   NtSetEventBoostPriority  (284, ...
 01477   500   NtWaitForSingleObject  (356, 0, 0x0, ...
 01421  1776   NtWaitForSingleObject  ... ) == 0x0
 01475  1676   NtTestAlert  ... ) == 0x0
 01478  1776   NtSetEventBoostPriority  (284, ...
 01479  1676   NtContinue  (42794288, 1, ...
 01422  1884   NtWaitForSingleObject  ... ) == 0x0
 01478  1776   NtSetEventBoostPriority  ... ) == 0x0
 01480  1884   NtSetEventBoostPriority  (284, ...
 01481  1676   NtRegisterThreadTerminatePort  (24, ...
 01420  1600   NtWaitForSingleObject  ... ) == 0x0
 01480  1884   NtSetEventBoostPriority  ... ) == 0x0
 01482  1776   NtWaitForSingleObject  (284, 0, 0x0, ...
 01483  1600   NtSetEventBoostPriority  (284, ...
 01481  1676   NtRegisterThreadTerminatePort  ... ) == 0x0
 01484  1884   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01476  1948   NtSetEventBoostPriority  ... ) == 0x0
 01474   896   NtAllocateVirtualMemory  ... 42795008, 1048576, ) == 0x0
 01424  1372   NtWaitForSingleObject  ... ) == 0x0
 01483  1600   NtSetEventBoostPriority  ... ) == 0x0
 01485  1676   NtWaitForSingleObject  (284, 0, 0x0, ...
 01486  1948   NtWaitForSingleObject  (356, 0, 0x0, ...
 01487   896   NtAllocateVirtualMemory  (-1, 43835392, 0, 8192, 4096, 4, ...
 01488  1372   NtSetEventBoostPriority  (284, ...
 01489  1600   NtWaitForSingleObject  (284, 0, 0x0, ...
 01487   896   NtAllocateVirtualMemory  ... 43835392, 8192, ) == 0x0
 01427  2036   NtWaitForSingleObject  ... ) == 0x0
 01490   896   NtProtectVirtualMemory  (-1, (0x29ce000), 4096, 260, ...
 01491  2036   NtSetEventBoostPriority  (284, ...
 01490   896   NtProtectVirtualMemory  ... (0x29ce000), 4096, 4, ) == 0x0
 01430  1388   NtWaitForSingleObject  ... ) == 0x0
 01492   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01493  1388   NtSetEventBoostPriority  (284, ...
 01491  2036   NtSetEventBoostPriority  ... ) == 0x0
 01488  1372   NtSetEventBoostPriority  ... ) == 0x0
 01484  1884   NtDuplicateObject  ... 360, ) == 0x0
 01432   900   NtWaitForSingleObject  ... ) == 0x0
 01494  2036   NtWaitForSingleObject  (284, 0, 0x0, ...
 01495  1372   NtWaitForSingleObject  (284, 0, 0x0, ...
 01496  1884   NtWaitForSingleObject  (284, 0, 0x0, ...
 01497   900   NtSetEventBoostPriority  (284, ...
 01441   384   NtWaitForSingleObject  ... ) == 0x0
 01498   384   NtSetEventBoostPriority  (284, ...
 01451   248   NtWaitForSingleObject  ... ) == 0x0
 01499   248   NtSetEventBoostPriority  (284, ...
 01456  1308   NtWaitForSingleObject  ... ) == 0x0
 01500  1308   NtSetEventBoostPriority  (284, ...
 01464  1708   NtWaitForSingleObject  ... ) == 0x0
 01501  1708   NtSetEventBoostPriority  (284, ...
 01473   748   NtWaitForSingleObject  ... ) == 0x0
 01502   748   NtSetEventBoostPriority  (284, ...
 01482  1776   NtWaitForSingleObject  ... ) == 0x0
 01503  1776   NtSetEventBoostPriority  (284, ...
 01485  1676   NtWaitForSingleObject  ... ) == 0x0
 01504  1676   NtSetEventBoostPriority  (284, ...
 01489  1600   NtWaitForSingleObject  ... ) == 0x0
 01505  1600   NtSetEventBoostPriority  (284, ...
 01494  2036   NtWaitForSingleObject  ... ) == 0x0
 01506  2036   NtSetEventBoostPriority  (284, ...
 01495  1372   NtWaitForSingleObject  ... ) == 0x0
 01507  1372   NtSetEventBoostPriority  (284, ...
 01496  1884   NtWaitForSingleObject  ... ) == 0x0
 01508  1884   NtWaitForSingleObject  (356, 0, 0x0, ...
 01507  1372   NtSetEventBoostPriority  ... ) == 0x0
 01506  2036   NtSetEventBoostPriority  ... ) == 0x0
 01505  1600   NtSetEventBoostPriority  ... ) == 0x0
 01504  1676   NtSetEventBoostPriority  ... ) == 0x0
 01501  1708   NtSetEventBoostPriority  ... ) == 0x0
 01500  1308   NtSetEventBoostPriority  ... ) == 0x0
 01499   248   NtSetEventBoostPriority  ... ) == 0x0
 01498   384   NtSetEventBoostPriority  ... ) == 0x0
 01503  1776   NtSetEventBoostPriority  ... ) == 0x0
 01502   748   NtSetEventBoostPriority  ... ) == 0x0
 01497   900   NtSetEventBoostPriority  ... ) == 0x0
 01493  1388   NtSetEventBoostPriority  ... ) == 0x0
 01492   896   NtCreateThread  ... 368, {1252, 1620}, ) == 0x0
 01509  1372   NtWaitForSingleObject  (356, 0, 0x0, ...
 01510  2036   NtWaitForSingleObject  (356, 0, 0x0, ...
 01511  1676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01512  1600   NtWaitForSingleObject  (356, 0, 0x0, ...
 01513  1308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01514  1708   NtSetEventBoostPriority  (356, ...
 01515   248   NtWaitForSingleObject  (356, 0, 0x0, ...
 01516  1776   NtWaitForSingleObject  (356, 0, 0x0, ...
 01517   748   NtWaitForSingleObject  (356, 0, 0x0, ...
 01518   900   NtWaitForSingleObject  (356, 0, 0x0, ...
 01519  1388   NtWaitForSingleObject  (356, 0, 0x0, ...
 01520   896   NtQueryInformationThread  (368, Basic, 28, ...
 01521   384   NtWaitForSingleObject  (356, 0, 0x0, ...
 01511  1676   NtDuplicateObject  ... 372, ) == 0x0
 01460  1300   NtWaitForSingleObject  ... ) == 0x0
 01514  1708   NtSetEventBoostPriority  ... ) == 0x0
 01520   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1252,Tid=1620,}, 0x0, ) == 0x0
 01522  1300   NtSetEventBoostPriority  (356, ...
 01523  1676   NtWaitForSingleObject  (356, 0, 0x0, ...
 01524  1708   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01463  1732   NtWaitForSingleObject  ... ) == 0x0
 01525   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81875, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81875, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\4\0\0T\6\0\0" ...  ...
 01524  1708   NtWaitForSingleObject  ... ) == 0x102
 01526  1732   NtSetEventBoostPriority  (356, ...
 01525   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81876, 0}  ... {28, 56, reply, 0, 1252, 896, 81876, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\344\4\0\0T\6\0\0" )  ) == 0x0
 01527  1708   NtWaitForSingleObject  (124, 0, 0x0, ...
 01465  2016   NtWaitForSingleObject  ... ) == 0x0
 01526  1732   NtSetEventBoostPriority  ... ) == 0x0
 01522  1300   NtSetEventBoostPriority  ... ) == 0x0
 01513  1308   NtDuplicateObject  ... 376, ) == 0x0
 01528   896   NtResumeThread  (368, ...
 01529  2016   NtSetEventBoostPriority  (356, ...
 01530  1300   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01531  1308   NtWaitForSingleObject  (356, 0, 0x0, ...
 01462  1096   NtWaitForSingleObject  ... ) == 0x0
 01529  2016   NtSetEventBoostPriority  ... ) == 0x0
 01528   896   NtResumeThread  ... 1, ) == 0x0
 01532  1096   NtSetEventBoostPriority  (356, ...
 01533  1732   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01534  1620   NtTestAlert  (...
 01530  1300   NtWaitForSingleObject  ... ) == 0x102
 01471   252   NtWaitForSingleObject  ... ) == 0x0
 01535   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01533  1732   NtWaitForSingleObject  ... ) == 0x102
 01534  1620   NtTestAlert  ... ) == 0x0
 01536  1300   NtWaitForSingleObject  (124, 0, 0x0, ...
 01537   252   NtSetEventBoostPriority  (356, ...
 01535   896   NtAllocateVirtualMemory  ... 43843584, 1048576, ) == 0x0
 01538  1732   NtWaitForSingleObject  (124, 0, 0x0, ...
 01539  1620   NtContinue  (43842864, 1, ...
 01468  1324   NtWaitForSingleObject  ... ) == 0x0
 01537   252   NtSetEventBoostPriority  ... ) == 0x0
 01540   896   NtAllocateVirtualMemory  (-1, 44883968, 0, 8192, 4096, 4, ...
 01541  1324   NtSetEventBoostPriority  (356, ...
 01542  1620   NtRegisterThreadTerminatePort  (24, ...
 01532  1096   NtSetEventBoostPriority  ... ) == 0x0
 01543  2016   NtWaitForSingleObject  (356, 0, 0x0, ...
 01477   500   NtWaitForSingleObject  ... ) == 0x0
 01540   896   NtAllocateVirtualMemory  ... 44883968, 8192, ) == 0x0
 01542  1620   NtRegisterThreadTerminatePort  ... ) == 0x0
 01544  1096   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01545   500   NtSetEventBoostPriority  (356, ...
 01541  1324   NtSetEventBoostPriority  ... ) == 0x0
 01546   252   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01547   896   NtProtectVirtualMemory  (-1, (0x2ace000), 4096, 260, ...
 01486  1948   NtWaitForSingleObject  ... ) == 0x0
 01545   500   NtSetEventBoostPriority  ... ) == 0x0
 01548  1324   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01546   252   NtWaitForSingleObject  ... ) == 0x102
 01549  1948   NtSetEventBoostPriority  (356, ...
 01547   896   NtProtectVirtualMemory  ... (0x2ace000), 4096, 4, ) == 0x0
 01550   500   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01508  1884   NtWaitForSingleObject  ... ) == 0x0
 01549  1948   NtSetEventBoostPriority  ... ) == 0x0
 01551   252   NtWaitForSingleObject  (124, 0, 0x0, ...
 01552   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01553  1620   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01544  1096   NtWaitForSingleObject  ... ) == 0x102
 01548  1324   NtWaitForSingleObject  ... ) == 0x102
 01554  1884   NtSetEventBoostPriority  (356, ...
 01550   500   NtWaitForSingleObject  ... ) == 0x102
 01552   896   NtCreateThread  ... 380, {1252, 1296}, ) == 0x0
 01553  1620   NtDuplicateObject  ... 384, ) == 0x0
 01555  1096   NtWaitForSingleObject  (124, 0, 0x0, ...
 01509  1372   NtWaitForSingleObject  ... ) == 0x0
 01554  1884   NtSetEventBoostPriority  ... ) == 0x0
 01556  1324   NtWaitForSingleObject  (124, 0, 0x0, ...
 01557   500   NtWaitForSingleObject  (124, 0, 0x0, ...
 01558   896   NtQueryInformationThread  (380, Basic, 28, ...
 01559  1620   NtWaitForSingleObject  (356, 0, 0x0, ...
 01560  1372   NtSetEventBoostPriority  (356, ...
 01561  1948   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01558   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1252,Tid=1296,}, 0x0, ) == 0x0
 01510  2036   NtWaitForSingleObject  ... ) == 0x0
 01560  1372   NtSetEventBoostPriority  ... ) == 0x0
 01561  1948   NtWaitForSingleObject  ... ) == 0x102
 01562  1884   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01563  2036   NtSetEventBoostPriority  (356, ...
 01564  1372   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01565  1948   NtWaitForSingleObject  (124, 0, 0x0, ...
 01512  1600   NtWaitForSingleObject  ... ) == 0x0
 01563  2036   NtSetEventBoostPriority  ... ) == 0x0
 01562  1884   NtWaitForSingleObject  ... ) == 0x102
 01566   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81876, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81876, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\4\0\0\20\5\0\0" ...  ...
 01567  1600   NtSetEventBoostPriority  (356, ...
 01568  2036   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01569  1884   NtWaitForSingleObject  (124, 0, 0x0, ...
 01515   248   NtWaitForSingleObject  ... ) == 0x0
 01567  1600   NtSetEventBoostPriority  ... ) == 0x0
 01566   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81877, 0}  ... {28, 56, reply, 0, 1252, 896, 81877, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0\344\4\0\0\20\5\0\0" )  ) == 0x0
 01564  1372   NtWaitForSingleObject  ... ) == 0x102
 01570   248   NtSetEventBoostPriority  (356, ...
 01571  1600   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01572   896   NtResumeThread  (380, ...
 01516  1776   NtWaitForSingleObject  ... ) == 0x0
 01570   248   NtSetEventBoostPriority  ... ) == 0x0
 01573  1372   NtWaitForSingleObject  (124, 0, 0x0, ...
 01568  2036   NtWaitForSingleObject  ... ) == 0x102
 01574  1776   NtSetEventBoostPriority  (356, ...
 01572   896   NtResumeThread  ... 1, ) == 0x0
 01575   248   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01517   748   NtWaitForSingleObject  ... ) == 0x0
 01574  1776   NtSetEventBoostPriority  ... ) == 0x0
 01576  2036   NtWaitForSingleObject  (124, 0, 0x0, ...
 01577   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01571  1600   NtWaitForSingleObject  ... ) == 0x102
 01578  1296   NtTestAlert  (...
 01579   748   NtSetEventBoostPriority  (356, ...
 01575   248   NtWaitForSingleObject  ... ) == 0x102
 01580  1776   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01581  1600   NtWaitForSingleObject  (124, 0, 0x0, ...
 01518   900   NtWaitForSingleObject  ... ) == 0x0
 01579   748   NtSetEventBoostPriority  ... ) == 0x0
 01578  1296   NtTestAlert  ... ) == 0x0
 01582   248   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01580  1776   NtWaitForSingleObject  ... ) == 0x102
 01583   900   NtWaitForSingleObject  (284, 0, 0x0, ...
 01577   896   NtAllocateVirtualMemory  ... 44892160, 1048576, ) == 0x0
 01584  1296   NtContinue  (44891440, 1, ...
 01582   248   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01585  1776   NtWaitForSingleObject  (284, 0, 0x0, ...
 01586   896   NtAllocateVirtualMemory  (-1, 45932544, 0, 8192, 4096, 4, ...
 01587  1296   NtRegisterThreadTerminatePort  (24, ...
 01588   248   NtSetEventBoostPriority  (284, ...
 01586   896   NtAllocateVirtualMemory  ... 45932544, 8192, ) == 0x0
 01587  1296   NtRegisterThreadTerminatePort  ... ) == 0x0
 01583   900   NtWaitForSingleObject  ... ) == 0x0
 01588   248   NtSetEventBoostPriority  ... ) == 0x0
 01589   896   NtProtectVirtualMemory  (-1, (0x2bce000), 4096, 260, ...
 01590   748   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01591   900   NtSetEventBoostPriority  (284, ...
 01592  1296   NtWaitForSingleObject  (284, 0, 0x0, ...
 01589   896   NtProtectVirtualMemory  ... (0x2bce000), 4096, 4, ) == 0x0
 01585  1776   NtWaitForSingleObject  ... ) == 0x0
 01591   900   NtSetEventBoostPriority  ... ) == 0x0
 01590   748   NtWaitForSingleObject  ... ) == 0x102
 01593  1776   NtSetEventBoostPriority  (284, ...
 01594   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01595   248   NtWaitForSingleObject  (124, 0, 0x0, ...
 01592  1296   NtWaitForSingleObject  ... ) == 0x0
 01593  1776   NtSetEventBoostPriority  ... ) == 0x0
 01596   748   NtWaitForSingleObject  (284, 0, 0x0, ...
 01597   900   NtSetEventBoostPriority  (356, ...
 01598  1296   NtSetEventBoostPriority  (284, ...
 01594   896   NtCreateThread  ... 388, {1252, 440}, ) == 0x0
 01596   748   NtWaitForSingleObject  ... ) == 0x0
 01598  1296   NtSetEventBoostPriority  ... ) == 0x0
 01519  1388   NtWaitForSingleObject  ... ) == 0x0
 01597   900   NtSetEventBoostPriority  ... ) == 0x0
 01599   748   NtWaitForSingleObject  (124, 0, 0x0, ...
 01600   896   NtQueryInformationThread  (388, Basic, 28, ...
 01601  1388   NtSetEventBoostPriority  (356, ...
 01602  1296   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01603   900   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01521   384   NtWaitForSingleObject  ... ) == 0x0
 01601  1388   NtSetEventBoostPriority  ... ) == 0x0
 01600   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1252,Tid=440,}, 0x0, ) == 0x0
 01604  1776   NtWaitForSingleObject  (124, 0, 0x0, ...
 01605   384   NtSetEventBoostPriority  (356, ...
 01603   900   NtWaitForSingleObject  ... ) == 0x102
 01602  1296   NtDuplicateObject  ... 392, ) == 0x0
 01606   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81877, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81877, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\0\270\1\0\0" ...  ...
 01523  1676   NtWaitForSingleObject  ... ) == 0x0
 01605   384   NtSetEventBoostPriority  ... ) == 0x0
 01607   900   NtWaitForSingleObject  (124, 0, 0x0, ...
 01608  1296   NtWaitForSingleObject  (356, 0, 0x0, ...
 01609  1676   NtSetEventBoostPriority  (356, ...
 01606   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81878, 0}  ... {28, 56, reply, 0, 1252, 896, 81878, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\0\270\1\0\0" )  ) == 0x0
 01610   384   NtWaitForSingleObject  (356, 0, 0x0, ...
 01611  1388   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01531  1308   NtWaitForSingleObject  ... ) == 0x0
 01609  1676   NtSetEventBoostPriority  ... ) == 0x0
 01612   896   NtResumeThread  (388, ...
 01613  1308   NtSetEventBoostPriority  (356, ...
 01611  1388   NtWaitForSingleObject  ... ) == 0x102
 01543  2016   NtWaitForSingleObject  ... ) == 0x0
 01613  1308   NtSetEventBoostPriority  ... ) == 0x0
 01612   896   NtResumeThread  ... 1, ) == 0x0
 01614  2016   NtSetEventBoostPriority  (356, ...
 01615  1388   NtWaitForSingleObject  (124, 0, 0x0, ...
 01616  1676   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01617   440   NtTestAlert  (...
 01559  1620   NtWaitForSingleObject  ... ) == 0x0
 01614  2016   NtSetEventBoostPriority  ... ) == 0x0
 01618   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01616  1676   NtWaitForSingleObject  ... ) == 0x102
 01619  1620   NtSetEventBoostPriority  (356, ...
 01617   440   NtTestAlert  ... ) == 0x0
 01620  2016   NtWaitForSingleObject  (356, 0, 0x0, ...
 01618   896   NtAllocateVirtualMemory  ... 45940736, 1048576, ) == 0x0
 01608  1296   NtWaitForSingleObject  ... ) == 0x0
 01619  1620   NtSetEventBoostPriority  ... ) == 0x0
 01621  1676   NtWaitForSingleObject  (124, 0, 0x0, ...
 01622   440   NtContinue  (45940016, 1, ...
 01623  1308   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01624  1296   NtSetEventBoostPriority  (356, ...
 01625   896   NtAllocateVirtualMemory  (-1, 46981120, 0, 8192, 4096, 4, ...
 01626   440   NtRegisterThreadTerminatePort  (24, ...
 01610   384   NtWaitForSingleObject  ... ) == 0x0
 01624  1296   NtSetEventBoostPriority  ... ) == 0x0
 01623  1308   NtWaitForSingleObject  ... ) == 0x102
 01625   896   NtAllocateVirtualMemory  ... 46981120, 8192, ) == 0x0
 01627   384   NtSetEventBoostPriority  (356, ...
 01626   440   NtRegisterThreadTerminatePort  ... ) == 0x0
 01628  1620   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01629  1308   NtWaitForSingleObject  (124, 0, 0x0, ...
 01630  1296   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01620  2016   NtWaitForSingleObject  ... ) == 0x0
 01627   384   NtSetEventBoostPriority  ... ) == 0x0
 01631   896   NtProtectVirtualMemory  (-1, (0x2cce000), 4096, 260, ...
 01628  1620   NtWaitForSingleObject  ... ) == 0x102
 01630  1296   NtWaitForSingleObject  ... ) == 0x102
 01632  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11071600, ... }, 11071600, ...
 01633   384   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01631   896   NtProtectVirtualMemory  ... (0x2cce000), 4096, 4, ) == 0x0
 01634  1620   NtWaitForSingleObject  (284, 0, 0x0, ...
 01635  1296   NtWaitForSingleObject  (284, 0, 0x0, ...
 01632  2016   NtQueryAttributesFile  ... ) == 0x0
 01633   384   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01636   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01637  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01638   440   NtWaitForSingleObject  (284, 0, 0x0, ...
 01636   896   NtCreateThread  ... 396, {1252, 1588}, ) == 0x0
 01637  2016   NtOpenKey  ... 400, ) == 0x0
 01639   896   NtQueryInformationThread  (396, Basic, 28, ...
 01640   384   NtSetEventBoostPriority  (284, ...
 01639   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1252,Tid=1588,}, 0x0, ) == 0x0
 01634  1620   NtWaitForSingleObject  ... ) == 0x0
 01640   384   NtSetEventBoostPriority  ... ) == 0x0
 01641  2016   NtQueryValueKey  (400,  (400, "Transports", Partial, 144, ... , Partial, 144, ...
 01642  1620   NtSetEventBoostPriority  (284, ...
 01643   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 01635  1296   NtWaitForSingleObject  ... ) == 0x0
 01642  1620   NtSetEventBoostPriority  ... ) == 0x0
 01641  2016   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01644  1296   NtSetEventBoostPriority  (284, ...
 01645   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81878, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81878, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\04\6\0\0" ...  ...
 01638   440   NtWaitForSingleObject  ... ) == 0x0
 01644  1296   NtSetEventBoostPriority  ... ) == 0x0
 01646  2016   NtQueryValueKey  (400,  (400, "Transports", Partial, 144, ... , Partial, 144, ...
 01647   440   NtSetEventBoostPriority  (284, ...
 01645   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81879, 0}  ... {28, 56, reply, 0, 1252, 896, 81879, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\344\4\0\04\6\0\0" )  ) == 0x0
 01648  1620   NtWaitForSingleObject  (124, 0, 0x0, ...
 01643   384   NtWaitForSingleObject  ... ) == 0x0
 01647   440   NtSetEventBoostPriority  ... ) == 0x0
 01646  2016   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01649   896   NtResumeThread  (396, ...
 01650   384   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 01651   440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01652  2016   NtClose  (400, ...
 01650   384   NtOpenFile  ... 404, {status=0x0, info=0}, ) == 0x0
 01649   896   NtResumeThread  ... 1, ) == 0x0
 01653  1296   NtWaitForSingleObject  (124, 0, 0x0, ...
 01652  2016   NtClose  ... ) == 0x0
 01651   440   NtDuplicateObject  ... 400, ) == 0x0
 01654  1588   NtTestAlert  (...
 01655   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01656   384   NtDeviceIoControlFile  (404, 0, 0x0, 0x0, 0x390008,  (404, 0, 0x0, 0x0, 0x390008, "\301\327\320\342\20\337\324W%}q\235\6/I\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01657   440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01654  1588   NtTestAlert  ... ) == 0x0
 01658  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01659   384   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01657   440   NtWaitForSingleObject  ... ) == 0x102
 01660  1588   NtContinue  (46988592, 1, ...
 01658  2016   NtOpenKey  ... 408, ) == 0x0
 01659   384   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01661   440   NtWaitForSingleObject  (124, 0, 0x0, ...
 01662  1588   NtRegisterThreadTerminatePort  (24, ...
 01663  2016   NtQueryValueKey  (408,  (408, "Mapping", Partial, 144, ... , Partial, 144, ...
 01664   384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01662  1588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01663  2016   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01664   384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01655   896   NtAllocateVirtualMemory  ... 46989312, 1048576, ) == 0x0
 01665  2016   NtQueryValueKey  (408,  (408, "Mapping", Partial, 144, ... , Partial, 144, ...
 01666   384   NtQuerySystemInformation  (Performance, 312, ...
 01667   896   NtAllocateVirtualMemory  (-1, 48029696, 0, 8192, 4096, 4, ...
 01665  2016   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01668  1588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01667   896   NtAllocateVirtualMemory  ... 48029696, 8192, ) == 0x0
 01666   384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01668  1588   NtDuplicateObject  ... 412, ) == 0x0
 01669   896   NtProtectVirtualMemory  (-1, (0x2dce000), 4096, 260, ...
 01670   384   NtQuerySystemInformation  (Exception, 16, ...
 01671  1588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01669   896   NtProtectVirtualMemory  ... (0x2dce000), 4096, 4, ) == 0x0
 01670   384   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01671  1588   NtWaitForSingleObject  ... ) == 0x102
 01672   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01673   384   NtQuerySystemInformation  (Lookaside, 32, ...
 01674  1588   NtWaitForSingleObject  (124, 0, 0x0, ...
 01675  2016   NtQueryValueKey  (408,  (408, "Mapping", Partial, 152, ... , Partial, 152, ...
 01673   384   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01672   896   NtCreateThread  ... 416, {1252, 2044}, ) == 0x0
 01675  2016   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01676   384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01677   896   NtQueryInformationThread  (416, Basic, 28, ...
 01678  2016   NtClose  (408, ...
 01677   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1252,Tid=2044,}, 0x0, ) == 0x0
 01678  2016   NtClose  ... ) == 0x0
 01679   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81879, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81879, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\374\7\0\0" ...  ...
 01680  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01679   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81880, 0}  ... {28, 56, reply, 0, 1252, 896, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\374\7\0\0" )  ) == 0x0
 01680  2016   NtOpenKey  ... 408, ) == 0x0
 01676   384   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01681   896   NtResumeThread  (416, ...
 01682   384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01681   896   NtResumeThread  ... 1, ) == 0x0
 01682   384   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01683   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01684  2016   NtQueryValueKey  (408,  (408, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01685  2044   NtTestAlert  (...
 01683   896   NtAllocateVirtualMemory  ... 48037888, 1048576, ) == 0x0
 01684  2016   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01685  2044   NtTestAlert  ... ) == 0x0
 01686   896   NtAllocateVirtualMemory  (-1, 49078272, 0, 8192, 4096, 4, ...
 01687  2016   NtQueryValueKey  (408,  (408, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01688  2044   NtContinue  (48037168, 1, ...
 01686   896   NtAllocateVirtualMemory  ... 49078272, 8192, ) == 0x0
 01687  2016   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01689  2044   NtRegisterThreadTerminatePort  (24, ...
 01690   384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01691  2016   NtQueryValueKey  (408,  (408, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ...
 01689  2044   NtRegisterThreadTerminatePort  ... ) == 0x0
 01690   384   NtCreateKey  ... -2147482748, 2, ) == 0x0
 01691  2016   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01692   896   NtProtectVirtualMemory  (-1, (0x2ece000), 4096, 260, ...
 01693   384   NtSetValueKey  (-2147482748,  (-2147482748, "Seed", 0, 3, "\213\321\247\4\353\246\333g\105\367\276\261\226\31\257\316A\355\356G\24\216V\234\343>.\223\33\276\4\373C\211\35\231\232\355\215\347\220\330\21\24\303\344\314\207\271`:\335Vz#\374\\216cj\304k\225\224q\312=\15\231\374\203\37\362\332H(\245\22", 80, ... , 0, 3,  (-2147482748, "Seed", 0, 3, "\213\321\247\4\353\246\333g\105\367\276\261\226\31\257\316A\355\356G\24\216V\234\343>.\223\33\276\4\373C\211\35\231\232\355\215\347\220\330\21\24\303\344\314\207\271`:\335Vz#\374\\216cj\304k\225\224q\312=\15\231\374\203\37\362\332H(\245\22", 80, ... , 80, ...
 01694  2044   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01692   896   NtProtectVirtualMemory  ... (0x2ece000), 4096, 4, ) == 0x0
 01693   384   NtSetValueKey  ... ) == 0x0
 01694  2044   NtDuplicateObject  ... 420, ) == 0x0
 01695   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01696   384   NtClose  (-2147482748, ...
 01697  2044   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01695   896   NtCreateThread  ... 424, {1252, 588}, ) == 0x0
 01696   384   NtClose  ... ) == 0x0
 01697  2044   NtWaitForSingleObject  ... ) == 0x102
 01698   896   NtQueryInformationThread  (424, Basic, 28, ...
 01699  2016   NtQueryValueKey  (408,  (408, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 01700  2044   NtWaitForSingleObject  (124, 0, 0x0, ...
 01698   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1252,Tid=588,}, 0x0, ) == 0x0
 01699  2016   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01656   384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\334\23\213\344h+\245\3241\11\365>\210$\252h\364\341\252\364aE\254j\253\331\225\352\220\227\10\251\204\26\337\305}\227nj\261,\30\214\347q\255\34o6Ru\355\10f\233\223\221\213\312*(\275S\271\7U\330\345\374\354<\223\3\11!riNT\353\275\252\254\323\324\370\334N\357#\334\321\311\227'\262\264\204\215\333\277\352!\226\265\277d\201\375\253\301\233\375\203;\310sZ\367\10\215>\23R\363\225B9\247\212\350\315\325\370i\356\364-\2\275\7\57$\257\33\31\310\\14\261\21\324\263Gb\322`Au\201\32)\367\264\375<\225\26", ) !\226\265\277d\201\375\253\301\233\375\203;\310sZ\367\10\215>\23R\363\225B9\247\212\350\315\325\370i\356\364-\2\275\7\57$\257\33\31\310\\14\261\21\324\263Gb\322`Au\201\32)\367\264\375<\225\26", ) == 0x0
 01701  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072556, ... }, 11072556, ...
 01702   384   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01701  2016   NtQueryAttributesFile  ... ) == 0x0
 01702   384   NtCreateEvent  ... 428, ) == 0x0
 01703  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01704   384   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15527428, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15527428, 188, ...
 01703  2016   NtOpenFile  ... 432, {status=0x0, info=1}, ) == 0x0
 01704   384   NtConnectPort  ... 436, 0x0, 0x0, 0x0, 188, ) == 0x0
 01705   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81880, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0L\2\0\0" ...  ...
 01706  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 432, ...
 01705   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81882, 0}  ... {28, 56, reply, 0, 1252, 896, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0L\2\0\0" )  ) == 0x0
 01706  2016   NtCreateSection  ... 440, ) == 0x0
 01707   896   NtResumeThread  (424, ...
 01708  2016   NtClose  (432, ...
 01707   896   NtResumeThread  ... 1, ) == 0x0
 01708  2016   NtClose  ... ) == 0x0
 01709   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01710  2016   NtMapViewOfSection  (440, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 01711   384   NtRequestWaitReplyPort  (436, {200, 224, new_msg, 0, 1384080, 12, 2, 1}  (436, {200, 224, new_msg, 0, 1384080, 12, 2, 1} "\0\3\24\0\274\0\0\0\4>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0@\3\24\0\4\0\0\0\1\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\341\324\200\323%\14\37\272\20\36\25\0`\1\24\0\12\0\0\0\0\0\0\0\0\0\0\2(\0\0\0\30\36\25\04\335\353sh\3\24\08\36\25\0`\1\24\0\0\0\0\0\0\0\0\08\36\25\0P\0\0\0@\36\25\0\360\6\221|@\3\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\354\0\372\31\221|\30\364\354\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01712   588   NtWaitForSingleObject  (88, 0, 0x0, ...
 01710  2016   NtMapViewOfSection  ... (0x860000), 0x0, 20480, ) == 0x0
 01711   384   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 384, 81883, 0}  ... {200, 224, reply, 0, 1252, 384, 81883, 0} "\7\3\24\0\274\0\0\0\4>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\1\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\341\324\200\323%\14\37\272\20\36\25\0`\1\24\0\12\0\0\0\0\0\0\0\0\0\0\2(\0\0\0\30\36\25\04\335\353sh\3\24\08\36\25\0`\1\24\0\0\0\0\0\0\0\0\08\36\25\0P\0\0\0@\36\25\0\360\6\221|@\3\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\354\0\372\31\221|\30\364\354\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01709   896   NtAllocateVirtualMemory  ... 49086464, 1048576, ) == 0x0
 01713   384   NtRequestWaitReplyPort  (436, {64, 88, new_msg, 0, 0, 0, 0, 0}  (436, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 01714   896   NtAllocateVirtualMemory  (-1, 50126848, 0, 8192, 4096, 4, ... 50126848, 8192, ) == 0x0
 01715   896   NtProtectVirtualMemory  (-1, (0x2fce000), 4096, 260, ... (0x2fce000), 4096, 4, ) == 0x0
 01716   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01713   384   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1252, 384, 81884, 0}  ... {52, 76, reply, 0, 1252, 384, 81884, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\37\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 01717  2016   NtClose  (440, ...
 01716   896   NtCreateThread  ... 432, {1252, 1652}, ) == 0x0
 01717  2016   NtClose  ... ) == 0x0
 01718   896   NtQueryInformationThread  (432, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1252,Tid=1652,}, 0x0, ) == 0x0
 01719   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81882, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0t\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0t\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81885, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0t\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0t\6\0\0" )  ) == 0x0
 01720  2016   NtUnmapViewOfSection  (-1, 0x860000, ...
 01721   384   NtClose  (428, ...
 01720  2016   NtUnmapViewOfSection  ... ) == 0x0
 01721   384   NtClose  ... ) == 0x0
 01722   896   NtResumeThread  (432, ...
 01723   384   NtClose  (436, ...
 01722   896   NtResumeThread  ... 1, ) == 0x0
 01723   384   NtClose  ... ) == 0x0
 01724   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01725   384   NtWaitForSingleObject  (88, 0, 0x0, ...
 01724   896   NtAllocateVirtualMemory  ... 50135040, 1048576, ) == 0x0
 01726   896   NtAllocateVirtualMemory  (-1, 51175424, 0, 8192, 4096, 4, ... 51175424, 8192, ) == 0x0
 01727   896   NtProtectVirtualMemory  (-1, (0x30ce000), 4096, 260, ... (0x30ce000), 4096, 4, ) == 0x0
 01728   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 436, {1252, 1376}, ) == 0x0
 01729   896   NtQueryInformationThread  (436, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1252,Tid=1376,}, 0x0, ) == 0x0
 01730  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072864, ... }, 11072864, ...
 01731  1652   NtWaitForSingleObject  (88, 0, 0x0, ...
 01730  2016   NtQueryAttributesFile  ... ) == 0x0
 01732  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 428, {status=0x0, info=1}, ) }, 5, 96, ... 428, {status=0x0, info=1}, ) == 0x0
 01733  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 428, ... 440, ) == 0x0
 01734  2016   NtQuerySection  (440, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01735  2016   NtClose  (428, ... ) == 0x0
 01736  2016   NtMapViewOfSection  (440, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0
 01737   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0`\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0`\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81887, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0`\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0`\5\0\0" )  ) == 0x0
 01738   896   NtResumeThread  (436, ... 1, ) == 0x0
 01739   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 51183616, 1048576, ) == 0x0
 01740   896   NtAllocateVirtualMemory  (-1, 52224000, 0, 8192, 4096, 4, ... 52224000, 8192, ) == 0x0
 01741   896   NtProtectVirtualMemory  (-1, (0x31ce000), 4096, 260, ... (0x31ce000), 4096, 4, ) == 0x0
 01742   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01743  2016   NtClose  (440, ...
 01744  1376   NtWaitForSingleObject  (88, 0, 0x0, ...
 01743  2016   NtClose  ... ) == 0x0
 01745  2016   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0
 01746  2016   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0
 01747  2016   NtFlushInstructionCache  (-1, 1906905088, 128, ... ) == 0x0
 01742   896   NtCreateThread  ... 440, {1252, 1436}, ) == 0x0
 01748   896   NtQueryInformationThread  (440, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1252,Tid=1436,}, 0x0, ) == 0x0
 01749   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0\234\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0\234\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81888, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0\234\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0\234\5\0\0" )  ) == 0x0
 01750   896   NtResumeThread  (440, ... 1, ) == 0x0
 01751   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 52232192, 1048576, ) == 0x0
 01752   896   NtAllocateVirtualMemory  (-1, 53272576, 0, 8192, 4096, 4, ... 53272576, 8192, ) == 0x0
 01753  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ...
 01754  1436   NtWaitForSingleObject  (88, 0, 0x0, ...
 01753  2016   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01755  2016   NtSetEventBoostPriority  (88, ...
 01712   588   NtWaitForSingleObject  ... ) == 0x0
 01756   588   NtSetEventBoostPriority  (88, ...
 01725   384   NtWaitForSingleObject  ... ) == 0x0
 01757   384   NtSetEventBoostPriority  (88, ...
 01731  1652   NtWaitForSingleObject  ... ) == 0x0
 01758  1652   NtSetEventBoostPriority  (88, ...
 01744  1376   NtWaitForSingleObject  ... ) == 0x0
 01759  1376   NtSetEventBoostPriority  (88, ...
 01754  1436   NtWaitForSingleObject  ... ) == 0x0
 01760  1436   NtTestAlert  (... ) == 0x0
 01759  1376   NtSetEventBoostPriority  ... ) == 0x0
 01758  1652   NtSetEventBoostPriority  ... ) == 0x0
 01757   384   NtSetEventBoostPriority  ... ) == 0x0
 01756   588   NtSetEventBoostPriority  ... ) == 0x0
 01755  2016   NtSetEventBoostPriority  ... ) == 0x0
 01761   896   NtProtectVirtualMemory  (-1, (0x32ce000), 4096, 260, ...
 01762  1436   NtContinue  (52231472, 1, ...
 01763  1376   NtTestAlert  (...
 01764  1652   NtTestAlert  (...
 01765   384   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 01766   588   NtTestAlert  (...
 01761   896   NtProtectVirtualMemory  ... (0x32ce000), 4096, 4, ) == 0x0
 01767  1436   NtRegisterThreadTerminatePort  (24, ...
 01763  1376   NtTestAlert  ... ) == 0x0
 01764  1652   NtTestAlert  ... ) == 0x0
 01765   384   NtCreateKey  ... 428, 2, ) == 0x0
 01766   588   NtTestAlert  ... ) == 0x0
 01768   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01767  1436   NtRegisterThreadTerminatePort  ... ) == 0x0
 01769  1376   NtContinue  (51182896, 1, ...
 01770  1652   NtContinue  (50134320, 1, ...
 01771   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01772   588   NtContinue  (49085744, 1, ...
 01768   896   NtCreateThread  ... 444, {1252, 1368}, ) == 0x0
 01773  1436   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 01774  1376   NtRegisterThreadTerminatePort  (24, ...
 01775  1652   NtRegisterThreadTerminatePort  (24, ...
 01771   384   NtOpenKey  ... 448, ) == 0x0
 01776   588   NtRegisterThreadTerminatePort  (24, ...
 01777   896   NtQueryInformationThread  (444, Basic, 28, ...
 01773  1436   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 01774  1376   NtRegisterThreadTerminatePort  ... ) == 0x0
 01775  1652   NtRegisterThreadTerminatePort  ... ) == 0x0
 01778   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01776   588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01777   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1252,Tid=1368,}, 0x0, ) == 0x0
 01779  1436   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01780  1376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01781  1652   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01778   384   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01782   588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01783  2016   NtClose  (408, ...
 01784   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81888, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0X\5\0\0" ...  ...
 01779  1436   NtDuplicateObject  ... 452, ) == 0x0
 01780  1376   NtDuplicateObject  ... 456, ) == 0x0
 01781  1652   NtDuplicateObject  ... 460, ) == 0x0
 01785   384   NtQueryValueKey  (428,  (428, "Hostname", Partial, 144, ... , Partial, 144, ...
 01783  2016   NtClose  ... ) == 0x0
 01784   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81889, 0}  ... {28, 56, reply, 0, 1252, 896, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0X\5\0\0" )  ) == 0x0
 01786  1436   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01787  1376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01788  1652   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01785   384   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01789  2016   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11075200, 67, ... }, 0x0, 0, 3, 3, 0, 11075200, 67, ...
 01790   896   NtResumeThread  (444, ...
 01786  1436   NtWaitForSingleObject  ... ) == 0x102
 01787  1376   NtWaitForSingleObject  ... ) == 0x102
 01788  1652   NtWaitForSingleObject  ... ) == 0x102
 01791   384   NtQueryValueKey  (428,  (428, "Hostname", Partial, 144, ... , Partial, 144, ...
 01789  2016   NtCreateFile  ... 408, {status=0x0, info=0}, ) == 0x0
 01790   896   NtResumeThread  ... 1, ) == 0x0
 01792  1436   NtWaitForSingleObject  (124, 0, 0x0, ...
 01793  1376   NtWaitForSingleObject  (124, 0, 0x0, ...
 01794  1652   NtWaitForSingleObject  (124, 0, 0x0, ...
 01791   384   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01795  2016   NtDeviceIoControlFile  (408, 108, 0x0, 0x0, 0x1207b,  (408, 108, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 01796   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01797   384   NtClose  (428, ...
 01795  2016   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\230\353s\201", ) , ) == 0x0
 01782   588   NtDuplicateObject  ... 464, ) == 0x0
 01798  1368   NtTestAlert  (...
 01797   384   NtClose  ... ) == 0x0
 01796   896   NtAllocateVirtualMemory  ... 53280768, 1048576, ) == 0x0
 01799   588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01798  1368   NtTestAlert  ... ) == 0x0
 01800  2016   NtDeviceIoControlFile  (408, 108, 0x0, 0x0, 0x1207b,  (408, 108, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\230\353s\201", 16, 16, ... , 16, 16, ...
 01801   896   NtAllocateVirtualMemory  (-1, 54321152, 0, 8192, 4096, 4, ...
 01799   588   NtWaitForSingleObject  ... ) == 0x102
 01802  1368   NtContinue  (53280048, 1, ...
 01800  2016   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\230\353s\201", ) , ) == 0x0
 01801   896   NtAllocateVirtualMemory  ... 54321152, 8192, ) == 0x0
 01803   588   NtWaitForSingleObject  (124, 0, 0x0, ...
 01804  1368   NtRegisterThreadTerminatePort  (24, ...
 01805  2016   NtDeviceIoControlFile  (408, 108, 0x0, 0x0, 0x12047,  (408, 108, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 01806   896   NtProtectVirtualMemory  (-1, (0x33ce000), 4096, 260, ...
 01804  1368   NtRegisterThreadTerminatePort  ... ) == 0x0
 01805  2016   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 01806   896   NtProtectVirtualMemory  ... (0x33ce000), 4096, 4, ) == 0x0
 01807   384   NtClose  (448, ...
 01808  2016   NtWaitForSingleObject  (56, 0, {0, 0}, ...
 01809   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01807   384   NtClose  ... ) == 0x0
 01808  2016   NtWaitForSingleObject  ... ) == 0x102
 01810  1368   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01811   384   NtDeviceIoControlFile  (404, 0, 0x0, 0x0, 0x390008,  (404, 0, 0x0, 0x0, 0x390008, "\301\327\320\342\20\337\324\3006\253\305$\364\21\202\302\306/hhw*\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01812  2016   NtDeviceIoControlFile  (408, 108, 0x0, 0x0, 0x12003,  (408, 108, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 01810  1368   NtDuplicateObject  ... 448, ) == 0x0
 01813   384   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01812  2016   NtDeviceIoControlFile  ... {status=0x0, info=428},  ... {status=0x0, info=428}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01814  1368   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01813   384   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01815  2016   NtDeviceIoControlFile  (408, 108, 0x0, 0x0, 0x12047,  (408, 108, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01814  1368   NtWaitForSingleObject  ... ) == 0x102
 01816   384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01815  2016   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01817  1368   NtWaitForSingleObject  (124, 0, 0x0, ...
 01809   896   NtCreateThread  ... 468, {1252, 724}, ) == 0x0
 01816   384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01818  2016   NtDeviceIoControlFile  (408, 108, 0x0, 0x0, 0x12037,  (408, 108, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 01819   896   NtQueryInformationThread  (468, Basic, 28, ...
 01820   384   NtQuerySystemInformation  (Performance, 312, ...
 01818  2016   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01819   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1252,Tid=724,}, 0x0, ) == 0x0
 01820   384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01821  2016   NtDeviceIoControlFile  (408, 108, 0x0, 0x0, 0x1200b,  (408, 108, 0x0, 0x0, 0x1200b, "\0\376\250\0\5\0\0\0\0\256\24\0", 12, 0, ... , 12, 0, ...
 01822   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81889, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0\324\2\0\0" ...  ...
 01823   384   NtQuerySystemInformation  (Exception, 16, ...
 01821  2016   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01822   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81890, 0}  ... {28, 56, reply, 0, 1252, 896, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\1\0\0\344\4\0\0\324\2\0\0" )  ) == 0x0
 01823   384   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01824  2016   NtDeviceIoControlFile  (408, 108, 0x0, 0x0, 0x12047,  (408, 108, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\250\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01825   384   NtQuerySystemInformation  (Lookaside, 32, ...
 01824  2016   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01826   896   NtResumeThread  (468, ...
 01825   384   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01826   896   NtResumeThread  ... 1, ) == 0x0
 01827   384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01828   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01827   384   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01828   896   NtAllocateVirtualMemory  ... 54329344, 1048576, ) == 0x0
 01829   384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01830   896   NtAllocateVirtualMemory  (-1, 55369728, 0, 8192, 4096, 4, ...
 01829   384   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01830   896   NtAllocateVirtualMemory  ... 55369728, 8192, ) == 0x0
 01831   384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01832  2016   NtDeviceIoControlFile  (408, 108, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ...
 01833   724   NtTestAlert  (...
 01834   896   NtProtectVirtualMemory  (-1, (0x34ce000), 4096, 260, ...
 01832  2016   NtDeviceIoControlFile  ... {status=0x0, info=26},  ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01833   724   NtTestAlert  ... ) == 0x0
 01834   896   NtProtectVirtualMemory  ... (0x34ce000), 4096, 4, ) == 0x0
 01835  2016   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01836   724   NtContinue  (54328624, 1, ...
 01837   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01835  2016   NtCreateEvent  ... 472, ) == 0x0
 01838   724   NtRegisterThreadTerminatePort  (24, ...
 01837   896   NtCreateThread  ... 476, {1252, 1276}, ) == 0x0
 01839  2016   NtWaitForSingleObject  (472, 0, 0x0, ...
 01838   724   NtRegisterThreadTerminatePort  ... ) == 0x0
 01840   896   NtQueryInformationThread  (476, Basic, 28, ...
 01831   384   NtCreateKey  ... -2147482764, 2, ) == 0x0
 01840   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1252,Tid=1276,}, 0x0, ) == 0x0
 01841   384   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "$\214\31\315\25\315"SFCH\301t*\30p\344E\206\234t\276\306\236\243\323\11\345\177\3562\273\345\267\340\225,\30\261}w\266F^\224\217\323.\275\271\302\251GI\321\266&\11\244\233\350\266,\204m\340\22\251^\207\211\300w\205\252\221Q\205\357#", 80, ... , 0, 3,  (-2147482764, "Seed", 0, 3, "$\214\31\315\25\315"SFCH\301t*\30p\344E\206\234t\276\306\236\243\323\11\345\177\3562\273\345\267\340\225,\30\261}w\266F^\224\217\323.\275\271\302\251GI\321\266&\11\244\233\350\266,\204m\340\22\251^\207\211\300w\205\252\221Q\205\357#", 80, ... SFCH\301t*\30p\344E\206\234t\276\306\236\243\323\11\345\177\3562\273\345\267\340\225,\30\261}w\266F^\224\217\323.\275\271\302\251GI\321\266&\11\244\233\350\266,\204m\340\22\251^\207\211\300w\205\252\221Q\205\357#", 80, ...
 01842   724   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01841   384   NtSetValueKey  ... ) == 0x0
 01842   724   NtDuplicateObject  ... 480, ) == 0x0
 01843   384   NtClose  (-2147482764, ...
 01844   724   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01843   384   NtClose  ... ) == 0x0
 01844   724   NtWaitForSingleObject  ... ) == 0x102
 01811   384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\10N\221\341\260\372\340\215\351\347\211\212\246P^Ds\213\314jb\307\310.\17\311\202\334E.x$\334\310\273Al\217\242\337\321p\244\255\310\226_?_Oi\271\234g\202e\26`+kp\350\230\334\21k\347\310v\245\26\7C\25\274\233\304r\3777\3\21\375\243\210>\327\217\217\301j\267P\306%,\34\211,\35a0\3723\221\373_\221q\24}\16\263\310\25\204\314\353\301m\244\301\273\365\200\363\324\340\2166\35\315$?\237\216C\331\361#=\15\202{N]\305\177y\207\354\311\317\1\300\222S\323d\377\252\12t\216{\321\244\353\251Z\300M\247\221yc6\356Hd\250taT\305\5A\260\202\13\366H#\317\246(\254\304\10\35\0\362\355\336\24\372c\347\363>f\335'\263E\210\243\251\206\335\347\322\354FX]}\307\240{[n\24\32\275\3254\237\11]c\342<\361\370,\237\256P\310C\13H\12h", ) , ) == 0x0
 01845   724   NtWaitForSingleObject  (124, 0, 0x0, ...
 01846   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81890, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0\374\4\0\0" ...  ...
 01847   384   NtDeviceIoControlFile  (404, 0, 0x0, 0x0, 0x390008,  (404, 0, 0x0, 0x0, 0x390008, "\301\327\320\342\20\337\324\3006\253\305$\364\2\246\221\24r\226\232E\17 \302\306/hhw*\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01846   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81891, 0}  ... {28, 56, reply, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0\374\4\0\0" )  ) == 0x0
 01848   384   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01849   896   NtResumeThread  (476, ...
 01848   384   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01849   896   NtResumeThread  ... 1, ) == 0x0
 01850   384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01851   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01850   384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01852  1276   NtTestAlert  (...
 01853   384   NtQuerySystemInformation  (Performance, 312, ...
 01852  1276   NtTestAlert  ... ) == 0x0
 01851   896   NtAllocateVirtualMemory  ... 55377920, 1048576, ) == 0x0
 01854  1276   NtContinue  (55377200, 1, ...
 01855   896   NtAllocateVirtualMemory  (-1, 56418304, 0, 8192, 4096, 4, ...
 01856  1276   NtRegisterThreadTerminatePort  (24, ...
 01855   896   NtAllocateVirtualMemory  ... 56418304, 8192, ) == 0x0
 01856  1276   NtRegisterThreadTerminatePort  ... ) == 0x0
 01857   896   NtProtectVirtualMemory  (-1, (0x35ce000), 4096, 260, ...
 01853   384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01857   896   NtProtectVirtualMemory  ... (0x35ce000), 4096, 4, ) == 0x0
 01858   384   NtQuerySystemInformation  (Exception, 16, ...
 01859   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01858   384   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01860  1276   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01861   384   NtQuerySystemInformation  (Lookaside, 32, ...
 01860  1276   NtDuplicateObject  ... 484, ) == 0x0
 01861   384   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01862  1276   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01863   384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01862  1276   NtWaitForSingleObject  ... ) == 0x102
 01859   896   NtCreateThread  ... 488, {1252, 220}, ) == 0x0
 01864  1276   NtWaitForSingleObject  (124, 0, 0x0, ...
 01865   896   NtQueryInformationThread  (488, Basic, 28, ...
 01863   384   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01865   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1252,Tid=220,}, 0x0, ) == 0x0
 01866   384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01867   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81891, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\334\0\0\0" ...  ...
 01866   384   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01867   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81892, 0}  ... {28, 56, reply, 0, 1252, 896, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\334\0\0\0" )  ) == 0x0
 01868   384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482764, 2, ) }, 0, 0x0, 0, ... -2147482764, 2, ) == 0x0
 01869   384   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "\272Q\26Z\322g\211\322\341#\37f\17\11\330\363\272\330\33L\25\7\252+!\300\311*\242,\255Q\27T\314G8\276\245\224c\200\227\20\215\322\277\227\214\300e\226\303\317|$^\327>\272O\344\205I\316t0HL|\11\244\264w\274\214", 80, ... ) , 0, 3,  (-2147482764, "Seed", 0, 3, "\272Q\26Z\322g\211\322\341#\37f\17\11\330\363\272\330\33L\25\7\252+!\300\311*\242,\255Q\27T\314G8\276\245\224c\200\227\20\215\322\277\227\214\300e\226\303\317|$^\327>\272O\344\205I\316t0HL|\11\244\264w\274\214", 80, ... ) , 80, ... ) == 0x0
 01870   384   NtClose  (-2147482764, ... ) == 0x0
 01847   384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "Z(\371\303\300,\350\255\211\341\260\263L\313x\226fy_twV}\255oP\360\334\341A\204\10\207\32\204WC\315N\352\267$\234\27m\357\12/\232;\231y\313\227\213\361\13\331$}\24\213l\234\352\263\24\257x\230kE\334\226\\223\224\274\313%$\236\373d\32\370r\17\375Z\36\261\330`\304\234\226uz\253\300\201\3379d]\210\202~\313\263\340\33\266\250\17/)\231\22\340`k\252\30@\26\2268\221m\336\2\1\4\306}\220e\22*\243\23\353\37h2\6\233\232\345!-$\3yp\5\14\244\346\14\365\346\11\377sM\263\241\326\241\247\311A\3\27<\346\273T-,\k\221\:\311oX\34)A\312\17*\255\341_\33\331[\357O\11\313\37\343\312P\354"O\257\349\34\377\371\245e{\5WJl^^0\357\17\205\241I\245\271\352[O`u257\349\34\377\371\245e{\5WJl^^0\357\17\205\241I\245\271\352[O`u305\345b\261-\216\17\374\261*\2137", ) == 0x0
 01871   384   NtDeviceIoControlFile  (404, 0, 0x0, 0x0, 0x390008,  (404, 0, 0x0, 0x0, 0x390008, "\301\327\320\342\20\337\324\3006\253\305$\364\2\246\221\24r\226\232E\2303\24r\226\232E\17 \302\306/hhw*\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01872   384   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01873   896   NtResumeThread  (488, ... 1, ) == 0x0
 01874   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 56426496, 1048576, ) == 0x0
 01875   896   NtAllocateVirtualMemory  (-1, 57466880, 0, 8192, 4096, 4, ... 57466880, 8192, ) == 0x0
 01876   896   NtProtectVirtualMemory  (-1, (0x36ce000), 4096, 260, ... (0x36ce000), 4096, 4, ) == 0x0
 01877   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 492, {1252, 1328}, ) == 0x0
 01878   896   NtQueryInformationThread  (492, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1252,Tid=1328,}, 0x0, ) == 0x0
 01872   384   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01879   220   NtTestAlert  (...
 01880   384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01879   220   NtTestAlert  ... ) == 0x0
 01880   384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01881   220   NtContinue  (56425776, 1, ...
 01882   384   NtQuerySystemInformation  (Performance, 312, ...
 01883   220   NtRegisterThreadTerminatePort  (24, ...
 01882   384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01883   220   NtRegisterThreadTerminatePort  ... ) == 0x0
 01884   384   NtQuerySystemInformation  (Exception, 16, ...
 01885   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81892, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\344\4\0\00\5\0\0" ...  ...
 01886   220   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01885   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81893, 0}  ... {28, 56, reply, 0, 1252, 896, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0\344\4\0\00\5\0\0" )  ) == 0x0
 01886   220   NtDuplicateObject  ... 496, ) == 0x0
 01887   896   NtResumeThread  (492, ...
 01888   220   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01887   896   NtResumeThread  ... 1, ) == 0x0
 01888   220   NtWaitForSingleObject  ... ) == 0x102
 01889   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01890   220   NtWaitForSingleObject  (124, 0, 0x0, ...
 01884   384   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01891  1328   NtTestAlert  (...
 01889   896   NtAllocateVirtualMemory  ... 57475072, 1048576, ) == 0x0
 01892   384   NtQuerySystemInformation  (Lookaside, 32, ...
 01891  1328   NtTestAlert  ... ) == 0x0
 01893   896   NtAllocateVirtualMemory  (-1, 58515456, 0, 8192, 4096, 4, ...
 01892   384   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01894  1328   NtContinue  (57474352, 1, ...
 01893   896   NtAllocateVirtualMemory  ... 58515456, 8192, ) == 0x0
 01895   384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01896  1328   NtRegisterThreadTerminatePort  (24, ...
 01897   896   NtProtectVirtualMemory  (-1, (0x37ce000), 4096, 260, ...
 01895   384   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01896  1328   NtRegisterThreadTerminatePort  ... ) == 0x0
 01897   896   NtProtectVirtualMemory  ... (0x37ce000), 4096, 4, ) == 0x0
 01898   384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01899   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01900  1328   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01898   384   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01900  1328   NtDuplicateObject  ... 500, ) == 0x0
 01901   384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01902  1328   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ...
 01901   384   NtCreateKey  ... -2147482764, 2, ) == 0x0
 01902  1328   NtAllocateVirtualMemory  ... 1388544, 4096, ) == 0x0
 01903   384   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "j\243\311(3\253\272\344~q\253\253\1a\232\324q\376\7}IG2\317\304\252\4&x\302?N\353:\320\305D\216z\117\214\33)\2776\222\321GIp\11\372\256\256\361\303\265h\25\263\371Y\203\324\314\21\6\254V\326Q\361\272\263\32+;\12\353", 80, ... , 0, 3,  (-2147482764, "Seed", 0, 3, "j\243\311(3\253\272\344~q\253\253\1a\232\324q\376\7}IG2\317\304\252\4&x\302?N\353:\320\305D\216z\117\214\33)\2776\222\321GIp\11\372\256\256\361\303\265h\25\263\371Y\203\324\314\21\6\254V\326Q\361\272\263\32+;\12\353", 80, ... , 80, ...
 01904  1328   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01903   384   NtSetValueKey  ... ) == 0x0
 01905   384   NtClose  (-2147482764, ... ) == 0x0
 01871   384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\265\327A\375\241!\16k8\4 \246\344\363\336\235\245]\303\14\361b\262\244C@\27\237\2338\223\16\333\11\37\17\37\374*s\203=ce\341\10\372\1\215A\15\246=\214m\39\335+\236\260\225\371Q\34\372!G\20J\315cC\337\346\250\245\262\256%\305(\303\302\223;\305\300M\27\263\36\16\274\301\307X\253\25*\253(d;\177\17w>\346:\303\3332+\200}iG\36Z}4\255\327\325ja&\20\243N\244\236\341\264!\255m\270p\336\227O\3478\234\303\364\11/D\333\314\245\377\254\263)\206\306&\233\304\343\367\5\2Fi\330$.\367\21\2){\5\316\20'\245\225\335\246o\314\206\221\337\333\362\35\357\356PQ\220\217@\370\215&\204&\37\273\262\207\271c\301\351\327[\353\227\26\244\331\313\325\251\4\334\373\335\212K g\360 VT\364\324\242\320\272\365I9u\27\\213\332?\323\232\2100\2557", ) , ) == 0x0
 01906   384   NtDeviceIoControlFile  (404, 0, 0x0, 0x0, 0x390008,  (404, 0, 0x0, 0x0, 0x390008, "\301\327\320\342\20\337\324\3006\253\305$\364\2\246\221\24r\226\232E\2303\24r\226\232E\2303\24r\226\232E\17 \302\306/hhw*\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01907   384   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01908   384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01899   896   NtCreateThread  ... 504, {1252, 1636}, ) == 0x0
 01904  1328   NtWaitForSingleObject  ... ) == 0x102
 01909   896   NtQueryInformationThread  (504, Basic, 28, ...
 01910  1328   NtWaitForSingleObject  (124, 0, 0x0, ...
 01909   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1252,Tid=1636,}, 0x0, ) == 0x0
 01911   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81893, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0d\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0d\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81894, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0d\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0d\6\0\0" )  ) == 0x0
 01912   896   NtResumeThread  (504, ... 1, ) == 0x0
 01913   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 58523648, 1048576, ) == 0x0
 01914   896   NtAllocateVirtualMemory  (-1, 59564032, 0, 8192, 4096, 4, ... 59564032, 8192, ) == 0x0
 01908   384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01915  1636   NtTestAlert  (...
 01916   384   NtQuerySystemInformation  (Performance, 312, ...
 01915  1636   NtTestAlert  ... ) == 0x0
 01916   384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01917  1636   NtContinue  (58522928, 1, ...
 01918   384   NtQuerySystemInformation  (Exception, 16, ...
 01919  1636   NtRegisterThreadTerminatePort  (24, ...
 01918   384   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01919  1636   NtRegisterThreadTerminatePort  ... ) == 0x0
 01920   384   NtQuerySystemInformation  (Lookaside, 32, ...
 01921   896   NtProtectVirtualMemory  (-1, (0x38ce000), 4096, 260, ...
 01922  1636   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01921   896   NtProtectVirtualMemory  ... (0x38ce000), 4096, 4, ) == 0x0
 01922  1636   NtDuplicateObject  ... 508, ) == 0x0
 01923   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01924  1636   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 01925  1636   NtWaitForSingleObject  (124, 0, 0x0, ...
 01923   896   NtCreateThread  ... 512, {1252, 704}, ) == 0x0
 01926   896   NtQueryInformationThread  (512, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1252,Tid=704,}, 0x0, ) == 0x0
 01927   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81894, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0\300\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0\300\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81897, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0\300\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0\300\2\0\0" )  ) == 0x0
 01920   384   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01928   384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01929   384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01930   384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482764, 2, ) }, 0, 0x0, 0, ... -2147482764, 2, ) == 0x0
 01931   384   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "'\216\270\2765.\20\353\270\234h4)H.\275\322\204\267\2539\204!,\245\274\326\31]\277\26=\375\5'\347\331\376\365\357v^\13\364M\312\344\227\314{\15\1\274\257C\340\365\31=\311\13zi\1\200\335#\250\351as\351%\306\206\263>\331\244\326", 80, ... ) , 0, 3,  (-2147482764, "Seed", 0, 3, "'\216\270\2765.\20\353\270\234h4)H.\275\322\204\267\2539\204!,\245\274\326\31]\277\26=\375\5'\347\331\376\365\357v^\13\364M\312\344\227\314{\15\1\274\257C\340\365\31=\311\13zi\1\200\335#\250\351as\351%\306\206\263>\331\244\326", 80, ... ) , 80, ... ) == 0x0
 01932   384   NtClose  (-2147482764, ... ) == 0x0
 01906   384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\3461\4\253\225d\27a\227;\372\267\15\32\272tS||z\303\35\6\215\36#\24\26{?p\371s/\267\27+\243\3272O\272\257\367\331\306\346\315x\340\221a\251\360\320\201oS\305\326\370\36\273\373\327ZwD\240\10\305\307ME\1|p$\364\23&\242\364\262~\245\237\343\352\321\252\263bH\270C\262\354Peb~\340\260\215\374(\374v\217\357#\213*\24\233N\27#\303\213\0\202t6Id\316\345\315\275\246}\237\0\227[e? \356\211\25,\1\6W\10\206&\253&n\372\205\252\360\305+\\245\361\341~\272w\310\223\332\30\336jr_\226\371\234]~\236B.t{\23\262\304esW=\365D\365\23\302j\35u\24\344\334(\341W\244:\237\3107\253^h\227\29S\210y`\346\304\5C\251\303p__\216\26\311\20\262\26\356\212\357f*B\335\345%ZP\327\321\7\2558?\206\247J", ) , ) == 0x0
 01933   896   NtResumeThread  (512, ... 1, ) == 0x0
 01934   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 59572224, 1048576, ) == 0x0
 01935   896   NtAllocateVirtualMemory  (-1, 60612608, 0, 8192, 4096, 4, ... 60612608, 8192, ) == 0x0
 01936   896   NtProtectVirtualMemory  (-1, (0x39ce000), 4096, 260, ... (0x39ce000), 4096, 4, ) == 0x0
 01937   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 516, {1252, 1152}, ) == 0x0
 01938   896   NtQueryInformationThread  (516, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1252,Tid=1152,}, 0x0, ) == 0x0
 01939   384   NtDeviceIoControlFile  (404, 0, 0x0, 0x0, 0x390008,  (404, 0, 0x0, 0x0, 0x390008, "\301\327\320\342\20\337\324\3006\253\305$\364\2\246\221\24r\226\232E\2303\24r\226\232E\2303\24r\226\232E\2303\24r\226\232E\17 \302\306/hhw*\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01940   704   NtTestAlert  (...
 01941   384   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01940   704   NtTestAlert  ... ) == 0x0
 01941   384   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01942   704   NtContinue  (59571504, 1, ...
 01943   384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01944   704   NtRegisterThreadTerminatePort  (24, ...
 01943   384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01944   704   NtRegisterThreadTerminatePort  ... ) == 0x0
 01945   384   NtQuerySystemInformation  (Performance, 312, ...
 01946   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81897, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81897, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\200\4\0\0" ...  ...
 01947   704   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01946   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81898, 0}  ... {28, 56, reply, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0\344\4\0\0\200\4\0\0" )  ) == 0x0
 01947   704   NtDuplicateObject  ... 520, ) == 0x0
 01948   896   NtResumeThread  (516, ...
 01949   704   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01948   896   NtResumeThread  ... 1, ) == 0x0
 01949   704   NtWaitForSingleObject  ... ) == 0x102
 01950   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01951   704   NtWaitForSingleObject  (124, 0, 0x0, ...
 01945   384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01952  1152   NtTestAlert  (...
 01950   896   NtAllocateVirtualMemory  ... 60620800, 1048576, ) == 0x0
 01953   384   NtQuerySystemInformation  (Exception, 16, ...
 01952  1152   NtTestAlert  ... ) == 0x0
 01954   896   NtAllocateVirtualMemory  (-1, 61661184, 0, 8192, 4096, 4, ...
 01953   384   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01955  1152   NtContinue  (60620080, 1, ...
 01954   896   NtAllocateVirtualMemory  ... 61661184, 8192, ) == 0x0
 01956   384   NtQuerySystemInformation  (Lookaside, 32, ...
 01957  1152   NtRegisterThreadTerminatePort  (24, ...
 01958   896   NtProtectVirtualMemory  (-1, (0x3ace000), 4096, 260, ...
 01956   384   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01957  1152   NtRegisterThreadTerminatePort  ... ) == 0x0
 01958   896   NtProtectVirtualMemory  ... (0x3ace000), 4096, 4, ) == 0x0
 01959   384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01960   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01961  1152   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01959   384   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01961  1152   NtDuplicateObject  ... 524, ) == 0x0
 01962   384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01963  1152   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01962   384   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01963  1152   NtWaitForSingleObject  ... ) == 0x102
 01964   384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01965  1152   NtWaitForSingleObject  (124, 0, 0x0, ...
 01964   384   NtCreateKey  ... -2147482764, 2, ) == 0x0
 01960   896   NtCreateThread  ... 528, {1252, 1228}, ) == 0x0
 01966   384   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "\265\275\360\256\247\12\251\324\330\367\7\224\16\216\3437vw\240\231\341.\234R\360\33NWJ~\365\344\11\340A\375\304\251\375\313\331\315:\307\200bo\377\264\341'\220\34\0\324\201\7Z\302?\7\232W\354\246\264\32\215\14O-(f~Bo\274%\341\247", 80, ... , 0, 3,  (-2147482764, "Seed", 0, 3, "\265\275\360\256\247\12\251\324\330\367\7\224\16\216\3437vw\240\231\341.\234R\360\33NWJ~\365\344\11\340A\375\304\251\375\313\331\315:\307\200bo\377\264\341'\220\34\0\324\201\7Z\302?\7\232W\354\246\264\32\215\14O-(f~Bo\274%\341\247", 80, ... , 80, ...
 01967   896   NtQueryInformationThread  (528, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1252,Tid=1228,}, 0x0, ) == 0x0
 01968   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81898, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\314\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81899, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\314\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81899, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81898, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\314\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81899, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0\314\4\0\0" )  ) == 0x0
 01969   896   NtResumeThread  (528, ... 1, ) == 0x0
 01970   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 61669376, 1048576, ) == 0x0
 01971   896   NtAllocateVirtualMemory  (-1, 62709760, 0, 8192, 4096, 4, ... 62709760, 8192, ) == 0x0
 01966   384   NtSetValueKey  ... ) == 0x0
 01972  1228   NtTestAlert  (...
 01973   384   NtClose  (-2147482764, ...
 01972  1228   NtTestAlert  ... ) == 0x0
 01973   384   NtClose  ... ) == 0x0
 01974  1228   NtContinue  (61668656, 1, ...
 01939   384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\312\254\320sE\231\247\226\23\251\13\334r\20\316?!\273g\202\58\353z'lI\36\27\300Z\25$\343\336\275J\21GN\335}%\316\312\1\272\304j9\346\234F\320G\373\11\325\353\263\275-\15\251\232\320\234\253\244\252\335w\344mC\322;\23\221\276\347+"\2\300\3\212\211\20L\235\26\242\217\1\254v\354\300 i\35{\10\256\211]%\6\302\2352\212\304\211\27\354/X\241\266\321\324>\4\277)\236Q\312\220*k]\260\325R;\367\305{\201\303\242*xDg534\303\231^-\224\272\33\215\240\211\21\360\321\223\352\257\34\223\265p\371\375j\10\310@5|o\351\353> \210\337`\227x\322\235\204\@\336\3727)?\201\4+\336~\357\10n\210#\342\274k\324\207z,AW\362e\311T\374>\p8O\340\300;>\177\314_#\32-`\234\230\203\213\232\352\30j\366\361y\255%^v7I", ) \2\300\3\212\211\20L\235\26\242\217\1\254v\354\300 i\35{\10\256\211]%\6\302\2352\212\304\211\27\354/X\241\266\321\324>\4\277)\236Q\312\220*k]\260\325R;\367\305{\201\303\242*xDg534\303\231^-\224\272\33\215\240\211\21\360\321\223\352\257\34\223\265p\371\375j\10\310@5|o\351\353> \210\337`\227x\322\235\204\@\336\3727)?\201\4+\336~\357\10n\210#\342\274k\324\207z,AW\362e\311T\374>\p8O\340\300;>\177\314_#\32-`\234\230\203\213\232\352\30j\366\361y\255%^v7I", ) == 0x0
 01975  1228   NtRegisterThreadTerminatePort  (24, ...
 01976   384   NtDeviceIoControlFile  (404, 0, 0x0, 0x0, 0x390008,  (404, 0, 0x0, 0x0, 0x390008, "\301\327\320\342\20\337\324\3006\253\305$\364\2\246\221\24r\226\232E\2303\24r\226\232E\2303\24r\226\232E\2303\24r\226\232E\2303\24r\226\232E\17 \302\306/hhw*\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01975  1228   NtRegisterThreadTerminatePort  ... ) == 0x0
 01977   384   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01978   896   NtProtectVirtualMemory  (-1, (0x3bce000), 4096, 260, ...
 01979  1228   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01978   896   NtProtectVirtualMemory  ... (0x3bce000), 4096, 4, ) == 0x0
 01979  1228   NtDuplicateObject  ... 532, ) == 0x0
 01980   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01981  1228   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01980   896   NtCreateThread  ... 536, {1252, 792}, ) == 0x0
 01981  1228   NtWaitForSingleObject  ... ) == 0x102
 01982   896   NtQueryInformationThread  (536, Basic, 28, ...
 01983  1228   NtWaitForSingleObject  (124, 0, 0x0, ...
 01982   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1252,Tid=792,}, 0x0, ) == 0x0
 01977   384   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01984   384   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01985   384   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01986   384   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01987   384   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01988   384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01989   384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01990   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81899, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81899, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\30\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\30\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81900, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81899, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\30\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\30\3\0\0" )  ) == 0x0
 01991   896   NtResumeThread  (536, ... 1, ) == 0x0
 01992   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 62717952, 1048576, ) == 0x0
 01993   896   NtAllocateVirtualMemory  (-1, 63758336, 0, 8192, 4096, 4, ... 63758336, 8192, ) == 0x0
 01994   896   NtProtectVirtualMemory  (-1, (0x3cce000), 4096, 260, ... (0x3cce000), 4096, 4, ) == 0x0
 01995   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01989   384   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01996   792   NtTestAlert  (...
 01997   384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01996   792   NtTestAlert  ... ) == 0x0
 01997   384   NtCreateKey  ... -2147482764, 2, ) == 0x0
 01998   792   NtContinue  (62717232, 1, ...
 01999   384   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "x\271&\347\221\27\325\277\355(r\344\334\362\370;\317\11y\2`\270o\365\365\337\21\200\37\366\345b\224\321\1g\1NK\316 D\221?\260\20\355\303\263\262\253\247\207\221S\364S\276O\256M\306\241\0B\345\30\21\261\2574/_\326^\370\366 \243,", 80, ... , 0, 3,  (-2147482764, "Seed", 0, 3, "x\271&\347\221\27\325\277\355(r\344\334\362\370;\317\11y\2`\270o\365\365\337\21\200\37\366\345b\224\321\1g\1NK\316 D\221?\260\20\355\303\263\262\253\247\207\221S\364S\276O\256M\306\241\0B\345\30\21\261\2574/_\326^\370\366 \243,", 80, ... , 80, ...
 02000   792   NtRegisterThreadTerminatePort  (24, ...
 01999   384   NtSetValueKey  ... ) == 0x0
 02000   792   NtRegisterThreadTerminatePort  ... ) == 0x0
 02001   384   NtClose  (-2147482764, ...
 01995   896   NtCreateThread  ... 540, {1252, 1484}, ) == 0x0
 02002   792   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02003   896   NtQueryInformationThread  (540, Basic, 28, ...
 02002   792   NtDuplicateObject  ... 544, ) == 0x0
 02003   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1252,Tid=1484,}, 0x0, ) == 0x0
 02004   792   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02005   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81900, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0\314\5\0\0" ...  ...
 02004   792   NtWaitForSingleObject  ... ) == 0x102
 02005   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81901, 0}  ... {28, 56, reply, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\344\4\0\0\314\5\0\0" )  ) == 0x0
 02006   792   NtWaitForSingleObject  (124, 0, 0x0, ...
 02001   384   NtClose  ... ) == 0x0
 02007   896   NtResumeThread  (540, ...
 01976   384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "Y\24&\226\305\366f\255\305\\321\335\227\303\246\211C\203\340\305\242\302l\222\33\3\357\350x\376\316\247\370\243\25\303\200u{\321*[\355!\232,\365\314\21@2k\201\265\230\371\7a\343\254.P\2\240\316\244nr\317\263\354\221T\355\377\313\231\2"", ) r\317\263\354\221T\355\377\313\231\2"", ) == 0x0
 02007   896   NtResumeThread  ... 1, ) == 0x0
 02008   384   NtDeviceIoControlFile  (404, 0, 0x0, 0x0, 0x390008,  (404, 0, 0x0, 0x0, 0x390008, "\301\327\320\342\20\337\324\3006\253\305$\364\2\246\221\24r\226\232E\2303\24r\226\232E\2303\24r\226\232E\2303\24r\226\232E\2303\24r\226\232E\2303\24r\226\232E\17 \302\306/hhw*\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02009   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02010   384   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02009   896   NtAllocateVirtualMemory  ... 63766528, 1048576, ) == 0x0
 02010   384   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02011   896   NtAllocateVirtualMemory  (-1, 64806912, 0, 8192, 4096, 4, ...
 02012   384   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02011   896   NtAllocateVirtualMemory  ... 64806912, 8192, ) == 0x0
 02013  1484   NtTestAlert  (...
 02012   384   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02013  1484   NtTestAlert  ... ) == 0x0
 02014   384   NtQuerySystemInformation  (Performance, 312, ...
 02015  1484   NtContinue  (63765808, 1, ...
 02014   384   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02016  1484   NtRegisterThreadTerminatePort  (24, ...
 02017   384   NtQuerySystemInformation  (Exception, 16, ...
 02016  1484   NtRegisterThreadTerminatePort  ... ) == 0x0
 02017   384   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02018   896   NtProtectVirtualMemory  (-1, (0x3dce000), 4096, 260, ...
 02019   384   NtQuerySystemInformation  (Lookaside, 32, ...
 02018   896   NtProtectVirtualMemory  ... (0x3dce000), 4096, 4, ) == 0x0
 02020  1484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02021   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02020  1484   NtDuplicateObject  ... 548, ) == 0x0
 02021   896   NtCreateThread  ... 552, {1252, 888}, ) == 0x0
 02022  1484   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02023   896   NtQueryInformationThread  (552, Basic, 28, ...
 02022  1484   NtWaitForSingleObject  ... ) == 0x102
 02023   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1252,Tid=888,}, 0x0, ) == 0x0
 02024  1484   NtWaitForSingleObject  (124, 0, 0x0, ...
 02019   384   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02025   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81901, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81901, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0x\3\0\0" ...  ...
 02026   384   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02025   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81902, 0}  ... {28, 56, reply, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0x\3\0\0" )  ) == 0x0
 02026   384   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02027   896   NtResumeThread  (552, ...
 02028   384   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02027   896   NtResumeThread  ... 1, ) == 0x0
 02028   384   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02029   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02030   384   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02031   888   NtTestAlert  (...
 02029   896   NtAllocateVirtualMemory  ... 64815104, 1048576, ) == 0x0
 02031   888   NtTestAlert  ... ) == 0x0
 02032   896   NtAllocateVirtualMemory  (-1, 65855488, 0, 8192, 4096, 4, ...
 02033   888   NtContinue  (64814384, 1, ...
 02032   896   NtAllocateVirtualMemory  ... 65855488, 8192, ) == 0x0
 02034   888   NtRegisterThreadTerminatePort  (24, ...
 02035   896   NtProtectVirtualMemory  (-1, (0x3ece000), 4096, 260, ...
 02034   888   NtRegisterThreadTerminatePort  ... ) == 0x0
 02035   896   NtProtectVirtualMemory  ... (0x3ece000), 4096, 4, ) == 0x0
 02030   384   NtCreateKey  ... -2147482764, 2, ) == 0x0
 02036   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02037   384   NtSetValueKey  (-2147482764,  (-2147482764, "Seed", 0, 3, "\7kTO\7\262m\315\232P>x\316\237<]0\211\346\320\224\27\341\235\2076,[\21\367\332\213._\226\234\364\303\223\16\36\366\3o\317\346}\23\202\346\272\210\347>\243\236!~!R}=\353\305\6\257&\353\32\253\13\273\30\2\317\336\232\356\36\255", 80, ... , 0, 3,  (-2147482764, "Seed", 0, 3, "\7kTO\7\262m\315\232P>x\316\237<]0\211\346\320\224\27\341\235\2076,[\21\367\332\213._\226\234\364\303\223\16\36\366\3o\317\346}\23\202\346\272\210\347>\243\236!~!R}=\353\305\6\257&\353\32\253\13\273\30\2\317\336\232\356\36\255", 80, ... , 80, ...
 02038   888   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02037   384   NtSetValueKey  ... ) == 0x0
 02038   888   NtDuplicateObject  ... 556, ) == 0x0
 02039   384   NtClose  (-2147482764, ...
 02040   888   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02039   384   NtClose  ... ) == 0x0
 02040   888   NtWaitForSingleObject  ... ) == 0x102
 02008   384   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\4\226\261\377\262|p\230\7*|i~\255-}\330\21:\313\31\345\222\21@\32\273\375\377\241\215\356\367\7M\240Xc^\27\343\257`@P\344\301{G\266*\17DQ%\363\243\247\`l\250]\364\231:\355\255\337\342\200\343\235\230\37\34v(\313\3\250\213\20I\321\212(\2366\|\221\310d\227\276P_~\235\2353\2208\271\367u\250\367\177D\262\271)\342\351\211p\336\224\257\337\365\217VL)\6@\20\302\31W\270\372\22\376\370\5\215\270*\347tGy\22>\224\262TNV\3\37\323\15}\315\306\345\315\337\254\230\324\253\20\353K&A\372\324\332|Ro3\226\205\264\346\350\272\5\205\277\231]\342\253\263(\234\250\14\323r\272\15\3238?\326?\270\371\232@\263\375$\24\367f\376\351\336\26j\20)\266\344q<\221r\214V* A\22\234\204|\2543`\332\21cr7\340\335\250v\332\7\31\303", ) , ) == 0x0
 02041   888   NtWaitForSingleObject  (124, 0, 0x0, ...
 02036   896   NtCreateThread  ... 560, {1252, 1120}, ) == 0x0
 02042   384   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02043   896   NtQueryInformationThread  (560, Basic, 28, ...
 02042   384   NtCreateEvent  ... 564, ) == 0x0
 02043   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1252,Tid=1120,}, 0x0, ) == 0x0
 02044   384   NtSetEventBoostPriority  (472, ...
 02045   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81902, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81902, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0`\4\0\0" ...  ...
 01839  2016   NtWaitForSingleObject  ... ) == 0x0
 02044   384   NtSetEventBoostPriority  ... ) == 0x0
 02046  2016   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ...
 02045   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81903, 0}  ... {28, 56, reply, 0, 1252, 896, 81903, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0`\4\0\0" )  ) == 0x0
 02046  2016   NtAllocateVirtualMemory  ... 1392640, 4096, ) == 0x0
 02047   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 02048   896   NtResumeThread  (560, ... 1, ) == 0x0
 02049   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 65863680, 1048576, ) == 0x0
 02050   896   NtAllocateVirtualMemory  (-1, 66904064, 0, 8192, 4096, 4, ... 66904064, 8192, ) == 0x0
 02051   896   NtProtectVirtualMemory  (-1, (0x3fce000), 4096, 260, ... (0x3fce000), 4096, 4, ) == 0x0
 02052   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 568, {1252, 840}, ) == 0x0
 02053   896   NtQueryInformationThread  (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1252,Tid=840,}, 0x0, ) == 0x0
 02054  2016   NtSetEventBoostPriority  (284, ...
 02055  1120   NtAllocateVirtualMemory  (-1, 8871936, 0, 4096, 4096, 4, ...
 02047   384   NtWaitForSingleObject  ... ) == 0x0
 02054  2016   NtSetEventBoostPriority  ... ) == 0x0
 02056   384   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15527276, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15527276, 188, ...
 02055  1120   NtAllocateVirtualMemory  ... 8871936, 4096, ) == 0x0
 02057  2016   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ...
 02058  1120   NtTestAlert  (...
 02057  2016   NtAllocateVirtualMemory  ... 1396736, 4096, ) == 0x0
 02058  1120   NtTestAlert  ... ) == 0x0
 02059  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02060  1120   NtContinue  (65862960, 1, ...
 02059  2016   NtCreateEvent  ... 572, ) == 0x0
 02061   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81903, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81903, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\0H\3\0\0" ...  ...
 02056   384   NtConnectPort  ... 576, 0x0, 0x0, 0x0, 188, ) == 0x0
 02062  1120   NtRegisterThreadTerminatePort  (24, ...
 02061   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81905, 0}  ... {28, 56, reply, 0, 1252, 896, 81905, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\0H\3\0\0" )  ) == 0x0
 02063   384   NtRequestWaitReplyPort  (576, {200, 224, new_msg, 0, 1384080, 12, 2, 1310721}  (576, {200, 224, new_msg, 0, 1384080, 12, 2, 1310721} "\0\0\0\0\274\0\0\0$?\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\08\13\340\12\17Fk\1\220G\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\0<\25\0\223\241\212\225x\1\24\0\210G\25\0h\1\24\0\0\0\0\0\0\0\0\0\210G\25\0P\0\0\0\220G\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\354\0\372\31\221|\200\363\354\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02062  1120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02064   896   NtResumeThread  (568, ...
 02065  1120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02064   896   NtResumeThread  ... 1, ) == 0x0
 02063   384   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 384, 81906, 0}  ... {200, 224, reply, 0, 1252, 384, 81906, 0} "\7\0\0\0\274\0\0\0$?\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\08\13\340\12\17Fk\1\220G\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\0<\25\0\223\241\212\225x\1\24\0\210G\25\0h\1\24\0\0\0\0\0\0\0\0\0\210G\25\0P\0\0\0\220G\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\354\0\372\31\221|\200\363\354\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02065  1120   NtDuplicateObject  ... 580, ) == 0x0
 02066   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02067   384   NtRequestWaitReplyPort  (576, {44, 68, new_msg, 0, 1252, 384, 81884, 0}  (576, {44, 68, new_msg, 0, 1252, 384, 81884, 0} "\1\0\0\0A\2\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ...  ...
 02068  1120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02069  2016   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11072120, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11072120, 188, ...
 02070   840   NtTestAlert  (... ) == 0x0
 02071   840   NtContinue  (66911536, 1, ...
 02072   840   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02069  2016   NtConnectPort  ... 584, 0x0, 0x0, 0x0, 188, ) == 0x0
 02066   896   NtAllocateVirtualMemory  ... 66912256, 1048576, ) == 0x0
 02068  1120   NtWaitForSingleObject  ... ) == 0x102
 02067   384   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 384, 81907, 0}  ... {40, 64, reply, 0, 1252, 384, 81907, 0} "\2\356Q\200\4\0\0\0@\14\250\201\0\320\372\177\220kt\367\370\37`\300lkt\367X\353Q\200\320\1\0\0X-\12\0" )  ) == 0x0
 02073  2016   NtRequestWaitReplyPort  (584, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2}  (584, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\240<\24\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\311\325l=\314\135\256\220V\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0hV\25\0\350\273\313\363x\1\24\0\210V\25\0h\1\24\0\0\0\0\0\0\0\0\0\210V\25\0P\0\0\0\220V\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\250\0\372\31\221|\214\370\250\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...  ...
 02074   896   NtAllocateVirtualMemory  (-1, 67952640, 0, 8192, 4096, 4, ...
 02075  1120   NtWaitForSingleObject  (124, 0, 0x0, ...
 02076   384   NtRequestWaitReplyPort  (576, {64, 88, new_msg, 56, 1371720, 15527788, 15527888, 0}  (576, {64, 88, new_msg, 56, 1371720, 15527788, 15527888, 0} "\10\357\354\0@\0\24\0\346\277\347w\320\357\354\0l\357\354\0\20\0\0\0\250.\362v\274\356\24\0\1\0\0\0\340V\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\332\24\0" ...  ...
 02074   896   NtAllocateVirtualMemory  ... 67952640, 8192, ) == 0x0
 02073  2016   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 2016, 81909, 0}  ... {200, 224, reply, 0, 1252, 2016, 81909, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240<\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\311\325l=\314\135\256\220V\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0hV\25\0\350\273\313\363x\1\24\0\210V\25\0h\1\24\0\0\0\0\0\0\0\0\0\210V\25\0P\0\0\0\220V\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\250\0\372\31\221|\214\370\250\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 02077   896   NtProtectVirtualMemory  (-1, (0x40ce000), 4096, 260, ...
 02078   840   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02076   384   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 384, 81910, 0}  ... {64, 88, reply, 56, 1252, 384, 81910, 0} "\10\357\354\0@\0\24\0\346\277\347w\320\357\354\0l\357\354\0\20\0\0\0\250.\362v\274\356\24\0\1\0\0\0\340V\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\300\332\24\0" )  ) == 0x0
 02077   896   NtProtectVirtualMemory  ... (0x40ce000), 4096, 4, ) == 0x0
 02078   840   NtDuplicateObject  ... 588, ) == 0x0
 02079   384   NtClose  (564, ...
 02080   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02081   840   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02079   384   NtClose  ... ) == 0x0
 02082  2016   NtRequestWaitReplyPort  (584, {44, 68, new_msg, 56, 0, 0, 0, 0}  (584, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\340\\25\0\322\0\0\0" ...  ...
 02081   840   NtWaitForSingleObject  ... ) == 0x102
 02080   896   NtCreateThread  ... 564, {1252, 876}, ) == 0x0
 02083   840   NtWaitForSingleObject  (124, 0, 0x0, ...
 02084   896   NtQueryInformationThread  (564, Basic, 28, ...
 02082  2016   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 2016, 81911, 0}  ... {40, 64, reply, 0, 1252, 2016, 81911, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\323\1\0\0\350\370\14\0" )  ) == 0x0
 02085   384   NtClose  (576, ...
 02084   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1252,Tid=876,}, 0x0, ) == 0x0
 02086  2016   NtRequestWaitReplyPort  (584, {64, 88, new_msg, 56, 1310720, 11071988, 1400024, 0}  (584, {64, 88, new_msg, 56, 1310720, 11071988, 1400024, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\300]\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02085   384   NtClose  ... ) == 0x0
 02087   384   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 02088   384   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 576, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 576, 2, ) , 0, ... 576, 2, ) == 0x0
 02086  2016   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 2016, 81913, 0}  ... {64, 88, reply, 56, 1252, 2016, 81913, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\300]\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02089   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81905, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81905, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\4\0\0l\3\0\0" ...  ...
 02090   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02089   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81914, 0}  ... {28, 56, reply, 0, 1252, 896, 81914, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\344\4\0\0l\3\0\0" )  ) == 0x0
 02090   384   NtOpenKey  ... 592, ) == 0x0
 02091   896   NtResumeThread  (564, ...
 02092   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02091   896   NtResumeThread  ... 1, ) == 0x0
 02092   384   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02093   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02094   384   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ...
 02095  2016   NtRequestWaitReplyPort  (584, {44, 68, new_msg, 56, 1252, 2016, 81911, 0}  (584, {44, 68, new_msg, 56, 1252, 2016, 81911, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\340\\25\0\322\0\0\0" ...  ...
 02096   876   NtTestAlert  (...
 02094   384   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02096   876   NtTestAlert  ... ) == 0x0
 02095  2016   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 2016, 81915, 0}  ... {40, 64, reply, 0, 1252, 2016, 81915, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" )  ) == 0x0
 02093   896   NtAllocateVirtualMemory  ... 67960832, 1048576, ) == 0x0
 02097   876   NtContinue  (67960112, 1, ...
 02098  2016   NtRequestWaitReplyPort  (584, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0}  (584, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\30j\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02099   896   NtAllocateVirtualMemory  (-1, 69001216, 0, 8192, 4096, 4, ...
 02100   876   NtRegisterThreadTerminatePort  (24, ...
 02099   896   NtAllocateVirtualMemory  ... 69001216, 8192, ) == 0x0
 02100   876   NtRegisterThreadTerminatePort  ... ) == 0x0
 02098  2016   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 2016, 81916, 0}  ... {64, 88, reply, 56, 1252, 2016, 81916, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\30j\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02101   896   NtProtectVirtualMemory  (-1, (0x41ce000), 4096, 260, ...
 02102   384   NtQueryValueKey  (576,  (576, "Domain", Partial, 144, ... , Partial, 144, ...
 02103   876   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02101   896   NtProtectVirtualMemory  ... (0x41ce000), 4096, 4, ) == 0x0
 02102   384   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02103   876   NtDuplicateObject  ... 596, ) == 0x0
 02104   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02105   384   NtQueryValueKey  (576,  (576, "Domain", Partial, 144, ... , Partial, 144, ...
 02106   876   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02107  2016   NtRequestWaitReplyPort  (584, {44, 68, new_msg, 56, 1252, 2016, 81915, 0}  (584, {44, 68, new_msg, 56, 1252, 2016, 81915, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\340\\25\0\322\0\0\0" ...  ...
 02105   384   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02106   876   NtWaitForSingleObject  ... ) == 0x102
 02108   384   NtClose  (576, ...
 02109   876   NtWaitForSingleObject  (124, 0, 0x0, ...
 02107  2016   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 2016, 81917, 0}  ... {40, 64, reply, 0, 1252, 2016, 81917, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" )  ) == 0x0
 02108   384   NtClose  ... ) == 0x0
 02104   896   NtCreateThread  ... 576, {1252, 1104}, ) == 0x0
 02110  2016   NtRequestWaitReplyPort  (584, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0}  (584, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\350l\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02111   896   NtQueryInformationThread  (576, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1252,Tid=1104,}, 0x0, ) == 0x0
 02112   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81914, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81914, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0P\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0P\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81919, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81914, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0P\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0P\4\0\0" )  ) == 0x0
 02110  2016   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 2016, 81918, 0}  ... {64, 88, reply, 56, 1252, 2016, 81918, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\350l\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02113   384   NtClose  (592, ...
 02114   896   NtResumeThread  (576, ...
 02113   384   NtClose  ... ) == 0x0
 02114   896   NtResumeThread  ... 1, ) == 0x0
 02115   384   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 02116   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02115   384   NtOpenKey  ... 592, ) == 0x0
 02116   896   NtAllocateVirtualMemory  ... 69009408, 1048576, ) == 0x0
 02117   384   NtQueryValueKey  (592,  (592, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 02118   896   NtAllocateVirtualMemory  (-1, 70049792, 0, 8192, 4096, 4, ...
 02117   384   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02118   896   NtAllocateVirtualMemory  ... 70049792, 8192, ) == 0x0
 02119  2016   NtClose  (572, ...
 02120  1104   NtTestAlert  (...
 02121   384   NtClose  (592, ...
 02119  2016   NtClose  ... ) == 0x0
 02120  1104   NtTestAlert  ... ) == 0x0
 02121   384   NtClose  ... ) == 0x0
 02122  2016   NtClose  (584, ...
 02123  1104   NtContinue  (69008688, 1, ...
 02124   384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15526864, ... }, 15526864, ...
 02122  2016   NtClose  ... ) == 0x0
 02125  1104   NtRegisterThreadTerminatePort  (24, ...
 02124   384   NtQueryAttributesFile  ... ) == 0x0
 02126  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02125  1104   NtRegisterThreadTerminatePort  ... ) == 0x0
 02127   384   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02126  2016   NtCreateEvent  ... 584, ) == 0x0
 02128   896   NtProtectVirtualMemory  (-1, (0x42ce000), 4096, 260, ...
 02127   384   NtOpenFile  ... 592, {status=0x0, info=1}, ) == 0x0
 02129  1104   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02128   896   NtProtectVirtualMemory  ... (0x42ce000), 4096, 4, ) == 0x0
 02130  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ...
 02129  1104   NtDuplicateObject  ... 572, ) == 0x0
 02131   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02130  2016   NtOpenKey  ... 600, ) == 0x0
 02132  1104   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02131   896   NtCreateThread  ... 604, {1252, 860}, ) == 0x0
 02133  2016   NtOpenKey  (0x20019, {24, 600, 0x40, 0, 0,  (0x20019, {24, 600, 0x40, 0, 0, "ActiveComputerName"}, ... }, ...
 02132  1104   NtWaitForSingleObject  ... ) == 0x102
 02134   896   NtQueryInformationThread  (604, Basic, 28, ...
 02133  2016   NtOpenKey  ... 608, ) == 0x0
 02135  1104   NtWaitForSingleObject  (124, 0, 0x0, ...
 02134   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1252,Tid=860,}, 0x0, ) == 0x0
 02136  2016   NtQueryValueKey  (608,  (608, "ComputerName", Full, 108, ... , Full, 108, ...
 02137   384   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 592, ...
 02136  2016   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02137   384   NtCreateSection  ... 612, ) == 0x0
 02138   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81919, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\0\\3\0\0" ...  ...
 02139   384   NtClose  (592, ...
 02138   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81921, 0}  ... {28, 56, reply, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\0\\3\0\0" )  ) == 0x0
 02139   384   NtClose  ... ) == 0x0
 02140   896   NtResumeThread  (604, ...
 02141   384   NtMapViewOfSection  (612, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02140   896   NtResumeThread  ... 1, ) == 0x0
 02141   384   NtMapViewOfSection  ... (0x860000), 0x0, 20480, ) == 0x0
 02142   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02143  2016   NtClose  (608, ...
 02144   860   NtWaitForSingleObject  (88, 0, 0x0, ...
 02145   384   NtClose  (612, ...
 02143  2016   NtClose  ... ) == 0x0
 02145   384   NtClose  ... ) == 0x0
 02146  2016   NtClose  (600, ... ) == 0x0
 02147  2016   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 600, ) == 0x0
 02148   384   NtUnmapViewOfSection  (-1, 0x860000, ...
 02142   896   NtAllocateVirtualMemory  ... 70057984, 1048576, ) == 0x0
 02148   384   NtUnmapViewOfSection  ... ) == 0x0
 02149   896   NtAllocateVirtualMemory  (-1, 71098368, 0, 8192, 4096, 4, ...
 02150  2016   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ...
 02149   896   NtAllocateVirtualMemory  ... 71098368, 8192, ) == 0x0
 02150  2016   NtCreateIoCompletion  ... 612, ) == 0x0
 02151   896   NtProtectVirtualMemory  (-1, (0x43ce000), 4096, 260, ...
 02152  2016   NtDuplicateObject  (-1, 600, -1, 0x0, 0, 2, ...
 02151   896   NtProtectVirtualMemory  ... (0x43ce000), 4096, 4, ) == 0x0
 02152  2016   NtDuplicateObject  ... 608, ) == 0x0
 02153   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02154  2016   NtOpenThreadToken  (-2, 0xc, 1, ...
 02155   384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15527172, ... }, 15527172, ...
 02154  2016   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02155   384   NtQueryAttributesFile  ... ) == 0x0
 02153   896   NtCreateThread  ... 592, {1252, 1516}, ) == 0x0
 02156   384   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02157   896   NtQueryInformationThread  (592, Basic, 28, ...
 02156   384   NtOpenFile  ... 616, {status=0x0, info=1}, ) == 0x0
 02157   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1252,Tid=1516,}, 0x0, ) == 0x0
 02158   384   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 616, ...
 02159   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81921, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\354\5\0\0" ...  ...
 02158   384   NtCreateSection  ... 620, ) == 0x0
 02159   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81922, 0}  ... {28, 56, reply, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\354\5\0\0" )  ) == 0x0
 02160  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02161   384   NtQuerySection  (620, Image, 48, ...
 02160  2016   NtCreateEvent  ... 624, ) == 0x0
 02161   384   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02162  2016   NtOpenThreadToken  (-2, 0xc, 1, ...
 02163   384   NtClose  (616, ...
 02162  2016   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02163   384   NtClose  ... ) == 0x0
 02164  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02165   384   NtMapViewOfSection  (620, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02164  2016   NtSetInformationThread  ... ) == 0x0
 02165   384   NtMapViewOfSection  ... (0x76fb0000), 0x0, 32768, ) == 0x0
 02166   896   NtResumeThread  (592, ...
 02167  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11071680,  (0xc0100080, {24, 0, 0x40, 0, 11071680, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ...
 02166   896   NtResumeThread  ... 1, ) == 0x0
 02167  2016   NtCreateFile  ... 616, {status=0x0, info=1}, ) == 0x0
 02168   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02169  2016   NtSetInformationFile  (616, 11071736, 8, Pipe, ...
 02168   896   NtAllocateVirtualMemory  ... 71106560, 1048576, ) == 0x0
 02169  2016   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02170   896   NtAllocateVirtualMemory  (-1, 72146944, 0, 8192, 4096, 4, ...
 02171  2016   NtSetInformationFile  (616, 11071724, 8, Completion, ...
 02170   896   NtAllocateVirtualMemory  ... 72146944, 8192, ) == 0x0
 02171  2016   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02172   384   NtClose  (620, ...
 02173  1516   NtWaitForSingleObject  (88, 0, 0x0, ...
 02174   896   NtProtectVirtualMemory  (-1, (0x44ce000), 4096, 260, ...
 02172   384   NtClose  ... ) == 0x0
 02174   896   NtProtectVirtualMemory  ... (0x44ce000), 4096, 4, ) == 0x0
 02175   384   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02176   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02175   384   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02176   896   NtCreateThread  ... 620, {1252, 780}, ) == 0x0
 02177   896   NtQueryInformationThread  (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1252,Tid=780,}, 0x0, ) == 0x0
 02178   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0\14\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0\14\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81923, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0\14\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\344\4\0\0\14\3\0\0" )  ) == 0x0
 02179   896   NtResumeThread  (620, ... 1, ) == 0x0
 02180   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02181  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02182   780   NtWaitForSingleObject  (88, 0, 0x0, ...
 02183   384   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02181  2016   NtSetInformationThread  ... ) == 0x0
 02183   384   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02184  2016   NtWriteFile  (616, 221, 0, 0,  (616, 221, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 02185   384   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02184  2016   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 02185   384   NtFlushInstructionCache  ... ) == 0x0
 02186  2016   NtReadFile  (616, 221, 0, 0, 1024, {0, 0}, 0, ...
 02187   384   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02186  2016   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02187   384   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02180   896   NtAllocateVirtualMemory  ... 72155136, 1048576, ) == 0x0
 02188  2016   NtFsControlFile  (616, 221, 0x0, 0x0, 0x11c017,  (616, 221, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\250\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ...
 02189   896   NtAllocateVirtualMemory  (-1, 73195520, 0, 8192, 4096, 4, ...
 02188  2016   NtFsControlFile  ... {status=0x103, info=68},  ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02189   896   NtAllocateVirtualMemory  ... 73195520, 8192, ) == 0x0
 02190  2016   NtFsControlFile  (616, 221, 0x0, 0x0, 0x11c017,  (616, 221, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\1\0\0\0\1\0\0\0&\0(\0Ho\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ...
 02191   896   NtProtectVirtualMemory  (-1, (0x45ce000), 4096, 260, ...
 02192   384   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02191   896   NtProtectVirtualMemory  ... (0x45ce000), 4096, 4, ) == 0x0
 02192   384   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02193   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02194   384   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02190  2016   NtFsControlFile  ... {status=0x103, info=48},  ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) , ) == 0x103
 02194   384   NtFlushInstructionCache  ... ) == 0x0
 02195  2016   NtFsControlFile  (616, 221, 0x0, 0x0, 0x11c017,  (616, 221, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... , 44, 1024, ...
 02196   384   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ...
 02195  2016   NtFsControlFile  ... {status=0x103, info=156},  ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\300`\25\0\1\0\0\0\314`\25\0 \0\0\0\1\0\0\0\30\0\32\0\330`\25\0\364`\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\370F\25\0\1\0\0\0\5\0i\0\10G\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02196   384   NtOpenSection  ... 628, ) == 0x0
 02197  2016   NtClose  (624, ...
 02193   896   NtCreateThread  ... 632, {1252, 940}, ) == 0x0
 02197  2016   NtClose  ... ) == 0x0
 02198   896   NtQueryInformationThread  (632, Basic, 28, ...
 02199  2016   NtClose  (616, ...
 02198   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1252,Tid=940,}, 0x0, ) == 0x0
 02200   384   NtMapViewOfSection  (628, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02201   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81923, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\254\3\0\0" ...  ...
 02200   384   NtMapViewOfSection  ... (0x76f60000), 0x0, 180224, ) == 0x0
 02201   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81924, 0}  ... {28, 56, reply, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\254\3\0\0" )  ) == 0x0
 02202   384   NtClose  (628, ...
 02199  2016   NtClose  ... ) == 0x0
 02202   384   NtClose  ... ) == 0x0
 02203  2016   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1384080, 0x0, 11073604, 188, ... , {12, 2, 1, 1}, 0x0, 1384080, 0x0, 11073604, 188, ...
 02204   384   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ...
 02203  2016   NtSecureConnectPort  ... 628, 0x0, 0x0, 0x0, 188, ) == 0x0
 02204   384   NtProtectVirtualMemory  ... (0x76f61000), 4096, 32, ) == 0x0
 02205  2016   NtOpenThreadToken  (-2, 0xc, 1, ...
 02206   896   NtResumeThread  (632, ...
 02205  2016   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02206   896   NtResumeThread  ... 1, ) == 0x0
 02207   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 73203712, 1048576, ) == 0x0
 02208   896   NtAllocateVirtualMemory  (-1, 74244096, 0, 8192, 4096, 4, ... 74244096, 8192, ) == 0x0
 02209   896   NtProtectVirtualMemory  (-1, (0x46ce000), 4096, 260, ... (0x46ce000), 4096, 4, ) == 0x0
 02210   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {1252, 1268}, ) == 0x0
 02211   896   NtQueryInformationThread  (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1252,Tid=1268,}, 0x0, ) == 0x0
 02212  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02213   940   NtWaitForSingleObject  (88, 0, 0x0, ...
 02214   384   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ...
 02212  2016   NtSetInformationThread  ... ) == 0x0
 02214   384   NtProtectVirtualMemory  ... (0x76f61000), 4096, 4, ) == 0x0
 02215  2016   NtRequestWaitReplyPort  (628, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977}  (628, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0FmHq\324PG\367\177\253P\4\345\265\304\224\12\0\0\0hc\345\320\20%\305\0\0\0\0\330Y\25\0\200\303\233"\352H\221\365(\0\0\0\4\242\0\363\0\0\24\0\240\366\250\0\233b&%\0\0\0\0\220V\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... \352H\221\365(\0\0\0\4\242\0\363\0\0\24\0\240\366\250\0\233b&%\0\0\0\0\220V\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...
 02216   384   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02215  2016   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 2016, 81926, 0}  ... {200, 224, reply, 0, 1252, 2016, 81926, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0FmHq\324PG\367\177\253P\4\345\265\304\224\12\0\0\0hc\345\320\20%\305\0\0\0\0\330Y\25\0\200\303\233"\352H\221\365(\0\0\0\4\242\0\363\0\0\24\0\240\366\250\0\233b&%\0\0\0\0\220V\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) \352H\221\365(\0\0\0\4\242\0\363\0\0\24\0\240\366\250\0\233b&%\0\0\0\0\220V\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) == 0x0
 02217   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81924, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0\364\4\0\0" ...  ...
 02218  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02217   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81927, 0}  ... {28, 56, reply, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0\364\4\0\0" )  ) == 0x0
 02219   384   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ...
 02220   896   NtResumeThread  (616, ...
 02219   384   NtProtectVirtualMemory  ... (0x76f61000), 4096, 32, ) == 0x0
 02220   896   NtResumeThread  ... 1, ) == 0x0
 02221   384   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ...
 02222   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02221   384   NtProtectVirtualMemory  ... (0x76f61000), 4096, 4, ) == 0x0
 02218  2016   NtSetInformationThread  ... ) == 0x0
 02223  1268   NtWaitForSingleObject  (88, 0, 0x0, ...
 02224   384   NtFlushInstructionCache  (-1, 1995837440, 228, ...
 02225  2016   NtRequestWaitReplyPort  (628, {56, 80, new_msg, 0, 44, 3, 20, 0}  (628, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0gS\263F\252\227\2L\355h\28\1\0\0\0\0\0\0\0&\0(\0\230\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 02224   384   NtFlushInstructionCache  ... ) == 0x0
 02222   896   NtAllocateVirtualMemory  ... 74252288, 1048576, ) == 0x0
 02226   896   NtAllocateVirtualMemory  (-1, 75292672, 0, 8192, 4096, 4, ... 75292672, 8192, ) == 0x0
 02227   896   NtProtectVirtualMemory  (-1, (0x47ce000), 4096, 260, ... (0x47ce000), 4096, 4, ) == 0x0
 02228   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 624, {1252, 644}, ) == 0x0
 02229   896   NtQueryInformationThread  (624, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1252,Tid=644,}, 0x0, ) == 0x0
 02230   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\204\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\204\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81929, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\204\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\204\2\0\0" )  ) == 0x0
 02231   384   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 02232   384   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 02233   384   NtFlushInstructionCache  (-1, 1996165120, 232, ... ) == 0x0
 02234   896   NtResumeThread  (624, ... 1, ) == 0x0
 02235   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 75300864, 1048576, ) == 0x0
 02236   896   NtAllocateVirtualMemory  (-1, 76341248, 0, 8192, 4096, 4, ... 76341248, 8192, ) == 0x0
 02225  2016   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 1252, 2016, 81928, 0}  ... {44, 68, reply, 0, 1252, 2016, 81928, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02237   644   NtWaitForSingleObject  (88, 0, 0x0, ...
 02238   384   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... }, ...
 02239  2016   NtRaiseException  (11074064, 11073324, 1, ...
 02238   384   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02240  2016   NtQueryVirtualMemory  (-1, 0x77ea0470, BasicVlm, 16, ...
 02241   384   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02242   896   NtProtectVirtualMemory  (-1, (0x48ce000), 4096, 260, ...
 02241   384   NtCreateEvent  ... 636, ) == 0x0
 02242   896   NtProtectVirtualMemory  ... (0x48ce000), 4096, 4, ) == 0x0
 02240  2016   NtQueryVirtualMemory  ... {memory info, class 3, size 16}, 0x0, ) == 0x0
 02243   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02244  2016   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ...
 02243   896   NtCreateThread  ... 640, {1252, 1736}, ) == 0x0
 02244  2016   NtQueryVirtualMemory  ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02245   896   NtQueryInformationThread  (640, Basic, 28, ...
 02246  2016   NtContinue  (11072292, 0, ...
 02245   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1252,Tid=1736,}, 0x0, ) == 0x0
 02247  2016   NtDeviceIoControlFile  (408, 108, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 02248   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... }, ...
 02247  2016   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x103
 02248   384   NtOpenKey  ... 644, ) == 0x0
 02249   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\310\6\0\0" ...  ...
 02250   384   NtQueryValueKey  (644,  (644, "LdapClientIntegrity", Partial, 144, ... , Partial, 144, ...
 02249   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81930, 0}  ... {28, 56, reply, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0\310\6\0\0" )  ) == 0x0
 02251  2016   NtWaitForSingleObject  (108, 1, {-5000000, -1}, ...
 02252   896   NtResumeThread  (640, ... 1, ) == 0x0
 02253   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 76349440, 1048576, ) == 0x0
 02254   896   NtAllocateVirtualMemory  (-1, 77389824, 0, 8192, 4096, 4, ... 77389824, 8192, ) == 0x0
 02255   896   NtProtectVirtualMemory  (-1, (0x49ce000), 4096, 260, ... (0x49ce000), 4096, 4, ) == 0x0
 02256   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02250   384   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02257  1736   NtWaitForSingleObject  (88, 0, 0x0, ...
 02258   384   NtClose  (644, ... ) == 0x0
 02259   384   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02260   384   NtQueryPerformanceCounter  (... {-1439036388, 16}, {3579545, 0}, ) == 0x0
 02261   384   NtSetEventBoostPriority  (88, ...
 02144   860   NtWaitForSingleObject  ... ) == 0x0
 02262   860   NtSetEventBoostPriority  (88, ...
 02173  1516   NtWaitForSingleObject  ... ) == 0x0
 02263  1516   NtSetEventBoostPriority  (88, ...
 02182   780   NtWaitForSingleObject  ... ) == 0x0
 02264   780   NtSetEventBoostPriority  (88, ...
 02213   940   NtWaitForSingleObject  ... ) == 0x0
 02265   940   NtSetEventBoostPriority  (88, ...
 02223  1268   NtWaitForSingleObject  ... ) == 0x0
 02266  1268   NtSetEventBoostPriority  (88, ...
 02237   644   NtWaitForSingleObject  ... ) == 0x0
 02267   644   NtSetEventBoostPriority  (88, ...
 02257  1736   NtWaitForSingleObject  ... ) == 0x0
 02268  1736   NtTestAlert  (... ) == 0x0
 02267   644   NtSetEventBoostPriority  ... ) == 0x0
 02266  1268   NtSetEventBoostPriority  ... ) == 0x0
 02265   940   NtSetEventBoostPriority  ... ) == 0x0
 02264   780   NtSetEventBoostPriority  ... ) == 0x0
 02263  1516   NtSetEventBoostPriority  ... ) == 0x0
 02262   860   NtSetEventBoostPriority  ... ) == 0x0
 02261   384   NtSetEventBoostPriority  ... ) == 0x0
 02256   896   NtCreateThread  ... 644, {1252, 320}, ) == 0x0
 02269  1736   NtContinue  (76348720, 1, ...
 02270   644   NtTestAlert  (...
 02271  1268   NtTestAlert  (...
 02272   940   NtTestAlert  (...
 02273   780   NtTestAlert  (...
 02274  1516   NtTestAlert  (...
 02275   384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15526864, ... }, 15526864, ...
 02276   896   NtQueryInformationThread  (644, Basic, 28, ...
 02277  1736   NtRegisterThreadTerminatePort  (24, ...
 02270   644   NtTestAlert  ... ) == 0x0
 02271  1268   NtTestAlert  ... ) == 0x0
 02272   940   NtTestAlert  ... ) == 0x0
 02273   780   NtTestAlert  ... ) == 0x0
 02274  1516   NtTestAlert  ... ) == 0x0
 02278   860   NtTestAlert  (...
 02276   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1252,Tid=320,}, 0x0, ) == 0x0
 02277  1736   NtRegisterThreadTerminatePort  ... ) == 0x0
 02279   644   NtContinue  (75300144, 1, ...
 02280  1268   NtContinue  (74251568, 1, ...
 02281   940   NtContinue  (73202992, 1, ...
 02282   780   NtContinue  (72154416, 1, ...
 02283  1516   NtContinue  (71105840, 1, ...
 02278   860   NtTestAlert  ... ) == 0x0
 02284   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0@\1\0\0" ...  ...
 02285  1736   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02286   644   NtRegisterThreadTerminatePort  (24, ...
 02287  1268   NtRegisterThreadTerminatePort  (24, ...
 02288   940   NtRegisterThreadTerminatePort  (24, ...
 02289   780   NtRegisterThreadTerminatePort  (24, ...
 02290  1516   NtRegisterThreadTerminatePort  (24, ...
 02291   860   NtContinue  (70057264, 1, ...
 02284   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81931, 0}  ... {28, 56, reply, 0, 1252, 896, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\344\4\0\0@\1\0\0" )  ) == 0x0
 02285  1736   NtDuplicateObject  ... 648, ) == 0x0
 02286   644   NtRegisterThreadTerminatePort  ... ) == 0x0
 02287  1268   NtRegisterThreadTerminatePort  ... ) == 0x0
 02288   940   NtRegisterThreadTerminatePort  ... ) == 0x0
 02289   780   NtRegisterThreadTerminatePort  ... ) == 0x0
 02290  1516   NtRegisterThreadTerminatePort  ... ) == 0x0
 02292   860   NtRegisterThreadTerminatePort  (24, ...
 02275   384   NtQueryAttributesFile  ... ) == 0x0
 02293  1736   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02294   644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02295  1268   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02296   940   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02297   780   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02298  1516   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02292   860   NtRegisterThreadTerminatePort  ... ) == 0x0
 02299   384   NtQuerySystemInformation  (Basic, 44, ...
 02300   896   NtResumeThread  (644, ...
 02293  1736   NtWaitForSingleObject  ... ) == 0x102
 02294   644   NtDuplicateObject  ... 652, ) == 0x0
 02295  1268   NtDuplicateObject  ... 656, ) == 0x0
 02296   940   NtDuplicateObject  ... 660, ) == 0x0
 02297   780   NtDuplicateObject  ... 664, ) == 0x0
 02301   860   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02299   384   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02300   896   NtResumeThread  ... 1, ) == 0x0
 02302  1736   NtWaitForSingleObject  (124, 0, 0x0, ...
 02303   644   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02304  1268   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02305   940   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ...
 02306   780   NtWaitForSingleObject  (284, 0, 0x0, ...
 02298  1516   NtDuplicateObject  ... 668, ) == 0x0
 02307   320   NtWaitForSingleObject  (284, 0, 0x0, ...
 02308   384   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ...
 02309   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02303   644   NtWaitForSingleObject  ... ) == 0x102
 02304  1268   NtWaitForSingleObject  ... ) == 0x102
 02305   940   NtAllocateVirtualMemory  ... 1404928, 4096, ) == 0x0
 02310  1516   NtWaitForSingleObject  (284, 0, 0x0, ...
 02308   384   NtAllocateVirtualMemory  ... 8781824, 65536, ) == 0x0
 02309   896   NtAllocateVirtualMemory  ... 77398016, 1048576, ) == 0x0
 02311   644   NtWaitForSingleObject  (284, 0, 0x0, ...
 02312  1268   NtWaitForSingleObject  (284, 0, 0x0, ...
 02313   940   NtSetEventBoostPriority  (284, ...
 02314   384   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ...
 02315   896   NtAllocateVirtualMemory  (-1, 78438400, 0, 8192, 4096, 4, ...
 02306   780   NtWaitForSingleObject  ... ) == 0x0
 02313   940   NtSetEventBoostPriority  ... ) == 0x0
 02301   860   NtDuplicateObject  ... 672, ) == 0x0
 02316   780   NtSetEventBoostPriority  (284, ...
 02315   896   NtAllocateVirtualMemory  ... 78438400, 8192, ) == 0x0
 02317   940   NtWaitForSingleObject  (284, 0, 0x0, ...
 02307   320   NtWaitForSingleObject  ... ) == 0x0
 02316   780   NtSetEventBoostPriority  ... ) == 0x0
 02318   860   NtWaitForSingleObject  (284, 0, 0x0, ...
 02314   384   NtAllocateVirtualMemory  ... 8781824, 4096, ) == 0x0
 02319   896   NtProtectVirtualMemory  (-1, (0x4ace000), 4096, 260, ...
 02320   320   NtSetEventBoostPriority  (284, ...
 02321   384   NtWaitForSingleObject  (356, 0, 0x0, ...
 02310  1516   NtWaitForSingleObject  ... ) == 0x0
 02320   320   NtSetEventBoostPriority  ... ) == 0x0
 02319   896   NtProtectVirtualMemory  ... (0x4ace000), 4096, 4, ) == 0x0
 02322  1516   NtSetEventBoostPriority  (284, ...
 02323   780   NtWaitForSingleObject  (284, 0, 0x0, ...
 02311   644   NtWaitForSingleObject  ... ) == 0x0
 02322  1516   NtSetEventBoostPriority  ... ) == 0x0
 02324   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02325   644   NtSetEventBoostPriority  (284, ...
 02326   320   NtTestAlert  (...
 02312  1268   NtWaitForSingleObject  ... ) == 0x0
 02325   644   NtSetEventBoostPriority  ... ) == 0x0
 02324   896   NtCreateThread  ... 676, {1252, 380}, ) == 0x0
 02327  1268   NtSetEventBoostPriority  (284, ...
 02326   320   NtTestAlert  ... ) == 0x0
 02328  1516   NtWaitForSingleObject  (284, 0, 0x0, ...
 02317   940   NtWaitForSingleObject  ... ) == 0x0
 02327  1268   NtSetEventBoostPriority  ... ) == 0x0
 02329   896   NtQueryInformationThread  (676, Basic, 28, ...
 02330   320   NtContinue  (77397296, 1, ...
 02331   940   NtSetEventBoostPriority  (284, ...
 02332   644   NtWaitForSingleObject  (124, 0, 0x0, ...
 02329   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1252,Tid=380,}, 0x0, ) == 0x0
 02318   860   NtWaitForSingleObject  ... ) == 0x0
 02333   320   NtRegisterThreadTerminatePort  (24, ...
 02331   940   NtSetEventBoostPriority  ... ) == 0x0
 02334  1268   NtWaitForSingleObject  (124, 0, 0x0, ...
 02335   860   NtSetEventBoostPriority  (284, ...
 02333   320   NtRegisterThreadTerminatePort  ... ) == 0x0
 02336   940   NtSetEventBoostPriority  (356, ...
 02323   780   NtWaitForSingleObject  ... ) == 0x0
 02335   860   NtSetEventBoostPriority  ... ) == 0x0
 02337   320   NtWaitForSingleObject  (284, 0, 0x0, ...
 02338   780   NtSetEventBoostPriority  (284, ...
 02321   384   NtWaitForSingleObject  ... ) == 0x0
 02336   940   NtSetEventBoostPriority  ... ) == 0x0
 02339   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81931, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0|\1\0\0" ...  ...
 02340   860   NtWaitForSingleObject  (284, 0, 0x0, ...
 02328  1516   NtWaitForSingleObject  ... ) == 0x0
 02341   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 02338   780   NtSetEventBoostPriority  ... ) == 0x0
 02339   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81932, 0}  ... {28, 56, reply, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\0|\1\0\0" )  ) == 0x0
 02342  1516   NtSetEventBoostPriority  (284, ...
 02343   780   NtWaitForSingleObject  (356, 0, 0x0, ...
 02337   320   NtWaitForSingleObject  ... ) == 0x0
 02342  1516   NtSetEventBoostPriority  ... ) == 0x0
 02344   896   NtResumeThread  (676, ...
 02345   940   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02346   320   NtSetEventBoostPriority  (284, ...
 02347  1516   NtWaitForSingleObject  (356, 0, 0x0, ...
 02344   896   NtResumeThread  ... 1, ) == 0x0
 02341   384   NtWaitForSingleObject  ... ) == 0x0
 02345   940   NtWaitForSingleObject  ... ) == 0x102
 02346   320   NtSetEventBoostPriority  ... ) == 0x0
 02348   380   NtWaitForSingleObject  (284, 0, 0x0, ...
 02349   384   NtSetEventBoostPriority  (284, ...
 02350   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02351   940   NtWaitForSingleObject  (124, 0, 0x0, ...
 02352   320   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02340   860   NtWaitForSingleObject  ... ) == 0x0
 02349   384   NtSetEventBoostPriority  ... ) == 0x0
 02353   860   NtSetEventBoostPriority  (284, ...
 02352   320   NtDuplicateObject  ... 680, ) == 0x0
 02350   896   NtAllocateVirtualMemory  ... 78446592, 1048576, ) == 0x0
 02348   380   NtWaitForSingleObject  ... ) == 0x0
 02353   860   NtSetEventBoostPriority  ... ) == 0x0
 02354   384   NtSetEventBoostPriority  (356, ...
 02355   380   NtTestAlert  (...
 02356   896   NtAllocateVirtualMemory  (-1, 79486976, 0, 8192, 4096, 4, ...
 02357   860   NtWaitForSingleObject  (356, 0, 0x0, ...
 02355   380   NtTestAlert  ... ) == 0x0
 02343   780   NtWaitForSingleObject  ... ) == 0x0
 02354   384   NtSetEventBoostPriority  ... ) == 0x0
 02356   896   NtAllocateVirtualMemory  ... 79486976, 8192, ) == 0x0
 02358   320   NtWaitForSingleObject  (356, 0, 0x0, ...
 02359   780   NtSetEventBoostPriority  (356, ...
 02360   384   NtAllocateVirtualMemory  (-1, 8785920, 0, 8192, 4096, 4, ...
 02361   896   NtProtectVirtualMemory  (-1, (0x4bce000), 4096, 260, ...
 02347  1516   NtWaitForSingleObject  ... ) == 0x0
 02360   384   NtAllocateVirtualMemory  ... 8785920, 8192, ) == 0x0
 02361   896   NtProtectVirtualMemory  ... (0x4bce000), 4096, 4, ) == 0x0
 02362  1516   NtSetEventBoostPriority  (356, ...
 02363   384   NtWaitForSingleObject  (356, 0, 0x0, ...
 02364   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02357   860   NtWaitForSingleObject  ... ) == 0x0
 02362  1516   NtSetEventBoostPriority  ... ) == 0x0
 02359   780   NtSetEventBoostPriority  ... ) == 0x0
 02365   380   NtContinue  (78445872, 1, ...
 02366   860   NtSetEventBoostPriority  (356, ...
 02367  1516   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02368   780   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02369   380   NtRegisterThreadTerminatePort  (24, ...
 02358   320   NtWaitForSingleObject  ... ) == 0x0
 02369   380   NtRegisterThreadTerminatePort  ... ) == 0x0
 02370   320   NtSetEventBoostPriority  (356, ...
 02371   380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02363   384   NtWaitForSingleObject  ... ) == 0x0
 02370   320   NtSetEventBoostPriority  ... ) == 0x0
 02372   384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15526864, ... }, 15526864, ...
 02371   380   NtDuplicateObject  ... 684, ) == 0x0
 02372   384   NtQueryAttributesFile  ... ) == 0x0
 02373   320   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02374   380   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02366   860   NtSetEventBoostPriority  ... ) == 0x0
 02364   896   NtCreateThread  ... 688, {1252, 1332}, ) == 0x0
 02367  1516   NtWaitForSingleObject  ... ) == 0x102
 02368   780   NtWaitForSingleObject  ... ) == 0x102
 02375   384   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... }, 5, 96, ...
 02373   320   NtWaitForSingleObject  ... ) == 0x102
 02376   860   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02377   896   NtQueryInformationThread  (688, Basic, 28, ...
 02378  1516   NtWaitForSingleObject  (124, 0, 0x0, ...
 02379   780   NtWaitForSingleObject  (124, 0, 0x0, ...
 02375   384   NtOpenFile  ... 692, {status=0x0, info=1}, ) == 0x0
 02380   320   NtWaitForSingleObject  (124, 0, 0x0, ...
 02377   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1252,Tid=1332,}, 0x0, ) == 0x0
 02381   384   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 692, ...
 02382   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81932, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\04\5\0\0" ...  ...
 02381   384   NtCreateSection  ... 696, ) == 0x0
 02382   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81933, 0}  ... {28, 56, reply, 0, 1252, 896, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\04\5\0\0" )  ) == 0x0
 02383   384   NtClose  (692, ...
 02374   380   NtWaitForSingleObject  ... ) == 0x102
 02376   860   NtWaitForSingleObject  ... ) == 0x102
 02383   384   NtClose  ... ) == 0x0
 02384   380   NtWaitForSingleObject  (124, 0, 0x0, ...
 02385   860   NtWaitForSingleObject  (124, 0, 0x0, ...
 02386   896   NtResumeThread  (688, ... 1, ) == 0x0
 02387   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 79495168, 1048576, ) == 0x0
 02388   896   NtAllocateVirtualMemory  (-1, 80535552, 0, 8192, 4096, 4, ... 80535552, 8192, ) == 0x0
 02389   896   NtProtectVirtualMemory  (-1, (0x4cce000), 4096, 260, ... (0x4cce000), 4096, 4, ) == 0x0
 02390   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1252, 1336}, ) == 0x0
 02391   896   NtQueryInformationThread  (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1252,Tid=1336,}, 0x0, ) == 0x0
 02392   384   NtMapViewOfSection  (696, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02393  1332   NtWaitForSingleObject  (88, 0, 0x0, ...
 02392   384   NtMapViewOfSection  ... (0xb90000), 0x0, 110592, ) == 0x0
 02394   384   NtClose  (696, ... ) == 0x0
 02395   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81933, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\08\5\0\0" ...  ...
 02396   384   NtUnmapViewOfSection  (-1, 0xb90000, ... ) == 0x0
 02397   384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 15527172, ... ) }, 15527172, ... ) == 0x0
 02398   384   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 696, {status=0x0, info=1}, ) }, 5, 96, ... 696, {status=0x0, info=1}, ) == 0x0
 02395   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81934, 0}  ... {28, 56, reply, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\08\5\0\0" )  ) == 0x0
 02399   896   NtResumeThread  (692, ... 1, ) == 0x0
 02400   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 80543744, 1048576, ) == 0x0
 02401   896   NtAllocateVirtualMemory  (-1, 81584128, 0, 8192, 4096, 4, ... 81584128, 8192, ) == 0x0
 02402   896   NtProtectVirtualMemory  (-1, (0x4dce000), 4096, 260, ... (0x4dce000), 4096, 4, ) == 0x0
 02403   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02404   384   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 696, ...
 02405  1336   NtWaitForSingleObject  (88, 0, 0x0, ...
 02404   384   NtCreateSection  ... 700, ) == 0x0
 02406   384   NtQuerySection  (700, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02407   384   NtClose  (696, ... ) == 0x0
 02408   384   NtMapViewOfSection  (700, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0
 02409   384   NtClose  (700, ... ) == 0x0
 02410   384   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02403   896   NtCreateThread  ... 700, {1252, 1808}, ) == 0x0
 02411   896   NtQueryInformationThread  (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1252,Tid=1808,}, 0x0, ) == 0x0
 02412   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\20\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\20\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81935, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\20\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\20\7\0\0" )  ) == 0x0
 02413   896   NtResumeThread  (700, ... 1, ) == 0x0
 02414   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 81592320, 1048576, ) == 0x0
 02415   896   NtAllocateVirtualMemory  (-1, 82632704, 0, 8192, 4096, 4, ... 82632704, 8192, ) == 0x0
 02416   384   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ...
 02417  1808   NtWaitForSingleObject  (88, 0, 0x0, ...
 02416   384   NtProtectVirtualMemory  ... (0x751d1000), 4096, 4, ) == 0x0
 02418   384   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02419   384   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02420   384   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02421   384   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02422   896   NtProtectVirtualMemory  (-1, (0x4ece000), 4096, 260, ... (0x4ece000), 4096, 4, ) == 0x0
 02423   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {1252, 468}, ) == 0x0
 02424   896   NtQueryInformationThread  (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1252,Tid=468,}, 0x0, ) == 0x0
 02425   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81935, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\324\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\324\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81936, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\324\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\324\1\0\0" )  ) == 0x0
 02426   896   NtResumeThread  (696, ... 1, ) == 0x0
 02427   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02428   384   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... }, ...
 02429   468   NtWaitForSingleObject  (88, 0, 0x0, ...
 02428   384   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02430   384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 15526348, ... }, 15526348, ...
 02427   896   NtAllocateVirtualMemory  ... 82640896, 1048576, ) == 0x0
 02431   896   NtAllocateVirtualMemory  (-1, 83681280, 0, 8192, 4096, 4, ... 83681280, 8192, ) == 0x0
 02432   896   NtProtectVirtualMemory  (-1, (0x4fce000), 4096, 260, ... (0x4fce000), 4096, 4, ) == 0x0
 02433   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1252, 752}, ) == 0x0
 02434   896   NtQueryInformationThread  (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1252,Tid=752,}, 0x0, ) == 0x0
 02435   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81936, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0\360\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0\360\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81937, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0\360\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0\360\2\0\0" )  ) == 0x0
 02436   896   NtResumeThread  (704, ... 1, ) == 0x0
 02437   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 83689472, 1048576, ) == 0x0
 02438   896   NtAllocateVirtualMemory  (-1, 84729856, 0, 8192, 4096, 4, ... 84729856, 8192, ) == 0x0
 02439   752   NtWaitForSingleObject  (88, 0, 0x0, ...
 02440   896   NtProtectVirtualMemory  (-1, (0x50ce000), 4096, 260, ... (0x50ce000), 4096, 4, ) == 0x0
 02441   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1252, 1512}, ) == 0x0
 02442   896   NtQueryInformationThread  (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1252,Tid=1512,}, 0x0, ) == 0x0
 02443   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81937, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\350\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\350\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81938, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\350\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\350\5\0\0" )  ) == 0x0
 02444   896   NtResumeThread  (708, ... 1, ) == 0x0
 02445   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02430   384   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02446  1512   NtWaitForSingleObject  (88, 0, 0x0, ...
 02447   384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 15526348, ... ) }, 15526348, ... ) == 0x0
 02448   384   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 712, {status=0x0, info=1}, ) }, 5, 96, ... 712, {status=0x0, info=1}, ) == 0x0
 02449   384   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 712, ... 716, ) == 0x0
 02450   384   NtQuerySection  (716, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02451   384   NtClose  (712, ... ) == 0x0
 02452   384   NtMapViewOfSection  (716, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02445   896   NtAllocateVirtualMemory  ... 84738048, 1048576, ) == 0x0
 02453   896   NtAllocateVirtualMemory  (-1, 85778432, 0, 8192, 4096, 4, ... 85778432, 8192, ) == 0x0
 02454   896   NtProtectVirtualMemory  (-1, (0x51ce000), 4096, 260, ... (0x51ce000), 4096, 4, ) == 0x0
 02455   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1252, 1380}, ) == 0x0
 02456   896   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1252,Tid=1380,}, 0x0, ) == 0x0
 02452   384   NtMapViewOfSection  ... (0x77920000), 0x0, 995328, ) == 0x0
 02457   384   NtClose  (716, ... ) == 0x0
 02458   384   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02459   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81938, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0d\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0d\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81939, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0d\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0d\5\0\0" )  ) == 0x0
 02460   896   NtResumeThread  (712, ... 1, ) == 0x0
 02461   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02462   384   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ...
 02463  1380   NtWaitForSingleObject  (88, 0, 0x0, ...
 02462   384   NtProtectVirtualMemory  ... (0x77921000), 4096, 4, ) == 0x0
 02464   384   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02465   384   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02466   384   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02467   384   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02468   384   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ...
 02461   896   NtAllocateVirtualMemory  ... 85786624, 1048576, ) == 0x0
 02469   896   NtAllocateVirtualMemory  (-1, 86827008, 0, 8192, 4096, 4, ... 86827008, 8192, ) == 0x0
 02470   896   NtProtectVirtualMemory  (-1, (0x52ce000), 4096, 260, ... (0x52ce000), 4096, 4, ) == 0x0
 02471   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1252, 1564}, ) == 0x0
 02472   896   NtQueryInformationThread  (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1252,Tid=1564,}, 0x0, ) == 0x0
 02473   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81939, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0\34\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0\34\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81940, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0\34\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\0\34\6\0\0" )  ) == 0x0
 02468   384   NtProtectVirtualMemory  ... (0x77921000), 4096, 32, ) == 0x0
 02474   384   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02475   384   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02476   384   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02477   384   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02478   384   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02479   384   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ...
 02480   896   NtResumeThread  (716, ... 1, ) == 0x0
 02481   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 86835200, 1048576, ) == 0x0
 02482   896   NtAllocateVirtualMemory  (-1, 87875584, 0, 8192, 4096, 4, ... 87875584, 8192, ) == 0x0
 02483   896   NtProtectVirtualMemory  (-1, (0x53ce000), 4096, 260, ... (0x53ce000), 4096, 4, ) == 0x0
 02484   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1252, 164}, ) == 0x0
 02485   896   NtQueryInformationThread  (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1252,Tid=164,}, 0x0, ) == 0x0
 02479   384   NtProtectVirtualMemory  ... (0x77921000), 4096, 32, ) == 0x0
 02486  1564   NtWaitForSingleObject  (88, 0, 0x0, ...
 02487   384   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02488   384   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02489   384   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02490   384   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02491   384   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02492   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81940, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\244\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\244\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81941, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\244\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\244\0\0\0" )  ) == 0x0
 02493   896   NtResumeThread  (720, ... 1, ) == 0x0
 02494   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02495   164   NtWaitForSingleObject  (88, 0, 0x0, ...
 02494   896   NtAllocateVirtualMemory  ... 87883776, 1048576, ) == 0x0
 02496   896   NtAllocateVirtualMemory  (-1, 88924160, 0, 8192, 4096, 4, ... 88924160, 8192, ) == 0x0
 02497   896   NtProtectVirtualMemory  (-1, (0x54ce000), 4096, 260, ... (0x54ce000), 4096, 4, ) == 0x0
 02498   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02499   384   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02500   384   NtQueryDefaultUILanguage  (2090319928, ...
 02501   384   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02502   384   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482764, ) == 0x0
 02503   384   NtQueryInformationToken  (-2147482764, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02498   896   NtCreateThread  ... 724, {1252, 312}, ) == 0x0
 02504   896   NtQueryInformationThread  (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1252,Tid=312,}, 0x0, ) == 0x0
 02505   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81941, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\08\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\08\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81942, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\08\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\08\1\0\0" )  ) == 0x0
 02506   896   NtResumeThread  (724, ... 1, ) == 0x0
 02507   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 88932352, 1048576, ) == 0x0
 02508   896   NtAllocateVirtualMemory  (-1, 89972736, 0, 8192, 4096, 4, ... 89972736, 8192, ) == 0x0
 02509   384   NtClose  (-2147482764, ...
 02510   312   NtWaitForSingleObject  (88, 0, 0x0, ...
 02509   384   NtClose  ... ) == 0x0
 02511   384   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482764, ) }, ... -2147482764, ) == 0x0
 02512   384   NtOpenKey  (0x80000000, {24, -2147482764, 0x240, 0, 0,  (0x80000000, {24, -2147482764, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02513   384   NtOpenKey  (0x80000000, {24, -2147482764, 0x640, 0, 0,  (0x80000000, {24, -2147482764, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482688, ) }, ... -2147482688, ) == 0x0
 02514   384   NtQueryValueKey  (-2147482688,  (-2147482688, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02515   384   NtClose  (-2147482688, ... ) == 0x0
 02516   896   NtProtectVirtualMemory  (-1, (0x55ce000), 4096, 260, ... (0x55ce000), 4096, 4, ) == 0x0
 02517   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {1252, 1964}, ) == 0x0
 02518   896   NtQueryInformationThread  (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1252,Tid=1964,}, 0x0, ) == 0x0
 02519   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81942, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\254\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\254\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81943, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\254\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\254\7\0\0" )  ) == 0x0
 02520   896   NtResumeThread  (728, ... 1, ) == 0x0
 02521   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02522   384   NtClose  (-2147482764, ...
 02523  1964   NtWaitForSingleObject  (88, 0, 0x0, ...
 02522   384   NtClose  ... ) == 0x0
 02500   384   NtQueryDefaultUILanguage  ... ) == 0x0
 02524   384   NtAllocateVirtualMemory  (-1, 15515648, 0, 4096, 4096, 260, ... 15515648, 4096, ) == 0x0
 02525   384   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 02526   384   NtQueryDefaultLocale  (1, 15527068, ... ) == 0x0
 02527   384   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02528   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... }, ...
 02521   896   NtAllocateVirtualMemory  ... 89980928, 1048576, ) == 0x0
 02529   896   NtAllocateVirtualMemory  (-1, 91021312, 0, 8192, 4096, 4, ... 91021312, 8192, ) == 0x0
 02530   896   NtProtectVirtualMemory  (-1, (0x56ce000), 4096, 260, ... (0x56ce000), 4096, 4, ) == 0x0
 02531   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {1252, 1568}, ) == 0x0
 02532   896   NtQueryInformationThread  (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1252,Tid=1568,}, 0x0, ) == 0x0
 02533   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81943, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0 \6\0\0" ... {28, 56, reply, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0 \6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81944, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0 \6\0\0" ... {28, 56, reply, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0 \6\0\0" )  ) == 0x0
 02528   384   NtOpenKey  ... 736, ) == 0x0
 02534   384   NtQueryValueKey  (736,  (736, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (736, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02535   384   NtClose  (736, ... ) == 0x0
 02536   384   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 736, ) == 0x0
 02537   384   NtCallbackReturn  (0, 0, 0, ...
 02538   384   NtUserGetProcessWindowStation  (...
 02539   896   NtResumeThread  (732, ... 1, ) == 0x0
 02540   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 91029504, 1048576, ) == 0x0
 02541   896   NtAllocateVirtualMemory  (-1, 92069888, 0, 8192, 4096, 4, ... 92069888, 8192, ) == 0x0
 02542   896   NtProtectVirtualMemory  (-1, (0x57ce000), 4096, 260, ... (0x57ce000), 4096, 4, ) == 0x0
 02543   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {1252, 1624}, ) == 0x0
 02544   896   NtQueryInformationThread  (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1252,Tid=1624,}, 0x0, ) == 0x0
 02538   384   NtUserGetProcessWindowStation  ... ) == 0x20
 02545  1568   NtWaitForSingleObject  (88, 0, 0x0, ...
 02546   384   NtUserGetObjectInformation  (32, 1, 15526664, 12, 15526676, ... ) == 0x1
 02547   384   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02548   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\WPA\PnP"}, ... 744, ) }, ... 744, ) == 0x0
 02549   384   NtQueryValueKey  (744,  (744, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (744, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 02550   384   NtClose  (744, ... ) == 0x0
 02551   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... }, ...
 02552   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81944, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0X\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0X\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81945, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0X\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\344\4\0\0X\6\0\0" )  ) == 0x0
 02553   896   NtResumeThread  (740, ... 1, ) == 0x0
 02554   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 92078080, 1048576, ) == 0x0
 02555   896   NtAllocateVirtualMemory  (-1, 93118464, 0, 8192, 4096, 4, ... 93118464, 8192, ) == 0x0
 02556   896   NtProtectVirtualMemory  (-1, (0x58ce000), 4096, 260, ... (0x58ce000), 4096, 4, ) == 0x0
 02557   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02551   384   NtOpenKey  ... 744, ) == 0x0
 02558  1624   NtWaitForSingleObject  (88, 0, 0x0, ...
 02559   384   NtQueryValueKey  (744,  (744, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (744, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02560   384   NtQueryValueKey  (744,  (744, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (744, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02561   384   NtClose  (744, ... ) == 0x0
 02562   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 744, ) }, ... 744, ) == 0x0
 02563   384   NtQueryValueKey  (744,  (744, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (744, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02564   384   NtQueryValueKey  (744,  (744, "SystemPartition", Partial, 144, ... , Partial, 144, ...
 02557   896   NtCreateThread  ... 748, {1252, 1716}, ) == 0x0
 02565   896   NtQueryInformationThread  (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1252,Tid=1716,}, 0x0, ) == 0x0
 02566   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\264\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\264\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81946, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\264\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\344\4\0\0\264\6\0\0" )  ) == 0x0
 02567   896   NtResumeThread  (748, ... 1, ) == 0x0
 02568   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 93126656, 1048576, ) == 0x0
 02569   896   NtAllocateVirtualMemory  (-1, 94167040, 0, 8192, 4096, 4, ... 94167040, 8192, ) == 0x0
 02564   384   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02570  1716   NtWaitForSingleObject  (88, 0, 0x0, ...
 02571   384   NtClose  (744, ... ) == 0x0
 02572   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 744, ) }, ... 744, ) == 0x0
 02573   384   NtQueryValueKey  (744,  (744, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (744, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02574   384   NtQueryValueKey  (744,  (744, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (744, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02575   384   NtClose  (744, ... ) == 0x0
 02576   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ...
 02577   896   NtProtectVirtualMemory  (-1, (0x59ce000), 4096, 260, ... (0x59ce000), 4096, 4, ) == 0x0
 02578   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {1252, 1440}, ) == 0x0
 02579   896   NtQueryInformationThread  (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1252,Tid=1440,}, 0x0, ) == 0x0
 02580   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\240\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\240\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81947, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\240\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\240\5\0\0" )  ) == 0x0
 02581   896   NtResumeThread  (744, ... 1, ) == 0x0
 02582   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02576   384   NtOpenKey  ... 752, ) == 0x0
 02583  1440   NtWaitForSingleObject  (88, 0, 0x0, ...
 02584   384   NtQueryValueKey  (752,  (752, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (752, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02585   384   NtQueryValueKey  (752,  (752, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (752, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02586   384   NtClose  (752, ... ) == 0x0
 02587   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 752, ) }, ... 752, ) == 0x0
 02588   384   NtQueryValueKey  (752,  (752, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (752, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02589   384   NtQueryValueKey  (752,  (752, "ServicePackCachePath", Partial, 144, ... , Partial, 144, ...
 02582   896   NtAllocateVirtualMemory  ... 94175232, 1048576, ) == 0x0
 02590   896   NtAllocateVirtualMemory  (-1, 95215616, 0, 8192, 4096, 4, ... 95215616, 8192, ) == 0x0
 02591   896   NtProtectVirtualMemory  (-1, (0x5ace000), 4096, 260, ... (0x5ace000), 4096, 4, ) == 0x0
 02592   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {1252, 1664}, ) == 0x0
 02593   896   NtQueryInformationThread  (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1252,Tid=1664,}, 0x0, ) == 0x0
 02594   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0\200\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0\200\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81948, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0\200\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\344\4\0\0\200\6\0\0" )  ) == 0x0
 02589   384   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02595   384   NtClose  (752, ... ) == 0x0
 02596   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 752, ) }, ... 752, ) == 0x0
 02597   384   NtQueryValueKey  (752,  (752, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (752, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02598   384   NtQueryValueKey  (752,  (752, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (752, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02599   384   NtClose  (752, ... ) == 0x0
 02600   384   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... }, ...
 02601   896   NtResumeThread  (756, ... 1, ) == 0x0
 02602   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 95223808, 1048576, ) == 0x0
 02603   896   NtAllocateVirtualMemory  (-1, 96264192, 0, 8192, 4096, 4, ... 96264192, 8192, ) == 0x0
 02604   896   NtProtectVirtualMemory  (-1, (0x5bce000), 4096, 260, ... (0x5bce000), 4096, 4, ) == 0x0
 02605   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {1252, 1972}, ) == 0x0
 02606   896   NtQueryInformationThread  (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1252,Tid=1972,}, 0x0, ) == 0x0
 02600   384   NtOpenKey  ... 760, ) == 0x0
 02607  1664   NtWaitForSingleObject  (88, 0, 0x0, ...
 02608   384   NtQueryValueKey  (760,  (760, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02609   384   NtQueryValueKey  (760,  (760, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (760, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 02610   384   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 02611   384   NtClose  (760, ... ) == 0x0
 02612   384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 760, ) == 0x0
 02613   384   NtCreateMutant  (0x1f0001, 0x0, 0, ...
 02614   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\264\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\264\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81949, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\264\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\264\7\0\0" )  ) == 0x0
 02615   896   NtResumeThread  (752, ... 1, ) == 0x0
 02616   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 96272384, 1048576, ) == 0x0
 02617   896   NtAllocateVirtualMemory  (-1, 97312768, 0, 8192, 4096, 4, ... 97312768, 8192, ) == 0x0
 02618   896   NtProtectVirtualMemory  (-1, (0x5cce000), 4096, 260, ... (0x5cce000), 4096, 4, ) == 0x0
 02619   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02613   384   NtCreateMutant  ... 764, ) == 0x0
 02620  1972   NtWaitForSingleObject  (88, 0, 0x0, ...
 02621   384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 768, ) == 0x0
 02622   384   NtCreateMutant  (0x1f0001, 0x0, 0, ... 772, ) == 0x0
 02623   384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 776, ) == 0x0
 02624   384   NtCreateMutant  (0x1f0001, 0x0, 0, ... 780, ) == 0x0
 02625   384   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 784, ) }, ... 784, ) == 0x0
 02626   384   NtQueryValueKey  (784,  (784, "LogLevel", Partial, 144, ... , Partial, 144, ...
 02619   896   NtCreateThread  ... 788, {1252, 1036}, ) == 0x0
 02627   896   NtQueryInformationThread  (788, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1252,Tid=1036,}, 0x0, ) == 0x0
 02628   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\344\4\0\0\14\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\344\4\0\0\14\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81950, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\344\4\0\0\14\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\344\4\0\0\14\4\0\0" )  ) == 0x0
 02629   896   NtResumeThread  (788, ... 1, ) == 0x0
 02630   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 97320960, 1048576, ) == 0x0
 02631   896   NtAllocateVirtualMemory  (-1, 98361344, 0, 8192, 4096, 4, ... 98361344, 8192, ) == 0x0
 02626   384   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02632  1036   NtWaitForSingleObject  (88, 0, 0x0, ...
 02633   384   NtQueryValueKey  (784,  (784, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (784, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02634   384   NtQueryValueKey  (784,  (784, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02635   384   NtOpenKey  (0x1, {24, 784, 0x40, 0, 0,  (0x1, {24, 784, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02636   384   NtClose  (784, ... ) == 0x0
 02637   384   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 15526580, ... ) }, 15526580, ... ) == 0x0
 02638   384   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... }, ...
 02639   896   NtProtectVirtualMemory  (-1, (0x5dce000), 4096, 260, ... (0x5dce000), 4096, 4, ) == 0x0
 02640   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 784, {1252, 1248}, ) == 0x0
 02641   896   NtQueryInformationThread  (784, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1252,Tid=1248,}, 0x0, ) == 0x0
 02642   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\344\4\0\0\340\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\344\4\0\0\340\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81951, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\344\4\0\0\340\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\344\4\0\0\340\4\0\0" )  ) == 0x0
 02643   896   NtResumeThread  (784, ... 1, ) == 0x0
 02644   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02638   384   NtOpenKey  ... 792, ) == 0x0
 02645  1248   NtWaitForSingleObject  (88, 0, 0x0, ...
 02646   384   NtQueryValueKey  (792,  (792, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (792, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (792, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02647   384   NtClose  (792, ... ) == 0x0
 02648   384   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 792, ) }, ... 792, ) == 0x0
 02649   384   NtQueryValueKey  (792,  (792, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (792, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (792, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 02650   384   NtClose  (792, ... ) == 0x0
 02651   384   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... }, ...
 02644   896   NtAllocateVirtualMemory  ... 98369536, 1048576, ) == 0x0
 02652   896   NtAllocateVirtualMemory  (-1, 99409920, 0, 8192, 4096, 4, ... 99409920, 8192, ) == 0x0
 02653   896   NtProtectVirtualMemory  (-1, (0x5ece000), 4096, 260, ... (0x5ece000), 4096, 4, ) == 0x0
 02654   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 792, {1252, 1656}, ) == 0x0
 02655   896   NtQueryInformationThread  (792, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1252,Tid=1656,}, 0x0, ) == 0x0
 02656   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81951, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\344\4\0\0x\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\344\4\0\0x\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81952, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\344\4\0\0x\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\344\4\0\0x\6\0\0" )  ) == 0x0
 02651   384   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02657   384   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 796, ) }, ... 796, ) == 0x0
 02658   384   NtQueryValueKey  (796,  (796, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (796, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (796, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02659   384   NtClose  (796, ... ) == 0x0
 02660   384   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02661   384   NtSetEventBoostPriority  (88, ...
 02393  1332   NtWaitForSingleObject  ... ) == 0x0
 02662  1332   NtSetEventBoostPriority  (88, ...
 02405  1336   NtWaitForSingleObject  ... ) == 0x0
 02663  1336   NtSetEventBoostPriority  (88, ...
 02417  1808   NtWaitForSingleObject  ... ) == 0x0
 02664  1808   NtSetEventBoostPriority  (88, ...
 02429   468   NtWaitForSingleObject  ... ) == 0x0
 02665   468   NtSetEventBoostPriority  (88, ...
 02439   752   NtWaitForSingleObject  ... ) == 0x0
 02666   752   NtSetEventBoostPriority  (88, ...
 02446  1512   NtWaitForSingleObject  ... ) == 0x0
 02667  1512   NtSetEventBoostPriority  (88, ...
 02463  1380   NtWaitForSingleObject  ... ) == 0x0
 02668  1380   NtSetEventBoostPriority  (88, ...
 02486  1564   NtWaitForSingleObject  ... ) == 0x0
 02669  1564   NtSetEventBoostPriority  (88, ...
 02495   164   NtWaitForSingleObject  ... ) == 0x0
 02670   164   NtSetEventBoostPriority  (88, ...
 02510   312   NtWaitForSingleObject  ... ) == 0x0
 02671   312   NtSetEventBoostPriority  (88, ...
 02523  1964   NtWaitForSingleObject  ... ) == 0x0
 02672  1964   NtSetEventBoostPriority  (88, ...
 02545  1568   NtWaitForSingleObject  ... ) == 0x0
 02673  1568   NtSetEventBoostPriority  (88, ...
 02558  1624   NtWaitForSingleObject  ... ) == 0x0
 02674  1624   NtSetEventBoostPriority  (88, ...
 02570  1716   NtWaitForSingleObject  ... ) == 0x0
 02675  1716   NtAllocateVirtualMemory  (-1, 8876032, 0, 4096, 4096, 4, ... 8876032, 4096, ) == 0x0
 02674  1624   NtSetEventBoostPriority  ... ) == 0x0
 02673  1568   NtSetEventBoostPriority  ... ) == 0x0
 02672  1964   NtSetEventBoostPriority  ... ) == 0x0
 02671   312   NtSetEventBoostPriority  ... ) == 0x0
 02670   164   NtSetEventBoostPriority  ... ) == 0x0
 02669  1564   NtSetEventBoostPriority  ... ) == 0x0
 02668  1380   NtSetEventBoostPriority  ... ) == 0x0
 02667  1512   NtSetEventBoostPriority  ... ) == 0x0
 02666   752   NtSetEventBoostPriority  ... ) == 0x0
 02665   468   NtSetEventBoostPriority  ... ) == 0x0
 02664  1808   NtSetEventBoostPriority  ... ) == 0x0
 02663  1336   NtSetEventBoostPriority  ... ) == 0x0
 02662  1332   NtSetEventBoostPriority  ... ) == 0x0
 02661   384   NtSetEventBoostPriority  ... ) == 0x0
 02676   896   NtResumeThread  (792, ...
 02677  1716   NtSetEventBoostPriority  (88, ...
 02678  1624   NtTestAlert  (...
 02679  1568   NtTestAlert  (...
 02680  1964   NtTestAlert  (...
 02681   312   NtTestAlert  (...
 02682   164   NtTestAlert  (...
 02683  1564   NtTestAlert  (...
 02684  1380   NtTestAlert  (...
 02685  1512   NtTestAlert  (...
 02686   752   NtTestAlert  (...
 02687   468   NtTestAlert  (...
 02688  1808   NtTestAlert  (...
 02689  1336   NtTestAlert  (...
 02690   384   NtWaitForSingleObject  (88, 0, 0x0, ...
 02676   896   NtResumeThread  ... 1, ) == 0x0
 02583  1440   NtWaitForSingleObject  ... ) == 0x0
 02677  1716   NtSetEventBoostPriority  ... ) == 0x0
 02678  1624   NtTestAlert  ... ) == 0x0
 02679  1568   NtTestAlert  ... ) == 0x0
 02680  1964   NtTestAlert  ... ) == 0x0
 02681   312   NtTestAlert  ... ) == 0x0
 02682   164   NtTestAlert  ... ) == 0x0
 02683  1564   NtTestAlert  ... ) == 0x0
 02684  1380   NtTestAlert  ... ) == 0x0
 02685  1512   NtTestAlert  ... ) == 0x0
 02686   752   NtTestAlert  ... ) == 0x0
 02687   468   NtTestAlert  ... ) == 0x0
 02688  1808   NtTestAlert  ... ) == 0x0
 02689  1336   NtTestAlert  ... ) == 0x0
 02691  1332   NtTestAlert  (...
 02692  1656   NtWaitForSingleObject  (88, 0, 0x0, ...
 02693  1440   NtSetEventBoostPriority  (88, ...
 02694   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02695  1716   NtTestAlert  (...
 02696  1624   NtContinue  (92077360, 1, ...
 02697  1568   NtContinue  (91028784, 1, ...
 02698  1964   NtContinue  (89980208, 1, ...
 02699   312   NtContinue  (88931632, 1, ...
 02700   164   NtContinue  (87883056, 1, ...
 02701  1564   NtContinue  (86834480, 1, ...
 02702  1380   NtContinue  (85785904, 1, ...
 02703  1512   NtContinue  (84737328, 1, ...
 02704   752   NtContinue  (83688752, 1, ...
 02705   468   NtContinue  (82640176, 1, ...
 02706  1808   NtContinue  (81591600, 1, ...
 02707  1336   NtContinue  (80543024, 1, ...
 02691  1332   NtTestAlert  ... ) == 0x0
 02607  1664   NtWaitForSingleObject  ... ) == 0x0
 02693  1440   NtSetEventBoostPriority  ... ) == 0x0
 02694   896   NtAllocateVirtualMemory  ... 99418112, 1048576, ) == 0x0
 02695  1716   NtTestAlert  ... ) == 0x0
 02708  1624   NtRegisterThreadTerminatePort  (24, ...
 02709  1568   NtRegisterThreadTerminatePort  (24, ...
 02710  1964   NtRegisterThreadTerminatePort  (24, ...
 02711   312   NtRegisterThreadTerminatePort  (24, ...
 02712   164   NtRegisterThreadTerminatePort  (24, ...
 02713  1564   NtRegisterThreadTerminatePort  (24, ...
 02714  1380   NtRegisterThreadTerminatePort  (24, ...
 02715  1512   NtRegisterThreadTerminatePort  (24, ...
 02716   752   NtRegisterThreadTerminatePort  (24, ...
 02717   468   NtRegisterThreadTerminatePort  (24, ...
 02718  1808   NtRegisterThreadTerminatePort  (24, ...
 02719  1336   NtRegisterThreadTerminatePort  (24, ...
 02720  1664   NtSetEventBoostPriority  (88, ...
 02721  1332   NtContinue  (79494448, 1, ...
 02722   896   NtAllocateVirtualMemory  (-1, 100458496, 0, 8192, 4096, 4, ...
 02723  1716   NtContinue  (93125936, 1, ...
 02708  1624   NtRegisterThreadTerminatePort  ... ) == 0x0
 02709  1568   NtRegisterThreadTerminatePort  ... ) == 0x0
 02710  1964   NtRegisterThreadTerminatePort  ... ) == 0x0
 02711   312   NtRegisterThreadTerminatePort  ... ) == 0x0
 02712   164   NtRegisterThreadTerminatePort  ... ) == 0x0
 02713  1564   NtRegisterThreadTerminatePort  ... ) == 0x0
 02714  1380   NtRegisterThreadTerminatePort  ... ) == 0x0
 02715  1512   NtRegisterThreadTerminatePort  ... ) == 0x0
 02716   752   NtRegisterThreadTerminatePort  ... ) == 0x0
 02717   468   NtRegisterThreadTerminatePort  ... ) == 0x0
 02718  1808   NtRegisterThreadTerminatePort  ... ) == 0x0
 02620  1972   NtWaitForSingleObject  ... ) == 0x0
 02720  1664   NtSetEventBoostPriority  ... ) == 0x0
 02719  1336   NtRegisterThreadTerminatePort  ... ) == 0x0
 02724  1332   NtRegisterThreadTerminatePort  (24, ...
 02722   896   NtAllocateVirtualMemory  ... 100458496, 8192, ) == 0x0
 02725  1716   NtRegisterThreadTerminatePort  (24, ...
 02726  1624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02727  1568   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02728  1964   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02729   312   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02730   164   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02731  1564   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02732  1380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02733  1512   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02734   752   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02735   468   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02736  1972   NtSetEventBoostPriority  (88, ...
 02737  1808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02738  1440   NtTestAlert  (...
 02739  1336   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02724  1332   NtRegisterThreadTerminatePort  ... ) == 0x0
 02740  1664   NtTestAlert  (...
 02741   896   NtProtectVirtualMemory  (-1, (0x5fce000), 4096, 260, ...
 02725  1716   NtRegisterThreadTerminatePort  ... ) == 0x0
 02726  1624   NtDuplicateObject  ... 796, ) == 0x0
 02727  1568   NtDuplicateObject  ... 800, ) == 0x0
 02728  1964   NtDuplicateObject  ... 804, ) == 0x0
 02729   312   NtDuplicateObject  ... 808, ) == 0x0
 02730   164   NtDuplicateObject  ... 812, ) == 0x0
 02731  1564   NtDuplicateObject  ... 816, ) == 0x0
 02732  1380   NtDuplicateObject  ... 820, ) == 0x0
 02733  1512   NtDuplicateObject  ... 824, ) == 0x0
 02734   752   NtDuplicateObject  ... 828, ) == 0x0
 02632  1036   NtWaitForSingleObject  ... ) == 0x0
 02736  1972   NtSetEventBoostPriority  ... ) == 0x0
 02735   468   NtDuplicateObject  ... 832, ) == 0x0
 02738  1440   NtTestAlert  ... ) == 0x0
 02737  1808   NtDuplicateObject  ... 836, ) == 0x0
 02742  1332   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02740  1664   NtTestAlert  ... ) == 0x0
 02741   896   NtProtectVirtualMemory  ... (0x5fce000), 4096, 4, ) == 0x0
 02743  1716   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02744  1624   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02745  1568   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02746  1964   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02747   312   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02748   164   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02749  1564   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02750  1380   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02751  1512   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02752  1036   NtSetEventBoostPriority  (88, ...
 02753   752   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02739  1336   NtDuplicateObject  ... 840, ) == 0x0
 02754   468   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02755  1440   NtContinue  (94174512, 1, ...
 02756  1808   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02757  1972   NtTestAlert  (...
 02758  1664   NtContinue  (95223088, 1, ...
 02759   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02743  1716   NtDuplicateObject  ... 844, ) == 0x0
 02744  1624   NtWaitForSingleObject  ... ) == 0x102
 02745  1568   NtWaitForSingleObject  ... ) == 0x102
 02746  1964   NtWaitForSingleObject  ... ) == 0x102
 02747   312   NtWaitForSingleObject  ... ) == 0x102
 02748   164   NtWaitForSingleObject  ... ) == 0x102
 02749  1564   NtWaitForSingleObject  ... ) == 0x102
 02750  1380   NtWaitForSingleObject  ... ) == 0x102
 02645  1248   NtWaitForSingleObject  ... ) == 0x0
 02752  1036   NtSetEventBoostPriority  ... ) == 0x0
 02751  1512   NtWaitForSingleObject  ... ) == 0x102
 02753   752   NtWaitForSingleObject  ... ) == 0x102
 02760  1336   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ...
 02754   468   NtWaitForSingleObject  ... ) == 0x102
 02761  1440   NtRegisterThreadTerminatePort  (24, ...
 02756  1808   NtWaitForSingleObject  ... ) == 0x102
 02757  1972   NtTestAlert  ... ) == 0x0
 02762  1664   NtRegisterThreadTerminatePort  (24, ...
 02759   896   NtCreateThread  ... 848, {1252, 760}, ) == 0x0
 02763  1716   NtWaitForSingleObject  (284, 0, 0x0, ...
 02764  1624   NtWaitForSingleObject  (284, 0, 0x0, ...
 02765  1568   NtWaitForSingleObject  (284, 0, 0x0, ...
 02766  1964   NtWaitForSingleObject  (284, 0, 0x0, ...
 02767   312   NtWaitForSingleObject  (284, 0, 0x0, ...
 02768   164   NtWaitForSingleObject  (284, 0, 0x0, ...
 02769  1564   NtWaitForSingleObject  (284, 0, 0x0, ...
 02770  1248   NtWaitForSingleObject  (284, 0, 0x0, ...
 02771  1380   NtWaitForSingleObject  (284, 0, 0x0, ...
 02742  1332   NtDuplicateObject  ... 852, ) == 0x0
 02772  1512   NtWaitForSingleObject  (284, 0, 0x0, ...
 02773   752   NtWaitForSingleObject  (284, 0, 0x0, ...
 02760  1336   NtAllocateVirtualMemory  ... 1413120, 4096, ) == 0x0
 02774   468   NtWaitForSingleObject  (284, 0, 0x0, ...
 02761  1440   NtRegisterThreadTerminatePort  ... ) == 0x0
 02775  1808   NtWaitForSingleObject  (284, 0, 0x0, ...
 02776  1972   NtContinue  (96271664, 1, ...
 02762  1664   NtRegisterThreadTerminatePort  ... ) == 0x0
 02777   896   NtQueryInformationThread  (848, Basic, 28, ...
 02778  1332   NtWaitForSingleObject  (284, 0, 0x0, ...
 02779  1336   NtSetEventBoostPriority  (284, ...
 02780  1440   NtWaitForSingleObject  (284, 0, 0x0, ...
 02781  1972   NtRegisterThreadTerminatePort  (24, ...
 02782  1664   NtWaitForSingleObject  (284, 0, 0x0, ...
 02777   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1252,Tid=760,}, 0x0, ) == 0x0
 02763  1716   NtWaitForSingleObject  ... ) == 0x0
 02779  1336   NtSetEventBoostPriority  ... ) == 0x0
 02783  1036   NtTestAlert  (...
 02781  1972   NtRegisterThreadTerminatePort  ... ) == 0x0
 02784  1716   NtSetEventBoostPriority  (284, ...
 02785  1336   NtWaitForSingleObject  (284, 0, 0x0, ...
 02783  1036   NtTestAlert  ... ) == 0x0
 02764  1624   NtWaitForSingleObject  ... ) == 0x0
 02784  1716   NtSetEventBoostPriority  ... ) == 0x0
 02786  1972   NtWaitForSingleObject  (284, 0, 0x0, ...
 02787   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81952, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\344\4\0\0\370\2\0\0" ...  ...
 02788  1624   NtSetEventBoostPriority  (284, ...
 02789  1036   NtContinue  (97320240, 1, ...
 02790  1716   NtWaitForSingleObject  (284, 0, 0x0, ...
 02765  1568   NtWaitForSingleObject  ... ) == 0x0
 02788  1624   NtSetEventBoostPriority  ... ) == 0x0
 02787   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81953, 0}  ... {28, 56, reply, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\344\4\0\0\370\2\0\0" )  ) == 0x0
 02791  1036   NtRegisterThreadTerminatePort  (24, ...
 02792  1568   NtSetEventBoostPriority  (284, ...
 02793   896   NtResumeThread  (848, ...
 02766  1964   NtWaitForSingleObject  ... ) == 0x0
 02792  1568   NtSetEventBoostPriority  ... ) == 0x0
 02791  1036   NtRegisterThreadTerminatePort  ... ) == 0x0
 02794  1964   NtSetEventBoostPriority  (284, ...
 02793   896   NtResumeThread  ... 1, ) == 0x0
 02795  1624   NtWaitForSingleObject  (124, 0, 0x0, ...
 02767   312   NtWaitForSingleObject  ... ) == 0x0
 02794  1964   NtSetEventBoostPriority  ... ) == 0x0
 02796  1036   NtWaitForSingleObject  (284, 0, 0x0, ...
 02797   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02798   312   NtSetEventBoostPriority  (284, ...
 02799  1568   NtWaitForSingleObject  (124, 0, 0x0, ...
 02800   760   NtWaitForSingleObject  (88, 0, 0x0, ...
 02801  1964   NtWaitForSingleObject  (124, 0, 0x0, ...
 02768   164   NtWaitForSingleObject  ... ) == 0x0
 02798   312   NtSetEventBoostPriority  ... ) == 0x0
 02802   164   NtSetEventBoostPriority  (284, ...
 02797   896   NtAllocateVirtualMemory  ... 100466688, 1048576, ) == 0x0
 02770  1248   NtWaitForSingleObject  ... ) == 0x0
 02802   164   NtSetEventBoostPriority  ... ) == 0x0
 02803  1248   NtSetEventBoostPriority  (284, ...
 02804   896   NtAllocateVirtualMemory  (-1, 101507072, 0, 8192, 4096, 4, ...
 02805   312   NtWaitForSingleObject  (124, 0, 0x0, ...
 02769  1564   NtWaitForSingleObject  ... ) == 0x0
 02803  1248   NtSetEventBoostPriority  ... ) == 0x0
 02804   896   NtAllocateVirtualMemory  ... 101507072, 8192, ) == 0x0
 02806  1564   NtSetEventBoostPriority  (284, ...
 02807   164   NtWaitForSingleObject  (124, 0, 0x0, ...
 02771  1380   NtWaitForSingleObject  ... ) == 0x0
 02806  1564   NtSetEventBoostPriority  ... ) == 0x0
 02808   896   NtProtectVirtualMemory  (-1, (0x60ce000), 4096, 260, ...
 02809  1380   NtSetEventBoostPriority  (284, ...
 02810  1248   NtSetEventBoostPriority  (88, ...
 02772  1512   NtWaitForSingleObject  ... ) == 0x0
 02809  1380   NtSetEventBoostPriority  ... ) == 0x0
 02808   896   NtProtectVirtualMemory  ... (0x60ce000), 4096, 4, ) == 0x0
 02811  1512   NtSetEventBoostPriority  (284, ...
 02692  1656   NtWaitForSingleObject  ... ) == 0x0
 02810  1248   NtSetEventBoostPriority  ... ) == 0x0
 02812  1564   NtWaitForSingleObject  (124, 0, 0x0, ...
 02773   752   NtWaitForSingleObject  ... ) == 0x0
 02813  1656   NtWaitForSingleObject  (284, 0, 0x0, ...
 02811  1512   NtSetEventBoostPriority  ... ) == 0x0
 02814   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02815  1248   NtTestAlert  (...
 02816   752   NtSetEventBoostPriority  (284, ...
 02817  1380   NtWaitForSingleObject  (124, 0, 0x0, ...
 02818  1512   NtWaitForSingleObject  (124, 0, 0x0, ...
 02774   468   NtWaitForSingleObject  ... ) == 0x0
 02816   752   NtSetEventBoostPriority  ... ) == 0x0
 02815  1248   NtTestAlert  ... ) == 0x0
 02819   468   NtSetEventBoostPriority  (284, ...
 02814   896   NtCreateThread  ... 856, {1252, 484}, ) == 0x0
 02775  1808   NtWaitForSingleObject  ... ) == 0x0
 02819   468   NtSetEventBoostPriority  ... ) == 0x0
 02820  1248   NtContinue  (98368816, 1, ...
 02821  1808   NtSetEventBoostPriority  (284, ...
 02822   896   NtQueryInformationThread  (856, Basic, 28, ...
 02823   752   NtWaitForSingleObject  (124, 0, 0x0, ...
 02778  1332   NtWaitForSingleObject  ... ) == 0x0
 02821  1808   NtSetEventBoostPriority  ... ) == 0x0
 02824  1248   NtRegisterThreadTerminatePort  (24, ...
 02822   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1252,Tid=484,}, 0x0, ) == 0x0
 02825  1332   NtSetEventBoostPriority  (284, ...
 02826   468   NtWaitForSingleObject  (124, 0, 0x0, ...
 02827  1808   NtWaitForSingleObject  (124, 0, 0x0, ...
 02780  1440   NtWaitForSingleObject  ... ) == 0x0
 02825  1332   NtSetEventBoostPriority  ... ) == 0x0
 02828   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\344\4\0\0\344\1\0\0" ...  ...
 02829  1440   NtSetEventBoostPriority  (284, ...
 02824  1248   NtRegisterThreadTerminatePort  ... ) == 0x0
 02782  1664   NtWaitForSingleObject  ... ) == 0x0
 02828   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81954, 0}  ... {28, 56, reply, 0, 1252, 896, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\344\4\0\0\344\1\0\0" )  ) == 0x0
 02830  1248   NtWaitForSingleObject  (284, 0, 0x0, ...
 02831  1664   NtSetEventBoostPriority  (284, ...
 02829  1440   NtSetEventBoostPriority  ... ) == 0x0
 02832  1332   NtWaitForSingleObject  (284, 0, 0x0, ...
 02785  1336   NtWaitForSingleObject  ... ) == 0x0
 02833  1440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02834  1336   NtSetEventBoostPriority  (284, ...
 02833  1440   NtDuplicateObject  ... 860, ) == 0x0
 02790  1716   NtWaitForSingleObject  ... ) == 0x0
 02834  1336   NtSetEventBoostPriority  ... ) == 0x0
 02831  1664   NtSetEventBoostPriority  ... ) == 0x0
 02835   896   NtResumeThread  (856, ...
 02836  1716   NtSetEventBoostPriority  (284, ...
 02837  1336   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02838  1664   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02835   896   NtResumeThread  ... 1, ) == 0x0
 02786  1972   NtWaitForSingleObject  ... ) == 0x0
 02836  1716   NtSetEventBoostPriority  ... ) == 0x0
 02838  1664   NtDuplicateObject  ... 864, ) == 0x0
 02839  1972   NtSetEventBoostPriority  (284, ...
 02840   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02841  1716   NtWaitForSingleObject  (284, 0, 0x0, ...
 02842  1440   NtWaitForSingleObject  (284, 0, 0x0, ...
 02843   484   NtWaitForSingleObject  (88, 0, 0x0, ...
 02837  1336   NtWaitForSingleObject  ... ) == 0x102
 02796  1036   NtWaitForSingleObject  ... ) == 0x0
 02840   896   NtAllocateVirtualMemory  ... 101515264, 1048576, ) == 0x0
 02839  1972   NtSetEventBoostPriority  ... ) == 0x0
 02844  1664   NtWaitForSingleObject  (284, 0, 0x0, ...
 02845  1336   NtWaitForSingleObject  (284, 0, 0x0, ...
 02846  1036   NtSetEventBoostPriority  (284, ...
 02847   896   NtAllocateVirtualMemory  (-1, 102555648, 0, 8192, 4096, 4, ...
 02848  1972   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02813  1656   NtWaitForSingleObject  ... ) == 0x0
 02847   896   NtAllocateVirtualMemory  ... 102555648, 8192, ) == 0x0
 02849  1656   NtSetEventBoostPriority  (284, ...
 02848  1972   NtDuplicateObject  ... 868, ) == 0x0
 02846  1036   NtSetEventBoostPriority  ... ) == 0x0
 02830  1248   NtWaitForSingleObject  ... ) == 0x0
 02849  1656   NtSetEventBoostPriority  ... ) == 0x0
 02850   896   NtProtectVirtualMemory  (-1, (0x61ce000), 4096, 260, ...
 02851  1248   NtSetEventBoostPriority  (284, ...
 02852  1036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02853  1972   NtWaitForSingleObject  (284, 0, 0x0, ...
 02832  1332   NtWaitForSingleObject  ... ) == 0x0
 02851  1248   NtSetEventBoostPriority  ... ) == 0x0
 02850   896   NtProtectVirtualMemory  ... (0x61ce000), 4096, 4, ) == 0x0
 02852  1036   NtDuplicateObject  ... 872, ) == 0x0
 02854  1332   NtSetEventBoostPriority  (284, ...
 02855  1656   NtSetEventBoostPriority  (88, ...
 02856   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02857  1248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02842  1440   NtWaitForSingleObject  ... ) == 0x0
 02854  1332   NtSetEventBoostPriority  ... ) == 0x0
 02690   384   NtWaitForSingleObject  ... ) == 0x0
 02855  1656   NtSetEventBoostPriority  ... ) == 0x0
 02856   896   NtCreateThread  ... 876, {1252, 1580}, ) == 0x0
 02858  1440   NtSetEventBoostPriority  (284, ...
 02857  1248   NtDuplicateObject  ... 880, ) == 0x0
 02859   384   NtSetEventBoostPriority  (88, ...
 02860  1332   NtWaitForSingleObject  (356, 0, 0x0, ...
 02861  1656   NtTestAlert  (...
 02844  1664   NtWaitForSingleObject  ... ) == 0x0
 02858  1440   NtSetEventBoostPriority  ... ) == 0x0
 02862   896   NtQueryInformationThread  (876, Basic, 28, ...
 02800   760   NtWaitForSingleObject  ... ) == 0x0
 02863  1248   NtWaitForSingleObject  (284, 0, 0x0, ...
 02859   384   NtSetEventBoostPriority  ... ) == 0x0
 02864  1036   NtWaitForSingleObject  (284, 0, 0x0, ...
 02865  1664   NtSetEventBoostPriority  (284, ...
 02861  1656   NtTestAlert  ... ) == 0x0
 02866  1440   NtWaitForSingleObject  (284, 0, 0x0, ...
 02862   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1252,Tid=1580,}, 0x0, ) == 0x0
 02867   760   NtWaitForSingleObject  (284, 0, 0x0, ...
 02868   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 02845  1336   NtWaitForSingleObject  ... ) == 0x0
 02865  1664   NtSetEventBoostPriority  ... ) == 0x0
 02869  1656   NtContinue  (99417392, 1, ...
 02870  1336   NtSetEventBoostPriority  (284, ...
 02871  1664   NtWaitForSingleObject  (284, 0, 0x0, ...
 02841  1716   NtWaitForSingleObject  ... ) == 0x0
 02870  1336   NtSetEventBoostPriority  ... ) == 0x0
 02872  1656   NtRegisterThreadTerminatePort  (24, ...
 02873   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81954, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\344\4\0\0,\6\0\0" ...  ...
 02874  1716   NtSetEventBoostPriority  (284, ...
 02875  1336   NtWaitForSingleObject  (124, 0, 0x0, ...
 02853  1972   NtWaitForSingleObject  ... ) == 0x0
 02873   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81955, 0}  ... {28, 56, reply, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\344\4\0\0,\6\0\0" )  ) == 0x0
 02876  1972   NtSetEventBoostPriority  (284, ...
 02877   896   NtResumeThread  (876, ...
 02863  1248   NtWaitForSingleObject  ... ) == 0x0
 02876  1972   NtSetEventBoostPriority  ... ) == 0x0
 02878  1248   NtSetEventBoostPriority  (284, ...
 02877   896   NtResumeThread  ... 1, ) == 0x0
 02864  1036   NtWaitForSingleObject  ... ) == 0x0
 02878  1248   NtSetEventBoostPriority  ... ) == 0x0
 02879  1972   NtWaitForSingleObject  (284, 0, 0x0, ...
 02880  1036   NtSetEventBoostPriority  (284, ...
 02881   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02874  1716   NtSetEventBoostPriority  ... ) == 0x0
 02872  1656   NtRegisterThreadTerminatePort  ... ) == 0x0
 02882  1580   NtWaitForSingleObject  (88, 0, 0x0, ...
 02883  1248   NtWaitForSingleObject  (284, 0, 0x0, ...
 02866  1440   NtWaitForSingleObject  ... ) == 0x0
 02880  1036   NtSetEventBoostPriority  ... ) == 0x0
 02884  1716   NtSetEventBoostPriority  (356, ...
 02885  1656   NtWaitForSingleObject  (284, 0, 0x0, ...
 02886  1440   NtSetEventBoostPriority  (284, ...
 02887  1036   NtWaitForSingleObject  (284, 0, 0x0, ...
 02860  1332   NtWaitForSingleObject  ... ) == 0x0
 02884  1716   NtSetEventBoostPriority  ... ) == 0x0
 02867   760   NtWaitForSingleObject  ... ) == 0x0
 02886  1440   NtSetEventBoostPriority  ... ) == 0x0
 02881   896   NtAllocateVirtualMemory  ... 102563840, 1048576, ) == 0x0
 02888  1332   NtWaitForSingleObject  (284, 0, 0x0, ...
 02889   760   NtSetEventBoostPriority  (284, ...
 02890  1440   NtWaitForSingleObject  (356, 0, 0x0, ...
 02891   896   NtAllocateVirtualMemory  (-1, 103604224, 0, 8192, 4096, 4, ...
 02868   384   NtWaitForSingleObject  ... ) == 0x0
 02889   760   NtSetEventBoostPriority  ... ) == 0x0
 02892   384   NtSetEventBoostPriority  (284, ...
 02891   896   NtAllocateVirtualMemory  ... 103604224, 8192, ) == 0x0
 02893  1716   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02871  1664   NtWaitForSingleObject  ... ) == 0x0
 02892   384   NtSetEventBoostPriority  ... ) == 0x0
 02894   896   NtProtectVirtualMemory  (-1, (0x62ce000), 4096, 260, ...
 02895  1664   NtSetEventBoostPriority  (284, ...
 02893  1716   NtWaitForSingleObject  ... ) == 0x102
 02896   760   NtSetEventBoostPriority  (88, ...
 02879  1972   NtWaitForSingleObject  ... ) == 0x0
 02894   896   NtProtectVirtualMemory  ... (0x62ce000), 4096, 4, ) == 0x0
 02897  1716   NtWaitForSingleObject  (124, 0, 0x0, ...
 02843   484   NtWaitForSingleObject  ... ) == 0x0
 02896   760   NtSetEventBoostPriority  ... ) == 0x0
 02898  1972   NtSetEventBoostPriority  (284, ...
 02899   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02900   484   NtWaitForSingleObject  (284, 0, 0x0, ...
 02901   760   NtTestAlert  (...
 02883  1248   NtWaitForSingleObject  ... ) == 0x0
 02898  1972   NtSetEventBoostPriority  ... ) == 0x0
 02895  1664   NtSetEventBoostPriority  ... ) == 0x0
 02902   384   NtSetEventBoostPriority  (124, ...
 02901   760   NtTestAlert  ... ) == 0x0
 02903  1248   NtSetEventBoostPriority  (284, ...
 02904  1972   NtWaitForSingleObject  (356, 0, 0x0, ...
 02905  1664   NtWaitForSingleObject  (356, 0, 0x0, ...
 00856   420   NtWaitForSingleObject  ... ) == 0x0
 02902   384   NtSetEventBoostPriority  ... ) == 0x0
 02906   760   NtContinue  (100465968, 1, ...
 02885  1656   NtWaitForSingleObject  ... ) == 0x0
 02903  1248   NtSetEventBoostPriority  ... ) == 0x0
 02907   420   NtWaitForSingleObject  (284, 0, 0x0, ...
 02908   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 02909  1656   NtSetEventBoostPriority  (284, ...
 02910   760   NtRegisterThreadTerminatePort  (24, ...
 02911  1248   NtWaitForSingleObject  (356, 0, 0x0, ...
 02887  1036   NtWaitForSingleObject  ... ) == 0x0
 02909  1656   NtSetEventBoostPriority  ... ) == 0x0
 02899   896   NtCreateThread  ... 884, {1252, 1756}, ) == 0x0
 02910   760   NtRegisterThreadTerminatePort  ... ) == 0x0
 02912  1036   NtSetEventBoostPriority  (284, ...
 02913   896   NtQueryInformationThread  (884, Basic, 28, ...
 02888  1332   NtWaitForSingleObject  ... ) == 0x0
 02914   760   NtWaitForSingleObject  (284, 0, 0x0, ...
 02915  1332   NtSetEventBoostPriority  (284, ...
 02913   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1252,Tid=1756,}, 0x0, ) == 0x0
 02900   484   NtWaitForSingleObject  ... ) == 0x0
 02916   484   NtSetEventBoostPriority  (284, ...
 02907   420   NtWaitForSingleObject  ... ) == 0x0
 02917   420   NtSetEventBoostPriority  (284, ...
 02908   384   NtWaitForSingleObject  ... ) == 0x0
 02918   384   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0
 02917   420   NtSetEventBoostPriority  ... ) == 0x0
 02916   484   NtSetEventBoostPriority  ... ) == 0x0
 02919   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81955, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\344\4\0\0\334\6\0\0" ...  ...
 02915  1332   NtSetEventBoostPriority  ... ) == 0x0
 02912  1036   NtSetEventBoostPriority  ... ) == 0x0
 02920  1656   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02921   384   NtSetEventBoostPriority  (284, ...
 02922   420   NtWaitForSingleObject  (284, 0, 0x0, ...
 02919   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81956, 0}  ... {28, 56, reply, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\344\4\0\0\334\6\0\0" )  ) == 0x0
 02923   484   NtSetEventBoostPriority  (88, ...
 02924  1036   NtWaitForSingleObject  (356, 0, 0x0, ...
 02920  1656   NtDuplicateObject  ... 888, ) == 0x0
 02914   760   NtWaitForSingleObject  ... ) == 0x0
 02921   384   NtSetEventBoostPriority  ... ) == 0x0
 02925  1332   NtSetEventBoostPriority  (356, ...
 02882  1580   NtWaitForSingleObject  ... ) == 0x0
 02923   484   NtSetEventBoostPriority  ... ) == 0x0
 02926   760   NtSetEventBoostPriority  (284, ...
 02927  1656   NtWaitForSingleObject  (284, 0, 0x0, ...
 02928   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 02929  1580   NtWaitForSingleObject  (284, 0, 0x0, ...
 02890  1440   NtWaitForSingleObject  ... ) == 0x0
 02925  1332   NtSetEventBoostPriority  ... ) == 0x0
 02922   420   NtWaitForSingleObject  ... ) == 0x0
 02926   760   NtSetEventBoostPriority  ... ) == 0x0
 02930   484   NtTestAlert  (...
 02931  1440   NtWaitForSingleObject  (284, 0, 0x0, ...
 02932   420   NtSetEventBoostPriority  (284, ...
 02933  1332   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02934   896   NtResumeThread  (884, ...
 02927  1656   NtWaitForSingleObject  ... ) == 0x0
 02932   420   NtSetEventBoostPriority  ... ) == 0x0
 02930   484   NtTestAlert  ... ) == 0x0
 02933  1332   NtWaitForSingleObject  ... ) == 0x102
 02935  1656   NtSetEventBoostPriority  (284, ...
 02934   896   NtResumeThread  ... 1, ) == 0x0
 02936   420   NtWaitForSingleObject  (284, 0, 0x0, ...
 02937   484   NtContinue  (101514544, 1, ...
 02929  1580   NtWaitForSingleObject  ... ) == 0x0
 02935  1656   NtSetEventBoostPriority  ... ) == 0x0
 02938  1332   NtWaitForSingleObject  (284, 0, 0x0, ...
 02939   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02940   760   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02941  1756   NtWaitForSingleObject  (88, 0, 0x0, ...
 02942  1580   NtSetEventBoostPriority  (284, ...
 02943   484   NtRegisterThreadTerminatePort  (24, ...
 02944  1656   NtWaitForSingleObject  (284, 0, 0x0, ...
 02939   896   NtAllocateVirtualMemory  ... 103612416, 1048576, ) == 0x0
 02940   760   NtDuplicateObject  ... 892, ) == 0x0
 02928   384   NtWaitForSingleObject  ... ) == 0x0
 02942  1580   NtSetEventBoostPriority  ... ) == 0x0
 02945   896   NtAllocateVirtualMemory  (-1, 104652800, 0, 8192, 4096, 4, ...
 02946   384   NtSetEventBoostPriority  (284, ...
 02947   760   NtWaitForSingleObject  (284, 0, 0x0, ...
 02943   484   NtRegisterThreadTerminatePort  ... ) == 0x0
 02931  1440   NtWaitForSingleObject  ... ) == 0x0
 02946   384   NtSetEventBoostPriority  ... ) == 0x0
 02945   896   NtAllocateVirtualMemory  ... 104652800, 8192, ) == 0x0
 02948  1440   NtSetEventBoostPriority  (284, ...
 02949   484   NtWaitForSingleObject  (284, 0, 0x0, ...
 02950  1580   NtSetEventBoostPriority  (88, ...
 02951   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 02936   420   NtWaitForSingleObject  ... ) == 0x0
 02948  1440   NtSetEventBoostPriority  ... ) == 0x0
 02941  1756   NtWaitForSingleObject  ... ) == 0x0
 02950  1580   NtSetEventBoostPriority  ... ) == 0x0
 02952   420   NtSetEventBoostPriority  (284, ...
 02953   896   NtProtectVirtualMemory  (-1, (0x63ce000), 4096, 260, ...
 02954  1756   NtWaitForSingleObject  (284, 0, 0x0, ...
 02938  1332   NtWaitForSingleObject  ... ) == 0x0
 02955  1580   NtTestAlert  (...
 02953   896   NtProtectVirtualMemory  ... (0x63ce000), 4096, 4, ) == 0x0
 02956  1332   NtSetEventBoostPriority  (284, ...
 02955  1580   NtTestAlert  ... ) == 0x0
 02957   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02944  1656   NtWaitForSingleObject  ... ) == 0x0
 02958  1580   NtContinue  (102563120, 1, ...
 02957   896   NtCreateThread  ... 896, {1252, 1304}, ) == 0x0
 02959  1656   NtSetEventBoostPriority  (284, ...
 02960  1580   NtRegisterThreadTerminatePort  (24, ...
 02961   896   NtQueryInformationThread  (896, Basic, 28, ...
 02947   760   NtWaitForSingleObject  ... ) == 0x0
 02959  1656   NtSetEventBoostPriority  ... ) == 0x0
 02956  1332   NtSetEventBoostPriority  ... ) == 0x0
 02952   420   NtSetEventBoostPriority  ... ) == 0x0
 02962  1440   NtSetEventBoostPriority  (356, ...
 02963   760   NtSetEventBoostPriority  (284, ...
 02961   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1252,Tid=1304,}, 0x0, ) == 0x0
 02964  1656   NtWaitForSingleObject  (284, 0, 0x0, ...
 02965  1332   NtWaitForSingleObject  (124, 0, 0x0, ...
 02966   420   NtSetEventBoostPriority  (124, ...
 02949   484   NtWaitForSingleObject  ... ) == 0x0
 02963   760   NtSetEventBoostPriority  ... ) == 0x0
 02904  1972   NtWaitForSingleObject  ... ) == 0x0
 02962  1440   NtSetEventBoostPriority  ... ) == 0x0
 02960  1580   NtRegisterThreadTerminatePort  ... ) == 0x0
 02967   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81956, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\344\4\0\0\30\5\0\0" ...  ...
 02968   484   NtSetEventBoostPriority  (284, ...
 00858   596   NtWaitForSingleObject  ... ) == 0x0
 02966   420   NtSetEventBoostPriority  ... ) == 0x0
 02969  1972   NtWaitForSingleObject  (284, 0, 0x0, ...
 02970  1440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02971  1580   NtWaitForSingleObject  (284, 0, 0x0, ...
 02951   384   NtWaitForSingleObject  ... ) == 0x0
 02972   596   NtWaitForSingleObject  (284, 0, 0x0, ...
 02968   484   NtSetEventBoostPriority  ... ) == 0x0
 02967   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81957, 0}  ... {28, 56, reply, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\344\4\0\0\30\5\0\0" )  ) == 0x0
 02973   760   NtWaitForSingleObject  (284, 0, 0x0, ...
 02970  1440   NtWaitForSingleObject  ... ) == 0x102
 02974   384   NtSetEventBoostPriority  (284, ...
 02975   420   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02976   896   NtResumeThread  (896, ...
 02954  1756   NtWaitForSingleObject  ... ) == 0x0
 02974   384   NtSetEventBoostPriority  ... ) == 0x0
 02977  1440   NtWaitForSingleObject  (124, 0, 0x0, ...
 02975   420   NtCreateEvent  ... 900, ) == 0x0
 02978  1756   NtSetEventBoostPriority  (284, ...
 02976   896   NtResumeThread  ... 1, ) == 0x0
 02979   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 02980   484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02981  1304   NtWaitForSingleObject  (88, 0, 0x0, ...
 02964  1656   NtWaitForSingleObject  ... ) == 0x0
 02978  1756   NtSetEventBoostPriority  ... ) == 0x0
 02982   420   NtWaitForSingleObject  (284, 0, 0x0, ...
 02983   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02980   484   NtDuplicateObject  ... 904, ) == 0x0
 02984  1656   NtSetEventBoostPriority  (284, ...
 02985  1756   NtSetEventBoostPriority  (88, ...
 02969  1972   NtWaitForSingleObject  ... ) == 0x0
 02986   484   NtWaitForSingleObject  (284, 0, 0x0, ...
 02987  1972   NtSetEventBoostPriority  (284, ...
 02981  1304   NtWaitForSingleObject  ... ) == 0x0
 02985  1756   NtSetEventBoostPriority  ... ) == 0x0
 02972   596   NtWaitForSingleObject  ... ) == 0x0
 02988  1304   NtWaitForSingleObject  (284, 0, 0x0, ...
 02987  1972   NtSetEventBoostPriority  ... ) == 0x0
 02989   596   NtSetEventBoostPriority  (284, ...
 02990  1756   NtTestAlert  (...
 02984  1656   NtSetEventBoostPriority  ... ) == 0x0
 02983   896   NtAllocateVirtualMemory  ... 104660992, 1048576, ) == 0x0
 02971  1580   NtWaitForSingleObject  ... ) == 0x0
 02989   596   NtSetEventBoostPriority  ... ) == 0x0
 02990  1756   NtTestAlert  ... ) == 0x0
 02991  1656   NtWaitForSingleObject  (356, 0, 0x0, ...
 02992  1580   NtSetEventBoostPriority  (284, ...
 02993   896   NtAllocateVirtualMemory  (-1, 105701376, 0, 8192, 4096, 4, ...
 02994  1972   NtSetEventBoostPriority  (356, ...
 02995  1756   NtContinue  (103611696, 1, ...
 02973   760   NtWaitForSingleObject  ... ) == 0x0
 02992  1580   NtSetEventBoostPriority  ... ) == 0x0
 02993   896   NtAllocateVirtualMemory  ... 105701376, 8192, ) == 0x0
 02905  1664   NtWaitForSingleObject  ... ) == 0x0
 02994  1972   NtSetEventBoostPriority  ... ) == 0x0
 02996   760   NtSetEventBoostPriority  (284, ...
 02997  1756   NtRegisterThreadTerminatePort  (24, ...
 02998   596   NtWaitForSingleObject  (284, 0, 0x0, ...
 02999  1664   NtWaitForSingleObject  (284, 0, 0x0, ...
 03000   896   NtProtectVirtualMemory  (-1, (0x64ce000), 4096, 260, ...
 02979   384   NtWaitForSingleObject  ... ) == 0x0
 02996   760   NtSetEventBoostPriority  ... ) == 0x0
 03001  1972   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03002  1580   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03003   384   NtSetEventBoostPriority  (284, ...
 03000   896   NtProtectVirtualMemory  ... (0x64ce000), 4096, 4, ) == 0x0
 03004   760   NtWaitForSingleObject  (356, 0, 0x0, ...
 03001  1972   NtWaitForSingleObject  ... ) == 0x102
 02982   420   NtWaitForSingleObject  ... ) == 0x0
 03002  1580   NtDuplicateObject  ... 908, ) == 0x0
 03005   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03003   384   NtSetEventBoostPriority  ... ) == 0x0
 02997  1756   NtRegisterThreadTerminatePort  ... ) == 0x0
 03006  1972   NtWaitForSingleObject  (284, 0, 0x0, ...
 03007   420   NtSetEventBoostPriority  (284, ...
 03008  1580   NtWaitForSingleObject  (284, 0, 0x0, ...
 03009   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 03010  1756   NtWaitForSingleObject  (284, 0, 0x0, ...
 03005   896   NtCreateThread  ... 912, {1252, 2052}, ) == 0x0
 02986   484   NtWaitForSingleObject  ... ) == 0x0
 03007   420   NtSetEventBoostPriority  ... ) == 0x0
 03011   484   NtSetEventBoostPriority  (284, ...
 03012   896   NtQueryInformationThread  (912, Basic, 28, ...
 02988  1304   NtWaitForSingleObject  ... ) == 0x0
 03011   484   NtSetEventBoostPriority  ... ) == 0x0
 03013  1304   NtSetEventBoostPriority  (284, ...
 03012   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1252,Tid=2052,}, 0x0, ) == 0x0
 03014   420   NtWaitForSingleObject  (284, 0, 0x0, ...
 02999  1664   NtWaitForSingleObject  ... ) == 0x0
 03013  1304   NtSetEventBoostPriority  ... ) == 0x0
 03015   484   NtWaitForSingleObject  (284, 0, 0x0, ...
 03016  1664   NtSetEventBoostPriority  (284, ...
 03017   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81957, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\344\4\0\0\4\10\0\0" ...  ...
 02998   596   NtWaitForSingleObject  ... ) == 0x0
 03016  1664   NtSetEventBoostPriority  ... ) == 0x0
 03018   596   NtSetEventBoostPriority  (284, ...
 03017   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81958, 0}  ... {28, 56, reply, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\344\4\0\0\4\10\0\0" )  ) == 0x0
 03019  1304   NtTestAlert  (...
 03008  1580   NtWaitForSingleObject  ... ) == 0x0
 03018   596   NtSetEventBoostPriority  ... ) == 0x0
 03020   896   NtResumeThread  (912, ...
 03021  1580   NtSetEventBoostPriority  (284, ...
 03019  1304   NtTestAlert  ... ) == 0x0
 03022   596   NtWaitForSingleObject  (284, 0, 0x0, ...
 03009   384   NtWaitForSingleObject  ... ) == 0x0
 03021  1580   NtSetEventBoostPriority  ... ) == 0x0
 03020   896   NtResumeThread  ... 1, ) == 0x0
 03023  1304   NtContinue  (104660272, 1, ...
 03024  1664   NtSetEventBoostPriority  (356, ...
 03025  2052   NtWaitForSingleObject  (284, 0, 0x0, ...
 03026   384   NtSetEventBoostPriority  (284, ...
 03027   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03028  1304   NtRegisterThreadTerminatePort  (24, ...
 02911  1248   NtWaitForSingleObject  ... ) == 0x0
 03024  1664   NtSetEventBoostPriority  ... ) == 0x0
 03010  1756   NtWaitForSingleObject  ... ) == 0x0
 03026   384   NtSetEventBoostPriority  ... ) == 0x0
 03029  1580   NtWaitForSingleObject  (284, 0, 0x0, ...
 03030  1248   NtWaitForSingleObject  (284, 0, 0x0, ...
 03028  1304   NtRegisterThreadTerminatePort  ... ) == 0x0
 03031  1756   NtSetEventBoostPriority  (284, ...
 03032  1664   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03027   896   NtAllocateVirtualMemory  ... 105709568, 1048576, ) == 0x0
 03006  1972   NtWaitForSingleObject  ... ) == 0x0
 03031  1756   NtSetEventBoostPriority  ... ) == 0x0
 03033  1304   NtWaitForSingleObject  (284, 0, 0x0, ...
 03032  1664   NtWaitForSingleObject  ... ) == 0x102
 03034  1972   NtSetEventBoostPriority  (284, ...
 03035   896   NtAllocateVirtualMemory  (-1, 106749952, 0, 8192, 4096, 4, ...
 03036   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 03037  1756   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03014   420   NtWaitForSingleObject  ... ) == 0x0
 03038  1664   NtWaitForSingleObject  (124, 0, 0x0, ...
 03035   896   NtAllocateVirtualMemory  ... 106749952, 8192, ) == 0x0
 03037  1756   NtDuplicateObject  ... 916, ) == 0x0
 03039   420   NtSetEventBoostPriority  (284, ...
 03034  1972   NtSetEventBoostPriority  ... ) == 0x0
 03040   896   NtProtectVirtualMemory  (-1, (0x65ce000), 4096, 260, ...
 03041  1756   NtWaitForSingleObject  (284, 0, 0x0, ...
 03015   484   NtWaitForSingleObject  ... ) == 0x0
 03039   420   NtSetEventBoostPriority  ... ) == 0x0
 03042  1972   NtWaitForSingleObject  (124, 0, 0x0, ...
 03040   896   NtProtectVirtualMemory  ... (0x65ce000), 4096, 4, ) == 0x0
 03043   484   NtSetEventBoostPriority  (284, ...
 03044   420   NtWaitForSingleObject  (284, 0, 0x0, ...
 03022   596   NtWaitForSingleObject  ... ) == 0x0
 03043   484   NtSetEventBoostPriority  ... ) == 0x0
 03045   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03046   596   NtSetEventBoostPriority  (284, ...
 03047   484   NtWaitForSingleObject  (356, 0, 0x0, ...
 03025  2052   NtWaitForSingleObject  ... ) == 0x0
 03046   596   NtSetEventBoostPriority  ... ) == 0x0
 03045   896   NtCreateThread  ... 920, {1252, 2056}, ) == 0x0
 03048  2052   NtSetEventBoostPriority  (284, ...
 03049   596   NtSetEventBoostPriority  (124, ...
 03050   896   NtQueryInformationThread  (920, Basic, 28, ...
 03030  1248   NtWaitForSingleObject  ... ) == 0x0
 03048  2052   NtSetEventBoostPriority  ... ) == 0x0
 00867   376   NtWaitForSingleObject  ... ) == 0x0
 03049   596   NtSetEventBoostPriority  ... ) == 0x0
 03051  1248   NtSetEventBoostPriority  (284, ...
 03050   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1252,Tid=2056,}, 0x0, ) == 0x0
 03052   376   NtWaitForSingleObject  (284, 0, 0x0, ...
 03053  2052   NtTestAlert  (...
 03029  1580   NtWaitForSingleObject  ... ) == 0x0
 03054   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\344\4\0\0\10\10\0\0" ...  ...
 03053  2052   NtTestAlert  ... ) == 0x0
 03055  1580   NtSetEventBoostPriority  (284, ...
 03054   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81959, 0}  ... {28, 56, reply, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\344\4\0\0\10\10\0\0" )  ) == 0x0
 03056  2052   NtContinue  (105708848, 1, ...
 03036   384   NtWaitForSingleObject  ... ) == 0x0
 03055  1580   NtSetEventBoostPriority  ... ) == 0x0
 03051  1248   NtSetEventBoostPriority  ... ) == 0x0
 03057   596   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03058   384   NtSetEventBoostPriority  (284, ...
 03059  2052   NtRegisterThreadTerminatePort  (24, ...
 03060  1580   NtWaitForSingleObject  (356, 0, 0x0, ...
 03061   896   NtResumeThread  (920, ...
 03033  1304   NtWaitForSingleObject  ... ) == 0x0
 03058   384   NtSetEventBoostPriority  ... ) == 0x0
 03057   596   NtCreateEvent  ... 924, ) == 0x0
 03059  2052   NtRegisterThreadTerminatePort  ... ) == 0x0
 03062  1248   NtSetEventBoostPriority  (356, ...
 03063  1304   NtSetEventBoostPriority  (284, ...
 03061   896   NtResumeThread  ... 1, ) == 0x0
 03064   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 03065   596   NtWaitForSingleObject  (284, 0, 0x0, ...
 03066  2052   NtWaitForSingleObject  (284, 0, 0x0, ...
 03041  1756   NtWaitForSingleObject  ... ) == 0x0
 02924  1036   NtWaitForSingleObject  ... ) == 0x0
 03062  1248   NtSetEventBoostPriority  ... ) == 0x0
 03067   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03063  1304   NtSetEventBoostPriority  ... ) == 0x0
 03068  2056   NtWaitForSingleObject  (284, 0, 0x0, ...
 03069  1036   NtWaitForSingleObject  (284, 0, 0x0, ...
 03070  1756   NtSetEventBoostPriority  (284, ...
 03071  1248   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03067   896   NtAllocateVirtualMemory  ... 106758144, 1048576, ) == 0x0
 03072  1304   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03044   420   NtWaitForSingleObject  ... ) == 0x0
 03070  1756   NtSetEventBoostPriority  ... ) == 0x0
 03071  1248   NtWaitForSingleObject  ... ) == 0x102
 03073   896   NtAllocateVirtualMemory  (-1, 107798528, 0, 8192, 4096, 4, ...
 03074   420   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ...
 03072  1304   NtDuplicateObject  ... 928, ) == 0x0
 03075  1248   NtWaitForSingleObject  (284, 0, 0x0, ...
 03074   420   NtAllocateVirtualMemory  ... 1421312, 4096, ) == 0x0
 03073   896   NtAllocateVirtualMemory  ... 107798528, 8192, ) == 0x0
 03076  1756   NtWaitForSingleObject  (284, 0, 0x0, ...
 03077  1304   NtWaitForSingleObject  (284, 0, 0x0, ...
 03078   420   NtSetEventBoostPriority  (284, ...
 03052   376   NtWaitForSingleObject  ... ) == 0x0
 03079   376   NtSetEventBoostPriority  (284, ...
 03065   596   NtWaitForSingleObject  ... ) == 0x0
 03080   596   NtSetEventBoostPriority  (284, ...
 03064   384   NtWaitForSingleObject  ... ) == 0x0
 03081   384   NtSetEventBoostPriority  (284, ...
 03069  1036   NtWaitForSingleObject  ... ) == 0x0
 03082  1036   NtSetEventBoostPriority  (284, ...
 03068  2056   NtWaitForSingleObject  ... ) == 0x0
 03083  2056   NtSetEventBoostPriority  (284, ...
 03066  2052   NtWaitForSingleObject  ... ) == 0x0
 03084  2052   NtSetEventBoostPriority  (284, ...
 03075  1248   NtWaitForSingleObject  ... ) == 0x0
 03085  1248   NtSetEventBoostPriority  (284, ...
 03076  1756   NtWaitForSingleObject  ... ) == 0x0
 03086  1756   NtSetEventBoostPriority  (284, ... ) == 0x0
 03087  1756   NtWaitForSingleObject  (284, 0, 0x0, ...
 03083  2056   NtSetEventBoostPriority  ... ) == 0x0
 03082  1036   NtSetEventBoostPriority  ... ) == 0x0
 03080   596   NtSetEventBoostPriority  ... ) == 0x0
 03079   376   NtSetEventBoostPriority  ... ) == 0x0
 03077  1304   NtWaitForSingleObject  ... ) == 0x0
 03085  1248   NtSetEventBoostPriority  ... ) == 0x0
 03084  2052   NtSetEventBoostPriority  ... ) == 0x0
 03081   384   NtSetEventBoostPriority  ... ) == 0x0
 03078   420   NtSetEventBoostPriority  ... ) == 0x0
 03088   896   NtProtectVirtualMemory  (-1, (0x66ce000), 4096, 260, ...
 03089  2056   NtTestAlert  (...
 03090  1036   NtSetEventBoostPriority  (356, ...
 03091   596   NtWaitForSingleObject  (284, 0, 0x0, ...
 03092  1304   NtSetEventBoostPriority  (284, ...
 03093  1248   NtWaitForSingleObject  (124, 0, 0x0, ...
 03094  2052   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03095   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 03096   376   NtWaitForSingleObject  (284, 0, 0x0, ...
 03088   896   NtProtectVirtualMemory  ... (0x66ce000), 4096, 4, ) == 0x0
 03089  2056   NtTestAlert  ... ) == 0x0
 02991  1656   NtWaitForSingleObject  ... ) == 0x0
 03090  1036   NtSetEventBoostPriority  ... ) == 0x0
 03087  1756   NtWaitForSingleObject  ... ) == 0x0
 03092  1304   NtSetEventBoostPriority  ... ) == 0x0
 03094  2052   NtDuplicateObject  ... 932, ) == 0x0
 03097   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03098  1656   NtWaitForSingleObject  (284, 0, 0x0, ...
 03099  2056   NtContinue  (106757424, 1, ...
 03100  1756   NtSetEventBoostPriority  (284, ...
 03101  1036   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03102  1304   NtWaitForSingleObject  (284, 0, 0x0, ...
 03103   420   NtWaitForSingleObject  (284, 0, 0x0, ...
 03097   896   NtCreateThread  ... 936, {1252, 2060}, ) == 0x0
 03091   596   NtWaitForSingleObject  ... ) == 0x0
 03104  2056   NtRegisterThreadTerminatePort  (24, ...
 03101  1036   NtWaitForSingleObject  ... ) == 0x102
 03100  1756   NtSetEventBoostPriority  ... ) == 0x0
 03105  2052   NtWaitForSingleObject  (284, 0, 0x0, ...
 03106   896   NtQueryInformationThread  (936, Basic, 28, ...
 03107   596   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ...
 03104  2056   NtRegisterThreadTerminatePort  ... ) == 0x0
 03108  1036   NtWaitForSingleObject  (284, 0, 0x0, ...
 03109  1756   NtWaitForSingleObject  (284, 0, 0x0, ...
 03106   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1252,Tid=2060,}, 0x0, ) == 0x0
 03107   596   NtAllocateVirtualMemory  ... 1425408, 4096, ) == 0x0
 03110  2056   NtWaitForSingleObject  (284, 0, 0x0, ...
 03111   596   NtSetEventBoostPriority  (284, ...
 03112   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\344\4\0\0\14\10\0\0" ... {28, 56, reply, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\344\4\0\0\14\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81960, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\344\4\0\0\14\10\0\0" ... {28, 56, reply, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\344\4\0\0\14\10\0\0" )  ) == 0x0
 03113   896   NtResumeThread  (936, ... 1, ) == 0x0
 03114   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 107806720, 1048576, ) == 0x0
 03115   896   NtAllocateVirtualMemory  (-1, 108847104, 0, 8192, 4096, 4, ... 108847104, 8192, ) == 0x0
 03116   896   NtProtectVirtualMemory  (-1, (0x67ce000), 4096, 260, ... (0x67ce000), 4096, 4, ) == 0x0
 03117   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03095   384   NtWaitForSingleObject  ... ) == 0x0
 03111   596   NtSetEventBoostPriority  ... ) == 0x0
 03118  2060   NtWaitForSingleObject  (284, 0, 0x0, ...
 03119   384   NtSetEventBoostPriority  (284, ...
 03120   596   NtWaitForSingleObject  (284, 0, 0x0, ...
 03096   376   NtWaitForSingleObject  ... ) == 0x0
 03119   384   NtSetEventBoostPriority  ... ) == 0x0
 03121   376   NtSetEventBoostPriority  (284, ...
 03117   896   NtCreateThread  ... 940, {1252, 2064}, ) == 0x0
 03098  1656   NtWaitForSingleObject  ... ) == 0x0
 03121   376   NtSetEventBoostPriority  ... ) == 0x0
 03122  1656   NtSetEventBoostPriority  (284, ...
 03123   896   NtQueryInformationThread  (940, Basic, 28, ...
 03103   420   NtWaitForSingleObject  ... ) == 0x0
 03122  1656   NtSetEventBoostPriority  ... ) == 0x0
 03124   376   NtWaitForSingleObject  (284, 0, 0x0, ...
 03125   420   NtSetEventBoostPriority  (284, ...
 03123   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1252,Tid=2064,}, 0x0, ) == 0x0
 03126   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 03127  1656   NtSetEventBoostPriority  (356, ...
 03105  2052   NtWaitForSingleObject  ... ) == 0x0
 03125   420   NtSetEventBoostPriority  ... ) == 0x0
 03128   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0\344\4\0\0\20\10\0\0" ...  ...
 03129  2052   NtSetEventBoostPriority  (284, ...
 03004   760   NtWaitForSingleObject  ... ) == 0x0
 03127  1656   NtSetEventBoostPriority  ... ) == 0x0
 03130   420   NtWaitForSingleObject  (284, 0, 0x0, ...
 03102  1304   NtWaitForSingleObject  ... ) == 0x0
 03131   760   NtWaitForSingleObject  (284, 0, 0x0, ...
 03129  2052   NtSetEventBoostPriority  ... ) == 0x0
 03128   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81961, 0}  ... {28, 56, reply, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0\344\4\0\0\20\10\0\0" )  ) == 0x0
 03132  1656   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03133  1304   NtSetEventBoostPriority  (284, ...
 03134  2052   NtWaitForSingleObject  (284, 0, 0x0, ...
 03109  1756   NtWaitForSingleObject  ... ) == 0x0
 03132  1656   NtWaitForSingleObject  ... ) == 0x102
 03133  1304   NtSetEventBoostPriority  ... ) == 0x0
 03135   896   NtResumeThread  (940, ...
 03136  1756   NtSetEventBoostPriority  (284, ...
 03137  1656   NtWaitForSingleObject  (124, 0, 0x0, ...
 03138  1304   NtWaitForSingleObject  (284, 0, 0x0, ...
 03135   896   NtResumeThread  ... 1, ) == 0x0
 03108  1036   NtWaitForSingleObject  ... ) == 0x0
 03136  1756   NtSetEventBoostPriority  ... ) == 0x0
 03139  2064   NtWaitForSingleObject  (88, 0, 0x0, ...
 03140  1036   NtSetEventBoostPriority  (284, ...
 03141   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03110  2056   NtWaitForSingleObject  ... ) == 0x0
 03141   896   NtAllocateVirtualMemory  ... 108855296, 1048576, ) == 0x0
 03142  2056   NtSetEventBoostPriority  (284, ...
 03143   896   NtAllocateVirtualMemory  (-1, 109895680, 0, 8192, 4096, 4, ...
 03118  2060   NtWaitForSingleObject  ... ) == 0x0
 03143   896   NtAllocateVirtualMemory  ... 109895680, 8192, ) == 0x0
 03144  2060   NtSetEventBoostPriority  (284, ...
 03142  2056   NtSetEventBoostPriority  ... ) == 0x0
 03140  1036   NtSetEventBoostPriority  ... ) == 0x0
 03145  1756   NtWaitForSingleObject  (356, 0, 0x0, ...
 03120   596   NtWaitForSingleObject  ... ) == 0x0
 03144  2060   NtSetEventBoostPriority  ... ) == 0x0
 03146  2056   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03147  1036   NtWaitForSingleObject  (124, 0, 0x0, ...
 03148   596   NtSetEventBoostPriority  (284, ...
 03149   896   NtProtectVirtualMemory  (-1, (0x68ce000), 4096, 260, ...
 03146  2056   NtDuplicateObject  ... 944, ) == 0x0
 03126   384   NtWaitForSingleObject  ... ) == 0x0
 03148   596   NtSetEventBoostPriority  ... ) == 0x0
 03149   896   NtProtectVirtualMemory  ... (0x68ce000), 4096, 4, ) == 0x0
 03150  2060   NtSetEventBoostPriority  (88, ...
 03151   384   NtSetEventBoostPriority  (284, ...
 03152  2056   NtWaitForSingleObject  (284, 0, 0x0, ...
 03153   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03124   376   NtWaitForSingleObject  ... ) == 0x0
 03151   384   NtSetEventBoostPriority  ... ) == 0x0
 03139  2064   NtWaitForSingleObject  ... ) == 0x0
 03150  2060   NtSetEventBoostPriority  ... ) == 0x0
 03154   376   NtSetEventBoostPriority  (284, ...
 03153   896   NtCreateThread  ... 948, {1252, 2068}, ) == 0x0
 03155  2064   NtWaitForSingleObject  (284, 0, 0x0, ...
 03156   384   NtWaitForSingleObject  (284, 0, 0x0, ...
 03131   760   NtWaitForSingleObject  ... ) == 0x0
 03157  2060   NtTestAlert  (...
 03158   896   NtQueryInformationThread  (948, Basic, 28, ...
 03154   376   NtSetEventBoostPriority  ... ) == 0x0
 03159   596   NtWaitForSingleObject  (284, 0, 0x0, ...
 03160   760   NtSetEventBoostPriority  (284, ...
 03157  2060   NtTestAlert  ... ) == 0x0
 03158   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1252,Tid=2068,}, 0x0, ) == 0x0
 03161   376   NtSetEventBoostPriority  (124, ...
 03130   420   NtWaitForSingleObject  ... ) == 0x0
 03162  2060   NtContinue  (107806000, 1, ...
 03160   760   NtSetEventBoostPriority  ... ) == 0x0
 00963  1028   NtWaitForSingleObject  ... ) == 0x0
 03161   376   NtSetEventBoostPriority  ... ) == 0x0
 03163   420   NtSetEventBoostPriority  (284, ...
 03164  2060   NtRegisterThreadTerminatePort  (24, ...
 03165   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\344\4\0\0\24\10\0\0" ...  ...
 03166  1028   NtWaitForSingleObject  (284, 0, 0x0, ...
 03167   760   NtSetEventBoostPriority  (356, ...
 03134  2052   NtWaitForSingleObject  ... ) == 0x0
 03163   420   NtSetEventBoostPriority  ... ) == 0x0
 03168   376   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03165   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81962, 0}  ... {28, 56, reply, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\344\4\0\0\24\10\0\0" )  ) == 0x0
 03047   484   NtWaitForSingleObject  ... ) == 0x0
 03167   760   NtSetEventBoostPriority  ... ) == 0x0
 03169  2052   NtSetEventBoostPriority  (284, ...
 03170   420   NtWaitForSingleObject  (284, 0, 0x0, ...
 03168   376   NtCreateEvent  ... 952, ) == 0x0
 03171   484   NtWaitForSingleObject  (284, 0, 0x0, ...
 03172   896   NtResumeThread  (948, ...
 03173   760   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03138  1304   NtWaitForSingleObject  ... ) == 0x0
 03174   376   NtWaitForSingleObject  (284, 0, 0x0, ...
 03172   896   NtResumeThread  ... 1, ) == 0x0
 03173   760   NtWaitForSingleObject  ... ) == 0x102
 03175  1304   NtSetEventBoostPriority  (284, ...
 03176   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03177   760   NtWaitForSingleObject  (124, 0, 0x0, ...
 03152  2056   NtWaitForSingleObject  ... ) == 0x0
 03175  1304   NtSetEventBoostPriority  ... ) == 0x0
 03169  2052   NtSetEventBoostPriority  ... ) == 0x0
 03164  2060   NtRegisterThreadTerminatePort  ... ) == 0x0
 03178  2068   NtWaitForSingleObject  (88, 0, 0x0, ...
 03176   896   NtAllocateVirtualMemory  ... 109903872, 1048576, ) == 0x0
 03179  2056   NtSetEventBoostPriority  (284, ...
 03180  2052   NtWaitForSingleObject  (356, 0, 0x0, ...
 03181  2060   NtWaitForSingleObject  (284, 0, 0x0, ...
 03155  2064   NtWaitForSingleObject  ... ) == 0x0
 03179  2056   NtSetEventBoostPriority  ... ) == 0x0
 03182   896   NtAllocateVirtualMemory  (-1, 110944256, 0, 8192, 4096, 4, ...
 03183  2064   NtSetEventBoostPriority  (284, ...
 03184  2056   NtWaitForSingleObject  (284, 0, 0x0, ...
 03159   596   NtWaitForSingleObject  ... ) == 0x0
 03183  2064   NtSetEventBoostPriority  ... ) == 0x0
 03182   896   NtAllocateVirtualMemory  ... 110944256, 8192, ) == 0x0
 03185  1304   NtWaitForSingleObject  (356, 0, 0x0, ...
 03186   596   NtSetEventBoostPriority  (284, ...
 03187   896   NtProtectVirtualMemory  (-1, (0x69ce000), 4096, 260, ...
 03156   384   NtWaitForSingleObject  ... ) == 0x0
 03186   596   NtSetEventBoostPriority  ... ) == 0x0
 03188   384   NtSetEventBoostPriority  (284, ...
 03187   896   NtProtectVirtualMemory  ... (0x69ce000), 4096, 4, ) == 0x0
 03166  1028   NtWaitForSingleObject  ... ) == 0x0
 03189   596   NtWaitForSingleObject  (284, 0, 0x0, ...
 03190  1028   NtSetEventBoostPriority  (284, ...
 03191   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03188   384   NtSetEventBoostPriority  ... ) == 0x0
 03192  2064   NtSetEventBoostPriority  (88, ...
 03170   420   NtWaitForSingleObject  ... ) == 0x0
 03190  1028   NtSetEventBoostPriority  ... ) == 0x0
 03193   384   NtWaitForSingleObject  (356, 0, 0x0, ...
 03194   420   NtSetEventBoostPriority  (284, ...
 03178  2068   NtWaitForSingleObject  ... ) == 0x0
 03192  2064   NtSetEventBoostPriority  ... ) == 0x0
 03191   896   NtCreateThread  ... 956, {1252, 2072}, ) == 0x0
 03171   484   NtWaitForSingleObject  ... ) == 0x0
 03195  2068   NtWaitForSingleObject  (284, 0, 0x0, ...
 03194   420   NtSetEventBoostPriority  ... ) == 0x0
 03196  2064   NtTestAlert  (...
 03197   484   NtSetEventBoostPriority  (284, ...
 03198   896   NtQueryInformationThread  (956, Basic, 28, ...
 03199  1028   NtWaitForSingleObject  (284, 0, 0x0, ...
 03174   376   NtWaitForSingleObject  ... ) == 0x0
 03196  2064   NtTestAlert  ... ) == 0x0
 03198   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1252,Tid=2072,}, 0x0, ) == 0x0
 03200   376   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ...
 03201  2064   NtContinue  (108854576, 1, ...
 03202   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\344\4\0\0\30\10\0\0" ...  ...
 03200   376   NtAllocateVirtualMemory  ... 1429504, 4096, ) == 0x0
 03203  2064   NtRegisterThreadTerminatePort  (24, ...
 03202   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81963, 0}  ... {28, 56, reply, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\344\4\0\0\30\10\0\0" )  ) == 0x0
 03197   484   NtSetEventBoostPriority  ... ) == 0x0
 03204   420   NtWaitForSingleObject  (284, 0, 0x0, ...
 03205   376   NtSetEventBoostPriority  (284, ...
 03203  2064   NtRegisterThreadTerminatePort  ... ) == 0x0
 03206   896   NtResumeThread  (956, ...
 03181  2060   NtWaitForSingleObject  ... ) == 0x0
 03205   376   NtSetEventBoostPriority  ... ) == 0x0
 03207  2064   NtWaitForSingleObject  (284, 0, 0x0, ...
 03208  2060   NtSetEventBoostPriority  (284, ...
 03206   896   NtResumeThread  ... 1, ) == 0x0
 03209   376   NtWaitForSingleObject  (284, 0, 0x0, ...
 03184  2056   NtWaitForSingleObject  ... ) == 0x0
 03208  2060   NtSetEventBoostPriority  ... ) == 0x0
 03210   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03211  2056   NtSetEventBoostPriority  (284, ...
 03212   484   NtSetEventBoostPriority  (356, ...
 03213  2072   NtWaitForSingleObject  (88, 0, 0x0, ...
 03189   596   NtWaitForSingleObject  ... ) == 0x0
 03210   896   NtAllocateVirtualMemory  ... 110952448, 1048576, ) == 0x0
 03060  1580   NtWaitForSingleObject  ... ) == 0x0
 03212   484   NtSetEventBoostPriority  ... ) == 0x0
 03214   596   NtSetEventBoostPriority  (284, ...
 03215  1580   NtWaitForSingleObject  (284, 0, 0x0, ...
 03216   896   NtAllocateVirtualMemory  (-1, 111992832, 0, 8192, 4096, 4, ...
 03217   484   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03195  2068   NtWaitForSingleObject  ... ) == 0x0
 03216   896   NtAllocateVirtualMemory  ... 111992832, 8192, ) == 0x0
 03218  2068   NtSetEventBoostPriority  (284, ...
 03217   484   NtWaitForSingleObject  ... ) == 0x102
 03214   596   NtSetEventBoostPriority  ... ) == 0x0
 03211  2056   NtSetEventBoostPriority  ... ) == 0x0
 03219  2060   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03199  1028   NtWaitForSingleObject  ... ) == 0x0
 03218  2068   NtSetEventBoostPriority  ... ) == 0x0
 03220   484   NtWaitForSingleObject  (124, 0, 0x0, ...
 03221   596   NtWaitForSingleObject  (284, 0, 0x0, ...
 03222  2056   NtWaitForSingleObject  (356, 0, 0x0, ...
 03223  1028   NtSetEventBoostPriority  (284, ...
 03219  2060   NtDuplicateObject  ... 960, ) == 0x0
 03224   896   NtProtectVirtualMemory  (-1, (0x6ace000), 4096, 260, ...
 03225  2068   NtSetEventBoostPriority  (88, ...
 03204   420   NtWaitForSingleObject  ... ) == 0x0
 03223  1028   NtSetEventBoostPriority  ... ) == 0x0
 03226  2060   NtWaitForSingleObject  (284, 0, 0x0, ...
 03224   896   NtProtectVirtualMemory  ... (0x6ace000), 4096, 4, ) == 0x0
 03227   420   NtSetEventBoostPriority  (284, ...
 03213  2072   NtWaitForSingleObject  ... ) == 0x0
 03225  2068   NtSetEventBoostPriority  ... ) == 0x0
 03228  1028   NtSetEventBoostPriority  (124, ...
 03207  2064   NtWaitForSingleObject  ... ) == 0x0
 03229  2072   NtWaitForSingleObject  (284, 0, 0x0, ...
 03227   420   NtSetEventBoostPriority  ... ) == 0x0
 03230   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03231  2068   NtTestAlert  (...
 03232  2064   NtSetEventBoostPriority  (284, ...
 03233   420   NtWaitForSingleObject  (284, 0, 0x0, ...
 03230   896   NtCreateThread  ... 964, {1252, 2076}, ) == 0x0
 03209   376   NtWaitForSingleObject  ... ) == 0x0
 03232  2064   NtSetEventBoostPriority  ... ) == 0x0
 03231  2068   NtTestAlert  ... ) == 0x0
 00965  2012   NtWaitForSingleObject  ... ) == 0x0
 03228  1028   NtSetEventBoostPriority  ... ) == 0x0
 03234   376   NtSetEventBoostPriority  (284, ...
 03235   896   NtQueryInformationThread  (964, Basic, 28, ...
 03236  2068   NtContinue  (109903152, 1, ...
 03237  2012   NtWaitForSingleObject  (284, 0, 0x0, ...
 03215  1580   NtWaitForSingleObject  ... ) == 0x0
 03234   376   NtSetEventBoostPriority  ... ) == 0x0
 03238  1028   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03235   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1252,Tid=2076,}, 0x0, ) == 0x0
 03239  2068   NtRegisterThreadTerminatePort  (24, ...
 03240  1580   NtSetEventBoostPriority  (284, ...
 03241  2064   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03238  1028   NtCreateEvent  ... 968, ) == 0x0
 03242   376   NtWaitForSingleObject  (284, 0, 0x0, ...
 03243   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0\344\4\0\0\34\10\0\0" ...  ...
 03221   596   NtWaitForSingleObject  ... ) == 0x0
 03241  2064   NtDuplicateObject  ... 972, ) == 0x0
 03244  1028   NtWaitForSingleObject  (284, 0, 0x0, ...
 03243   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81964, 0}  ... {28, 56, reply, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0\344\4\0\0\34\10\0\0" )  ) == 0x0
 03245   596   NtSetEventBoostPriority  (284, ...
 03246  2064   NtWaitForSingleObject  (284, 0, 0x0, ...
 03247   896   NtResumeThread  (964, ...
 03226  2060   NtWaitForSingleObject  ... ) == 0x0
 03245   596   NtSetEventBoostPriority  ... ) == 0x0
 03248  2060   NtSetEventBoostPriority  (284, ...
 03247   896   NtResumeThread  ... 1, ) == 0x0
 03240  1580   NtSetEventBoostPriority  ... ) == 0x0
 03239  2068   NtRegisterThreadTerminatePort  ... ) == 0x0
 03229  2072   NtWaitForSingleObject  ... ) == 0x0
 03248  2060   NtSetEventBoostPriority  ... ) == 0x0
 03249   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03250   596   NtWaitForSingleObject  (284, 0, 0x0, ...
 03251  2076   NtWaitForSingleObject  (88, 0, 0x0, ...
 03252  2072   NtSetEventBoostPriority  (284, ...
 03253  2068   NtWaitForSingleObject  (284, 0, 0x0, ...
 03254  1580   NtSetEventBoostPriority  (356, ...
 03255  2060   NtWaitForSingleObject  (284, 0, 0x0, ...
 03233   420   NtWaitForSingleObject  ... ) == 0x0
 03252  2072   NtSetEventBoostPriority  ... ) == 0x0
 03145  1756   NtWaitForSingleObject  ... ) == 0x0
 03254  1580   NtSetEventBoostPriority  ... ) == 0x0
 03256   420   NtSetEventBoostPriority  (284, ...
 03249   896   NtAllocateVirtualMemory  ... 112001024, 1048576, ) == 0x0
 03257  1756   NtWaitForSingleObject  (284, 0, 0x0, ...
 03237  2012   NtWaitForSingleObject  ... ) == 0x0
 03258  1580   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03259   896   NtAllocateVirtualMemory  (-1, 113041408, 0, 8192, 4096, 4, ...
 03260  2012   NtSetEventBoostPriority  (284, ...
 03258  1580   NtWaitForSingleObject  ... ) == 0x102
 03259   896   NtAllocateVirtualMemory  ... 113041408, 8192, ) == 0x0
 03242   376   NtWaitForSingleObject  ... ) == 0x0
 03260  2012   NtSetEventBoostPriority  ... ) == 0x0
 03261  1580   NtWaitForSingleObject  (124, 0, 0x0, ...
 03262   376   NtSetEventBoostPriority  (284, ...
 03263   896   NtProtectVirtualMemory  (-1, (0x6bce000), 4096, 260, ...
 03256   420   NtSetEventBoostPriority  ... ) == 0x0
 03264  2072   NtSetEventBoostPriority  (88, ...
 03265  2012   NtSetEventBoostPriority  (124, ...
 03244  1028   NtWaitForSingleObject  ... ) == 0x0
 03262   376   NtSetEventBoostPriority  ... ) == 0x0
 03263   896   NtProtectVirtualMemory  ... (0x6bce000), 4096, 4, ) == 0x0
 03266   420   NtWaitForSingleObject  (284, 0, 0x0, ...
 03251  2076   NtWaitForSingleObject  ... ) == 0x0
 03264  2072   NtSetEventBoostPriority  ... ) == 0x0
 03267  1028   NtSetEventBoostPriority  (284, ...
 00969  1168   NtWaitForSingleObject  ... ) == 0x0
 03265  2012   NtSetEventBoostPriority  ... ) == 0x0
 03268   376   NtWaitForSingleObject  (284, 0, 0x0, ...
 03269   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03270  2076   NtWaitForSingleObject  (284, 0, 0x0, ...
 03246  2064   NtWaitForSingleObject  ... ) == 0x0