Summary:


NtGdiCreateBitmap(>) 
 1 
NtOpenDirectoryObject(>) 
 2 
NtQueryInformationToken(>) 
 6 
NtFlushInstructionCache(>) 
 55 

NtGdiInit(>) 
 1 
NtOpenProcessToken(>) 
 2 
NtQueryInformationFile(>) 
 7 
NtQueryAttributesFile(>) 
 60 

NtGdiQueryFontAssocInfo(>) 
 1 
NtQueryDefaultUILanguage(>) 
 2 
NtConnectPort(>) 
 8 
NtCreateEvent(>) 
 87 

NtGdiSelectBitmap(>) 
 1 
NtQuerySystemTime(>) 
 2 
NtSetInformationThread(>) 
 8 
NtContinue(>) 
 96 

NtOpenKeyedEvent(>) 
 1 
NtSetInformationObject(>) 
 2 
NtSetInformationFile(>) 
 9 
NtQuerySystemInformation(>) 
 119 

NtOpenSymbolicLinkObject(>) 
 1 
NtUserGetProcessWindowStation(>) 
 2 
NtUserFindExistingCursorIcon(>) 
 9 
NtOpenKey(>) 
 135 

NtQueryInstallUILanguage(>) 
 1 
NtFreeVirtualMemory(>) 
 3 
NtOpenThreadToken(>) 
 10 
NtQueryInformationThread(>) 
 142 

NtQueryObject(>) 
 1 
NtGdiCreateCompatibleDC(>) 
 3 
NtQueryInformationProcess(>) 
 10 
NtResumeThread(>) 
 142 

NtQueryPerformanceCounter(>) 
 1 
NtOpenProcessTokenEx(>) 
 3 
NtQueryVirtualMemory(>) 
 10 
NtCreateThread(>) 
 155 

NtQuerySymbolicLinkObject(>) 
 1 
NtOpenThreadTokenEx(>) 
 3 
NtUnmapViewOfSection(>) 
 10 
NtRequestWaitReplyPort(>) 
 178 

NtRaiseException(>) 
 1 
NtQueryDefaultLocale(>) 
 3 
NtUserRegisterClassExWOW(>) 
 14 
NtTestAlert(>) 
 183 

NtReadFile(>) 
 1 
NtSecureConnectPort(>) 
 3 
NtQuerySection(>) 
 15 
NtRegisterThreadTerminatePort(>) 
 184 

NtSetInformationProcess(>) 
 1 
NtCreateIoCompletion(>) 
 4 
NtSetValueKey(>) 
 16 
NtDuplicateObject(>) 
 194 

NtUserCallNoParam(>) 
 1 
NtFsControlFile(>) 
 4 
NtCreateKey(>) 
 19 
NtClose(>) 
 201 

NtUserGetObjectInformation(>) 
 1 
NtQueryVolumeInformationFile(>) 
 4 
NtCreateSection(>) 
 22 
NtProtectVirtualMemory(>) 
 251 

NtUserGetThreadDesktop(>) 
 1 
NtWriteFile(>) 
 4 
NtOpenSection(>) 
 22 
NtQueryValueKey(>) 
 256 

NtCallbackReturn(>) 
 2 
NtGdiGetStockObject(>) 
 5 
NtOpenFile(>) 
 26 
NtAllocateVirtualMemory(>) 
 392 

NtGdiCreateSolidBrush(>) 
 2 
NtCreateFile(>) 
 6 
NtMapViewOfSection(>) 
 33 
NtSetEventBoostPriority(>) 
 763 

NtNotifyChangeKey(>) 
 2 
NtCreateMutant(>) 
 6 
NtDeviceIoControlFile(>) 
 35 
NtWaitForSingleObject(>) 
 1033 


Trace:
 00001  1736   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1736   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1736   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1736   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1736   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1736   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1736   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1736   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1736   NtClose  (12, ... ) == 0x0
 00015  1736   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1736   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1736   NtClose  (16, ... ) == 0x0
 00021  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1736   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1736   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1736   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1736   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1736   NtClose  (16, ... ) == 0x0
 00030  1736   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1736   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1736   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1736   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75469, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ) == 0x0
 00036  1736   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1736   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1736   NtClose  (16, ... ) == 0x0
 00041  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1736   NtClose  (16, ... ) == 0x0
 00044  1736   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1736   NtClose  (16, ... ) == 0x0
 00048  1736   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1736   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1736   NtClose  (16, ... ) == 0x0
 00052  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1736   NtClose  (16, ... ) == 0x0
 00055  1736   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1736   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1736   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ... {24, 52, reply, 0, 1636, 1736, 75470, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ) == 0x0
 00060  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75471, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ) == 0x0
 00061  1736   NtProtectVirtualMemory  (-1, (0x409000), 122896, 4, ... (0x409000), 126976, 128, ) == 0x0
 00062  1736   NtProtectVirtualMemory  (-1, (0x409000), 126976, 128, ... (0x409000), 126976, 4, ) == 0x0
 00063  1736   NtFlushInstructionCache  (-1, 4231168, 122896, ... ) == 0x0
 00064  1736   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00065  1736   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00066  1736   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00067  1736   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00068  1736   NtClose  (16, ... ) == 0x0
 00069  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00070  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00071  1736   NtClose  (16, ... ) == 0x0
 00072  1736   NtTestAlert  (... ) == 0x0
 00073  1736   NtContinue  (1244464, 1, ...
 00074  1736   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40283e,}, 4, ... ) == 0x0
 00075  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00076  1736   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00077  1736   NtClose  (16, ... ) == 0x0
 00078  1736   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00079  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, ".dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00080  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00081  1736   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00082  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00083  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00084  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00085  1736   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, ".dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00086  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00088  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDDK\3790~1.183\bin\x86\drvfast\scripts\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00089  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\site\bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00090  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Perl\bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00092  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00093  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Wbem\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kktools\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00095  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00096  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00097  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\Common\Tools\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Microsoft Visual Studio\VC98\bin\.dll"}, 1242988, ... ) }, 1242988, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00099  1736   NtQueryVirtualMemory  (-1, 0x402846, Basic, 28, ... {BaseAddress=0x402000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00100  1736   NtContinue  (1244304, 0, ...
 00101  1736   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00102  1736   NtContinue  (1244400, 0, ...
 00103  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0
 00104  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00105  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00106  1736   NtClose  (16, ... ) == 0x0
 00107  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00108  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00109  1736   NtClose  (16, ... ) == 0x0
 00110  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00111  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00112  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00113  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00114  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00115  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00116  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00117  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00118  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00119  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00120  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00121  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00122  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00123  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00124  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00125  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00126  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00127  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00128  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00131  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75472, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ) == 0x0
 00132  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00133  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00134  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0
 00135  1736   NtClose  (16, ... ) == 0x0
 00136  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x430000), 0x0, 110592, ) == 0x0
 00137  1736   NtClose  (28, ... ) == 0x0
 00138  1736   NtUnmapViewOfSection  (-1, 0x430000, ... ) == 0x0
 00139  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00140  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00141  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0
 00142  1736   NtClose  (28, ... ) == 0x0
 00143  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x430000), 0x0, 110592, ) == 0x0
 00144  1736   NtClose  (16, ... ) == 0x0
 00145  1736   NtUnmapViewOfSection  (-1, 0x430000, ... ) == 0x0
 00146  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00147  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00148  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00149  1736   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00150  1736   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00151  1736   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00152  1736   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00153  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00154  1736   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00155  1736   NtClose  (36, ... ) == 0x0
 00156  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00157  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00158  1736   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00159  1736   NtClose  (36, ... ) == 0x0
 00160  1736   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00161  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00162  1736   NtClose  (32, ... ) == 0x0
 00163  1736   NtClose  (16, ... ) == 0x0
 00164  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00165  1736   NtClose  (28, ... ) == 0x0
 00166  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00167  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00168  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00169  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00170  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00171  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00172  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00173  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00174  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00175  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00176  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00177  1736   NtClose  (28, ... ) == 0x0
 00178  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00179  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00180  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00181  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00182  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00183  1736   NtClose  (28, ... ) == 0x0
 00184  1736   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00185  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00186  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00187  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00188  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00189  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00190  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00191  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00192  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00193  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00194  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00195  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00196  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00197  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00198  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00199  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00200  1736   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00201  1736   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00202  1736   NtClose  (28, ... ) == 0x0
 00203  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00204  1736   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00205  1736   NtClose  (28, ... ) == 0x0
 00206  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00207  1736   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00208  1736   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00209  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00210  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00211  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00212  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00213  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00214  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00215  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00216  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0
 00217  1736   NtQueryValueKey  (16,  (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00218  1736   NtClose  (16, ... ) == 0x0
 00219  1736   NtMapViewOfSection  (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x430000), 0x0, 1060864, ) == 0x0
 00220  1736   NtClose  (-2147482576, ... ) == 0x0
 00221  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0
 00222  1736   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00223  1736   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482576, ) == 0x0
 00224  1736   NtQueryInformationToken  (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00225  1736   NtQueryInformationToken  (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00226  1736   NtClose  (-2147482576, ... ) == 0x0
 00227  1736   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5505024, 4096, ) == 0x0
 00228  1736   NtFreeVirtualMemory  (-1, (0x540000), 4096, 32768, ... (0x540000), 4096, ) == 0x0
 00229  1736   NtDuplicateObject  (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00230  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00231  1736   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00232  1736   NtClose  (-2147482576, ... ) == 0x0
 00233  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00234  1736   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00235  1736   NtClose  (-2147482576, ... ) == 0x0
 00236  1736   NtQueryDefaultLocale  (0, -139347636, ... ) == 0x0
 00237  1736   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00238  1736   NtUserCallNoParam  (24, ... ) == 0x0
 00239  1736   NtGdiCreateCompatibleDC  (0, ...
 00240  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5505024, 4096, ) == 0x0
 00239  1736   NtGdiCreateCompatibleDC  ... ) == 0xf2010663
 00241  1736   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00242  1736   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00243  1736   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7
 00244  1736   NtGdiCreateSolidBrush  (0, 0, ...
 00245  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0
 00244  1736   NtGdiCreateSolidBrush  ... ) == 0x4210057d
 00246  1736   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00247  1736   NtGdiCreateCompatibleDC  (0, ... ) == 0x69010363
 00248  1736   NtGdiSelectBitmap  (1761674083, -50002441, ... ) == 0x185000f
 00249  1736   NtUserGetThreadDesktop  (1736, 0, ... ) == 0x24
 00250  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00251  1736   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00252  1736   NtClose  (44, ... ) == 0x0
 00253  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00254  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8173c017
 00255  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00256  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8173c01c
 00257  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00258  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8173c01e
 00259  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00260  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81738002
 00261  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00262  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8173c018
 00263  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00264  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8173c01a
 00265  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00266  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8173c01d
 00267  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00268  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8173c026
 00269  1736   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00270  1736   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8173c019
 00271  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c020
 00272  1736   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c022
 00273  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c023
 00274  1736   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8173c024
 00275  1736   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8173c025
 00276  1736   NtCallbackReturn  (0, 0, 0, ...
 00277  1736   NtGdiInit  (... ) == 0x1
 00278  1736   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00279  1736   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00280  1736   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 8781824, 28672, ) == 0x0
 00281  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00282  1736   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00283  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00285  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00286  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0
 00287  1736   NtQuerySection  (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00288  1736   NtClose  (44, ... ) == 0x0
 00289  1736   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00290  1736   NtClose  (48, ... ) == 0x0
 00291  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0
 00292  1736   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00293  1736   NtClose  (48, ... ) == 0x0
 00294  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00295  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00296  1736   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00297  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00298  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00299  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00300  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00301  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00302  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00303  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0
 00304  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0
 00305  1736   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00306  1736   NtClose  (48, ... ) == 0x0
 00307  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00308  1736   NtClose  (44, ... ) == 0x0
 00309  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00310  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00311  1736   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00312  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00313  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00314  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00315  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00316  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00317  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8847360, 65536, ) == 0x0
 00318  1736   NtAllocateVirtualMemory  (-1, 8847360, 0, 4096, 4096, 4, ... 8847360, 4096, ) == 0x0
 00319  1736   NtAllocateVirtualMemory  (-1, 8851456, 0, 8192, 4096, 4, ... 8851456, 8192, ) == 0x0
 00320  1736   NtAllocateVirtualMemory  (-1, 8859648, 0, 4096, 4096, 4, ... 8859648, 4096, ) == 0x0
 00321  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00322  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x880000), 0x0, 12288, ) == 0x0
 00323  1736   NtClose  (44, ... ) == 0x0
 00324  1736   NtAllocateVirtualMemory  (-1, 8863744, 0, 4096, 4096, 4, ... 8863744, 4096, ) == 0x0
 00325  1736   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00326  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00327  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00328  1736   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00329  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00330  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00331  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00332  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00333  1736   NtFreeVirtualMemory  (-1, (0x860000), 0, 32768, ... (0x860000), 28672, ) == 0x0
 00334  1736   NtFreeVirtualMemory  (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0
 00335  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00336  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00337  1736   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00338  1736   NtAllocateVirtualMemory  (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0
 00339  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 8978432, 1048576, ) == 0x0
 00340  1736   NtAllocateVirtualMemory  (-1, 8978432, 0, 32768, 4096, 4, ... 8978432, 32768, ) == 0x0
 00341  1736   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0
 00342  1736   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 48, ) }, 0, ... 48, ) == 0x0
 00343  1736   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00344  1736   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00345  1736   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00346  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00347  1736   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Protocol_Catalog9"}, ... 60, ) }, ... 60, ) == 0x0
 00348  1736   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00349  1736   NtNotifyChangeKey  (60, 56, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00350  1736   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00351  1736   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00352  1736   NtQueryValueKey  (60,  (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00353  1736   NtQueryValueKey  (60,  (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00354  1736   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Catalog_Entries"}, ... 64, ) }, ... 64, ) == 0x0
 00355  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000001"}, ... 68, ) }, ... 68, ) == 0x0
 00356  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00357  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00358  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00359  1736   NtClose  (68, ... ) == 0x0
 00360  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000002"}, ... 68, ) }, ... 68, ) == 0x0
 00361  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00362  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00363  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00364  1736   NtClose  (68, ... ) == 0x0
 00365  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000003"}, ... 68, ) }, ... 68, ) == 0x0
 00366  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00367  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00368  1736   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00369  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0r\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0r\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0s\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0s\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0u\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0r\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0r\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0s\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0s\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0u\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0u\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0r\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0r\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0s\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0s\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0u\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00370  1736   NtClose  (68, ... ) == 0x0
 00371  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000004"}, ... 68, ) }, ... 68, ) == 0x0
 00372  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00373  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00374  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00375  1736   NtClose  (68, ... ) == 0x0
 00376  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000005"}, ... 68, ) }, ... 68, ) == 0x0
 00377  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00378  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00379  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00380  1736   NtClose  (68, ... ) == 0x0
 00381  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000006"}, ... 68, ) }, ... 68, ) == 0x0
 00382  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00383  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00384  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00385  1736   NtClose  (68, ... ) == 0x0
 00386  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000007"}, ... 68, ) }, ... 68, ) == 0x0
 00387  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00388  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00389  1736   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00390  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\207\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\207\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\210\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\207\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\207\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\210\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\207\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\207\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\210\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\212\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00391  1736   NtClose  (68, ... ) == 0x0
 00392  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000008"}, ... 68, ) }, ... 68, ) == 0x0
 00393  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00394  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00395  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\214\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\214\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\215\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\214\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\214\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\215\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\214\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\214\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\215\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\215\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00396  1736   NtClose  (68, ... ) == 0x0
 00397  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000009"}, ... 68, ) }, ... 68, ) == 0x0
 00398  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00399  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00400  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00401  1736   NtClose  (68, ... ) == 0x0
 00402  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000010"}, ... 68, ) }, ... 68, ) == 0x0
 00403  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00404  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00405  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00406  1736   NtClose  (68, ... ) == 0x0
 00407  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000011"}, ... 68, ) }, ... 68, ) == 0x0
 00408  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00409  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00410  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00411  1736   NtClose  (68, ... ) == 0x0
 00412  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000012"}, ... 68, ) }, ... 68, ) == 0x0
 00413  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00414  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00415  1736   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00416  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\241\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\241\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\242\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\242\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\241\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\241\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\242\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\242\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\241\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\241\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\242\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\242\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\244\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00417  1736   NtClose  (68, ... ) == 0x0
 00418  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000013"}, ... 68, ) }, ... 68, ) == 0x0
 00419  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00420  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00421  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00422  1736   NtClose  (68, ... ) == 0x0
 00423  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000014"}, ... 68, ) }, ... 68, ) == 0x0
 00424  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00425  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00426  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00427  1736   NtClose  (68, ... ) == 0x0
 00428  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000015"}, ... 68, ) }, ... 68, ) == 0x0
 00429  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00430  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00431  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00432  1736   NtClose  (68, ... ) == 0x0
 00433  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000016"}, ... 68, ) }, ... 68, ) == 0x0
 00434  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00435  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00436  1736   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00437  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\266\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\266\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\267\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\267\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\266\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\266\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\267\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\267\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\266\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\266\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\267\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\267\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\271\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00438  1736   NtClose  (68, ... ) == 0x0
 00439  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000017"}, ... 68, ) }, ... 68, ) == 0x0
 00440  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00441  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00442  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\273\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\273\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\274\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\273\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\273\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\274\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\273\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\273\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\274\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00443  1736   NtClose  (68, ... ) == 0x0
 00444  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000018"}, ... 68, ) }, ... 68, ) == 0x0
 00445  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00446  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00447  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\301\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\301\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\301\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00448  1736   NtClose  (68, ... ) == 0x0
 00449  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000019"}, ... 68, ) }, ... 68, ) == 0x0
 00450  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00451  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00452  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\305\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\305\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\306\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\305\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\305\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\306\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\305\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\305\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\306\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\307\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00453  1736   NtClose  (68, ... ) == 0x0
 00454  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000020"}, ... 68, ) }, ... 68, ) == 0x0
 00455  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00456  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00457  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\312\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\312\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\313\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\314\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\312\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\312\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\313\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\314\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\312\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\312\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\360P\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\313\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\314\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\314\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00458  1736   NtClose  (68, ... ) == 0x0
 00459  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000021"}, ... 68, ) }, ... 68, ) == 0x0
 00460  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00461  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00462  1736   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00463  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\320\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\320\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\377\377\377\377\353\6\221|ky@\0\0\0\207\0\11\0\0\0\0\10\0\0\24\0\0\0\24\0\0\0\0\340\375\177\211e@\0\0\2\0\0\4\0\0\0\0\0\0\08\275D\0\12D@\0:n@\0\2\0\0\0\240\16\210\0@\15\210\0\24\0\0\0\0\0\0\0\0\340\375\177\6\0\0\0\4-\202\367\224\377\22\0\1\0\0\0\340\377\22\0d\222@\0\30\321@\0\0\0\0\0\360\377\22\0\327o\201|\24\0\0\0\0\0\0\0\0\340\375\177\375?T\200\310\377\22\0 \351i\201\377\377\377\377\250\232\203|\340o\201|\0\0\0\0\0\0\0\0\0\0\0\0\206m@\0\0\0\0\0Actx \0\0\0\1\0\0\0\230$\0\0\304\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\24\0\0\0\1\0\0\0\6\0\0\04\0\0\0\24\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\2\0\0\234\1\0\0\0\0\0\0[IY-\260\3\0\02\0\0\0\344\3\0\0\322\2\0\0\0\0\0\0\344\2\2\203\270\6\0\0F\0\0\0\0\7\0\0\352\2\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\320\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\320\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\377\377\377\377\353\6\221|ky@\0\0\0\207\0\11\0\0\0\0\10\0\0\24\0\0\0\24\0\0\0\0\340\375\177\211e@\0\0\2\0\0\4\0\0\0\0\0\0\08\275D\0\12D@\0:n@\0\2\0\0\0\240\16\210\0@\15\210\0\24\0\0\0\0\0\0\0\0\340\375\177\6\0\0\0\4-\202\367\224\377\22\0\1\0\0\0\340\377\22\0d\222@\0\30\321@\0\0\0\0\0\360\377\22\0\327o\201|\24\0\0\0\0\0\0\0\0\340\375\177\375?T\200\310\377\22\0 \351i\201\377\377\377\377\250\232\203|\340o\201|\0\0\0\0\0\0\0\0\0\0\0\0\206m@\0\0\0\0\0Actx \0\0\0\1\0\0\0\230$\0\0\304\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\24\0\0\0\1\0\0\0\6\0\0\04\0\0\0\24\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\2\0\0\234\1\0\0\0\0\0\0[IY-\260\3\0\02\0\0\0\344\3\0\0\322\2\0\0\0\0\0\0\344\2\2\203\270\6\0\0F\0\0\0\0\7\0\0\352\2\0\0"}, 900, ) }, 900, ) == 0x0
 00464  1736   NtClose  (68, ... ) == 0x0
 00465  1736   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000022"}, ... 68, ) }, ... 68, ) == 0x0
 00466  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00467  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00468  1736   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\325\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\325\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\326\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\326\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\327\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\330\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\330\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\331\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\300P\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\325\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\325\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\326\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\326\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\327\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\330\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\330\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\331\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\300P\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\325\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\325\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\326\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\326\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\327\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\330\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\330\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\331\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\300P\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00469  1736   NtClose  (68, ... ) == 0x0
 00470  1736   NtClose  (64, ... ) == 0x0
 00471  1736   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00472  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00473  1736   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 68, ) }, ... 68, ) == 0x0
 00474  1736   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00475  1736   NtNotifyChangeKey  (68, 64, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00476  1736   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00477  1736   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00478  1736   NtQueryValueKey  (68,  (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00479  1736   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0
 00480  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0
 00481  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00482  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00483  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00484  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00485  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00486  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00487  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00488  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00489  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00490  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00491  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00492  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00493  1736   NtClose  (76, ... ) == 0x0
 00494  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0
 00495  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00496  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00497  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00498  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00499  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00500  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00501  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00502  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00503  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00504  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00505  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00506  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00507  1736   NtClose  (76, ... ) == 0x0
 00508  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0
 00509  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00510  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00511  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00512  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00513  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00514  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00515  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00516  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00517  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00518  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00519  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00520  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00521  1736   NtClose  (76, ... ) == 0x0
 00522  1736   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00523  1736   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0
 00524  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00525  1736   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00526  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00527  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00528  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00529  1736   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00530  1736   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 00531  1736   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00532  1736   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00533  1736   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00534  1736   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00535  1736   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00536  1736   NtClose  (76, ... ) == 0x0
 00537  1736   NtClose  (72, ... ) == 0x0
 00538  1736   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 00539  1736   NtClose  (52, ... ) == 0x0
 00540  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00541  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00542  1736   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00543  1736   NtQueryValueKey  (52,  (52, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00544  1736   NtClose  (52, ... ) == 0x0
 00545  1736   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 52, ) == 0x0
 00546  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241648,  (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0
 00547  1736   NtQueryInformationFile  (72, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00548  1736   NtQueryInformationFile  (72, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00549  1736   NtQueryInformationFile  (72, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00550  1736   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 00551  1736   NtQueryInformationFile  (72, 1356912, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00552  1736   NtQueryInformationFile  (72, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00553  1736   NtQueryInformationFile  (72, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00554  1736   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240416,  (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00555  1736   NtClose  (-2147482576, ... ) == 0x0
 00554  1736   NtCreateFile  ... 76, {status=0x0, info=2}, ) == 0x0
 00556  1736   NtQueryVolumeInformationFile  (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00557  1736   NtQueryInformationFile  (76, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00558  1736   NtQueryVolumeInformationFile  (72, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00559  1736   NtQueryVolumeInformationFile  (72, 1239912, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00560  1736   NtSetInformationFile  (76, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00561  1736   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0
 00562  1736   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x990000), {0, 0}, 118784, ) == 0x0
 00563  1736   NtClose  (80, ... ) == 0x0
 00564  1736   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0\240\240\240\240\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\200\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0`\0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00565  1736   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 56848, 0x0, 0, ... {status=0x0, info=56848}, ) , 56848, 0x0, 0, ... {status=0x0, info=56848}, ) == 0x0
 00566  1736   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 00567  1736   NtSetInformationFile  (76, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00568  1736   NtClose  (72, ... ) == 0x0
 00569  1736   NtClose  (76, ... ) == 0x0
 00570  1736   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 76, ) }, ... 76, ) == 0x0
 00571  1736   NtSetValueKey  (76,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 00572  1736   NtSetInformationFile  (-2147482448, -139348176, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00573  1736   NtSetInformationFile  (-2147482448, -139348268, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00574  1736   NtSetInformationFile  (-2147482448, -139348576, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00571  1736   NtSetValueKey  ... ) == 0x0
 00575  1736   NtClose  (76, ... ) == 0x0
 00576  1736   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0
 00577  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10027008, 1048576, ) == 0x0
 00578  1736   NtAllocateVirtualMemory  (-1, 11067392, 0, 8192, 4096, 4, ... 11067392, 8192, ) == 0x0
 00579  1736   NtProtectVirtualMemory  (-1, (0xa8e000), 4096, 260, ... (0xa8e000), 4096, 4, ) == 0x0
 00580  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 72, {1636, 1356}, ) == 0x0
 00581  1736   NtQueryInformationThread  (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1636,Tid=1356,}, 0x0, ) == 0x0
 00582  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75488, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0L\5\0\0" )  ) == 0x0
 00583  1736   NtResumeThread  (72, ... 1, ) == 0x0
 00584  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11075584, 1048576, ) == 0x0
 00585  1736   NtAllocateVirtualMemory  (-1, 12115968, 0, 8192, 4096, 4, ... 12115968, 8192, ) == 0x0
 00586  1356   NtTestAlert  (... ) == 0x0
 00587  1356   NtContinue  (11074864, 1, ...
 00588  1356   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00589  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0
 00590  1356   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00591  1356   NtAllocateVirtualMemory  (-1, 11063296, 0, 4096, 4096, 260, ...
 00592  1736   NtProtectVirtualMemory  (-1, (0xb8e000), 4096, 260, ... (0xb8e000), 4096, 4, ) == 0x0
 00593  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 84, {1636, 868}, ) == 0x0
 00594  1736   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1636,Tid=868,}, 0x0, ) == 0x0
 00595  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75488, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75489, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0d\3\0\0" )  ) == 0x0
 00596  1736   NtResumeThread  (84, ... 1, ) == 0x0
 00597  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00591  1356   NtAllocateVirtualMemory  ... 11063296, 4096, ) == 0x0
 00598   868   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00599  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11071988, ... }, 11071988, ...
 00598   868   NtCreateEvent  ... 88, ) == 0x0
 00599  1356   NtQueryAttributesFile  ... ) == 0x0
 00600   868   NtWaitForSingleObject  (88, 0, 0x0, ...
 00601  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00602  1356   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 96, ) == 0x0
 00603  1356   NtClose  (92, ... ) == 0x0
 00604  1356   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb90000), 0x0, 245760, ) == 0x0
 00605  1356   NtClose  (96, ...
 00597  1736   NtAllocateVirtualMemory  ... 12386304, 1048576, ) == 0x0
 00606  1736   NtAllocateVirtualMemory  (-1, 13426688, 0, 8192, 4096, 4, ... 13426688, 8192, ) == 0x0
 00607  1736   NtProtectVirtualMemory  (-1, (0xcce000), 4096, 260, ... (0xcce000), 4096, 4, ) == 0x0
 00608  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 92, {1636, 808}, ) == 0x0
 00609  1736   NtQueryInformationThread  (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1636,Tid=808,}, 0x0, ) == 0x0
 00610  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75489, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75490, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0(\3\0\0" )  ) == 0x0
 00605  1356   NtClose  ... ) == 0x0
 00611  1736   NtResumeThread  (92, ... 1, ) == 0x0
 00612  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13434880, 1048576, ) == 0x0
 00613  1736   NtAllocateVirtualMemory  (-1, 14475264, 0, 8192, 4096, 4, ... 14475264, 8192, ) == 0x0
 00614  1356   NtUnmapViewOfSection  (-1, 0xb90000, ...
 00615   808   NtWaitForSingleObject  (88, 0, 0x0, ...
 00614  1356   NtUnmapViewOfSection  ... ) == 0x0
 00616  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11072296, ... ) }, 11072296, ... ) == 0x0
 00617  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00618  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0
 00619  1356   NtQuerySection  (100, Image, 48, ...
 00620  1736   NtProtectVirtualMemory  (-1, (0xdce000), 4096, 260, ... (0xdce000), 4096, 4, ) == 0x0
 00621  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 104, {1636, 2020}, ) == 0x0
 00622  1736   NtQueryInformationThread  (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1636,Tid=2020,}, 0x0, ) == 0x0
 00623  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75491, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0\344\7\0\0" )  ) == 0x0
 00624  1736   NtResumeThread  (104, ... 1, ) == 0x0
 00625  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00619  1356   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00626  2020   NtWaitForSingleObject  (88, 0, 0x0, ...
 00627  1356   NtClose  (96, ... ) == 0x0
 00628  1356   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 00629  1356   NtClose  (100, ... ) == 0x0
 00630  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00631  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ...
 00625  1736   NtAllocateVirtualMemory  ... 14483456, 1048576, ) == 0x0
 00632  1736   NtAllocateVirtualMemory  (-1, 15523840, 0, 8192, 4096, 4, ... 15523840, 8192, ) == 0x0
 00633  1736   NtProtectVirtualMemory  (-1, (0xece000), 4096, 260, ... (0xece000), 4096, 4, ) == 0x0
 00634  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 100, {1636, 896}, ) == 0x0
 00635  1736   NtQueryInformationThread  (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1636,Tid=896,}, 0x0, ) == 0x0
 00636  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\200\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75492, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\200\3\0\0" )  ) == 0x0
 00631  1356   NtProtectVirtualMemory  ... (0x71a51000), 4096, 4, ) == 0x0
 00637  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00638  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00639  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00640  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00641  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00642  1356   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ...
 00643  1736   NtResumeThread  (100, ... 1, ) == 0x0
 00644  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15532032, 1048576, ) == 0x0
 00645  1736   NtAllocateVirtualMemory  (-1, 16572416, 0, 8192, 4096, 4, ... 16572416, 8192, ) == 0x0
 00646  1736   NtProtectVirtualMemory  (-1, (0xfce000), 4096, 260, ... (0xfce000), 4096, 4, ) == 0x0
 00647  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 96, {1636, 1252}, ) == 0x0
 00648  1736   NtQueryInformationThread  (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1636,Tid=1252,}, 0x0, ) == 0x0
 00642  1356   NtProtectVirtualMemory  ... (0x71a51000), 4096, 4, ) == 0x0
 00649   896   NtWaitForSingleObject  (88, 0, 0x0, ...
 00650  1356   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00651  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\4\0\0" ...  ...
 00652  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00653  1356   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00654  1356   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00655  1356   NtSetEventBoostPriority  (88, ...
 00651  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75493, 0}  ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\344\4\0\0" )  ) == 0x0
 00656  1736   NtResumeThread  (96, ... 1, ) == 0x0
 00657  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 16580608, 1048576, ) == 0x0
 00658  1736   NtAllocateVirtualMemory  (-1, 17620992, 0, 8192, 4096, 4, ... 17620992, 8192, ) == 0x0
 00659  1736   NtProtectVirtualMemory  (-1, (0x10ce000), 4096, 260, ... (0x10ce000), 4096, 4, ) == 0x0
 00660  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00600   868   NtWaitForSingleObject  ... ) == 0x0
 00655  1356   NtSetEventBoostPriority  ... ) == 0x0
 00661  1252   NtWaitForSingleObject  (88, 0, 0x0, ...
 00662   868   NtSetEventBoostPriority  (88, ...
 00663  1356   NtWaitForSingleObject  (88, 0, 0x0, ...
 00615   808   NtWaitForSingleObject  ... ) == 0x0
 00662   868   NtSetEventBoostPriority  ... ) == 0x0
 00664   808   NtSetEventBoostPriority  (88, ...
 00660  1736   NtCreateThread  ... 108, {1636, 2016}, ) == 0x0
 00626  2020   NtWaitForSingleObject  ... ) == 0x0
 00664   808   NtSetEventBoostPriority  ... ) == 0x0
 00665  2020   NtSetEventBoostPriority  (88, ...
 00666  1736   NtQueryInformationThread  (108, Basic, 28, ...
 00667   868   NtTestAlert  (...
 00649   896   NtWaitForSingleObject  ... ) == 0x0
 00665  2020   NtSetEventBoostPriority  ... ) == 0x0
 00666  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1636,Tid=2016,}, 0x0, ) == 0x0
 00668   896   NtSetEventBoostPriority  (88, ...
 00667   868   NtTestAlert  ... ) == 0x0
 00669   808   NtTestAlert  (...
 00661  1252   NtWaitForSingleObject  ... ) == 0x0
 00668   896   NtSetEventBoostPriority  ... ) == 0x0
 00670  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\340\7\0\0" ...  ...
 00671   868   NtContinue  (12123440, 1, ...
 00672  1252   NtSetEventBoostPriority  (88, ...
 00669   808   NtTestAlert  ... ) == 0x0
 00673  2020   NtTestAlert  (...
 00670  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75494, 0}  ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\340\7\0\0" )  ) == 0x0
 00663  1356   NtWaitForSingleObject  ... ) == 0x0
 00672  1252   NtSetEventBoostPriority  ... ) == 0x0
 00674   868   NtRegisterThreadTerminatePort  (24, ...
 00675   808   NtContinue  (13434160, 1, ...
 00673  2020   NtTestAlert  ... ) == 0x0
 00676   896   NtTestAlert  (...
 00677  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00678  1736   NtResumeThread  (108, ...
 00674   868   NtRegisterThreadTerminatePort  ... ) == 0x0
 00679   808   NtRegisterThreadTerminatePort  (24, ...
 00680  2020   NtContinue  (14482736, 1, ...
 00677  1356   NtCreateEvent  ... 112, ) == 0x0
 00676   896   NtTestAlert  ... ) == 0x0
 00678  1736   NtResumeThread  ... 1, ) == 0x0
 00681   868   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00679   808   NtRegisterThreadTerminatePort  ... ) == 0x0
 00682  2020   NtRegisterThreadTerminatePort  (24, ...
 00683  1252   NtTestAlert  (...
 00684  2016   NtTestAlert  (...
 00685   896   NtContinue  (15531312, 1, ...
 00686  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00687  1356   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 00688   808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00682  2020   NtRegisterThreadTerminatePort  ... ) == 0x0
 00683  1252   NtTestAlert  ... ) == 0x0
 00684  2016   NtTestAlert  ... ) == 0x0
 00689   896   NtRegisterThreadTerminatePort  (24, ...
 00686  1736   NtAllocateVirtualMemory  ... 17629184, 1048576, ) == 0x0
 00687  1356   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00681   868   NtDuplicateObject  ... 116, ) == 0x0
 00690  2020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00691  1252   NtContinue  (16579888, 1, ...
 00692  2016   NtContinue  (17628464, 1, ...
 00689   896   NtRegisterThreadTerminatePort  ... ) == 0x0
 00693  1736   NtAllocateVirtualMemory  (-1, 18669568, 0, 8192, 4096, 4, ...
 00694  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11071908, ... }, 11071908, ...
 00695   868   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00688   808   NtDuplicateObject  ... 120, ) == 0x0
 00696  1252   NtRegisterThreadTerminatePort  (24, ...
 00697  2016   NtRegisterThreadTerminatePort  (24, ...
 00698   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00693  1736   NtAllocateVirtualMemory  ... 18669568, 8192, ) == 0x0
 00695   868   NtWaitForSingleObject  ... ) == 0x102
 00699   808   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00696  1252   NtRegisterThreadTerminatePort  ... ) == 0x0
 00697  2016   NtRegisterThreadTerminatePort  ... ) == 0x0
 00690  2020   NtDuplicateObject  ... 124, ) == 0x0
 00698   896   NtDuplicateObject  ... 128, ) == 0x0
 00700   868   NtAllocateVirtualMemory  (-1, 12111872, 0, 4096, 4096, 260, ...
 00701  1252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00702  1736   NtProtectVirtualMemory  (-1, (0x11ce000), 4096, 260, ...
 00699   808   NtWaitForSingleObject  ... ) == 0x102
 00703  2020   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00704   896   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00700   868   NtAllocateVirtualMemory  ... 12111872, 4096, ) == 0x0
 00705  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00702  1736   NtProtectVirtualMemory  ... (0x11ce000), 4096, 4, ) == 0x0
 00706   808   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00703  2020   NtWaitForSingleObject  ... ) == 0x102
 00704   896   NtWaitForSingleObject  ... ) == 0x102
 00701  1252   NtDuplicateObject  ... 132, ) == 0x0
 00705  2016   NtDuplicateObject  ... 136, ) == 0x0
 00707  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00706   808   NtCreateEvent  ... 140, ) == 0x0
 00708  2020   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00709   896   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00710  1252   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00711  2016   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00707  1736   NtCreateThread  ... 144, {1636, 2012}, ) == 0x0
 00712   808   NtWaitForSingleObject  (140, 0, 0x0, ...
 00708  2020   NtCreateEvent  ... 148, ) == 0x0
 00709   896   NtCreateEvent  ... 152, ) == 0x0
 00710  1252   NtWaitForSingleObject  ... ) == 0x102
 00711  2016   NtWaitForSingleObject  ... ) == 0x102
 00713  1736   NtQueryInformationThread  (144, Basic, 28, ...
 00714   868   NtWaitForSingleObject  (88, 0, 0x0, ...
 00694  1356   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00715  2020   NtClose  (148, ...
 00716  1252   NtWaitForSingleObject  (140, 0, 0x0, ...
 00717  2016   NtWaitForSingleObject  (140, 0, 0x0, ...
 00713  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1636,Tid=2012,}, 0x0, ) == 0x0
 00718  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11071908, ... }, 11071908, ...
 00715  2020   NtClose  ... ) == 0x0
 00719   896   NtClose  (152, ...
 00718  1356   NtQueryAttributesFile  ... ) == 0x0
 00720  2020   NtWaitForSingleObject  (140, 0, 0x0, ...
 00719   896   NtClose  ... ) == 0x0
 00721  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ...
 00722   896   NtWaitForSingleObject  (140, 0, 0x0, ...
 00721  1356   NtOpenFile  ... 152, {status=0x0, info=1}, ) == 0x0
 00723  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 152, ... 148, ) == 0x0
 00724  1356   NtQuerySection  (148, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00725  1356   NtClose  (152, ... ) == 0x0
 00726  1356   NtMapViewOfSection  (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 00727  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\334\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\334\7\0\0" )  ) == 0x0
 00728  1736   NtResumeThread  (144, ... 1, ) == 0x0
 00729  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18677760, 1048576, ) == 0x0
 00730  1736   NtAllocateVirtualMemory  (-1, 19718144, 0, 8192, 4096, 4, ... 19718144, 8192, ) == 0x0
 00731  1736   NtProtectVirtualMemory  (-1, (0x12ce000), 4096, 260, ... (0x12ce000), 4096, 4, ) == 0x0
 00732  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00726  1356   NtMapViewOfSection  ... (0x662b0000), 0x0, 360448, ) == 0x0
 00733  2012   NtWaitForSingleObject  (88, 0, 0x0, ...
 00734  1356   NtClose  (148, ... ) == 0x0
 00735  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00736  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00737  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00738  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00739  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 00732  1736   NtCreateThread  ... 148, {1636, 1028}, ) == 0x0
 00740  1736   NtQueryInformationThread  (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1636,Tid=1028,}, 0x0, ) == 0x0
 00741  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75496, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" )  ) == 0x0
 00742  1736   NtResumeThread  (148, ... 1, ) == 0x0
 00743  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19726336, 1048576, ) == 0x0
 00744  1736   NtAllocateVirtualMemory  (-1, 20766720, 0, 8192, 4096, 4, ... 20766720, 8192, ) == 0x0
 00739  1356   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 00745  1028   NtWaitForSingleObject  (88, 0, 0x0, ...
 00746  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00747  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00748  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00749  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00750  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00751  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 00752  1736   NtProtectVirtualMemory  (-1, (0x13ce000), 4096, 260, ... (0x13ce000), 4096, 4, ) == 0x0
 00753  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 152, {1636, 384}, ) == 0x0
 00754  1736   NtQueryInformationThread  (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1636,Tid=384,}, 0x0, ) == 0x0
 00755  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\200\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75497, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\200\1\0\0" )  ) == 0x0
 00756  1736   NtResumeThread  (152, ... 1, ) == 0x0
 00757  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00751  1356   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 00758   384   NtWaitForSingleObject  (88, 0, 0x0, ...
 00759  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00760  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00761  1356   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00762  1356   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00763  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00764  1356   NtSetEventBoostPriority  (88, ...
 00757  1736   NtAllocateVirtualMemory  ... 20774912, 1048576, ) == 0x0
 00765  1736   NtAllocateVirtualMemory  (-1, 21815296, 0, 8192, 4096, 4, ... 21815296, 8192, ) == 0x0
 00766  1736   NtProtectVirtualMemory  (-1, (0x14ce000), 4096, 260, ... (0x14ce000), 4096, 4, ) == 0x0
 00767  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 156, {1636, 1180}, ) == 0x0
 00768  1736   NtQueryInformationThread  (156, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1636,Tid=1180,}, 0x0, ) == 0x0
 00769  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\234\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75498, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\234\4\0\0" )  ) == 0x0
 00714   868   NtWaitForSingleObject  ... ) == 0x0
 00764  1356   NtSetEventBoostPriority  ... ) == 0x0
 00770   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12118992, ... }, 12118992, ...
 00771  1356   NtWaitForSingleObject  (88, 0, 0x0, ...
 00770   868   NtQueryAttributesFile  ... ) == 0x0
 00772   868   NtSetEventBoostPriority  (88, ...
 00733  2012   NtWaitForSingleObject  ... ) == 0x0
 00773  2012   NtSetEventBoostPriority  (88, ...
 00745  1028   NtWaitForSingleObject  ... ) == 0x0
 00774  1028   NtSetEventBoostPriority  (88, ...
 00758   384   NtWaitForSingleObject  ... ) == 0x0
 00775   384   NtSetEventBoostPriority  (88, ...
 00771  1356   NtWaitForSingleObject  ... ) == 0x0
 00776  1356   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00775   384   NtSetEventBoostPriority  ... ) == 0x0
 00774  1028   NtSetEventBoostPriority  ... ) == 0x0
 00773  2012   NtSetEventBoostPriority  ... ) == 0x0
 00772   868   NtSetEventBoostPriority  ... ) == 0x0
 00777  1736   NtResumeThread  (156, ...
 00778  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ...
 00779   384   NtTestAlert  (...
 00780  1028   NtTestAlert  (...
 00781   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00777  1736   NtResumeThread  ... 1, ) == 0x0
 00778  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00779   384   NtTestAlert  ... ) == 0x0
 00780  1028   NtTestAlert  ... ) == 0x0
 00781   868   NtCreateEvent  ... 160, ) == 0x0
 00782  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00783  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ...
 00784   384   NtContinue  (20774192, 1, ...
 00785  1028   NtContinue  (19725616, 1, ...
 00786   868   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 00782  1736   NtAllocateVirtualMemory  ... 21823488, 1048576, ) == 0x0
 00783  1356   NtOpenKey  ... 164, ) == 0x0
 00787   384   NtRegisterThreadTerminatePort  (24, ...
 00788  1028   NtRegisterThreadTerminatePort  (24, ...
 00786   868   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00789  1736   NtAllocateVirtualMemory  (-1, 22863872, 0, 8192, 4096, 4, ...
 00790  1356   NtQueryValueKey  (164,  (164, "MaxRpcSize", Partial, 144, ... , Partial, 144, ...
 00787   384   NtRegisterThreadTerminatePort  ... ) == 0x0
 00788  1028   NtRegisterThreadTerminatePort  ... ) == 0x0
 00791   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 12119096, ... }, 12119096, ...
 00789  1736   NtAllocateVirtualMemory  ... 22863872, 8192, ) == 0x0
 00790  1356   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00792   384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00793  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00794  2012   NtTestAlert  (...
 00795  1180   NtWaitForSingleObject  (88, 0, 0x0, ...
 00796  1736   NtProtectVirtualMemory  (-1, (0x15ce000), 4096, 260, ...
 00797  1356   NtClose  (164, ...
 00792   384   NtDuplicateObject  ... 168, ) == 0x0
 00794  2012   NtTestAlert  ... ) == 0x0
 00796  1736   NtProtectVirtualMemory  ... (0x15ce000), 4096, 4, ) == 0x0
 00797  1356   NtClose  ... ) == 0x0
 00798   384   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00799  2012   NtContinue  (18677040, 1, ...
 00800  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00801  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ...
 00798   384   NtWaitForSingleObject  ... ) == 0x102
 00802  2012   NtRegisterThreadTerminatePort  (24, ...
 00800  1736   NtCreateThread  ... 164, {1636, 420}, ) == 0x0
 00801  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00803   384   NtWaitForSingleObject  (140, 0, 0x0, ...
 00802  2012   NtRegisterThreadTerminatePort  ... ) == 0x0
 00804  1736   NtQueryInformationThread  (164, Basic, 28, ...
 00805  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 00806  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00804  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1636,Tid=420,}, 0x0, ) == 0x0
 00805  1356   NtCreateEvent  ... 172, ) == 0x0
 00793  1028   NtDuplicateObject  ... 176, ) == 0x0
 00806  2012   NtDuplicateObject  ... 180, ) == 0x0
 00807  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0d\6\0\0\244\1\0\0" ...  ...
 00791   868   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00808  1028   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00809  2012   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00807  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75499, 0}  ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0d\6\0\0\244\1\0\0" )  ) == 0x0
 00810   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 12119096, ... }, 12119096, ...
 00808  1028   NtWaitForSingleObject  ... ) == 0x102
 00809  2012   NtWaitForSingleObject  ... ) == 0x102
 00811  1736   NtResumeThread  (164, ...
 00810   868   NtQueryAttributesFile  ... ) == 0x0
 00812  1028   NtWaitForSingleObject  (140, 0, 0x0, ...
 00813  2012   NtWaitForSingleObject  (140, 0, 0x0, ...
 00811  1736   NtResumeThread  ... 1, ) == 0x0
 00814  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 00815  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00814  1356   NtCreateEvent  ... 184, ) == 0x0
 00816   868   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ...
 00817   420   NtWaitForSingleObject  (88, 0, 0x0, ...
 00818  1356   NtQuerySystemTime  (...
 00816   868   NtOpenFile  ... 188, {status=0x0, info=1}, ) == 0x0
 00818  1356   NtQuerySystemTime  ... {1836562776, 29922244}, ) == 0x0
 00819   868   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 188, ...
 00820  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00819   868   NtCreateSection  ... 192, ) == 0x0
 00820  1356   NtCreateEvent  ... 196, ) == 0x0
 00821   868   NtQuerySection  (192, Image, 48, ...
 00815  1736   NtAllocateVirtualMemory  ... 22872064, 1048576, ) == 0x0
 00821   868   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00822  1736   NtAllocateVirtualMemory  (-1, 23912448, 0, 8192, 4096, 4, ...
 00823  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ...
 00822  1736   NtAllocateVirtualMemory  ... 23912448, 8192, ) == 0x0
 00823  1356   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00824  1736   NtProtectVirtualMemory  (-1, (0x16ce000), 4096, 260, ...
 00825  1356   NtQuerySystemInformation  (Performance, 312, ...
 00824  1736   NtProtectVirtualMemory  ... (0x16ce000), 4096, 4, ) == 0x0
 00825  1356   NtQuerySystemInformation  ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00826  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00827  1356   NtQueryInformationProcess  (-1, QuotaLimits, 32, ...
 00828   868   NtClose  (188, ...
 00827  1356   NtQueryInformationProcess  ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00828   868   NtClose  ... ) == 0x0
 00826  1736   NtCreateThread  ... 188, {1636, 596}, ) == 0x0
 00829   868   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 00830  1736   NtQueryInformationThread  (188, Basic, 28, ...
 00829   868   NtMapViewOfSection  ... (0x76f20000), 0x0, 159744, ) == 0x0
 00830  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1636,Tid=596,}, 0x0, ) == 0x0
 00831   868   NtClose  (192, ...
 00832  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0d\6\0\0T\2\0\0" ...  ...
 00831   868   NtClose  ... ) == 0x0
 00832  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75500, 0}  ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\0\0\0d\6\0\0T\2\0\0" )  ) == 0x0
 00833  1356   NtQueryInformationProcess  (-1, VmCounters, 44, ...
 00834   868   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 00833  1356   NtQueryInformationProcess  ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00834   868   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 00835  1356   NtWaitForSingleObject  (88, 0, 0x0, ...
 00836   868   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00837   868   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00838   868   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00839   868   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00840   868   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00841  1736   NtResumeThread  (188, ... 1, ) == 0x0
 00842  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23920640, 1048576, ) == 0x0
 00843  1736   NtAllocateVirtualMemory  (-1, 24961024, 0, 8192, 4096, 4, ... 24961024, 8192, ) == 0x0
 00844  1736   NtProtectVirtualMemory  (-1, (0x17ce000), 4096, 260, ... (0x17ce000), 4096, 4, ) == 0x0
 00845  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 192, {1636, 376}, ) == 0x0
 00846  1736   NtQueryInformationThread  (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1636,Tid=376,}, 0x0, ) == 0x0
 00847   868   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 00848   596   NtWaitForSingleObject  (88, 0, 0x0, ...
 00847   868   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 00849   868   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00850   868   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00851   868   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00852   868   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 00853  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0d\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0d\6\0\0x\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75501, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0d\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0d\6\0\0x\1\0\0" )  ) == 0x0
 00854  1736   NtResumeThread  (192, ... 1, ) == 0x0
 00855  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24969216, 1048576, ) == 0x0
 00856  1736   NtAllocateVirtualMemory  (-1, 26009600, 0, 8192, 4096, 4, ... 26009600, 8192, ) == 0x0
 00857  1736   NtProtectVirtualMemory  (-1, (0x18ce000), 4096, 260, ... (0x18ce000), 4096, 4, ) == 0x0
 00858  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00852   868   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 00859   376   NtWaitForSingleObject  (88, 0, 0x0, ...
 00860   868   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00861   868   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00862   868   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 00863   868   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00864   868   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 00865   868   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 00858  1736   NtCreateThread  ... 200, {1636, 1168}, ) == 0x0
 00866  1736   NtQueryInformationThread  (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1636,Tid=1168,}, 0x0, ) == 0x0
 00867  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75502, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0d\6\0\0\220\4\0\0" )  ) == 0x0
 00868  1736   NtResumeThread  (200, ... 1, ) == 0x0
 00869  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 26017792, 1048576, ) == 0x0
 00870  1736   NtAllocateVirtualMemory  (-1, 27058176, 0, 8192, 4096, 4, ... 27058176, 8192, ) == 0x0
 00865   868   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 00871  1168   NtWaitForSingleObject  (88, 0, 0x0, ...
 00872   868   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 00873   868   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00874   868   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 204, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 204, 2, ) , 0, ... 204, 2, ) == 0x0
 00875   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 208, ) }, ... 208, ) == 0x0
 00876   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00877   868   NtQueryValueKey  (208,  (208, "QueryAdapterName", Partial, 144, ... , Partial, 144, ...
 00878  1736   NtProtectVirtualMemory  (-1, (0x19ce000), 4096, 260, ... (0x19ce000), 4096, 4, ) == 0x0
 00879  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {1636, 120}, ) == 0x0
 00880  1736   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1636,Tid=120,}, 0x0, ) == 0x0
 00881  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0x\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75503, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0x\0\0\0" )  ) == 0x0
 00882  1736   NtResumeThread  (212, ... 1, ) == 0x0
 00883  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00877   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00884   120   NtWaitForSingleObject  (88, 0, 0x0, ...
 00885   868   NtQueryValueKey  (204,  (204, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00886   868   NtQueryValueKey  (208,  (208, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00887   868   NtQueryValueKey  (204,  (204, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00888   868   NtQueryValueKey  (208,  (208, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00889   868   NtQueryValueKey  (204,  (204, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00890   868   NtQueryValueKey  (208,  (208, "AllowUnqualifiedQuery", Partial, 144, ... , Partial, 144, ...
 00883  1736   NtAllocateVirtualMemory  ... 27066368, 1048576, ) == 0x0
 00891  1736   NtAllocateVirtualMemory  (-1, 28106752, 0, 8192, 4096, 4, ... 28106752, 8192, ) == 0x0
 00892  1736   NtProtectVirtualMemory  (-1, (0x1ace000), 4096, 260, ... (0x1ace000), 4096, 4, ) == 0x0
 00893  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1636, 928}, ) == 0x0
 00894  1736   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1636,Tid=928,}, 0x0, ) == 0x0
 00895  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75504, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" )  ) == 0x0
 00890   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00896   868   NtQueryValueKey  (204,  (204, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00897   868   NtQueryValueKey  (208,  (208, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00898   868   NtQueryValueKey  (208,  (208, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00899   868   NtQueryValueKey  (208,  (208, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00900   868   NtQueryValueKey  (208,  (208, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00901   868   NtQueryValueKey  (208,  (208, "WaitForNameErrorOnAll", Partial, 144, ... , Partial, 144, ...
 00902  1736   NtResumeThread  (216, ... 1, ) == 0x0
 00903  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28114944, 1048576, ) == 0x0
 00904  1736   NtAllocateVirtualMemory  (-1, 29155328, 0, 8192, 4096, 4, ... 29155328, 8192, ) == 0x0
 00905  1736   NtProtectVirtualMemory  (-1, (0x1bce000), 4096, 260, ... (0x1bce000), 4096, 4, ) == 0x0
 00906  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {1636, 1732}, ) == 0x0
 00907  1736   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1636,Tid=1732,}, 0x0, ) == 0x0
 00901   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00908   928   NtWaitForSingleObject  (88, 0, 0x0, ...
 00909   868   NtQueryValueKey  (208,  (208, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00910   868   NtQueryValueKey  (208,  (208, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00911   868   NtQueryValueKey  (208,  (208, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00912   868   NtQueryValueKey  (208,  (208, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00913   868   NtQueryValueKey  (204,  (204, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00914   868   NtQueryValueKey  (208,  (208, "RegisterPrimaryName", Partial, 144, ... , Partial, 144, ...
 00915  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\304\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75505, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0\304\6\0\0" )  ) == 0x0
 00916  1736   NtResumeThread  (220, ... 1, ) == 0x0
 00917  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29163520, 1048576, ) == 0x0
 00918  1736   NtAllocateVirtualMemory  (-1, 30203904, 0, 8192, 4096, 4, ... 30203904, 8192, ) == 0x0
 00919  1736   NtProtectVirtualMemory  (-1, (0x1cce000), 4096, 260, ... (0x1cce000), 4096, 4, ) == 0x0
 00920  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00914   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00921  1732   NtWaitForSingleObject  (88, 0, 0x0, ...
 00922   868   NtQueryValueKey  (208,  (208, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923   868   NtQueryValueKey  (204,  (204, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00924   868   NtQueryValueKey  (208,  (208, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00925   868   NtQueryValueKey  (204,  (204, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00926   868   NtQueryValueKey  (208,  (208, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00927   868   NtQueryValueKey  (204,  (204, "DisableWanDynamicUpdate", Partial, 144, ... , Partial, 144, ...
 00920  1736   NtCreateThread  ... 224, {1636, 428}, ) == 0x0
 00928  1736   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1636,Tid=428,}, 0x0, ) == 0x0
 00929  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0\254\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75506, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0\254\1\0\0" )  ) == 0x0
 00930  1736   NtResumeThread  (224, ... 1, ) == 0x0
 00931  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30212096, 1048576, ) == 0x0
 00932  1736   NtAllocateVirtualMemory  (-1, 31252480, 0, 8192, 4096, 4, ... 31252480, 8192, ) == 0x0
 00927   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00933   428   NtWaitForSingleObject  (88, 0, 0x0, ...
 00934   868   NtQueryValueKey  (208,  (208, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00935   868   NtQueryValueKey  (204,  (204, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00936   868   NtQueryValueKey  (208,  (208, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00937   868   NtQueryValueKey  (204,  (204, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00938   868   NtQueryValueKey  (208,  (208, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00939   868   NtQueryValueKey  (204,  (204, "MaxNumberOfAddressesToRegister", Partial, 144, ... , Partial, 144, ...
 00940  1736   NtProtectVirtualMemory  (-1, (0x1dce000), 4096, 260, ... (0x1dce000), 4096, 4, ) == 0x0
 00941  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1636, 748}, ) == 0x0
 00942  1736   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1636,Tid=748,}, 0x0, ) == 0x0
 00943  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\354\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75507, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\354\2\0\0" )  ) == 0x0
 00944  1736   NtResumeThread  (228, ... 1, ) == 0x0
 00945  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00939   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00946   748   NtWaitForSingleObject  (88, 0, 0x0, ...
 00947   868   NtQueryValueKey  (208,  (208, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00948   868   NtQueryValueKey  (204,  (204, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00949   868   NtQueryValueKey  (208,  (208, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00950   868   NtQueryValueKey  (208,  (208, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00951   868   NtQueryValueKey  (208,  (208, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00952   868   NtQueryValueKey  (208,  (208, "MaxCacheSize", Partial, 144, ... , Partial, 144, ...
 00945  1736   NtAllocateVirtualMemory  ... 31260672, 1048576, ) == 0x0
 00953  1736   NtAllocateVirtualMemory  (-1, 32301056, 0, 8192, 4096, 4, ... 32301056, 8192, ) == 0x0
 00954  1736   NtProtectVirtualMemory  (-1, (0x1ece000), 4096, 260, ... (0x1ece000), 4096, 4, ) == 0x0
 00955  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1636, 1300}, ) == 0x0
 00956  1736   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1636,Tid=1300,}, 0x0, ) == 0x0
 00957  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\24\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75508, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0d\6\0\0\24\5\0\0" )  ) == 0x0
 00952   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00958   868   NtQueryValueKey  (208,  (208, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00959   868   NtQueryValueKey  (208,  (208, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00960   868   NtQueryValueKey  (208,  (208, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00961   868   NtQueryValueKey  (208,  (208, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00962   868   NtQueryValueKey  (208,  (208, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00963   868   NtQueryValueKey  (208,  (208, "MulticastListenLevel", Partial, 144, ... , Partial, 144, ...
 00964  1736   NtResumeThread  (232, ... 1, ) == 0x0
 00965  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32309248, 1048576, ) == 0x0
 00966  1736   NtAllocateVirtualMemory  (-1, 33349632, 0, 8192, 4096, 4, ... 33349632, 8192, ) == 0x0
 00967  1736   NtProtectVirtualMemory  (-1, (0x1fce000), 4096, 260, ... (0x1fce000), 4096, 4, ) == 0x0
 00968  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1636, 1096}, ) == 0x0
 00969  1736   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1636,Tid=1096,}, 0x0, ) == 0x0
 00963   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00970  1300   NtWaitForSingleObject  (88, 0, 0x0, ...
 00971   868   NtQueryValueKey  (208,  (208, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00972   868   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 240, ) }, ... 240, ) == 0x0
 00973   868   NtQueryValueKey  (240,  (240, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (240, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00974   868   NtClose  (240, ... ) == 0x0
 00975   868   NtClose  (204, ... ) == 0x0
 00976   868   NtClose  (208, ...
 00977  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75509, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0H\4\0\0" )  ) == 0x0
 00978  1736   NtResumeThread  (236, ... 1, ) == 0x0
 00979  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33357824, 1048576, ) == 0x0
 00980  1736   NtAllocateVirtualMemory  (-1, 34398208, 0, 8192, 4096, 4, ... 34398208, 8192, ) == 0x0
 00981  1736   NtProtectVirtualMemory  (-1, (0x20ce000), 4096, 260, ... (0x20ce000), 4096, 4, ) == 0x0
 00982  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00976   868   NtClose  ... ) == 0x0
 00983  1096   NtWaitForSingleObject  (88, 0, 0x0, ...
 00984   868   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 208, ) }, ... 208, ) == 0x0
 00985   868   NtQueryValueKey  (208,  (208, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986   868   NtQueryValueKey  (208,  (208, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00987   868   NtQueryValueKey  (208,  (208, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00988   868   NtClose  (208, ... ) == 0x0
 00989   868   NtSetEventBoostPriority  (88, ...
 00982  1736   NtCreateThread  ... 208, {1636, 252}, ) == 0x0
 00990  1736   NtQueryInformationThread  (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1636,Tid=252,}, 0x0, ) == 0x0
 00991  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\374\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75510, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0\374\0\0\0" )  ) == 0x0
 00992  1736   NtResumeThread  (208, ... 1, ) == 0x0
 00993  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34406400, 1048576, ) == 0x0
 00994  1736   NtAllocateVirtualMemory  (-1, 35446784, 0, 8192, 4096, 4, ... 35446784, 8192, ) == 0x0
 00795  1180   NtWaitForSingleObject  ... ) == 0x0
 00989   868   NtSetEventBoostPriority  ... ) == 0x0
 00995   252   NtWaitForSingleObject  (88, 0, 0x0, ...
 00996  1180   NtSetEventBoostPriority  (88, ...
 00997   868   NtWaitForSingleObject  (88, 0, 0x0, ...
 00817   420   NtWaitForSingleObject  ... ) == 0x0
 00996  1180   NtSetEventBoostPriority  ... ) == 0x0
 00998   420   NtSetEventBoostPriority  (88, ...
 00999  1736   NtProtectVirtualMemory  (-1, (0x21ce000), 4096, 260, ...
 00835  1356   NtWaitForSingleObject  ... ) == 0x0
 00998   420   NtSetEventBoostPriority  ... ) == 0x0
 01000  1356   NtSetEventBoostPriority  (88, ...
 00999  1736   NtProtectVirtualMemory  ... (0x21ce000), 4096, 4, ) == 0x0
 01001  1180   NtTestAlert  (...
 00848   596   NtWaitForSingleObject  ... ) == 0x0
 01000  1356   NtSetEventBoostPriority  ... ) == 0x0
 01002  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01003   596   NtSetEventBoostPriority  (88, ...
 01001  1180   NtTestAlert  ... ) == 0x0
 01004   420   NtTestAlert  (...
 00859   376   NtWaitForSingleObject  ... ) == 0x0
 01003   596   NtSetEventBoostPriority  ... ) == 0x0
 01002  1736   NtCreateThread  ... 204, {1636, 500}, ) == 0x0
 01005  1180   NtContinue  (21822768, 1, ...
 01006   376   NtSetEventBoostPriority  (88, ...
 01004   420   NtTestAlert  ... ) == 0x0
 01007  1356   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01008  1736   NtQueryInformationThread  (204, Basic, 28, ...
 00871  1168   NtWaitForSingleObject  ... ) == 0x0
 01006   376   NtSetEventBoostPriority  ... ) == 0x0
 01009  1180   NtRegisterThreadTerminatePort  (24, ...
 01010   420   NtContinue  (22871344, 1, ...
 01007  1356   NtCreateEvent  ... 240, ) == 0x0
 01011  1168   NtSetEventBoostPriority  (88, ...
 01008  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1636,Tid=500,}, 0x0, ) == 0x0
 01012   596   NtTestAlert  (...
 01009  1180   NtRegisterThreadTerminatePort  ... ) == 0x0
 01013   420   NtRegisterThreadTerminatePort  (24, ...
 00884   120   NtWaitForSingleObject  ... ) == 0x0
 01011  1168   NtSetEventBoostPriority  ... ) == 0x0
 01014  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01015   376   NtTestAlert  (...
 01012   596   NtTestAlert  ... ) == 0x0
 01016  1180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01017   120   NtSetEventBoostPriority  (88, ...
 01013   420   NtRegisterThreadTerminatePort  ... ) == 0x0
 01018  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0\364\1\0\0" ...  ...
 01014  1356   NtDuplicateObject  ... 244, ) == 0x0
 01015   376   NtTestAlert  ... ) == 0x0
 01019   596   NtContinue  (23919920, 1, ...
 01020  1168   NtTestAlert  (...
 00908   928   NtWaitForSingleObject  ... ) == 0x0
 01017   120   NtSetEventBoostPriority  ... ) == 0x0
 01021   420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01018  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75511, 0}  ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0d\6\0\0\364\1\0\0" )  ) == 0x0
 01022  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 01023   376   NtContinue  (24968496, 1, ...
 01024   596   NtRegisterThreadTerminatePort  (24, ...
 01025   928   NtSetEventBoostPriority  (88, ...
 01020  1168   NtTestAlert  ... ) == 0x0
 01016  1180   NtDuplicateObject  ... 248, ) == 0x0
 01026   120   NtTestAlert  (...
 01027  1736   NtResumeThread  (204, ...
 01022  1356   NtOpenKey  ... 252, ) == 0x0
 01028   376   NtRegisterThreadTerminatePort  (24, ...
 00921  1732   NtWaitForSingleObject  ... ) == 0x0
 01025   928   NtSetEventBoostPriority  ... ) == 0x0
 01024   596   NtRegisterThreadTerminatePort  ... ) == 0x0
 01029  1168   NtContinue  (26017072, 1, ...
 01030  1180   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ...
 01026   120   NtTestAlert  ... ) == 0x0
 01027  1736   NtResumeThread  ... 1, ) == 0x0
 01021   420   NtDuplicateObject  ... 256, ) == 0x0
 01031  1732   NtSetEventBoostPriority  (88, ...
 01028   376   NtRegisterThreadTerminatePort  ... ) == 0x0
 01032  1356   NtQueryValueKey  (252,  (252, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 01033   500   NtWaitForSingleObject  (88, 0, 0x0, ...
 01034   596   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01035  1168   NtRegisterThreadTerminatePort  (24, ...
 01030  1180   NtAllocateVirtualMemory  ... 1368064, 4096, ) == 0x0
 01036   120   NtContinue  (27065648, 1, ...
 01037  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00933   428   NtWaitForSingleObject  ... ) == 0x0
 01031  1732   NtSetEventBoostPriority  ... ) == 0x0
 01038   420   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01039   376   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01032  1356   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01040   928   NtTestAlert  (...
 01035  1168   NtRegisterThreadTerminatePort  ... ) == 0x0
 01041  1180   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01042   120   NtRegisterThreadTerminatePort  (24, ...
 01034   596   NtCreateEvent  ... 260, ) == 0x0
 01043   428   NtSetEventBoostPriority  (88, ...
 01037  1736   NtAllocateVirtualMemory  ... 35454976, 1048576, ) == 0x0
 01038   420   NtCreateEvent  ... 264, ) == 0x0
 01044  1732   NtTestAlert  (...
 01045  1356   NtClose  (252, ...
 01040   928   NtTestAlert  ... ) == 0x0
 01046  1168   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01041  1180   NtCreateEvent  ... 268, ) == 0x0
 01042   120   NtRegisterThreadTerminatePort  ... ) == 0x0
 00946   748   NtWaitForSingleObject  ... ) == 0x0
 01043   428   NtSetEventBoostPriority  ... ) == 0x0
 01047   596   NtWaitForSingleObject  (260, 0, 0x0, ...
 01048  1736   NtAllocateVirtualMemory  (-1, 36495360, 0, 8192, 4096, 4, ...
 01049   420   NtClose  (264, ...
 01044  1732   NtTestAlert  ... ) == 0x0
 01045  1356   NtClose  ... ) == 0x0
 01050   928   NtContinue  (28114224, 1, ...
 01039   376   NtCreateEvent  ... 252, ) == 0x0
 01051  1180   NtClose  (268, ...
 01052   748   NtSetEventBoostPriority  (88, ...
 01053   120   NtWaitForSingleObject  (260, 0, 0x0, ...
 01046  1168   NtCreateEvent  ... 272, ) == 0x0
 01048  1736   NtAllocateVirtualMemory  ... 36495360, 8192, ) == 0x0
 01049   420   NtClose  ... ) == 0x0
 01054  1732   NtContinue  (29162800, 1, ...
 01055  1356   NtWaitForSingleObject  (260, 0, 0x0, ...
 01056   928   NtRegisterThreadTerminatePort  (24, ...
 01057   376   NtClose  (252, ...
 01058   428   NtTestAlert  (...
 00970  1300   NtWaitForSingleObject  ... ) == 0x0
 01052   748   NtSetEventBoostPriority  ... ) == 0x0
 01051  1180   NtClose  ... ) == 0x0
 01059  1168   NtClose  (272, ...
 01060  1736   NtProtectVirtualMemory  (-1, (0x22ce000), 4096, 260, ...
 01061   420   NtWaitForSingleObject  (260, 0, 0x0, ...
 01062  1732   NtRegisterThreadTerminatePort  (24, ...
 01056   928   NtRegisterThreadTerminatePort  ... ) == 0x0
 01057   376   NtClose  ... ) == 0x0
 01063  1300   NtSetEventBoostPriority  (88, ...
 01058   428   NtTestAlert  ... ) == 0x0
 01064  1180   NtSetEventBoostPriority  (260, ...
 01059  1168   NtClose  ... ) == 0x0
 01060  1736   NtProtectVirtualMemory  ... (0x22ce000), 4096, 4, ) == 0x0
 01065   748   NtTestAlert  (...
 01062  1732   NtRegisterThreadTerminatePort  ... ) == 0x0
 01066   928   NtWaitForSingleObject  (260, 0, 0x0, ...
 00983  1096   NtWaitForSingleObject  ... ) == 0x0
 01063  1300   NtSetEventBoostPriority  ... ) == 0x0
 01067   376   NtWaitForSingleObject  (260, 0, 0x0, ...
 01068   428   NtContinue  (30211376, 1, ...
 01047   596   NtWaitForSingleObject  ... ) == 0x0
 01064  1180   NtSetEventBoostPriority  ... ) == 0x0
 01069  1168   NtWaitForSingleObject  (260, 0, 0x0, ...
 01070  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01065   748   NtTestAlert  ... ) == 0x0
 01071  1732   NtWaitForSingleObject  (260, 0, 0x0, ...
 01072  1096   NtSetEventBoostPriority  (88, ...
 01073   596   NtSetEventBoostPriority  (260, ...
 01074   428   NtRegisterThreadTerminatePort  (24, ...
 01075  1180   NtWaitForSingleObject  (260, 0, 0x0, ...
 01076  1300   NtTestAlert  (...
 01077   748   NtContinue  (31259952, 1, ...
 01070  1736   NtCreateThread  ... 272, {1636, 1132}, ) == 0x0
 00995   252   NtWaitForSingleObject  ... ) == 0x0
 01055  1356   NtWaitForSingleObject  ... ) == 0x0
 01073   596   NtSetEventBoostPriority  ... ) == 0x0
 01072  1096   NtSetEventBoostPriority  ... ) == 0x0
 01074   428   NtRegisterThreadTerminatePort  ... ) == 0x0
 01076  1300   NtTestAlert  ... ) == 0x0
 01078   748   NtRegisterThreadTerminatePort  (24, ...
 01079   252   NtSetEventBoostPriority  (88, ...
 01080  1356   NtSetEventBoostPriority  (260, ...
 01081  1736   NtQueryInformationThread  (272, Basic, 28, ...
 01082   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01083   428   NtWaitForSingleObject  (260, 0, 0x0, ...
 01084  1300   NtContinue  (32308528, 1, ...
 00997   868   NtWaitForSingleObject  ... ) == 0x0
 01053   120   NtWaitForSingleObject  ... ) == 0x0
 01080  1356   NtSetEventBoostPriority  ... ) == 0x0
 01079   252   NtSetEventBoostPriority  ... ) == 0x0
 01078   748   NtRegisterThreadTerminatePort  ... ) == 0x0
 01081  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1636,Tid=1132,}, 0x0, ) == 0x0
 01082   596   NtDuplicateObject  ... 252, ) == 0x0
 01085  1096   NtTestAlert  (...
 01086   868   NtSetEventBoostPriority  (88, ...
 01087   120   NtSetEventBoostPriority  (260, ...
 01088  1300   NtRegisterThreadTerminatePort  (24, ...
 01089  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01090   748   NtWaitForSingleObject  (260, 0, 0x0, ...
 01091  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0d\6\0\0l\4\0\0" ...  ...
 01092   596   NtWaitForSingleObject  (260, 0, 0x0, ...
 01033   500   NtWaitForSingleObject  ... ) == 0x0
 01061   420   NtWaitForSingleObject  ... ) == 0x0
 01086   868   NtSetEventBoostPriority  ... ) == 0x0
 01085  1096   NtTestAlert  ... ) == 0x0
 01088  1300   NtRegisterThreadTerminatePort  ... ) == 0x0
 01089  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01087   120   NtSetEventBoostPriority  ... ) == 0x0
 01093   252   NtTestAlert  (...
 01091  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75512, 0}  ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\1\0\0d\6\0\0l\4\0\0" )  ) == 0x0
 01094   500   NtTestAlert  (...
 01095   420   NtSetEventBoostPriority  (260, ...
 01096  1096   NtContinue  (33357104, 1, ...
 01097  1300   NtWaitForSingleObject  (260, 0, 0x0, ...
 01098  1356   NtOpenThreadToken  (-2, 0x20008, 1, ...
 01099   120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01093   252   NtTestAlert  ... ) == 0x0
 01100   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 01094   500   NtTestAlert  ... ) == 0x0
 01066   928   NtWaitForSingleObject  ... ) == 0x0
 01101  1096   NtRegisterThreadTerminatePort  (24, ...
 01095   420   NtSetEventBoostPriority  ... ) == 0x0
 01102  1736   NtResumeThread  (272, ...
 01098  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01099   120   NtDuplicateObject  ... 268, ) == 0x0
 01103   252   NtContinue  (34405680, 1, ...
 01104   928   NtSetEventBoostPriority  (260, ...
 01101  1096   NtRegisterThreadTerminatePort  ... ) == 0x0
 01105   420   NtWaitForSingleObject  (260, 0, 0x0, ...
 01102  1736   NtResumeThread  ... 1, ) == 0x0
 01106  1356   NtWaitForSingleObject  (260, 0, 0x0, ...
 01107   500   NtContinue  (35454256, 1, ...
 01108  1132   NtAllocateVirtualMemory  (-1, 8867840, 0, 4096, 4096, 4, ...
 01109   252   NtRegisterThreadTerminatePort  (24, ...
 01110   120   NtWaitForSingleObject  (260, 0, 0x0, ...
 01111  1096   NtWaitForSingleObject  (260, 0, 0x0, ...
 01112  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01113   500   NtRegisterThreadTerminatePort  (24, ...
 01108  1132   NtAllocateVirtualMemory  ... 8867840, 4096, ) == 0x0
 01109   252   NtRegisterThreadTerminatePort  ... ) == 0x0
 01067   376   NtWaitForSingleObject  ... ) == 0x0
 01104   928   NtSetEventBoostPriority  ... ) == 0x0
 01112  1736   NtAllocateVirtualMemory  ... 36503552, 1048576, ) == 0x0
 01113   500   NtRegisterThreadTerminatePort  ... ) == 0x0
 01114  1132   NtTestAlert  (...
 01115   252   NtWaitForSingleObject  (260, 0, 0x0, ...
 01116   376   NtSetEventBoostPriority  (260, ...
 01117   928   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01118  1736   NtAllocateVirtualMemory  (-1, 37543936, 0, 8192, 4096, 4, ...
 01119   500   NtWaitForSingleObject  (260, 0, 0x0, ...
 01114  1132   NtTestAlert  ... ) == 0x0
 01069  1168   NtWaitForSingleObject  ... ) == 0x0
 01116   376   NtSetEventBoostPriority  ... ) == 0x0
 01117   928   NtDuplicateObject  ... 264, ) == 0x0
 01118  1736   NtAllocateVirtualMemory  ... 37543936, 8192, ) == 0x0
 01120  1168   NtSetEventBoostPriority  (260, ...
 01121  1132   NtContinue  (36502832, 1, ...
 01122   928   NtWaitForSingleObject  (260, 0, 0x0, ...
 01123   376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01075  1180   NtWaitForSingleObject  ... ) == 0x0
 01120  1168   NtSetEventBoostPriority  ... ) == 0x0
 01124  1736   NtProtectVirtualMemory  (-1, (0x23ce000), 4096, 260, ...
 01125  1180   NtSetEventBoostPriority  (260, ...
 01123   376   NtDuplicateObject  ... 276, ) == 0x0
 01126  1132   NtRegisterThreadTerminatePort  (24, ...
 01071  1732   NtWaitForSingleObject  ... ) == 0x0
 01125  1180   NtSetEventBoostPriority  ... ) == 0x0
 01124  1736   NtProtectVirtualMemory  ... (0x23ce000), 4096, 4, ) == 0x0
 01127   376   NtWaitForSingleObject  (260, 0, 0x0, ...
 01128  1732   NtSetEventBoostPriority  (260, ...
 01126  1132   NtRegisterThreadTerminatePort  ... ) == 0x0
 01129  1168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01130  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01083   428   NtWaitForSingleObject  ... ) == 0x0
 01131  1132   NtWaitForSingleObject  (260, 0, 0x0, ...
 01129  1168   NtDuplicateObject  ... 280, ) == 0x0
 01130  1736   NtCreateThread  ... 284, {1636, 1024}, ) == 0x0
 01132   428   NtSetEventBoostPriority  (260, ...
 01133  1168   NtWaitForSingleObject  (260, 0, 0x0, ...
 01134  1736   NtQueryInformationThread  (284, Basic, 28, ...
 01092   596   NtWaitForSingleObject  ... ) == 0x0
 01134  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1636,Tid=1024,}, 0x0, ) == 0x0
 01135   596   NtSetEventBoostPriority  (260, ...
 01132   428   NtSetEventBoostPriority  ... ) == 0x0
 01128  1732   NtSetEventBoostPriority  ... ) == 0x0
 01136  1180   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01090   748   NtWaitForSingleObject  ... ) == 0x0
 01135   596   NtSetEventBoostPriority  ... ) == 0x0
 01137   428   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01138  1732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01139   748   NtSetEventBoostPriority  (260, ...
 01136  1180   NtWaitForSingleObject  ... ) == 0x102
 01140  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0d\6\0\0\0\4\0\0" ...  ...
 01137   428   NtDuplicateObject  ... 288, ) == 0x0
 01100   868   NtWaitForSingleObject  ... ) == 0x0
 01138  1732   NtDuplicateObject  ... 292, ) == 0x0
 01141  1180   NtWaitForSingleObject  (260, 0, 0x0, ...
 01140  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75513, 0}  ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0d\6\0\0\0\4\0\0" )  ) == 0x0
 01139   748   NtSetEventBoostPriority  ... ) == 0x0
 01142   596   NtWaitForSingleObject  (260, 0, 0x0, ...
 01143   868   NtSetEventBoostPriority  (260, ...
 01144   428   NtWaitForSingleObject  (260, 0, 0x0, ...
 01145  1736   NtResumeThread  (284, ...
 01146   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01097  1300   NtWaitForSingleObject  ... ) == 0x0
 01143   868   NtSetEventBoostPriority  ... ) == 0x0
 01145  1736   NtResumeThread  ... 1, ) == 0x0
 01147  1300   NtSetEventBoostPriority  (260, ...
 01146   748   NtDuplicateObject  ... 296, ) == 0x0
 01148   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 01105   420   NtWaitForSingleObject  ... ) == 0x0
 01149  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01147  1300   NtSetEventBoostPriority  ... ) == 0x0
 01150  1732   NtWaitForSingleObject  (260, 0, 0x0, ...
 01151  1024   NtTestAlert  (...
 01152   748   NtWaitForSingleObject  (260, 0, 0x0, ...
 01153   420   NtSetEventBoostPriority  (260, ...
 01154  1300   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01151  1024   NtTestAlert  ... ) == 0x0
 01106  1356   NtWaitForSingleObject  ... ) == 0x0
 01153   420   NtSetEventBoostPriority  ... ) == 0x0
 01154  1300   NtDuplicateObject  ... 300, ) == 0x0
 01155  1356   NtSetEventBoostPriority  (260, ...
 01156  1024   NtContinue  (37551408, 1, ...
 01149  1736   NtAllocateVirtualMemory  ... 37552128, 1048576, ) == 0x0
 01157   420   NtWaitForSingleObject  (260, 0, 0x0, ...
 01110   120   NtWaitForSingleObject  ... ) == 0x0
 01155  1356   NtSetEventBoostPriority  ... ) == 0x0
 01158  1024   NtRegisterThreadTerminatePort  (24, ...
 01159  1736   NtAllocateVirtualMemory  (-1, 38592512, 0, 8192, 4096, 4, ...
 01160   120   NtSetEventBoostPriority  (260, ...
 01161  1300   NtWaitForSingleObject  (260, 0, 0x0, ...
 01158  1024   NtRegisterThreadTerminatePort  ... ) == 0x0
 01111  1096   NtWaitForSingleObject  ... ) == 0x0
 01160   120   NtSetEventBoostPriority  ... ) == 0x0
 01159  1736   NtAllocateVirtualMemory  ... 38592512, 8192, ) == 0x0
 01162  1356   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01163  1096   NtSetEventBoostPriority  (260, ...
 01164   120   NtWaitForSingleObject  (260, 0, 0x0, ...
 01165  1736   NtProtectVirtualMemory  (-1, (0x24ce000), 4096, 260, ...
 01119   500   NtWaitForSingleObject  ... ) == 0x0
 01162  1356   NtCreateEvent  ... 304, ) == 0x0
 01163  1096   NtSetEventBoostPriority  ... ) == 0x0
 01166  1024   NtWaitForSingleObject  (260, 0, 0x0, ...
 01165  1736   NtProtectVirtualMemory  ... (0x24ce000), 4096, 4, ) == 0x0
 01167   500   NtSetEventBoostPriority  (260, ...
 01168  1356   NtWaitForSingleObject  (304, 0, 0x0, ...
 01169  1096   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01170  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01115   252   NtWaitForSingleObject  ... ) == 0x0
 01167   500   NtSetEventBoostPriority  ... ) == 0x0
 01169  1096   NtDuplicateObject  ... 308, ) == 0x0
 01171   252   NtSetEventBoostPriority  (260, ...
 01170  1736   NtCreateThread  ... 312, {1636, 948}, ) == 0x0
 01172   500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01122   928   NtWaitForSingleObject  ... ) == 0x0
 01173  1736   NtQueryInformationThread  (312, Basic, 28, ...
 01172   500   NtDuplicateObject  ... 316, ) == 0x0
 01174   928   NtSetEventBoostPriority  (260, ...
 01173  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1636,Tid=948,}, 0x0, ) == 0x0
 01175   500   NtWaitForSingleObject  (260, 0, 0x0, ...
 01127   376   NtWaitForSingleObject  ... ) == 0x0
 01174   928   NtSetEventBoostPriority  ... ) == 0x0
 01176  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0d\6\0\0\264\3\0\0" ...  ...
 01177   376   NtSetEventBoostPriority  (260, ...
 01171   252   NtSetEventBoostPriority  ... ) == 0x0
 01178  1096   NtWaitForSingleObject  (260, 0, 0x0, ...
 01131  1132   NtWaitForSingleObject  ... ) == 0x0
 01177   376   NtSetEventBoostPriority  ... ) == 0x0
 01176  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75514, 0}  ... {28, 56, reply, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0d\6\0\0\264\3\0\0" )  ) == 0x0
 01179   252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01180  1132   NtSetEventBoostPriority  (260, ...
 01181   928   NtWaitForSingleObject  (260, 0, 0x0, ...
 01182   376   NtWaitForSingleObject  (260, 0, 0x0, ...
 01133  1168   NtWaitForSingleObject  ... ) == 0x0
 01180  1132   NtSetEventBoostPriority  ... ) == 0x0
 01179   252   NtDuplicateObject  ... 320, ) == 0x0
 01183  1168   NtSetEventBoostPriority  (260, ...
 01184  1736   NtResumeThread  (312, ...
 01185  1132   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01141  1180   NtWaitForSingleObject  ... ) == 0x0
 01183  1168   NtSetEventBoostPriority  ... ) == 0x0
 01184  1736   NtResumeThread  ... 1, ) == 0x0
 01186  1180   NtSetEventBoostPriority  (260, ...
 01185  1132   NtDuplicateObject  ... 324, ) == 0x0
 01187   252   NtWaitForSingleObject  (260, 0, 0x0, ...
 01188   948   NtTestAlert  (...
 01142   596   NtWaitForSingleObject  ... ) == 0x0
 01186  1180   NtSetEventBoostPriority  ... ) == 0x0
 01189  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01190  1132   NtWaitForSingleObject  (260, 0, 0x0, ...
 01191   596   NtSetEventBoostPriority  (260, ...
 01188   948   NtTestAlert  ... ) == 0x0
 01192  1168   NtWaitForSingleObject  (260, 0, 0x0, ...
 01189  1736   NtAllocateVirtualMemory  ... 38600704, 1048576, ) == 0x0
 01144   428   NtWaitForSingleObject  ... ) == 0x0
 01191   596   NtSetEventBoostPriority  ... ) == 0x0
 01193   948   NtContinue  (38599984, 1, ...
 01194   428   NtSetEventBoostPriority  (260, ...
 01195  1736   NtAllocateVirtualMemory  (-1, 39641088, 0, 8192, 4096, 4, ...
 01196   596   NtWaitForSingleObject  (260, 0, 0x0, ...
 01148   868   NtWaitForSingleObject  ... ) == 0x0
 01194   428   NtSetEventBoostPriority  ... ) == 0x0
 01197   948   NtRegisterThreadTerminatePort  (24, ...
 01195  1736   NtAllocateVirtualMemory  ... 39641088, 8192, ) == 0x0
 01198  1180   NtWaitForSingleObject  (140, 0, 0x0, ...
 01199   868   NtSetEventBoostPriority  (260, ...
 01200   428   NtWaitForSingleObject  (260, 0, 0x0, ...
 01197   948   NtRegisterThreadTerminatePort  ... ) == 0x0
 01150  1732   NtWaitForSingleObject  ... ) == 0x0
 01199   868   NtSetEventBoostPriority  ... ) == 0x0
 01201  1736   NtProtectVirtualMemory  (-1, (0x25ce000), 4096, 260, ...
 01202  1732   NtSetEventBoostPriority  (260, ...
 01203   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 01201  1736   NtProtectVirtualMemory  ... (0x25ce000), 4096, 4, ) == 0x0
 01152   748   NtWaitForSingleObject  ... ) == 0x0
 01202  1732   NtSetEventBoostPriority  ... ) == 0x0
 01204   748   NtSetEventBoostPriority  (260, ...
 01205  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01157   420   NtWaitForSingleObject  ... ) == 0x0
 01204   748   NtSetEventBoostPriority  ... ) == 0x0
 01206  1732   NtWaitForSingleObject  (260, 0, 0x0, ...
 01207   420   NtSetEventBoostPriority  (260, ...
 01205  1736   NtCreateThread  ... 328, {1636, 1064}, ) == 0x0
 01208   748   NtWaitForSingleObject  (260, 0, 0x0, ...
 01209   948   NtWaitForSingleObject  (260, 0, 0x0, ...
 01161  1300   NtWaitForSingleObject  ... ) == 0x0
 01207   420   NtSetEventBoostPriority  ... ) == 0x0
 01210  1736   NtQueryInformationThread  (328, Basic, 28, ...
 01211  1300   NtSetEventBoostPriority  (260, ...
 01212   420   NtSetEventBoostPriority  (304, ...
 01166  1024   NtWaitForSingleObject  ... ) == 0x0
 01211  1300   NtSetEventBoostPriority  ... ) == 0x0
 01210  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1636,Tid=1064,}, 0x0, ) == 0x0
 01213  1024   NtSetEventBoostPriority  (260, ...
 01214  1300   NtWaitForSingleObject  (260, 0, 0x0, ...
 01168  1356   NtWaitForSingleObject  ... ) == 0x0
 01212   420   NtSetEventBoostPriority  ... ) == 0x0
 01164   120   NtWaitForSingleObject  ... ) == 0x0
 01213  1024   NtSetEventBoostPriority  ... ) == 0x0
 01215  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0d\6\0\0(\4\0\0" ...  ...
 01216  1356   NtWaitForSingleObject  (260, 0, 0x0, ...
 01217   120   NtSetEventBoostPriority  (260, ...
 01218   420   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01219  1024   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01215  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75515, 0}  ... {28, 56, reply, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0d\6\0\0(\4\0\0" )  ) == 0x0
 01175   500   NtWaitForSingleObject  ... ) == 0x0
 01218   420   NtWaitForSingleObject  ... ) == 0x102
 01217   120   NtSetEventBoostPriority  ... ) == 0x0
 01220  1736   NtResumeThread  (328, ...
 01221   500   NtSetEventBoostPriority  (260, ...
 01222   420   NtWaitForSingleObject  (140, 0, 0x0, ...
 01223   120   NtWaitForSingleObject  (304, 0, 0x0, ...
 01220  1736   NtResumeThread  ... 1, ) == 0x0
 01178  1096   NtWaitForSingleObject  ... ) == 0x0
 01221   500   NtSetEventBoostPriority  ... ) == 0x0
 01224  1096   NtSetEventBoostPriority  (260, ...
 01225  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01219  1024   NtDuplicateObject  ... 332, ) == 0x0
 01226  1064   NtTestAlert  (...
 01181   928   NtWaitForSingleObject  ... ) == 0x0
 01224  1096   NtSetEventBoostPriority  ... ) == 0x0
 01227   500   NtWaitForSingleObject  (260, 0, 0x0, ...
 01228  1024   NtWaitForSingleObject  (260, 0, 0x0, ...
 01229   928   NtSetEventBoostPriority  (260, ...
 01226  1064   NtTestAlert  ... ) == 0x0
 01230  1096   NtWaitForSingleObject  (260, 0, 0x0, ...
 01182   376   NtWaitForSingleObject  ... ) == 0x0
 01229   928   NtSetEventBoostPriority  ... ) == 0x0
 01231  1064   NtContinue  (39648560, 1, ...
 01225  1736   NtAllocateVirtualMemory  ... 39649280, 1048576, ) == 0x0
 01232   376   NtSetEventBoostPriority  (260, ...
 01233   928   NtWaitForSingleObject  (260, 0, 0x0, ...
 01234  1064   NtRegisterThreadTerminatePort  (24, ...
 01187   252   NtWaitForSingleObject  ... ) == 0x0
 01232   376   NtSetEventBoostPriority  ... ) == 0x0
 01235  1736   NtAllocateVirtualMemory  (-1, 40689664, 0, 8192, 4096, 4, ...
 01236   252   NtSetEventBoostPriority  (260, ...
 01234  1064   NtRegisterThreadTerminatePort  ... ) == 0x0
 01237   376   NtWaitForSingleObject  (260, 0, 0x0, ...
 01190  1132   NtWaitForSingleObject  ... ) == 0x0
 01236   252   NtSetEventBoostPriority  ... ) == 0x0
 01235  1736   NtAllocateVirtualMemory  ... 40689664, 8192, ) == 0x0
 01238  1064   NtWaitForSingleObject  (260, 0, 0x0, ...
 01239  1132   NtSetEventBoostPriority  (260, ...
 01240   252   NtWaitForSingleObject  (260, 0, 0x0, ...
 01241  1736   NtProtectVirtualMemory  (-1, (0x26ce000), 4096, 260, ...
 01192  1168   NtWaitForSingleObject  ... ) == 0x0
 01239  1132   NtSetEventBoostPriority  ... ) == 0x0
 01242  1168   NtSetEventBoostPriority  (260, ...
 01241  1736   NtProtectVirtualMemory  ... (0x26ce000), 4096, 4, ) == 0x0
 01196   596   NtWaitForSingleObject  ... ) == 0x0
 01242  1168   NtSetEventBoostPriority  ... ) == 0x0
 01243   596   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ...
 01244  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01243   596   NtAllocateVirtualMemory  ... 1372160, 4096, ) == 0x0
 01245  1168   NtWaitForSingleObject  (260, 0, 0x0, ...
 01246  1132   NtWaitForSingleObject  (260, 0, 0x0, ...
 01247   596   NtSetEventBoostPriority  (260, ...
 01244  1736   NtCreateThread  ... 336, {1636, 1384}, ) == 0x0
 01200   428   NtWaitForSingleObject  ... ) == 0x0
 01248  1736   NtQueryInformationThread  (336, Basic, 28, ...
 01249   428   NtSetEventBoostPriority  (260, ...
 01248  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1636,Tid=1384,}, 0x0, ) == 0x0
 01203   868   NtWaitForSingleObject  ... ) == 0x0
 01250  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0d\6\0\0h\5\0\0" ...  ...
 01251   868   NtSetEventBoostPriority  (260, ...
 01250  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75516, 0}  ... {28, 56, reply, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0d\6\0\0h\5\0\0" )  ) == 0x0
 01206  1732   NtWaitForSingleObject  ... ) == 0x0
 01251   868   NtSetEventBoostPriority  ... ) == 0x0
 01249   428   NtSetEventBoostPriority  ... ) == 0x0
 01247   596   NtSetEventBoostPriority  ... ) == 0x0
 01252  1732   NtSetEventBoostPriority  (260, ...
 01253  1736   NtResumeThread  (336, ...
 01254   428   NtWaitForSingleObject  (304, 0, 0x0, ...
 01255   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 01209   948   NtWaitForSingleObject  ... ) == 0x0
 01253  1736   NtResumeThread  ... 1, ) == 0x0
 01256   948   NtSetEventBoostPriority  (260, ...
 01257  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01208   748   NtWaitForSingleObject  ... ) == 0x0
 01256   948   NtSetEventBoostPriority  ... ) == 0x0
 01258   748   NtSetEventBoostPriority  (260, ...
 01257  1736   NtAllocateVirtualMemory  ... 40697856, 1048576, ) == 0x0
 01216  1356   NtWaitForSingleObject  ... ) == 0x0
 01259   948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01260  1736   NtAllocateVirtualMemory  (-1, 41738240, 0, 8192, 4096, 4, ...
 01261  1356   NtSetEventBoostPriority  (260, ...
 01258   748   NtSetEventBoostPriority  ... ) == 0x0
 01252  1732   NtSetEventBoostPriority  ... ) == 0x0
 01262   596   NtWaitForSingleObject  (304, 0, 0x0, ...
 01263  1384   NtTestAlert  (...
 01260  1736   NtAllocateVirtualMemory  ... 41738240, 8192, ) == 0x0
 01214  1300   NtWaitForSingleObject  ... ) == 0x0
 01261  1356   NtSetEventBoostPriority  ... ) == 0x0
 01264   748   NtWaitForSingleObject  (304, 0, 0x0, ...
 01265  1732   NtWaitForSingleObject  (304, 0, 0x0, ...
 01263  1384   NtTestAlert  ... ) == 0x0
 01259   948   NtDuplicateObject  ... 340, ) == 0x0
 01266  1300   NtSetEventBoostPriority  (260, ...
 01267  1736   NtProtectVirtualMemory  (-1, (0x27ce000), 4096, 260, ...
 01268  1384   NtContinue  (40697136, 1, ...
 01227   500   NtWaitForSingleObject  ... ) == 0x0
 01269   948   NtWaitForSingleObject  (260, 0, 0x0, ...
 01267  1736   NtProtectVirtualMemory  ... (0x27ce000), 4096, 4, ) == 0x0
 01270  1384   NtRegisterThreadTerminatePort  (24, ...
 01271   500   NtSetEventBoostPriority  (260, ...
 01272  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01270  1384   NtRegisterThreadTerminatePort  ... ) == 0x0
 01228  1024   NtWaitForSingleObject  ... ) == 0x0
 01271   500   NtSetEventBoostPriority  ... ) == 0x0
 01272  1736   NtCreateThread  ... 344, {1636, 188}, ) == 0x0
 01266  1300   NtSetEventBoostPriority  ... ) == 0x0
 01273  1356   NtSetEventBoostPriority  (304, ...
 01274  1024   NtSetEventBoostPriority  (260, ...
 01275   500   NtWaitForSingleObject  (304, 0, 0x0, ...
 01276  1736   NtQueryInformationThread  (344, Basic, 28, ...
 01277  1300   NtWaitForSingleObject  (304, 0, 0x0, ...
 01230  1096   NtWaitForSingleObject  ... ) == 0x0
 01274  1024   NtSetEventBoostPriority  ... ) == 0x0
 01223   120   NtWaitForSingleObject  ... ) == 0x0
 01273  1356   NtSetEventBoostPriority  ... ) == 0x0
 01278  1384   NtWaitForSingleObject  (260, 0, 0x0, ...
 01276  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1636,Tid=188,}, 0x0, ) == 0x0
 01279  1096   NtSetEventBoostPriority  (260, ...
 01280   120   NtSetEventBoostPriority  (304, ...
 01281  1356   NtWaitForSingleObject  (304, 0, 0x0, ...
 01282  1024   NtWaitForSingleObject  (260, 0, 0x0, ...
 01233   928   NtWaitForSingleObject  ... ) == 0x0
 01254   428   NtWaitForSingleObject  ... ) == 0x0
 01280   120   NtSetEventBoostPriority  ... ) == 0x0
 01283   428   NtWaitForSingleObject  (260, 0, 0x0, ...
 01284   928   NtSetEventBoostPriority  (260, ...
 01279  1096   NtSetEventBoostPriority  ... ) == 0x0
 01285  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0d\6\0\0\274\0\0\0" ...  ...
 01238  1064   NtWaitForSingleObject  ... ) == 0x0
 01286  1096   NtWaitForSingleObject  (260, 0, 0x0, ...
 01285  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75517, 0}  ... {28, 56, reply, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\1\0\0d\6\0\0\274\0\0\0" )  ) == 0x0
 01287  1064   NtSetEventBoostPriority  (260, ...
 01288  1736   NtResumeThread  (344, ...
 01237   376   NtWaitForSingleObject  ... ) == 0x0
 01287  1064   NtSetEventBoostPriority  ... ) == 0x0
 01289   376   NtSetEventBoostPriority  (260, ...
 01288  1736   NtResumeThread  ... 1, ) == 0x0
 01240   252   NtWaitForSingleObject  ... ) == 0x0
 01290  1064   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01291  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01292   252   NtSetEventBoostPriority  (260, ...
 01289   376   NtSetEventBoostPriority  ... ) == 0x0
 01284   928   NtSetEventBoostPriority  ... ) == 0x0
 01293   120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01294   188   NtTestAlert  (...
 01290  1064   NtDuplicateObject  ... 348, ) == 0x0
 01246  1132   NtWaitForSingleObject  ... ) == 0x0
 01295   376   NtWaitForSingleObject  (304, 0, 0x0, ...
 01296   928   NtWaitForSingleObject  (304, 0, 0x0, ...
 01293   120   NtWaitForSingleObject  ... ) == 0x102
 01294   188   NtTestAlert  ... ) == 0x0
 01297  1064   NtWaitForSingleObject  (260, 0, 0x0, ...
 01298  1132   NtSetEventBoostPriority  (260, ...
 01299   120   NtWaitForSingleObject  (140, 0, 0x0, ...
 01300   188   NtContinue  (41745712, 1, ...
 01245  1168   NtWaitForSingleObject  ... ) == 0x0
 01298  1132   NtSetEventBoostPriority  ... ) == 0x0
 01301  1168   NtSetEventBoostPriority  (260, ...
 01302   188   NtRegisterThreadTerminatePort  (24, ...
 01255   868   NtWaitForSingleObject  ... ) == 0x0
 01303  1132   NtWaitForSingleObject  (304, 0, 0x0, ...
 01302   188   NtRegisterThreadTerminatePort  ... ) == 0x0
 01304   868   NtSetEventBoostPriority  (260, ...
 01301  1168   NtSetEventBoostPriority  ... ) == 0x0
 01292   252   NtSetEventBoostPriority  ... ) == 0x0
 01291  1736   NtAllocateVirtualMemory  ... 41746432, 1048576, ) == 0x0
 01269   948   NtWaitForSingleObject  ... ) == 0x0
 01304   868   NtSetEventBoostPriority  ... ) == 0x0
 01305  1168   NtWaitForSingleObject  (304, 0, 0x0, ...
 01306   252   NtWaitForSingleObject  (304, 0, 0x0, ...
 01307   948   NtSetEventBoostPriority  (260, ...
 01308  1736   NtAllocateVirtualMemory  (-1, 42786816, 0, 8192, 4096, 4, ...
 01309   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01278  1384   NtWaitForSingleObject  ... ) == 0x0
 01307   948   NtSetEventBoostPriority  ... ) == 0x0
 01308  1736   NtAllocateVirtualMemory  ... 42786816, 8192, ) == 0x0
 01310   188   NtWaitForSingleObject  (260, 0, 0x0, ...
 01311  1384   NtSetEventBoostPriority  (260, ...
 01309   868   NtCreateEvent  ... 352, ) == 0x0
 01312  1736   NtProtectVirtualMemory  (-1, (0x28ce000), 4096, 260, ...
 01282  1024   NtWaitForSingleObject  ... ) == 0x0
 01311  1384   NtSetEventBoostPriority  ... ) == 0x0
 01313   868   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01314  1024   NtSetEventBoostPriority  (260, ...
 01312  1736   NtProtectVirtualMemory  ... (0x28ce000), 4096, 4, ) == 0x0
 01315  1384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01283   428   NtWaitForSingleObject  ... ) == 0x0
 01314  1024   NtSetEventBoostPriority  ... ) == 0x0
 01313   868   NtDuplicateObject  ... 356, ) == 0x0
 01316  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01317   948   NtWaitForSingleObject  (304, 0, 0x0, ...
 01318   428   NtSetEventBoostPriority  (260, ...
 01319  1024   NtWaitForSingleObject  (304, 0, 0x0, ...
 01320   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 01315  1384   NtDuplicateObject  ... 360, ) == 0x0
 01286  1096   NtWaitForSingleObject  ... ) == 0x0
 01318   428   NtSetEventBoostPriority  ... ) == 0x0
 01316  1736   NtCreateThread  ... 364, {1636, 1600}, ) == 0x0
 01321  1096   NtSetEventBoostPriority  (260, ...
 01322  1384   NtWaitForSingleObject  (260, 0, 0x0, ...
 01297  1064   NtWaitForSingleObject  ... ) == 0x0
 01321  1096   NtSetEventBoostPriority  ... ) == 0x0
 01323  1736   NtQueryInformationThread  (364, Basic, 28, ...
 01324  1064   NtSetEventBoostPriority  (260, ...
 01325   428   NtSetEventBoostPriority  (304, ...
 01310   188   NtWaitForSingleObject  ... ) == 0x0
 01324  1064   NtSetEventBoostPriority  ... ) == 0x0
 01323  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1636,Tid=1600,}, 0x0, ) == 0x0
 01326   188   NtSetEventBoostPriority  (260, ...
 01262   596   NtWaitForSingleObject  ... ) == 0x0
 01325   428   NtSetEventBoostPriority  ... ) == 0x0
 01327  1096   NtWaitForSingleObject  (304, 0, 0x0, ...
 01320   868   NtWaitForSingleObject  ... ) == 0x0
 01328   596   NtWaitForSingleObject  (260, 0, 0x0, ...
 01326   188   NtSetEventBoostPriority  ... ) == 0x0
 01329  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0d\6\0\0@\6\0\0" ...  ...
 01330   428   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01331   868   NtSetEventBoostPriority  (260, ...
 01332   188   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01329  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75518, 0}  ... {28, 56, reply, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0d\6\0\0@\6\0\0" )  ) == 0x0
 01322  1384   NtWaitForSingleObject  ... ) == 0x0
 01331   868   NtSetEventBoostPriority  ... ) == 0x0
 01330   428   NtWaitForSingleObject  ... ) == 0x102
 01333  1064   NtWaitForSingleObject  (304, 0, 0x0, ...
 01332   188   NtDuplicateObject  ... 368, ) == 0x0
 01334  1384   NtSetEventBoostPriority  (260, ...
 01335  1736   NtResumeThread  (364, ...
 01336   428   NtWaitForSingleObject  (140, 0, 0x0, ...
 01328   596   NtWaitForSingleObject  ... ) == 0x0
 01334  1384   NtSetEventBoostPriority  ... ) == 0x0
 01337   188   NtWaitForSingleObject  (260, 0, 0x0, ...
 01335  1736   NtResumeThread  ... 1, ) == 0x0
 01338   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 01339   596   NtSetEventBoostPriority  (260, ...
 01340  1600   NtTestAlert  (...
 01341  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01337   188   NtWaitForSingleObject  ... ) == 0x0
 01339   596   NtSetEventBoostPriority  ... ) == 0x0
 01340  1600   NtTestAlert  ... ) == 0x0
 01342   188   NtSetEventBoostPriority  (260, ...
 01341  1736   NtAllocateVirtualMemory  ... 42795008, 1048576, ) == 0x0
 01343  1384   NtWaitForSingleObject  (304, 0, 0x0, ...
 01338   868   NtWaitForSingleObject  ... ) == 0x0
 01342   188   NtSetEventBoostPriority  ... ) == 0x0
 01344  1600   NtContinue  (42794288, 1, ...
 01345  1736   NtAllocateVirtualMemory  (-1, 43835392, 0, 8192, 4096, 4, ...
 01346   868   NtWaitForSingleObject  (304, 0, 0x0, ...
 01347   596   NtSetEventBoostPriority  (304, ...
 01348  1600   NtRegisterThreadTerminatePort  (24, ...
 01345  1736   NtAllocateVirtualMemory  ... 43835392, 8192, ) == 0x0
 01264   748   NtWaitForSingleObject  ... ) == 0x0
 01347   596   NtSetEventBoostPriority  ... ) == 0x0
 01348  1600   NtRegisterThreadTerminatePort  ... ) == 0x0
 01349   188   NtWaitForSingleObject  (304, 0, 0x0, ...
 01350   748   NtSetEventBoostPriority  (304, ...
 01351   596   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01352  1736   NtProtectVirtualMemory  (-1, (0x29ce000), 4096, 260, ...
 01265  1732   NtWaitForSingleObject  ... ) == 0x0
 01350   748   NtSetEventBoostPriority  ... ) == 0x0
 01351   596   NtWaitForSingleObject  ... ) == 0x102
 01353  1732   NtSetEventBoostPriority  (304, ...
 01352  1736   NtProtectVirtualMemory  ... (0x29ce000), 4096, 4, ) == 0x0
 01354  1600   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01277  1300   NtWaitForSingleObject  ... ) == 0x0
 01353  1732   NtSetEventBoostPriority  ... ) == 0x0
 01355   596   NtWaitForSingleObject  (140, 0, 0x0, ...
 01356  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01357  1300   NtSetEventBoostPriority  (304, ...
 01354  1600   NtDuplicateObject  ... 372, ) == 0x0
 01358   748   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01359  1732   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01275   500   NtWaitForSingleObject  ... ) == 0x0
 01357  1300   NtSetEventBoostPriority  ... ) == 0x0
 01356  1736   NtCreateThread  ... 376, {1636, 1372}, ) == 0x0
 01360  1600   NtWaitForSingleObject  (304, 0, 0x0, ...
 01358   748   NtWaitForSingleObject  ... ) == 0x102
 01361   500   NtSetEventBoostPriority  (304, ...
 01359  1732   NtWaitForSingleObject  ... ) == 0x102
 01362  1736   NtQueryInformationThread  (376, Basic, 28, ...
 01281  1356   NtWaitForSingleObject  ... ) == 0x0
 01363   748   NtWaitForSingleObject  (140, 0, 0x0, ...
 01364  1732   NtWaitForSingleObject  (140, 0, 0x0, ...
 01362  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1636,Tid=1372,}, 0x0, ) == 0x0
 01365  1356   NtSetEventBoostPriority  (304, ...
 01361   500   NtSetEventBoostPriority  ... ) == 0x0
 01366  1300   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01295   376   NtWaitForSingleObject  ... ) == 0x0
 01365  1356   NtSetEventBoostPriority  ... ) == 0x0
 01367   500   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01368   376   NtSetEventBoostPriority  (304, ...
 01366  1300   NtWaitForSingleObject  ... ) == 0x102
 01369  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0d\6\0\0\\5\0\0" ...  ...
 01296   928   NtWaitForSingleObject  ... ) == 0x0
 01368   376   NtSetEventBoostPriority  ... ) == 0x0
 01370  1300   NtWaitForSingleObject  (140, 0, 0x0, ...
 01371   928   NtSetEventBoostPriority  (304, ...
 01369  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75519, 0}  ... {28, 56, reply, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0d\6\0\0\\5\0\0" )  ) == 0x0
 01372  1356   NtWaitForSingleObject  (304, 0, 0x0, ...
 01367   500   NtWaitForSingleObject  ... ) == 0x102
 01303  1132   NtWaitForSingleObject  ... ) == 0x0
 01371   928   NtSetEventBoostPriority  ... ) == 0x0
 01373  1736   NtResumeThread  (376, ...
 01374  1132   NtSetEventBoostPriority  (304, ...
 01375   500   NtWaitForSingleObject  (140, 0, 0x0, ...
 01376   376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01305  1168   NtWaitForSingleObject  ... ) == 0x0
 01373  1736   NtResumeThread  ... 1, ) == 0x0
 01376   376   NtWaitForSingleObject  ... ) == 0x102
 01377  1168   NtSetEventBoostPriority  (304, ...
 01378  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01379   376   NtWaitForSingleObject  (140, 0, 0x0, ...
 01306   252   NtWaitForSingleObject  ... ) == 0x0
 01377  1168   NtSetEventBoostPriority  ... ) == 0x0
 01374  1132   NtSetEventBoostPriority  ... ) == 0x0
 01380   928   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01381  1372   NtTestAlert  (...
 01382   252   NtSetEventBoostPriority  (304, ...
 01378  1736   NtAllocateVirtualMemory  ... 43843584, 1048576, ) == 0x0
 01383  1132   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01380   928   NtWaitForSingleObject  ... ) == 0x102
 01317   948   NtWaitForSingleObject  ... ) == 0x0
 01382   252   NtSetEventBoostPriority  ... ) == 0x0
 01381  1372   NtTestAlert  ... ) == 0x0
 01384  1736   NtAllocateVirtualMemory  (-1, 44883968, 0, 8192, 4096, 4, ...
 01385   948   NtSetEventBoostPriority  (304, ...
 01386   928   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01387  1168   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01383  1132   NtWaitForSingleObject  ... ) == 0x102
 01388  1372   NtContinue  (43842864, 1, ...
 01319  1024   NtWaitForSingleObject  ... ) == 0x0
 01385   948   NtSetEventBoostPriority  ... ) == 0x0
 01384  1736   NtAllocateVirtualMemory  ... 44883968, 8192, ) == 0x0
 01386   928   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01387  1168   NtWaitForSingleObject  ... ) == 0x102
 01389  1132   NtWaitForSingleObject  (260, 0, 0x0, ...
 01390  1024   NtWaitForSingleObject  (260, 0, 0x0, ...
 01391  1372   NtRegisterThreadTerminatePort  (24, ...
 01392   948   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01393  1736   NtProtectVirtualMemory  (-1, (0x2ace000), 4096, 260, ...
 01394   928   NtSetEventBoostPriority  (260, ...
 01395  1168   NtWaitForSingleObject  (260, 0, 0x0, ...
 01391  1372   NtRegisterThreadTerminatePort  ... ) == 0x0
 01396   252   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01393  1736   NtProtectVirtualMemory  ... (0x2ace000), 4096, 4, ) == 0x0
 01392   948   NtWaitForSingleObject  ... ) == 0x102
 01390  1024   NtWaitForSingleObject  ... ) == 0x0
 01394   928   NtSetEventBoostPriority  ... ) == 0x0
 01396   252   NtWaitForSingleObject  ... ) == 0x102
 01397  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01398  1024   NtSetEventBoostPriority  (260, ...
 01399   948   NtWaitForSingleObject  (260, 0, 0x0, ...
 01400   928   NtWaitForSingleObject  (140, 0, 0x0, ...
 01401   252   NtWaitForSingleObject  (260, 0, 0x0, ...
 01402  1372   NtWaitForSingleObject  (260, 0, 0x0, ...
 01389  1132   NtWaitForSingleObject  ... ) == 0x0
 01403  1132   NtSetEventBoostPriority  (260, ...
 01395  1168   NtWaitForSingleObject  ... ) == 0x0
 01404  1168   NtSetEventBoostPriority  (260, ...
 01399   948   NtWaitForSingleObject  ... ) == 0x0
 01405   948   NtSetEventBoostPriority  (260, ...
 01401   252   NtWaitForSingleObject  ... ) == 0x0
 01406   252   NtSetEventBoostPriority  (260, ...
 01402  1372   NtWaitForSingleObject  ... ) == 0x0
 01407  1372   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 380, ) == 0x0
 01408  1372   NtWaitForSingleObject  (304, 0, 0x0, ...
 01406   252   NtSetEventBoostPriority  ... ) == 0x0
 01405   948   NtSetEventBoostPriority  ... ) == 0x0
 01404  1168   NtSetEventBoostPriority  ... ) == 0x0
 01403  1132   NtSetEventBoostPriority  ... ) == 0x0
 01398  1024   NtSetEventBoostPriority  ... ) == 0x0
 01397  1736   NtCreateThread  ... 384, {1636, 2040}, ) == 0x0
 01409   252   NtWaitForSingleObject  (140, 0, 0x0, ...
 01410   948   NtWaitForSingleObject  (140, 0, 0x0, ...
 01411  1168   NtWaitForSingleObject  (140, 0, 0x0, ...
 01412  1132   NtWaitForSingleObject  (140, 0, 0x0, ...
 01413  1736   NtQueryInformationThread  (384, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1636,Tid=2040,}, 0x0, ) == 0x0
 01414  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0d\6\0\0\370\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0d\6\0\0\370\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75520, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0d\6\0\0\370\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0d\6\0\0\370\7\0\0" )  ) == 0x0
 01415  1736   NtResumeThread  (384, ... 1, ) == 0x0
 01416  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 44892160, 1048576, ) == 0x0
 01417  1736   NtAllocateVirtualMemory  (-1, 45932544, 0, 8192, 4096, 4, ... 45932544, 8192, ) == 0x0
 01418  1024   NtSetEventBoostPriority  (304, ...
 01419  2040   NtTestAlert  (...
 01327  1096   NtWaitForSingleObject  ... ) == 0x0
 01418  1024   NtSetEventBoostPriority  ... ) == 0x0
 01420  1096   NtSetEventBoostPriority  (304, ...
 01419  2040   NtTestAlert  ... ) == 0x0
 01333  1064   NtWaitForSingleObject  ... ) == 0x0
 01420  1096   NtSetEventBoostPriority  ... ) == 0x0
 01421  1024   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01422  1064   NtSetEventBoostPriority  (304, ...
 01423  2040   NtContinue  (44891440, 1, ...
 01424  1096   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01343  1384   NtWaitForSingleObject  ... ) == 0x0
 01422  1064   NtSetEventBoostPriority  ... ) == 0x0
 01421  1024   NtWaitForSingleObject  ... ) == 0x102
 01425  2040   NtRegisterThreadTerminatePort  (24, ...
 01426  1736   NtProtectVirtualMemory  (-1, (0x2bce000), 4096, 260, ...
 01427  1384   NtSetEventBoostPriority  (304, ...
 01428  1064   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01429  1024   NtWaitForSingleObject  (140, 0, 0x0, ...
 01425  2040   NtRegisterThreadTerminatePort  ... ) == 0x0
 01346   868   NtWaitForSingleObject  ... ) == 0x0
 01427  1384   NtSetEventBoostPriority  ... ) == 0x0
 01426  1736   NtProtectVirtualMemory  ... (0x2bce000), 4096, 4, ) == 0x0
 01424  1096   NtWaitForSingleObject  ... ) == 0x102
 01428  1064   NtWaitForSingleObject  ... ) == 0x102
 01430   868   NtSetEventBoostPriority  (304, ...
 01431  1384   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01432  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01433  1096   NtWaitForSingleObject  (140, 0, 0x0, ...
 01349   188   NtWaitForSingleObject  ... ) == 0x0
 01430   868   NtSetEventBoostPriority  ... ) == 0x0
 01434  1064   NtWaitForSingleObject  (140, 0, 0x0, ...
 01435  2040   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01432  1736   NtCreateThread  ... 388, {1636, 216}, ) == 0x0
 01436   188   NtSetEventBoostPriority  (304, ...
 01431  1384   NtWaitForSingleObject  ... ) == 0x102
 01435  2040   NtDuplicateObject  ... 392, ) == 0x0
 01360  1600   NtWaitForSingleObject  ... ) == 0x0
 01436   188   NtSetEventBoostPriority  ... ) == 0x0
 01437  1736   NtQueryInformationThread  (388, Basic, 28, ...
 01438  1384   NtWaitForSingleObject  (140, 0, 0x0, ...
 01439  1600   NtSetEventBoostPriority  (304, ...
 01440  2040   NtWaitForSingleObject  (304, 0, 0x0, ...
 01441   188   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01437  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1636,Tid=216,}, 0x0, ) == 0x0
 01372  1356   NtWaitForSingleObject  ... ) == 0x0
 01439  1600   NtSetEventBoostPriority  ... ) == 0x0
 01442   868   NtWaitForSingleObject  (304, 0, 0x0, ...
 01441   188   NtWaitForSingleObject  ... ) == 0x102
 01443  1356   NtSetEventBoostPriority  (304, ...
 01444  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0d\6\0\0\330\0\0\0" ...  ...
 01408  1372   NtWaitForSingleObject  ... ) == 0x0
 01443  1356   NtSetEventBoostPriority  ... ) == 0x0
 01445   188   NtWaitForSingleObject  (140, 0, 0x0, ...
 01446  1372   NtSetEventBoostPriority  (304, ...
 01444  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75521, 0}  ... {28, 56, reply, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0d\6\0\0\330\0\0\0" )  ) == 0x0
 01447  1356   NtWaitForSingleObject  (304, 0, 0x0, ...
 01440  2040   NtWaitForSingleObject  ... ) == 0x0
 01448  1736   NtResumeThread  (388, ...
 01446  1372   NtSetEventBoostPriority  ... ) == 0x0
 01449  1600   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01450  2040   NtSetEventBoostPriority  (304, ...
 01448  1736   NtResumeThread  ... 1, ) == 0x0
 01451  1372   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01449  1600   NtWaitForSingleObject  ... ) == 0x102
 01442   868   NtWaitForSingleObject  ... ) == 0x0
 01450  2040   NtSetEventBoostPriority  ... ) == 0x0
 01452  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01453   868   NtSetEventBoostPriority  (304, ...
 01454  1600   NtWaitForSingleObject  (140, 0, 0x0, ...
 01455   216   NtTestAlert  (...
 01451  1372   NtWaitForSingleObject  ... ) == 0x102
 01456  2040   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01447  1356   NtWaitForSingleObject  ... ) == 0x0
 01453   868   NtSetEventBoostPriority  ... ) == 0x0
 01455   216   NtTestAlert  ... ) == 0x0
 01457  1372   NtWaitForSingleObject  (140, 0, 0x0, ...
 01458  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11071600, ... }, 11071600, ...
 01456  2040   NtWaitForSingleObject  ... ) == 0x102
 01459   868   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01460   216   NtContinue  (45940016, 1, ...
 01458  1356   NtQueryAttributesFile  ... ) == 0x0
 01461  2040   NtWaitForSingleObject  (260, 0, 0x0, ...
 01452  1736   NtAllocateVirtualMemory  ... 45940736, 1048576, ) == 0x0
 01462  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01463   216   NtRegisterThreadTerminatePort  (24, ...
 01462  1356   NtOpenKey  ... 396, ) == 0x0
 01464  1736   NtAllocateVirtualMemory  (-1, 46981120, 0, 8192, 4096, 4, ...
 01463   216   NtRegisterThreadTerminatePort  ... ) == 0x0
 01459   868   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01464  1736   NtAllocateVirtualMemory  ... 46981120, 8192, ) == 0x0
 01465  1356   NtQueryValueKey  (396,  (396, "Transports", Partial, 144, ... , Partial, 144, ...
 01466   868   NtSetEventBoostPriority  (260, ...
 01467  1736   NtProtectVirtualMemory  (-1, (0x2cce000), 4096, 260, ...
 01465  1356   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01461  2040   NtWaitForSingleObject  ... ) == 0x0
 01466   868   NtSetEventBoostPriority  ... ) == 0x0
 01467  1736   NtProtectVirtualMemory  ... (0x2cce000), 4096, 4, ) == 0x0
 01468  2040   NtWaitForSingleObject  (140, 0, 0x0, ...
 01469  1356   NtQueryValueKey  (396,  (396, "Transports", Partial, 144, ... , Partial, 144, ...
 01470   868   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 01471  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01469  1356   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01470   868   NtOpenFile  ... 400, {status=0x0, info=0}, ) == 0x0
 01472   216   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01473  1356   NtClose  (396, ...
 01474   868   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "~\364r\343e\331\313\267\244\263\306\327\267\24tl\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01472   216   NtDuplicateObject  ... 404, ) == 0x0
 01473  1356   NtClose  ... ) == 0x0
 01471  1736   NtCreateThread  ... 396, {1636, 152}, ) == 0x0
 01475   216   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01476   868   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01477  1736   NtQueryInformationThread  (396, Basic, 28, ...
 01475   216   NtWaitForSingleObject  ... ) == 0x102
 01476   868   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01477  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1636,Tid=152,}, 0x0, ) == 0x0
 01478   216   NtWaitForSingleObject  (140, 0, 0x0, ...
 01479   868   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01480  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0d\6\0\0\230\0\0\0" ...  ...
 01481  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01479   868   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01480  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75522, 0}  ... {28, 56, reply, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0d\6\0\0\230\0\0\0" )  ) == 0x0
 01481  1356   NtOpenKey  ... 408, ) == 0x0
 01482   868   NtQuerySystemInformation  (Performance, 312, ...
 01483  1356   NtQueryValueKey  (408,  (408, "Mapping", Partial, 144, ... , Partial, 144, ...
 01482   868   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01483  1356   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01484  1736   NtResumeThread  (396, ...
 01485  1356   NtQueryValueKey  (408,  (408, "Mapping", Partial, 144, ... , Partial, 144, ...
 01484  1736   NtResumeThread  ... 1, ) == 0x0
 01485  1356   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01486  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01487   868   NtQuerySystemInformation  (Exception, 16, ...
 01488   152   NtTestAlert  (...
 01486  1736   NtAllocateVirtualMemory  ... 46989312, 1048576, ) == 0x0
 01487   868   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01488   152   NtTestAlert  ... ) == 0x0
 01489  1736   NtAllocateVirtualMemory  (-1, 48029696, 0, 8192, 4096, 4, ...
 01490   868   NtQuerySystemInformation  (Lookaside, 32, ...
 01491  1356   NtQueryValueKey  (408,  (408, "Mapping", Partial, 152, ... , Partial, 152, ...
 01489  1736   NtAllocateVirtualMemory  ... 48029696, 8192, ) == 0x0
 01490   868   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01491  1356   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01492   152   NtContinue  (46988592, 1, ...
 01493   868   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01494  1356   NtClose  (408, ...
 01495   152   NtRegisterThreadTerminatePort  (24, ...
 01493   868   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01494  1356   NtClose  ... ) == 0x0
 01495   152   NtRegisterThreadTerminatePort  ... ) == 0x0
 01496  1736   NtProtectVirtualMemory  (-1, (0x2dce000), 4096, 260, ...
 01497  1356   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01498   152   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01496  1736   NtProtectVirtualMemory  ... (0x2dce000), 4096, 4, ) == 0x0
 01497  1356   NtOpenKey  ... 408, ) == 0x0
 01498   152   NtDuplicateObject  ... 412, ) == 0x0
 01499  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01500   868   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01501   152   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01499  1736   NtCreateThread  ... 416, {1636, 900}, ) == 0x0
 01500   868   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01502  1356   NtQueryValueKey  (408,  (408, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01503  1736   NtQueryInformationThread  (416, Basic, 28, ...
 01504   868   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01502  1356   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01503  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1636,Tid=900,}, 0x0, ) == 0x0
 01501   152   NtWaitForSingleObject  ... ) == 0x102
 01505  1356   NtQueryValueKey  (408,  (408, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01504   868   NtCreateKey  ... -2147482576, 2, ) == 0x0
 01506   152   NtWaitForSingleObject  (140, 0, 0x0, ...
 01505  1356   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01507   868   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\276\32\33\221\#\26\252\231\253\32\30p\7\236\350\353\21\10\344y\254\302f\346|\326\2514\177U\203\300\270\251\236q\177\325E\356\343\266\302\367\206\320\353\2627\357\266\\205%wh\2669J \215\372lR\232\33'\321\222s\372\205\230\231q\245j\332*", 80, ... , 0, 3,  (-2147482576, "Seed", 0, 3, "\276\32\33\221\#\26\252\231\253\32\30p\7\236\350\353\21\10\344y\254\302f\346|\326\2514\177U\203\300\270\251\236q\177\325E\356\343\266\302\367\206\320\353\2627\357\266\\205%wh\2669J \215\372lR\232\33'\321\222s\372\205\230\231q\245j\332*", 80, ... , 80, ...
 01508  1356   NtQueryValueKey  (408,  (408, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ...
 01507   868   NtSetValueKey  ... ) == 0x0
 01508  1356   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01509   868   NtClose  (-2147482576, ...
 01510  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0d\6\0\0\204\3\0\0" ...  ...
 01509   868   NtClose  ... ) == 0x0
 01510  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75525, 0}  ... {28, 56, reply, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0d\6\0\0\204\3\0\0" )  ) == 0x0
 01474   868   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\234Ce^\3\272\305x\220\341R4\206\224\1770\273\275\16\320f#T\307\375\376\326\3\270\315\357\233[\346\251~~0\275\227\202\240\373\3061Q8\356\213\227\300\307;\216\251\250G\300X0\371\3742fL\343.\352\17\365\224\273\352vm\307\205\15\377\0&1R\5\330\300\356XV\265WH\302\236\267a\236\36\340\312=\300\323R\0"V\203{I\356\326\246\177\14\355\272\327\356\376?x\2451\342P\371\336\267\27=J8\267\323\372hC\231\323QS\266^\10\23q\313Ev\247\20Qk\267*\216\14\263O\11\352\220%\256\376\305\221\346O\15\27\37\243\313\335\10\325\355v\266\233\262~\22A\10)0\3\300\305\317*\32\264\3\341x\250\261?*7\356\314\14\261\365\2754u\256\325\333\273rD\307\313\14\203\305.\227\23\373\236\311\310\307\224\377\251:\371\23\221V\32\315\241\23+\376;\22\341\350\177yt5\351\177\252", ) V\203{I\356\326\246\177\14\355\272\327\356\376?x\2451\342P\371\336\267\27=J8\267\323\372hC\231\323QS\266^\10\23q\313Ev\247\20Qk\267*\216\14\263O\11\352\220%\256\376\305\221\346O\15\27\37\243\313\335\10\325\355v\266\233\262~\22A\10)0\3\300\305\317*\32\264\3\341x\250\261?*7\356\314\14\261\365\2754u\256\325\333\273rD\307\313\14\203\305.\227\23\373\236\311\310\307\224\377\251:\371\23\221V\32\315\241\23+\376;\22\341\350\177yt5\351\177\252", ) == 0x0
 01511  1736   NtResumeThread  (416, ...
 01512  1356   NtQueryValueKey  (408,  (408, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 01511  1736   NtResumeThread  ... 1, ) == 0x0
 01512  1356   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01513  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01514  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072556, ... }, 11072556, ...
 01515   868   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01516   900   NtWaitForSingleObject  (88, 0, 0x0, ...
 01514  1356   NtQueryAttributesFile  ... ) == 0x0
 01515   868   NtCreateEvent  ... 420, ) == 0x0
 01517  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01518   868   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 01517  1356   NtOpenFile  ... 424, {status=0x0, info=1}, ) == 0x0
 01518   868   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 01513  1736   NtAllocateVirtualMemory  ... 48037888, 1048576, ) == 0x0
 01519   868   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12119556, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12119556, 188, ...
 01520  1736   NtAllocateVirtualMemory  (-1, 49078272, 0, 8192, 4096, 4, ... 49078272, 8192, ) == 0x0
 01521  1736   NtProtectVirtualMemory  (-1, (0x2ece000), 4096, 260, ... (0x2ece000), 4096, 4, ) == 0x0
 01522  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01523  1356   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 424, ... 428, ) == 0x0
 01524  1356   NtClose  (424, ... ) == 0x0
 01525  1356   NtMapViewOfSection  (428, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 20480, ) == 0x0
 01526  1356   NtClose  (428, ... ) == 0x0
 01522  1736   NtCreateThread  ... 428, {1636, 1388}, ) == 0x0
 01527  1736   NtQueryInformationThread  (428, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1636,Tid=1388,}, 0x0, ) == 0x0
 01528  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75525, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0d\6\0\0l\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0d\6\0\0l\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75527, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0d\6\0\0l\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0d\6\0\0l\5\0\0" )  ) == 0x0
 01519   868   NtConnectPort  ... 424, 0x0, 0x0, 0x0, 188, ) == 0x0
 01529  1356   NtUnmapViewOfSection  (-1, 0x860000, ...
 01530   868   NtRequestWaitReplyPort  (424, {200, 224, new_msg, 0, 1384480, 12, 2, 1310721}  (424, {200, 224, new_msg, 0, 1384480, 12, 2, 1310721} "\0\1\24\0\274\0\0\0\374A\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0ZE\261\7\20\321\251#x\1\24\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\250\37\25\0\353\24e\23\330\1\24\0\310\37\25\0h\1\24\0\0\0\0\0\0\0\0\0\310\37\25\0P\0\0\0\320\37\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\270\0\372\31\221|\30\364\270\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01529  1356   NtUnmapViewOfSection  ... ) == 0x0
 01530   868   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 868, 75528, 0}  ... {200, 224, reply, 0, 1636, 868, 75528, 0} "\7\1\24\0\274\0\0\0\374A\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0ZE\261\7\20\321\251#x\1\24\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\250\37\25\0\353\24e\23\330\1\24\0\310\37\25\0h\1\24\0\0\0\0\0\0\0\0\0\310\37\25\0P\0\0\0\320\37\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\270\0\372\31\221|\30\364\270\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01531  1736   NtResumeThread  (428, ...
 01532   868   NtRequestWaitReplyPort  (424, {64, 88, new_msg, 0, 0, 0, 0, 0}  (424, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 01531  1736   NtResumeThread  ... 1, ) == 0x0
 01533  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 49086464, 1048576, ) == 0x0
 01534  1736   NtAllocateVirtualMemory  (-1, 50126848, 0, 8192, 4096, 4, ... 50126848, 8192, ) == 0x0
 01535  1356   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072864, ... }, 11072864, ...
 01536  1388   NtWaitForSingleObject  (88, 0, 0x0, ...
 01535  1356   NtQueryAttributesFile  ... ) == 0x0
 01537  1356   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 432, {status=0x0, info=1}, ) }, 5, 96, ... 432, {status=0x0, info=1}, ) == 0x0
 01538  1356   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 432, ... 436, ) == 0x0
 01539  1356   NtQuerySection  (436, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01540  1356   NtClose  (432, ... ) == 0x0
 01541  1356   NtMapViewOfSection  (436, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0
 01542  1736   NtProtectVirtualMemory  (-1, (0x2fce000), 4096, 260, ... (0x2fce000), 4096, 4, ) == 0x0
 01543  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 432, {1636, 1708}, ) == 0x0
 01544  1736   NtQueryInformationThread  (432, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1636,Tid=1708,}, 0x0, ) == 0x0
 01545  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\254\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\254\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75530, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\254\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0\254\6\0\0" )  ) == 0x0
 01546  1736   NtResumeThread  (432, ... 1, ) == 0x0
 01547  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01548  1356   NtClose  (436, ...
 01549  1708   NtWaitForSingleObject  (88, 0, 0x0, ...
 01548  1356   NtClose  ... ) == 0x0
 01550  1356   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0
 01551  1356   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0
 01552  1356   NtFlushInstructionCache  (-1, 1906905088, 128, ... ) == 0x0
 01547  1736   NtAllocateVirtualMemory  ... 50135040, 1048576, ) == 0x0
 01553  1736   NtAllocateVirtualMemory  (-1, 51175424, 0, 8192, 4096, 4, ... 51175424, 8192, ) == 0x0
 01554  1736   NtProtectVirtualMemory  (-1, (0x30ce000), 4096, 260, ... (0x30ce000), 4096, 4, ) == 0x0
 01555  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01556  1356   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01557  1356   NtSetEventBoostPriority  (88, ...
 01516   900   NtWaitForSingleObject  ... ) == 0x0
 01558   900   NtSetEventBoostPriority  (88, ...
 01536  1388   NtWaitForSingleObject  ... ) == 0x0
 01559  1388   NtSetEventBoostPriority  (88, ...
 01549  1708   NtWaitForSingleObject  ... ) == 0x0
 01560  1708   NtTestAlert  (... ) == 0x0
 01559  1388   NtSetEventBoostPriority  ... ) == 0x0
 01558   900   NtSetEventBoostPriority  ... ) == 0x0
 01557  1356   NtSetEventBoostPriority  ... ) == 0x0
 01555  1736   NtCreateThread  ... 436, {1636, 1324}, ) == 0x0
 01561  1708   NtContinue  (50134320, 1, ...
 01562  1388   NtTestAlert  (...
 01532   868   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1636, 868, 75529, 0}  ... {52, 76, reply, 0, 1636, 868, 75529, 0} "\2\332\243\201\1\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\270+\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 01563  1356   NtClose  (408, ...
 01564  1736   NtQueryInformationThread  (436, Basic, 28, ...
 01565  1708   NtRegisterThreadTerminatePort  (24, ...
 01562  1388   NtTestAlert  ... ) == 0x0
 01566   868   NtClose  (420, ...
 01563  1356   NtClose  ... ) == 0x0
 01564  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1636,Tid=1324,}, 0x0, ) == 0x0
 01565  1708   NtRegisterThreadTerminatePort  ... ) == 0x0
 01567  1388   NtContinue  (49085744, 1, ...
 01566   868   NtClose  ... ) == 0x0
 01568   900   NtTestAlert  (...
 01569  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75530, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0d\6\0\0,\5\0\0" ...  ...
 01570  1708   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01571  1388   NtRegisterThreadTerminatePort  (24, ...
 01572   868   NtClose  (424, ...
 01568   900   NtTestAlert  ... ) == 0x0
 01569  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75531, 0}  ... {28, 56, reply, 0, 1636, 1736, 75531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0d\6\0\0,\5\0\0" )  ) == 0x0
 01570  1708   NtDuplicateObject  ... 420, ) == 0x0
 01571  1388   NtRegisterThreadTerminatePort  ... ) == 0x0
 01572   868   NtClose  ... ) == 0x0
 01573   900   NtContinue  (48037168, 1, ...
 01574  1356   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11075200, 67, ... }, 0x0, 0, 3, 3, 0, 11075200, 67, ...
 01575  1708   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01576  1388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01577   868   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 01578   900   NtRegisterThreadTerminatePort  (24, ...
 01574  1356   NtCreateFile  ... 424, {status=0x0, info=0}, ) == 0x0
 01579  1736   NtResumeThread  (436, ...
 01575  1708   NtWaitForSingleObject  ... ) == 0x102
 01576  1388   NtDuplicateObject  ... 408, ) == 0x0
 01578   900   NtRegisterThreadTerminatePort  ... ) == 0x0
 01580  1356   NtDeviceIoControlFile  (424, 112, 0x0, 0x0, 0x1207b,  (424, 112, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 01579  1736   NtResumeThread  ... 1, ) == 0x0
 01581  1708   NtWaitForSingleObject  (140, 0, 0x0, ...
 01582  1388   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01583   900   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01584  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01582  1388   NtWaitForSingleObject  ... ) == 0x102
 01577   868   NtCreateKey  ... 440, 2, ) == 0x0
 01585  1324   NtTestAlert  (...
 01580  1356   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0 \376\255\201", ) , ) == 0x0
 01584  1736   NtAllocateVirtualMemory  ... 51183616, 1048576, ) == 0x0
 01586  1388   NtWaitForSingleObject  (140, 0, 0x0, ...
 01587   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01585  1324   NtTestAlert  ... ) == 0x0
 01588  1356   NtDeviceIoControlFile  (424, 112, 0x0, 0x0, 0x1207b,  (424, 112, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0 \376\255\201", 16, 16, ... , 16, 16, ...
 01589  1736   NtAllocateVirtualMemory  (-1, 52224000, 0, 8192, 4096, 4, ...
 01587   868   NtOpenKey  ... 444, ) == 0x0
 01590  1324   NtContinue  (51182896, 1, ...
 01588  1356   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0 \376\255\201", ) , ) == 0x0
 01589  1736   NtAllocateVirtualMemory  ... 52224000, 8192, ) == 0x0
 01591   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01592  1324   NtRegisterThreadTerminatePort  (24, ...
 01593  1356   NtDeviceIoControlFile  (424, 112, 0x0, 0x0, 0x12047,  (424, 112, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 01583   900   NtDuplicateObject  ... 448, ) == 0x0
 01591   868   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01592  1324   NtRegisterThreadTerminatePort  ... ) == 0x0
 01593  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 01594   900   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01595   868   NtQueryValueKey  (440,  (440, "Hostname", Partial, 144, ... , Partial, 144, ...
 01596  1736   NtProtectVirtualMemory  (-1, (0x31ce000), 4096, 260, ...
 01597  1356   NtWaitForSingleObject  (56, 0, {0, 0}, ...
 01594   900   NtWaitForSingleObject  ... ) == 0x102
 01598  1324   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01596  1736   NtProtectVirtualMemory  ... (0x31ce000), 4096, 4, ) == 0x0
 01595   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01599   900   NtWaitForSingleObject  (140, 0, 0x0, ...
 01598  1324   NtDuplicateObject  ... 452, ) == 0x0
 01600  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01601   868   NtQueryValueKey  (440,  (440, "Hostname", Partial, 144, ... , Partial, 144, ...
 01602  1324   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01600  1736   NtCreateThread  ... 456, {1636, 1884}, ) == 0x0
 01601   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01602  1324   NtWaitForSingleObject  ... ) == 0x102
 01603  1736   NtQueryInformationThread  (456, Basic, 28, ...
 01604   868   NtClose  (440, ...
 01605  1324   NtWaitForSingleObject  (140, 0, 0x0, ...
 01603  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1636,Tid=1884,}, 0x0, ) == 0x0
 01604   868   NtClose  ... ) == 0x0
 01597  1356   NtWaitForSingleObject  ... ) == 0x102
 01606   868   NtClose  (444, ...
 01607  1356   NtDeviceIoControlFile  (424, 112, 0x0, 0x0, 0x12003,  (424, 112, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 01608  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75531, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0d\6\0\0\\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0d\6\0\0\\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75533, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0d\6\0\0\\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0d\6\0\0\\7\0\0" )  ) == 0x0
 01609  1736   NtResumeThread  (456, ... 1, ) == 0x0
 01610  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 52232192, 1048576, ) == 0x0
 01611  1736   NtAllocateVirtualMemory  (-1, 53272576, 0, 8192, 4096, 4, ... 53272576, 8192, ) == 0x0
 01612  1736   NtProtectVirtualMemory  (-1, (0x32ce000), 4096, 260, ... (0x32ce000), 4096, 4, ) == 0x0
 01613  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01607  1356   NtDeviceIoControlFile  ... {status=0x0, info=440},  ... {status=0x0, info=440}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01606   868   NtClose  ... ) == 0x0
 01614  1884   NtTestAlert  (...
 01615  1356   NtDeviceIoControlFile  (424, 112, 0x0, 0x0, 0x12047,  (424, 112, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01616   868   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "~\364r\343e\331\313F\313\20\300\320\316!\0t\32\336X\37\232\7Q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01614  1884   NtTestAlert  ... ) == 0x0
 01615  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01617   868   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01618  1884   NtContinue  (52231472, 1, ...
 01619  1356   NtDeviceIoControlFile  (424, 112, 0x0, 0x0, 0x12037,  (424, 112, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 01617   868   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01620  1884   NtRegisterThreadTerminatePort  (24, ...
 01619  1356   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01621   868   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01620  1884   NtRegisterThreadTerminatePort  ... ) == 0x0
 01622  1356   NtDeviceIoControlFile  (424, 112, 0x0, 0x0, 0x1200b,  (424, 112, 0x0, 0x0, 0x1200b, "\0\376\250\0\5\0\0\0\0\262\24\0", 12, 0, ... , 12, 0, ...
 01621   868   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01613  1736   NtCreateThread  ... 444, {1636, 248}, ) == 0x0
 01623  1884   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01622  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01624  1736   NtQueryInformationThread  (444, Basic, 28, ...
 01623  1884   NtDuplicateObject  ... 460, ) == 0x0
 01625  1356   NtDeviceIoControlFile  (424, 112, 0x0, 0x0, 0x12047,  (424, 112, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\250\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01624  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1636,Tid=248,}, 0x0, ) == 0x0
 01626  1884   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01625  1356   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01627  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0d\6\0\0\370\0\0\0" ...  ...
 01626  1884   NtWaitForSingleObject  ... ) == 0x102
 01627  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75534, 0}  ... {28, 56, reply, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0d\6\0\0\370\0\0\0" )  ) == 0x0
 01629  1884   NtWaitForSingleObject  (140, 0, 0x0, ...
 01628  1356   NtDeviceIoControlFile  (424, 112, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ...
 01630   868   NtQuerySystemInformation  (Performance, 312, ...
 01631  1736   NtResumeThread  (444, ...
 01628  1356   NtDeviceIoControlFile  ... {status=0x0, info=26},  ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01630   868   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01631  1736   NtResumeThread  ... 1, ) == 0x0
 01632  1356   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01633   868   NtQuerySystemInformation  (Exception, 16, ...
 01634  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01632  1356   NtCreateEvent  ... 464, ) == 0x0
 01633   868   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01634  1736   NtAllocateVirtualMemory  ... 53280768, 1048576, ) == 0x0
 01635  1356   NtWaitForSingleObject  (464, 0, 0x0, ...
 01636   868   NtQuerySystemInformation  (Lookaside, 32, ...
 01637  1736   NtAllocateVirtualMemory  (-1, 54321152, 0, 8192, 4096, 4, ...
 01636   868   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01637  1736   NtAllocateVirtualMemory  ... 54321152, 8192, ) == 0x0
 01638   248   NtTestAlert  (...
 01639   868   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01638   248   NtTestAlert  ... ) == 0x0
 01639   868   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01640   248   NtContinue  (53280048, 1, ...
 01641   868   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01642   248   NtRegisterThreadTerminatePort  (24, ...
 01641   868   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01642   248   NtRegisterThreadTerminatePort  ... ) == 0x0
 01643   868   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01644  1736   NtProtectVirtualMemory  (-1, (0x33ce000), 4096, 260, ...
 01643   868   NtCreateKey  ... -2147482564, 2, ) == 0x0
 01644  1736   NtProtectVirtualMemory  ... (0x33ce000), 4096, 4, ) == 0x0
 01645   248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01646  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01645   248   NtDuplicateObject  ... 468, ) == 0x0
 01646  1736   NtCreateThread  ... 472, {1636, 1652}, ) == 0x0
 01647   248   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01648  1736   NtQueryInformationThread  (472, Basic, 28, ...
 01647   248   NtWaitForSingleObject  ... ) == 0x102
 01648  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1636,Tid=1652,}, 0x0, ) == 0x0
 01649   248   NtWaitForSingleObject  (140, 0, 0x0, ...
 01650   868   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\354i\37\310\236\243\224\323\204\245\332\377!@l\12\243\351\357\305\21N\302\354s\256:IwU\223\327\324\221\36\233\370\212\217\271\21Wu\352\245\354W\310\207\265{\200C.0\3\202\375\233\32.\340\257\204\25\217\354\336\20\275\240L\224\245\336\325\30^z\303", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\354i\37\310\236\243\224\323\204\245\332\377!@l\12\243\351\357\305\21N\302\354s\256:IwU\223\327\324\221\36\233\370\212\217\271\21Wu\352\245\354W\310\207\265{\200C.0\3\202\375\233\32.\340\257\204\25\217\354\336\20\275\240L\224\245\336\325\30^z\303", 80, ... , 80, ...
 01651  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75534, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0t\6\0\0" ...  ...
 01650   868   NtSetValueKey  ... ) == 0x0
 01651  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75535, 0}  ... {28, 56, reply, 0, 1636, 1736, 75535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0t\6\0\0" )  ) == 0x0
 01652   868   NtClose  (-2147482564, ...
 01653  1736   NtResumeThread  (472, ...
 01652   868   NtClose  ... ) == 0x0
 01653  1736   NtResumeThread  ... 1, ) == 0x0
 01616   868   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\2\343\7\360\330\231e\27J\314\375\260\242\177Fk\17\177h~M\271\263Q\376\357C|\310\218d\254\223\16\243\356[\330\357\177\353\212\224\33\216\246\11mbQ\264\336\355\234)\352\23\13jp\376C\261\243\253\223*\217\207\24260\12\21/\22\335KqS]\307Y)*\201\341\0\255:\237\237K\214\303%7\300\232\314ax\250LDp\23\366\354t\370\0\356\201?\205\24\332\356'\33\367\332F\264\37o_pm\353\217Lz\370\332\371\223\227\25\323(q\2054m\225\23A@\260W\247\255\7\26\25\31\30;]\26;\3]\367\207\36=\323\303R\24\374\303B\300\372\316\10~\211Y\203 \305\213\260ko\323\370h\274\37\273r+\233LP\321\255\302\346\1\372\225>\234xLv,e\331<\25CN],\5\205\264\27\213\177\337?\215\233xJ\303CU\277F\364\255\367\5\316\345\202\352\304\347>>f\37<_", ) , ) == 0x0
 01654  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01655   868   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "~\364r\343e\331\313F\313\20\300\320\316!\361\33\271\330_f\257sI\32\336X\37\232\7Q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01656  1652   NtTestAlert  (...
 01654  1736   NtAllocateVirtualMemory  ... 54329344, 1048576, ) == 0x0
 01656  1652   NtTestAlert  ... ) == 0x0
 01657  1736   NtAllocateVirtualMemory  (-1, 55369728, 0, 8192, 4096, 4, ...
 01658  1652   NtContinue  (54328624, 1, ...
 01657  1736   NtAllocateVirtualMemory  ... 55369728, 8192, ) == 0x0
 01659  1652   NtRegisterThreadTerminatePort  (24, ...
 01660  1736   NtProtectVirtualMemory  (-1, (0x34ce000), 4096, 260, ...
 01659  1652   NtRegisterThreadTerminatePort  ... ) == 0x0
 01660  1736   NtProtectVirtualMemory  ... (0x34ce000), 4096, 4, ) == 0x0
 01661   868   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01662  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01661   868   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01663  1652   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01664   868   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01663  1652   NtDuplicateObject  ... 476, ) == 0x0
 01664   868   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01665  1652   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01666   868   NtQuerySystemInformation  (Performance, 312, ...
 01665  1652   NtWaitForSingleObject  ... ) == 0x102
 01666   868   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01667  1652   NtWaitForSingleObject  (140, 0, 0x0, ...
 01662  1736   NtCreateThread  ... 480, {1636, 588}, ) == 0x0
 01668   868   NtQuerySystemInformation  (Exception, 16, ...
 01669  1736   NtQueryInformationThread  (480, Basic, 28, ...
 01668   868   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01669  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1636,Tid=588,}, 0x0, ) == 0x0
 01670   868   NtQuerySystemInformation  (Lookaside, 32, ...
 01671  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75535, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0d\6\0\0L\2\0\0" ...  ...
 01670   868   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01671  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75536, 0}  ... {28, 56, reply, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0d\6\0\0L\2\0\0" )  ) == 0x0
 01672   868   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01673   868   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01674   868   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0
 01675   868   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\246\331z\323\340~ Bi\225\336\255b=\31D\6m\237\120\20\214\13\346\266\35H\364cK\256\202\351q\35ZBM\311\30`\265pC\205K+F\371_\350\21\330\14hS\354r\267$\251//l^\0\237\36Hc\365\313\206(\316.C\225M", 80, ... ) , 0, 3,  (-2147482564, "Seed", 0, 3, "\246\331z\323\340~ Bi\225\336\255b=\31D\6m\237\120\20\214\13\346\266\35H\364cK\256\202\351q\35ZBM\311\30`\265pC\205K+F\371_\350\21\330\14hS\354r\267$\251//l^\0\237\36Hc\365\313\206(\316.C\225M", 80, ... ) , 80, ... ) == 0x0
 01676  1736   NtResumeThread  (480, ... 1, ) == 0x0
 01677  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 55377920, 1048576, ) == 0x0
 01678  1736   NtAllocateVirtualMemory  (-1, 56418304, 0, 8192, 4096, 4, ... 56418304, 8192, ) == 0x0
 01679  1736   NtProtectVirtualMemory  (-1, (0x35ce000), 4096, 260, ... (0x35ce000), 4096, 4, ) == 0x0
 01680  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 484, {1636, 440}, ) == 0x0
 01681  1736   NtQueryInformationThread  (484, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1636,Tid=440,}, 0x0, ) == 0x0
 01682   868   NtClose  (-2147482564, ...
 01683   588   NtTestAlert  (...
 01682   868   NtClose  ... ) == 0x0
 01683   588   NtTestAlert  ... ) == 0x0
 01655   868   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\317\210\214\31\1\221j\232LL\10.yt\11z"\310%\332\276\245\36\235\247\217\0\27\21\213\271\7\3717\363L\336\21\374\346,\261\312 \354\346\7\6\370\316\303\6$\241\11\312\32\337<\335YG\12S#\264\4\2\362\252\2129/\344\374\2443\301\243\37Rk\275\214\4\203\273V\12\215&\223\17\36M^(\31\204\333c\215M\260\213\311\370\21\11\240\374W\342\12\270\214]\332\14W\2579\376\31\237\262Z\16\263\10\202Ai\2133\312\213S\333\311-A\371\21\205$\211^\307\375i1-\250\365\242\251\21@\206w]\25.\344N\366\245q\251\237\330\360\370W\265\271!\340*\26\3412\370\257\3\331sm\227B\324b\377\257\360\200*\347\230\204\10jE\344I\245\210m\314}.u\322\37>[\361\336\14\252\351\10n\265\16\346\337\257\2\26&\373\203\367\26\323\364b\240\236\106\311P3\307\351\33\314\20\34\355+", ) \310%\332\276\245\36\235\247\217\0\27\21\213\271\7\3717\363L\336\21\374\346,\261\312 \354\346\7\6\370\316\303\6$\241\11\312\32\337<\335YG\12S#\264\4\2\362\252\2129/\344\374\2443\301\243\37Rk\275\214\4\203\273V\12\215&\223\17\36M^(\31\204\333c\215M\260\213\311\370\21\11\240\374W\342\12\270\214]\332\14W\2579\376\31\237\262Z\16\263\10\202Ai\2133\312\213S\333\311-A\371\21\205$\211^\307\375i1-\250\365\242\251\21@\206w]\25.\344N\366\245q\251\237\330\360\370W\265\271!\340*\26\3412\370\257\3\331sm\227B\324b\377\257\360\200*\347\230\204\10jE\344I\245\210m\314}.u\322\37>[\361\336\14\252\351\10n\265\16\346\337\257\2\26&\373\203\367\26\323\364b\240\236\106\311P3\307\351\33\314\20\34\355+", ) == 0x0
 01684   588   NtContinue  (55377200, 1, ...
 01685   868   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "~\364r\343e\331\313F\313\20\300\320\316!\361\33\271\330_f\257\202&\271\330_f\257sI\32\336X\37\232\7Q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01686   588   NtRegisterThreadTerminatePort  (24, ...
 01687   868   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01686   588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01687   868   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01688  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0\270\1\0\0" ...  ...
 01689   588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01688  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75537, 0}  ... {28, 56, reply, 0, 1636, 1736, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0d\6\0\0\270\1\0\0" )  ) == 0x0
 01689   588   NtDuplicateObject  ... 488, ) == 0x0
 01690  1736   NtResumeThread  (484, ...
 01691   588   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ...
 01690  1736   NtResumeThread  ... 1, ) == 0x0
 01691   588   NtAllocateVirtualMemory  ... 1388544, 4096, ) == 0x0
 01692  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01693   588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01694   868   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01695   440   NtTestAlert  (...
 01694   868   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01695   440   NtTestAlert  ... ) == 0x0
 01696   868   NtQuerySystemInformation  (Performance, 312, ...
 01697   440   NtContinue  (56425776, 1, ...
 01696   868   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01698   440   NtRegisterThreadTerminatePort  (24, ...
 01699   868   NtQuerySystemInformation  (Exception, 16, ...
 01698   440   NtRegisterThreadTerminatePort  ... ) == 0x0
 01699   868   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01692  1736   NtAllocateVirtualMemory  ... 56426496, 1048576, ) == 0x0
 01693   588   NtWaitForSingleObject  ... ) == 0x102
 01700   440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01701  1736   NtAllocateVirtualMemory  (-1, 57466880, 0, 8192, 4096, 4, ...
 01702   588   NtWaitForSingleObject  (140, 0, 0x0, ...
 01700   440   NtDuplicateObject  ... 492, ) == 0x0
 01701  1736   NtAllocateVirtualMemory  ... 57466880, 8192, ) == 0x0
 01703   440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01704  1736   NtProtectVirtualMemory  (-1, (0x36ce000), 4096, 260, ...
 01703   440   NtWaitForSingleObject  ... ) == 0x102
 01704  1736   NtProtectVirtualMemory  ... (0x36ce000), 4096, 4, ) == 0x0
 01705   440   NtWaitForSingleObject  (140, 0, 0x0, ...
 01706  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01707   868   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01708   868   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01709   868   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01710   868   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0
 01711   868   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\211\242H\321\372\266Y\347k\237t\273\332w\332\2\247\35&BZN\310\2370<\220\252\2117e\35\31[2A8\311\\227\31\374\256\266\201p\10\215=5\355\255`\\303\350\221NQ\224@\340r]\203\377v]q\260\261@\364\345\377\200\231RHA", 80, ... ) , 0, 3,  (-2147482564, "Seed", 0, 3, "\211\242H\321\372\266Y\347k\237t\273\332w\332\2\247\35&BZN\310\2370<\220\252\2117e\35\31[2A8\311\\227\31\374\256\266\201p\10\215=5\355\255`\\303\350\221NQ\224@\340r]\203\377v]q\260\261@\364\345\377\200\231RHA", 80, ... ) , 80, ... ) == 0x0
 01712   868   NtClose  (-2147482564, ... ) == 0x0
 01706  1736   NtCreateThread  ... 496, {1636, 1296}, ) == 0x0
 01713  1736   NtQueryInformationThread  (496, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1636,Tid=1296,}, 0x0, ) == 0x0
 01714  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75537, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0d\6\0\0\20\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0d\6\0\0\20\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75538, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0d\6\0\0\20\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0d\6\0\0\20\5\0\0" )  ) == 0x0
 01715  1736   NtResumeThread  (496, ... 1, ) == 0x0
 01716  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 57475072, 1048576, ) == 0x0
 01717  1736   NtAllocateVirtualMemory  (-1, 58515456, 0, 8192, 4096, 4, ... 58515456, 8192, ) == 0x0
 01685   868   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\307i\316i\2234\216\252\260\311\340\322\11\336\12\314\355\362\316\224\246\3437N\262|\320X\231Q3Q\357\263\22\276z\323@^\320\303\21\20\330\205\26\263E{s\26\305\321\343\244C\260MJ\307\315\340J\333N\204\25|<\344\31\273B+\334\346!Q\326\313\326\314\336D\356\7^3a\245M&\13\233\225f\263\256\343\325\307\241\327\352\265\206B\342\32(P\306\363-\244jp~\37v2\252\367"N*\242\361\233\2512-\326\12\361\314^\234%\360'h+/\324\366kj\263\241\252\310T^\266\16\235)W\375\263\2772:\240\37Fr\333_\267H\365\274\376B\2\354\6j\21\7WB\334@Q\243U#=\231\17$\1\326\1QD\262\202\205)\244\304\221\243\307r6j\260CT\202\233\301Z\32'*\14\273\222\243**\374(\201w\220\215B\21\340\336\201\234J\255\347+V\16s\226\206%;`\220C+\266", ) N*\242\361\233\2512-\326\12\361\314^\234%\360'h+/\324\366kj\263\241\252\310T^\266\16\235)W\375\263\2772:\240\37Fr\333_\267H\365\274\376B\2\354\6j\21\7WB\334@Q\243U#=\231\17$\1\326\1QD\262\202\205)\244\304\221\243\307r6j\260CT\202\233\301Z\32'*\14\273\222\243**\374(\201w\220\215B\21\340\336\201\234J\255\347+V\16s\226\206%;`\220C+\266", ) == 0x0
 01718  1296   NtTestAlert  (...
 01719   868   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "~\364r\343e\331\313F\313\20\300\320\316!\361\33\271\330_f\257\202&\271\330_f\257\202&\271\330_f\257sI\32\336X\37\232\7Q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01718  1296   NtTestAlert  ... ) == 0x0
 01720   868   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01721  1296   NtContinue  (57474352, 1, ...
 01720   868   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01722  1296   NtRegisterThreadTerminatePort  (24, ...
 01723   868   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01722  1296   NtRegisterThreadTerminatePort  ... ) == 0x0
 01723   868   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01724  1736   NtProtectVirtualMemory  (-1, (0x37ce000), 4096, 260, ...
 01725  1296   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01724  1736   NtProtectVirtualMemory  ... (0x37ce000), 4096, 4, ) == 0x0
 01725  1296   NtDuplicateObject  ... 500, ) == 0x0
 01726  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01727  1296   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01726  1736   NtCreateThread  ... 504, {1636, 1620}, ) == 0x0
 01727  1296   NtWaitForSingleObject  ... ) == 0x102
 01728  1736   NtQueryInformationThread  (504, Basic, 28, ...
 01729  1296   NtWaitForSingleObject  (140, 0, 0x0, ...
 01728  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1636,Tid=1620,}, 0x0, ) == 0x0
 01730   868   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01731   868   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01732   868   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01733   868   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01734   868   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01735   868   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0
 01736  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0d\6\0\0T\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0d\6\0\0T\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75539, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0d\6\0\0T\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0d\6\0\0T\6\0\0" )  ) == 0x0
 01737  1736   NtResumeThread  (504, ... 1, ) == 0x0
 01738  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 58523648, 1048576, ) == 0x0
 01739  1736   NtAllocateVirtualMemory  (-1, 59564032, 0, 8192, 4096, 4, ... 59564032, 8192, ) == 0x0
 01740  1736   NtProtectVirtualMemory  (-1, (0x38ce000), 4096, 260, ... (0x38ce000), 4096, 4, ) == 0x0
 01741  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01742   868   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "b%`\307\337\0M\275\15\227W\35\247\225\302\30W\336\15+\21\241\236\331\32\253\25+\312V\347\363Z\k\231\353\235\360\206\335rWg\272\352\306\223\334\301\14\230\361j$\253\270\343\21By+\217\273\326\377\255\206\3520\245\273\6\3072e>\312\224", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "b%`\307\337\0M\275\15\227W\35\247\225\302\30W\336\15+\21\241\236\331\32\253\25+\312V\347\363Z\k\231\353\235\360\206\335rWg\272\352\306\223\334\301\14\230\361j$\253\270\343\21By+\217\273\326\377\255\206\3520\245\273\6\3072e>\312\224", 80, ... , 80, ...
 01743  1620   NtTestAlert  (...
 01742   868   NtSetValueKey  ... ) == 0x0
 01743  1620   NtTestAlert  ... ) == 0x0
 01744   868   NtClose  (-2147482564, ...
 01745  1620   NtContinue  (58522928, 1, ...
 01741  1736   NtCreateThread  ... 508, {1636, 1588}, ) == 0x0
 01746  1620   NtRegisterThreadTerminatePort  (24, ...
 01747  1736   NtQueryInformationThread  (508, Basic, 28, ...
 01746  1620   NtRegisterThreadTerminatePort  ... ) == 0x0
 01747  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1636,Tid=1588,}, 0x0, ) == 0x0
 01744   868   NtClose  ... ) == 0x0
 01748  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0d\6\0\04\6\0\0" ...  ...
 01719   868   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\302yS\16\270)~Hq\177\331\310nX\355\313\177\200\313\36\324\371\25\3F\13\2710\275\327\363\366\332\217\317\373\3236W\262\317\225\345\341\15^g,\177oQ1{\23\316L\237\37\343\317\377\226d\311EV\1\215\\240\13\261\333\337(z\313\22\304\230\331d\30\366U\377Q\7xo\203\363\301S\250\206\307\232\217\336\217\222\3430.\31\313VT\320\342\224wWh\306\251\7#\6V\366\331\272\20|\16\5\332\227\267F\7\353#\264\356\377&\252\12\252>\207\305\\265t%J8\234\1\26X\254+:\30\205\371\343S\241\353I\5\313\364q7\347\177l\237V\317\363\177\10\26'm\221\341\233\267\353\15\6h\15\13\10\357o\262\7\376\332c\364\340\\362G\332d\334\37\327\332\205\370\234\10N$DE6\311\232\312\215\216\242\335]6G~O*\37\373\354\32\256#q\235N\374\262\7\23\350\317\257\2\203\343\13\223", ) , ) == 0x0
 01748  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75540, 0}  ... {28, 56, reply, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0d\6\0\04\6\0\0" )  ) == 0x0
 01749   868   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "~\364r\343e\331\313F\313\20\300\320\316!\361\33\271\330_f\257\202&\271\330_f\257\202&\271\330_f\257\202&\271\330_f\257sI\32\336X\37\232\7Q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01750  1620   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01751   868   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01750  1620   NtDuplicateObject  ... 512, ) == 0x0
 01751   868   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01752  1620   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01753   868   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01752  1620   NtWaitForSingleObject  ... ) == 0x102
 01754  1736   NtResumeThread  (508, ...
 01755  1620   NtWaitForSingleObject  (140, 0, 0x0, ...
 01754  1736   NtResumeThread  ... 1, ) == 0x0
 01753   868   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01756  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01757   868   NtQuerySystemInformation  (Performance, 312, ...
 01756  1736   NtAllocateVirtualMemory  ... 59572224, 1048576, ) == 0x0
 01757   868   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01758  1736   NtAllocateVirtualMemory  (-1, 60612608, 0, 8192, 4096, 4, ...
 01759   868   NtQuerySystemInformation  (Exception, 16, ...
 01758  1736   NtAllocateVirtualMemory  ... 60612608, 8192, ) == 0x0
 01759   868   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01760  1588   NtTestAlert  (...
 01761   868   NtQuerySystemInformation  (Lookaside, 32, ...
 01760  1588   NtTestAlert  ... ) == 0x0
 01762  1736   NtProtectVirtualMemory  (-1, (0x39ce000), 4096, 260, ...
 01763  1588   NtContinue  (59571504, 1, ...
 01762  1736   NtProtectVirtualMemory  ... (0x39ce000), 4096, 4, ) == 0x0
 01764  1588   NtRegisterThreadTerminatePort  (24, ...
 01765  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01764  1588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01765  1736   NtCreateThread  ... 516, {1636, 2044}, ) == 0x0
 01761   868   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01766  1736   NtQueryInformationThread  (516, Basic, 28, ...
 01767   868   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01766  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1636,Tid=2044,}, 0x0, ) == 0x0
 01767   868   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01768  1588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01769   868   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01768  1588   NtDuplicateObject  ... 520, ) == 0x0
 01769   868   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01770  1588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01771   868   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01770  1588   NtWaitForSingleObject  ... ) == 0x102
 01772  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75540, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0d\6\0\0\374\7\0\0" ...  ...
 01773  1588   NtWaitForSingleObject  (140, 0, 0x0, ...
 01772  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75541, 0}  ... {28, 56, reply, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0d\6\0\0\374\7\0\0" )  ) == 0x0
 01771   868   NtCreateKey  ... -2147482564, 2, ) == 0x0
 01774  1736   NtResumeThread  (516, ...
 01775   868   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\3\246zd\250\344\11\253Q\353\36Z\237\227#\265\311\364b4\357i\215{\251~=\226gM_/\352\2641\31\357M\353\35\201*\129\223\354\353\326\237f\306v\276\4\214\327-E\313&\265\6\255H>\226S\315F1}\310\264Mj9lzf3", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\3\246zd\250\344\11\253Q\353\36Z\237\227#\265\311\364b4\357i\215{\251~=\226gM_/\352\2641\31\357M\353\35\201*\129\223\354\353\326\237f\306v\276\4\214\327-E\313&\265\6\255H>\226S\315F1}\310\264Mj9lzf3", 80, ... , 80, ...
 01774  1736   NtResumeThread  ... 1, ) == 0x0
 01775   868   NtSetValueKey  ... ) == 0x0
 01776  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01777   868   NtClose  (-2147482564, ...
 01778  2044   NtTestAlert  (...
 01777   868   NtClose  ... ) == 0x0
 01778  2044   NtTestAlert  ... ) == 0x0
 01749   868   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\322\252\250\220\246S\225g.\276-\234\222\17\314\217\1\6\216\225\20|\260\224\221\355\374}\321(I\5'?\340\363\31\233\332\353\364\365x^\257\0\226\365\233\342\235c]\16\252\223\244t\212\23\271\227w3\252\334\24|\13\3\365\33\11g\2479\11\36\270+\326\361\267R]\312\371\4\302\376Js\344\354a\312\24\340\3166\322k"\311D\177\21\247\33\211\377w\203\370SEc\303\30h\330\333\232d\241\210\254\320\3703E\336{\351\25\357*xk\23\252\25:\373\17pB\314\13\0\330\255\30x\240*(\245P^\213\306\375N\5`\6\31\376\303;\346\377|\300\277\331w6\307\360\1Pn\366\224\216\341\265\227\275\242\16W\364", ) \311D\177\21\247\33\211\377w\203\370SEc\303\30h\330\333\232d\241\210\254\320\3703E\336{\351\25\357*xk\23\252\25:\373\17pB\314\13\0\330\255\30x\240*(\245P^\213\306\375N\5`\6\31\376\303;\346\377|\300\277\331w6\307\360\1Pn\366\224\216\341\265\227\275\242\16W\364", ) == 0x0
 01779  2044   NtContinue  (60620080, 1, ...
 01776  1736   NtAllocateVirtualMemory  ... 60620800, 1048576, ) == 0x0
 01780  2044   NtRegisterThreadTerminatePort  (24, ...
 01781  1736   NtAllocateVirtualMemory  (-1, 61661184, 0, 8192, 4096, 4, ...
 01780  2044   NtRegisterThreadTerminatePort  ... ) == 0x0
 01781  1736   NtAllocateVirtualMemory  ... 61661184, 8192, ) == 0x0
 01782   868   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "~\364r\343e\331\313F\313\20\300\320\316!\361\33\271\330_f\257\202&\271\330_f\257\202&\271\330_f\257\202&\271\330_f\257\202&\271\330_f\257sI\32\336X\37\232\7Q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01783  1736   NtProtectVirtualMemory  (-1, (0x3ace000), 4096, 260, ...
 01784   868   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01783  1736   NtProtectVirtualMemory  ... (0x3ace000), 4096, 4, ) == 0x0
 01784   868   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01785  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01786   868   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01787  2044   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01786   868   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01787  2044   NtDuplicateObject  ... 524, ) == 0x0
 01788   868   NtQuerySystemInformation  (Performance, 312, ...
 01789  2044   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01785  1736   NtCreateThread  ... 528, {1636, 1308}, ) == 0x0
 01789  2044   NtWaitForSingleObject  ... ) == 0x102
 01790  1736   NtQueryInformationThread  (528, Basic, 28, ...
 01791  2044   NtWaitForSingleObject  (140, 0, 0x0, ...
 01790  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1636,Tid=1308,}, 0x0, ) == 0x0
 01788   868   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01792  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0d\6\0\0\34\5\0\0" ...  ...
 01793   868   NtQuerySystemInformation  (Exception, 16, ...
 01792  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75542, 0}  ... {28, 56, reply, 0, 1636, 1736, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0d\6\0\0\34\5\0\0" )  ) == 0x0
 01793   868   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01794   868   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01795   868   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01796   868   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01797   868   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482564, 2, ) }, 0, 0x0, 0, ... -2147482564, 2, ) == 0x0
 01798   868   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\227\317"\235B\345\302\362*h\09\261a\270\1"=VU\270{/\262\361v\264\340\213\334\215\252H\21\362&\256/re\304\362\205\335{\346\222\322'G\224L\363p\14\226j\266\213d\342\0\245\204\0O\237A\3334C}SH\36 \3357\245\275", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\227\317"\235B\345\302\362*h\09\261a\270\1"=VU\270{/\262\361v\264\340\213\334\215\252H\21\362&\256/re\304\362\205\335{\346\222\322'G\224L\363p\14\226j\266\213d\342\0\245\204\0O\237A\3334C}SH\36 \3357\245\275", 80, ... \235B\345\302\362*h\09\261a\270\1 (-2147482564, "Seed", 0, 3, "\227\317"\235B\345\302\362*h\09\261a\270\1"=VU\270{/\262\361v\264\340\213\334\215\252H\21\362&\256/re\304\362\205\335{\346\222\322'G\224L\363p\14\226j\266\213d\342\0\245\204\0O\237A\3334C}SH\36 \3357\245\275", 80, ... , 80, ...
 01799  1736   NtResumeThread  (528, ... 1, ) == 0x0
 01800  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 61669376, 1048576, ) == 0x0
 01801  1736   NtAllocateVirtualMemory  (-1, 62709760, 0, 8192, 4096, 4, ... 62709760, 8192, ) == 0x0
 01802  1736   NtProtectVirtualMemory  (-1, (0x3bce000), 4096, 260, ... (0x3bce000), 4096, 4, ) == 0x0
 01803  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 532, {1636, 1676}, ) == 0x0
 01804  1736   NtQueryInformationThread  (532, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1636,Tid=1676,}, 0x0, ) == 0x0
 01798   868   NtSetValueKey  ... ) == 0x0
 01805  1308   NtTestAlert  (...
 01806   868   NtClose  (-2147482564, ...
 01805  1308   NtTestAlert  ... ) == 0x0
 01806   868   NtClose  ... ) == 0x0
 01807  1308   NtContinue  (61668656, 1, ...
 01782   868   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "5*\217.\365\261\370\222\2L\13~\341\242\32\324\317\177$\315q\266\211\357Q\17&\242\245$Q\2047\22\212i[I\26\201\347\33\4\256\213\310\233J\2153\301\234\215\314\14\266\234\333\13\13\372!\25\362@,\270}\264KF\22\356hHF\370\322\230\223\247\227\266P<\310bM\354\2lw\364'>&\3060\323x\35\346vZ\350M\13\32[\\331?\6\231t$r\18\271\353.J\210\356!\36\7\366\2756Q\304\335\373\265\3\377|!(\32\370\13i\26\323\260&\213e\26=\230 \216\252Lu\266\203\361n\304\323\243\241'S\4+\24)\223\244{~\342u\357\371\252j\1\327q8\257\337#\341\310\375L|\237\323\363Jn\363h\11"\6-\377\33\13V\210n\270~\360W;\212\331x\265=\365\16\363fa\261\346J\214\346\244\374\53\213\216\376{\354\210\235\345Ji\216\221^\23\336\311\3403o\236", ) \6-\377\33\13V\210n\270~\360W;\212\331x\265=\365\16\363fa\261\346J\214\346\244\374\53\213\216\376{\354\210\235\345Ji\216\221^\23\336\311\3403o\236", ) == 0x0
 01808  1308   NtRegisterThreadTerminatePort  (24, ...
 01809   868   NtDeviceIoControlFile  (400, 0, 0x0, 0x0, 0x390008,  (400, 0, 0x0, 0x0, 0x390008, "~\364r\343e\331\313F\313\20\300\320\316!\361\33\271\330_f\257\202&\271\330_f\257\202&\271\330_f\257\202&\271\330_f\257\202&\271\330_f\257\202&\271\330_f\257sI\32\336X\37\232\7Q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01808  1308   NtRegisterThreadTerminatePort  ... ) == 0x0
 01810   868   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01811  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75542, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0d\6\0\0\214\6\0\0" ...  ...
 01812  1308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01811  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75543, 0}  ... {28, 56, reply, 0, 1636, 1736, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0d\6\0\0\214\6\0\0" )  ) == 0x0
 01812  1308   NtDuplicateObject  ... 536, ) == 0x0
 01813  1736   NtResumeThread  (532, ...
 01814  1308   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01813  1736   NtResumeThread  ... 1, ) == 0x0
 01814  1308   NtWaitForSingleObject  ... ) == 0x102
 01815  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01816  1308   NtWaitForSingleObject  (140, 0, 0x0, ...
 01810   868   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01817  1676   NtTestAlert  (...
 01815  1736   NtAllocateVirtualMemory  ... 62717952, 1048576, ) == 0x0
 01818   868   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01817  1676   NtTestAlert  ... ) == 0x0
 01819  1736   NtAllocateVirtualMemory  (-1, 63758336, 0, 8192, 4096, 4, ...
 01818   868   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01820  1676   NtContinue  (62717232, 1, ...
 01819  1736   NtAllocateVirtualMemory  ... 63758336, 8192, ) == 0x0
 01821   868   NtQuerySystemInformation  (Performance, 312, ...
 01822  1676   NtRegisterThreadTerminatePort  (24, ...
 01823  1736   NtProtectVirtualMemory  (-1, (0x3cce000), 4096, 260, ...
 01821   868   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01822  1676   NtRegisterThreadTerminatePort  ... ) == 0x0
 01823  1736   NtProtectVirtualMemory  ... (0x3cce000), 4096, 4, ) == 0x0
 01824   868   NtQuerySystemInformation  (Exception, 16, ...
 01825  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01826  1676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01824   868   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01826  1676   NtDuplicateObject  ... 540, ) == 0x0
 01827   868   NtQuerySystemInformation  (Lookaside, 32, ...
 01828  1676   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01827   868   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01828  1676   NtWaitForSingleObject  ... ) == 0x102
 01829   868   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01830  1676   NtWaitForSingleObject  (140, 0, 0x0, ...
 01829   868   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01825  1736   NtCreateThread  ... 544, {1636, 1376}, ) == 0x0
 01831   868   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01832  1736   NtQueryInformationThread  (544, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1636,Tid=1376,}, 0x0, ) == 0x0
 01833  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75543, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75544, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0d\6\0\0`\5\0\0" )  ) == 0x0
 01834  1736   NtResumeThread  (544, ... 1, ) == 0x0
 01835  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 63766528, 1048576, ) == 0x0
 01836  1736   NtAllocateVirtualMemory  (-1, 64806912, 0, 8192, 4096, 4, ... 64806912, 8192, ) == 0x0
 01831   868   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01837  1376   NtTestAlert  (...
 01838   868   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01837  1376   NtTestAlert  ... ) == 0x0
 01838   868   NtCreateKey  ... -2147482564, 2, ) == 0x0
 01839  1376   NtContinue  (63765808, 1, ...
 01840   868   NtSetValueKey  (-2147482564,  (-2147482564, "Seed", 0, 3, "\355\310\203\310\366B\350w\16\2228J\363\301;EG\13\255\357\262\206z_^\253\2\370\15v\274\325\251\247\312\254{\316z\370\274\317\215\210\210\2443\272\213\12\325u\245\11\35\333\200\365]\240\364b\244\270\262\301\351\227{\14\30w\315\0\340\35\22\215K\335", 80, ... , 0, 3,  (-2147482564, "Seed", 0, 3, "\355\310\203\310\366B\350w\16\2228J\363\301;EG\13\255\357\262\206z_^\253\2\370\15v\274\325\251\247\312\254{\316z\370\274\317\215\210\210\2443\272\213\12\325u\245\11\35\333\200\365]\240\364b\244\270\262\301\351\227{\14\30w\315\0\340\35\22\215K\335", 80, ... , 80, ...
 01841  1376   NtRegisterThreadTerminatePort  (24, ...
 01840   868   NtSetValueKey  ... ) == 0x0
 01841  1376   NtRegisterThreadTerminatePort  ... ) == 0x0
 01842   868   NtClose  (-2147482564, ...
 01843  1736   NtProtectVirtualMemory  (-1, (0x3dce000), 4096, 260, ...
 01844  1376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01843  1736   NtProtectVirtualMemory  ... (0x3dce000), 4096, 4, ) == 0x0
 01844  1376   NtDuplicateObject  ... 548, ) == 0x0
 01845  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01846  1376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01845  1736   NtCreateThread  ... 552, {1636, 1436}, ) == 0x0
 01846  1376   NtWaitForSingleObject  ... ) == 0x102
 01847  1736   NtQueryInformationThread  (552, Basic, 28, ...
 01848  1376   NtWaitForSingleObject  (140, 0, 0x0, ...
 01847  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1636,Tid=1436,}, 0x0, ) == 0x0
 01842   868   NtClose  ... ) == 0x0
 01809   868   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\1\362\361\3562\333+\303\360\251\320\76\315 %i\262\201\252\22!\250?\311\321\332H\255Y\350Fv\364F\324\2721s\25Scp\203\353\222\3069\234\32E\316\177\330E\5]{[\21\355\30\217\211`\362\370\207\2413h\3012\251\327.\225,\0\244\11\330\330s\2739f|MA \332\337\376\313>m\347\375V\11\246\226X\371\357\224W?\370\226\37\305\336\30=\240\25\21\357\272p\360\300\331\253\223\272+9\312\273/\177\203<\273cy\204\214l\277\201K\354A\320\217\307\26\12\246\265\10I?\347\324\253\11\351_\374h\0\322/;R\312\253)a\30\253\13\301\2\233\240Z[l\0t(D-\33\337H'\334]^\374P\227\334(S\13\366\10\247\330C\2468\361\5\0\16\315\263\361Lu}=\22u>C\2138a\333#\205\37\203\213\210\272\204Q\32\215g+d\215\232C\360MXM\373\260\22\0\327", ) , ) == 0x0
 01849   868   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 556, ) == 0x0
 01850   868   NtSetEventBoostPriority  (464, ...
 01635  1356   NtWaitForSingleObject  ... ) == 0x0
 01851  1356   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 01850   868   NtSetEventBoostPriority  ... ) == 0x0
 01852  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75544, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0d\6\0\0\234\5\0\0" ...  ...
 01853  1356   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ...
 01852  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75545, 0}  ... {28, 56, reply, 0, 1636, 1736, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0d\6\0\0\234\5\0\0" )  ) == 0x0
 01853  1356   NtAllocateVirtualMemory  ... 1396736, 4096, ) == 0x0
 01854   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 01855  1356   NtSetEventBoostPriority  (260, ...
 01854   868   NtWaitForSingleObject  ... ) == 0x0
 01856   868   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12119404, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12119404, 188, ...
 01855  1356   NtSetEventBoostPriority  ... ) == 0x0
 01857  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 560, ) == 0x0
 01856   868   NtConnectPort  ... 564, 0x0, 0x0, 0x0, 188, ) == 0x0
 01858  1736   NtResumeThread  (552, ...
 01859  1356   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11072120, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11072120, 188, ...
 01858  1736   NtResumeThread  ... 1, ) == 0x0
 01860  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 64815104, 1048576, ) == 0x0
 01861  1736   NtAllocateVirtualMemory  (-1, 65855488, 0, 8192, 4096, 4, ... 65855488, 8192, ) == 0x0
 01862  1736   NtProtectVirtualMemory  (-1, (0x3ece000), 4096, 260, ... (0x3ece000), 4096, 4, ) == 0x0
 01863  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 568, {1636, 724}, ) == 0x0
 01864  1736   NtQueryInformationThread  (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1636,Tid=724,}, 0x0, ) == 0x0
 01865   868   NtRequestWaitReplyPort  (564, {200, 224, new_msg, 0, 1384480, 12, 2, 1310721}  (564, {200, 224, new_msg, 0, 1384480, 12, 2, 1310721} "\0\3\24\0\274\0\0\0\34C\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0o\10\330\13\361\236\237j\340Q\25\0`\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\08>\25\0\300\246]CH\3\24\0\330Q\25\0h\1\24\0\0\0\0\0\0\0\0\0\330Q\25\0P\0\0\0\340Q\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\270\0\372\31\221|\200\363\270\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01866  1436   NtTestAlert  (...
 01859  1356   NtConnectPort  ... 572, 0x0, 0x0, 0x0, 188, ) == 0x0
 01866  1436   NtTestAlert  ... ) == 0x0
 01867  1356   NtRequestWaitReplyPort  (572, {200, 224, new_msg, 0, 2883626, 1356856, 12, 2}  (572, {200, 224, new_msg, 0, 2883626, 1356856, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\230@\24\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\215\353%TH\272\3\336 U\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\370T\25\0\241\313S\345x\1\24\0\30U\25\0h\1\24\0\0\0\0\0\0\0\0\0\30U\25\0P\0\0\0 U\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\250\0\372\31\221|\214\370\250\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...  ...
 01865   868   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 868, 75548, 0}  ... {200, 224, reply, 0, 1636, 868, 75548, 0} "\7\3\24\0\274\0\0\0\34C\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0o\10\330\13\361\236\237j\340Q\25\0`\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\08>\25\0\300\246]CH\3\24\0\330Q\25\0h\1\24\0\0\0\0\0\0\0\0\0\330Q\25\0P\0\0\0\340Q\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\270\0\372\31\221|\200\363\270\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01868  1436   NtContinue  (64814384, 1, ...
 01869   868   NtRequestWaitReplyPort  (564, {44, 68, new_msg, 0, 1636, 868, 75529, 0}  (564, {44, 68, new_msg, 0, 1636, 868, 75529, 0} "\1\332\0\0A\2\4\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200\377\377\377\377t\333\243\201\0\0\0\0\0\0\0\0\1\0\0\0" ...  ...
 01870  1436   NtRegisterThreadTerminatePort  (24, ...
 01867  1356   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1356, 75549, 0}  ... {200, 224, reply, 0, 1636, 1356, 75549, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\230@\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\215\353%TH\272\3\336 U\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\370T\25\0\241\313S\345x\1\24\0\30U\25\0h\1\24\0\0\0\0\0\0\0\0\0\30U\25\0P\0\0\0 U\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\250\0\372\31\221|\214\370\250\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 01870  1436   NtRegisterThreadTerminatePort  ... ) == 0x0
 01871  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75545, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0d\6\0\0\324\2\0\0" ...  ...
 01869   868   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 868, 75550, 0}  ... {40, 64, reply, 0, 1636, 868, 75550, 0} "\2\332\243\201\4\0\0\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200X\373`\371t\333\243\201\320\1\0\0X-\12\0" )  ) == 0x0
 01872  1356   NtRequestWaitReplyPort  (572, {44, 68, new_msg, 56, 0, 0, 0, 0}  (572, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\200V\25\0\322\0\0\0" ...  ...
 01871  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75551, 0}  ... {28, 56, reply, 0, 1636, 1736, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0d\6\0\0\324\2\0\0" )  ) == 0x0
 01873  1436   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01874  1736   NtResumeThread  (568, ...
 01873  1436   NtDuplicateObject  ... 576, ) == 0x0
 01872  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75552, 0}  ... {40, 64, reply, 0, 1636, 1356, 75552, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" )  ) == 0x0
 01874  1736   NtResumeThread  ... 1, ) == 0x0
 01875  1436   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01876  1356   NtRequestWaitReplyPort  (572, {64, 88, new_msg, 56, 1310720, 11071988, 1398392, 0}  (572, {64, 88, new_msg, 56, 1310720, 11071988, 1398392, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0([\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01877  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01878   868   NtRequestWaitReplyPort  (564, {64, 88, new_msg, 56, 1374552, 12119916, 12120016, 0}  (564, {64, 88, new_msg, 56, 1374552, 12119916, 12120016, 0} "\10\357\270\0@\0\24\0\346\277\347w\320\357\270\0l\357\270\0\20\0\0\0\250.\362v\314\371\24\0\1\0\0\0\10]\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\200\360\24\0" ...  ...
 01879   724   NtAllocateVirtualMemory  (-1, 8871936, 0, 4096, 4096, 4, ...
 01876  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75553, 0}  ... {64, 88, reply, 56, 1636, 1356, 75553, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0([\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01875  1436   NtWaitForSingleObject  ... ) == 0x102
 01879   724   NtAllocateVirtualMemory  ... 8871936, 4096, ) == 0x0
 01878   868   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 868, 75554, 0}  ... {64, 88, reply, 56, 1636, 868, 75554, 0} "\10\357\270\0@\0\24\0\346\277\347w\320\357\270\0l\357\270\0\20\0\0\0\250.\362v\314\371\24\0\1\0\0\0\10]\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\200\360\24\0" )  ) == 0x0
 01877  1736   NtAllocateVirtualMemory  ... 65863680, 1048576, ) == 0x0
 01880  1436   NtWaitForSingleObject  (140, 0, 0x0, ...
 01881  1356   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ...
 01882   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 01883  1736   NtAllocateVirtualMemory  (-1, 66904064, 0, 8192, 4096, 4, ...
 01881  1356   NtAllocateVirtualMemory  ... 1400832, 4096, ) == 0x0
 01883  1736   NtAllocateVirtualMemory  ... 66904064, 8192, ) == 0x0
 01884  1356   NtSetEventBoostPriority  (260, ...
 01885  1736   NtProtectVirtualMemory  (-1, (0x3fce000), 4096, 260, ...
 01882   868   NtWaitForSingleObject  ... ) == 0x0
 01884  1356   NtSetEventBoostPriority  ... ) == 0x0
 01886   868   NtWaitForSingleObject  (304, 0, 0x0, ...
 01885  1736   NtProtectVirtualMemory  ... (0x3fce000), 4096, 4, ) == 0x0
 01887  1356   NtSetEventBoostPriority  (304, ...
 01888  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01886   868   NtWaitForSingleObject  ... ) == 0x0
 01887  1356   NtSetEventBoostPriority  ... ) == 0x0
 01889   724   NtTestAlert  (...
 01890   868   NtClose  (556, ...
 01888  1736   NtCreateThread  ... 580, {1636, 1276}, ) == 0x0
 01890   868   NtClose  ... ) == 0x0
 01889   724   NtTestAlert  ... ) == 0x0
 01891  1736   NtQueryInformationThread  (580, Basic, 28, ...
 01892  1356   NtRequestWaitReplyPort  (572, {44, 68, new_msg, 56, 1636, 1356, 75552, 0}  (572, {44, 68, new_msg, 56, 1636, 1356, 75552, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\200V\25\0\322\0\0\0" ...  ...
 01893   724   NtContinue  (65862960, 1, ...
 01891  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1636,Tid=1276,}, 0x0, ) == 0x0
 01894   724   NtRegisterThreadTerminatePort  (24, ...
 01892  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75555, 0}  ... {40, 64, reply, 0, 1636, 1356, 75555, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\351\1\0\0\350\232\14\0" )  ) == 0x0
 01895   868   NtClose  (564, ...
 01894   724   NtRegisterThreadTerminatePort  ... ) == 0x0
 01896  1356   NtRequestWaitReplyPort  (572, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0}  (572, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\350k\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01895   868   NtClose  ... ) == 0x0
 01897   724   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01898   868   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 01899  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75551, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0d\6\0\0\374\4\0\0" ...  ...
 01896  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75557, 0}  ... {64, 88, reply, 56, 1636, 1356, 75557, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\350k\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01898   868   NtCreateKey  ... 564, 2, ) == 0x0
 01899  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75558, 0}  ... {28, 56, reply, 0, 1636, 1736, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0d\6\0\0\374\4\0\0" )  ) == 0x0
 01897   724   NtDuplicateObject  ... 556, ) == 0x0
 01900   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01901  1736   NtResumeThread  (580, ...
 01902   724   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01900   868   NtOpenKey  ... 584, ) == 0x0
 01901  1736   NtResumeThread  ... 1, ) == 0x0
 01902   724   NtWaitForSingleObject  ... ) == 0x102
 01903  1356   NtRequestWaitReplyPort  (572, {44, 68, new_msg, 56, 1636, 1356, 75555, 0}  (572, {44, 68, new_msg, 56, 1636, 1356, 75555, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\200V\25\0\322\0\0\0" ...  ...
 01904  1276   NtTestAlert  (...
 01905  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01906   724   NtWaitForSingleObject  (140, 0, 0x0, ...
 01904  1276   NtTestAlert  ... ) == 0x0
 01903  1356   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1636, 1356, 75559, 0}  ... {40, 64, reply, 0, 1636, 1356, 75559, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" )  ) == 0x0
 01907   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01908  1276   NtContinue  (66911536, 1, ...
 01909  1356   NtRequestWaitReplyPort  (572, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0}  (572, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\330I\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 01907   868   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01910  1276   NtRegisterThreadTerminatePort  (24, ...
 01911   868   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ...
 01910  1276   NtRegisterThreadTerminatePort  ... ) == 0x0
 01909  1356   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1636, 1356, 75560, 0}  ... {64, 88, reply, 56, 1636, 1356, 75560, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\330I\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 01911   868   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01905  1736   NtAllocateVirtualMemory  ... 66912256, 1048576, ) == 0x0
 01912  1276   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01913   868   NtQueryValueKey  (564,  (564, "Domain", Partial, 144, ... , Partial, 144, ...
 01914  1736   NtAllocateVirtualMemory  (-1, 67952640, 0, 8192, 4096, 4, ...
 01912  1276   NtDuplicateObject  ... 588, ) == 0x0
 01913   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01914  1736   NtAllocateVirtualMemory  ... 67952640, 8192, ) == 0x0
 01915  1276   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01916  1356   NtClose  (560, ...
 01917  1736   NtProtectVirtualMemory  (-1, (0x40ce000), 4096, 260, ...
 01915  1276   NtWaitForSingleObject  ... ) == 0x102
 01916  1356   NtClose  ... ) == 0x0
 01917  1736   NtProtectVirtualMemory  ... (0x40ce000), 4096, 4, ) == 0x0
 01918  1276   NtWaitForSingleObject  (140, 0, 0x0, ...
 01919  1356   NtClose  (572, ...
 01920  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01921   868   NtQueryValueKey  (564,  (564, "Domain", Partial, 144, ... , Partial, 144, ...
 01919  1356   NtClose  ... ) == 0x0
 01921   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01922  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01923   868   NtClose  (564, ...
 01922  1356   NtCreateEvent  ... 572, ) == 0x0
 01923   868   NtClose  ... ) == 0x0
 01920  1736   NtCreateThread  ... 564, {1636, 1368}, ) == 0x0
 01924   868   NtClose  (584, ...
 01925  1736   NtQueryInformationThread  (564, Basic, 28, ...
 01924   868   NtClose  ... ) == 0x0
 01925  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1636,Tid=1368,}, 0x0, ) == 0x0
 01926  1356   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ...
 01927   868   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 01926  1356   NtOpenKey  ... 584, ) == 0x0
 01927   868   NtOpenKey  ... 560, ) == 0x0
 01928  1356   NtOpenKey  (0x20019, {24, 584, 0x40, 0, 0,  (0x20019, {24, 584, 0x40, 0, 0, "ActiveComputerName"}, ... }, ...
 01929   868   NtQueryValueKey  (560,  (560, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 01928  1356   NtOpenKey  ... 592, ) == 0x0
 01929   868   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01930  1356   NtQueryValueKey  (592,  (592, "ComputerName", Full, 108, ... , Full, 108, ...
 01931   868   NtClose  (560, ...
 01930  1356   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01931   868   NtClose  ... ) == 0x0
 01932  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75558, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0X\5\0\0" ...  ...
 01933  1356   NtClose  (592, ...
 01932  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75562, 0}  ... {28, 56, reply, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0X\5\0\0" )  ) == 0x0
 01933  1356   NtClose  ... ) == 0x0
 01934  1736   NtResumeThread  (564, ...
 01935  1356   NtClose  (584, ...
 01934  1736   NtResumeThread  ... 1, ) == 0x0
 01935  1356   NtClose  ... ) == 0x0
 01936  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01937  1356   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ...
 01938   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12118992, ... }, 12118992, ...
 01939  1368   NtWaitForSingleObject  (88, 0, 0x0, ...
 01937  1356   NtCreateIoCompletion  ... 584, ) == 0x0
 01938   868   NtQueryAttributesFile  ... ) == 0x0
 01936  1736   NtAllocateVirtualMemory  ... 67960832, 1048576, ) == 0x0
 01940   868   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 01941  1736   NtAllocateVirtualMemory  (-1, 69001216, 0, 8192, 4096, 4, ...
 01940   868   NtOpenFile  ... 592, {status=0x0, info=1}, ) == 0x0
 01941  1736   NtAllocateVirtualMemory  ... 69001216, 8192, ) == 0x0
 01942   868   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 592, ...
 01943  1736   NtProtectVirtualMemory  (-1, (0x41ce000), 4096, 260, ...
 01942   868   NtCreateSection  ... 560, ) == 0x0
 01943  1736   NtProtectVirtualMemory  ... (0x41ce000), 4096, 4, ) == 0x0
 01944  1356   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ...
 01945  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01944  1356   NtCreateIoCompletion  ... 596, ) == 0x0
 01946   868   NtClose  (592, ...
 01947  1356   NtDuplicateObject  (-1, 584, -1, 0x0, 0, 2, ...
 01946   868   NtClose  ... ) == 0x0
 01947  1356   NtDuplicateObject  ... 592, ) == 0x0
 01948   868   NtMapViewOfSection  (560, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 01949  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01948   868   NtMapViewOfSection  ... (0x860000), 0x0, 20480, ) == 0x0
 01949  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01950   868   NtClose  (560, ...
 01945  1736   NtCreateThread  ... 600, {1636, 704}, ) == 0x0
 01950   868   NtClose  ... ) == 0x0
 01951  1736   NtQueryInformationThread  (600, Basic, 28, ...
 01952  1356   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01951  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1636,Tid=704,}, 0x0, ) == 0x0
 01952  1356   NtCreateEvent  ... 560, ) == 0x0
 01953  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0\300\2\0\0" ...  ...
 01954  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01953  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75563, 0}  ... {28, 56, reply, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0d\6\0\0\300\2\0\0" )  ) == 0x0
 01954  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01955  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01956  1356   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11071680,  (0xc0100080, {24, 0, 0x40, 0, 11071680, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 604, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 604, {status=0x0, info=1}, ) == 0x0
 01957  1356   NtSetInformationFile  (604, 11071736, 8, Pipe, ...
 01958  1736   NtResumeThread  (600, ...
 01959   868   NtUnmapViewOfSection  (-1, 0x860000, ...
 01958  1736   NtResumeThread  ... 1, ) == 0x0
 01959   868   NtUnmapViewOfSection  ... ) == 0x0
 01960  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01961   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12119300, ... }, 12119300, ...
 01960  1736   NtAllocateVirtualMemory  ... 69009408, 1048576, ) == 0x0
 01961   868   NtQueryAttributesFile  ... ) == 0x0
 01962  1736   NtAllocateVirtualMemory  (-1, 70049792, 0, 8192, 4096, 4, ...
 01957  1356   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 01963   704   NtWaitForSingleObject  (88, 0, 0x0, ...
 01962  1736   NtAllocateVirtualMemory  ... 70049792, 8192, ) == 0x0
 01964  1356   NtSetInformationFile  (604, 11071724, 8, Completion, ...
 01965   868   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 01964  1356   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 01965   868   NtOpenFile  ... 608, {status=0x0, info=1}, ) == 0x0
 01966  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01967   868   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 608, ...
 01966  1356   NtSetInformationThread  ... ) == 0x0
 01967   868   NtCreateSection  ... 612, ) == 0x0
 01968  1356   NtWriteFile  (604, 241, 0, 0,  (604, 241, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 01969   868   NtQuerySection  (612, Image, 48, ...
 01970  1736   NtProtectVirtualMemory  (-1, (0x42ce000), 4096, 260, ...
 01969   868   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01970  1736   NtProtectVirtualMemory  ... (0x42ce000), 4096, 4, ) == 0x0
 01968  1356   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 01971  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01972  1356   NtReadFile  (604, 241, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (604, 241, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01973  1356   NtFsControlFile  (604, 241, 0x0, 0x0, 0x11c017,  (604, 241, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\250\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (604, 241, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\250\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01974  1356   NtFsControlFile  (604, 241, 0x0, 0x0, 0x11c017,  (604, 241, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\1\0\0\0\1\0\0\0&\0(\0\270o\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) , 136, 1024, ... {status=0x103, info=48},  (604, 241, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\1\0\0\0\1\0\0\0&\0(\0\270o\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) , ) == 0x103
 01975  1356   NtFsControlFile  (604, 241, 0x0, 0x0, 0x11c017,  (604, 241, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0`K\25\0\1\0\0\0lK\25\0 \0\0\0\1\0\0\0\30\0\32\0xK\25\0\224K\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0(j\25\0\1\0\0\0\5\0\15\08j\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=156},  (604, 241, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0`K\25\0\1\0\0\0lK\25\0 \0\0\0\1\0\0\0\30\0\32\0xK\25\0\224K\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0(j\25\0\1\0\0\0\5\0\15\08j\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01976  1356   NtClose  (560, ... ) == 0x0
 01977  1356   NtClose  (604, ... ) == 0x0
 01978  1356   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1384480, 0x0, 11073604, 188, ... , {12, 2, 1, 1}, 0x0, 1384480, 0x0, 11073604, 188, ...
 01979   868   NtClose  (608, ... ) == 0x0
 01980   868   NtMapViewOfSection  (612, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 32768, ) == 0x0
 01981   868   NtClose  (612, ... ) == 0x0
 01971  1736   NtCreateThread  ... 612, {1636, 1568}, ) == 0x0
 01978  1356   NtSecureConnectPort  ... 608, 0x0, 0x0, 0x0, 188, ) == 0x0
 01982   868   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 01983  1736   NtQueryInformationThread  (612, Basic, 28, ...
 01984  1356   NtOpenThreadToken  (-2, 0xc, 1, ...
 01982   868   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 01983  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1636,Tid=1568,}, 0x0, ) == 0x0
 01984  1356   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01985   868   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 01986  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0 \6\0\0" ...  ...
 01987  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01985   868   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 01986  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75565, 0}  ... {28, 56, reply, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0 \6\0\0" )  ) == 0x0
 01987  1356   NtSetInformationThread  ... ) == 0x0
 01988   868   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 01989  1356   NtRequestWaitReplyPort  (608, {200, 224, new_msg, 0, 1356856, 12, 2, 1310977}  (608, {200, 224, new_msg, 0, 1356856, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\03a\224M(\374o\362\3402N\353\366\365?\34\12\0\0\0}(\262\367;DK]\0\0\0\0\370_\25\0A\221\235\26\255\262p\24(\0\0\0\263\254\0\251\0\0\24\0\240\366\250\0\343.\46\0\0\0\0 U\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01988   868   NtFlushInstructionCache  ... ) == 0x0
 01990  1736   NtResumeThread  (612, ...
 01991   868   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 01990  1736   NtResumeThread  ... 1, ) == 0x0
 01991   868   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 01992  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01993   868   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 01992  1736   NtAllocateVirtualMemory  ... 70057984, 1048576, ) == 0x0
 01993   868   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 01994  1736   NtAllocateVirtualMemory  (-1, 71098368, 0, 8192, 4096, 4, ...
 01989  1356   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 1356, 75566, 0}  ... {200, 224, reply, 0, 1636, 1356, 75566, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\03a\224M(\374o\362\3402N\353\366\365?\34\12\0\0\0}(\262\367;DK]\0\0\0\0\370_\25\0A\221\235\26\255\262p\24(\0\0\0\263\254\0\251\0\0\24\0\240\366\250\0\343.\46\0\0\0\0 U\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01995  1568   NtWaitForSingleObject  (88, 0, 0x0, ...
 01994  1736   NtAllocateVirtualMemory  ... 71098368, 8192, ) == 0x0
 01996  1356   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 01997   868   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 01996  1356   NtSetInformationThread  ... ) == 0x0
 01997   868   NtFlushInstructionCache  ... ) == 0x0
 01998  1356   NtRequestWaitReplyPort  (608, {56, 80, new_msg, 0, 44, 3, 20, 0}  (608, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0b\363\222I\243j\304#\242z\321\340\1\0\0\0\0\0\0\0&\0(\0\250\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 01999   868   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 604, ) }, ... 604, ) == 0x0
 02000   868   NtMapViewOfSection  (604, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 02001  1736   NtProtectVirtualMemory  (-1, (0x43ce000), 4096, 260, ... (0x43ce000), 4096, 4, ) == 0x0
 02002  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 560, {1636, 1104}, ) == 0x0
 02003  1736   NtQueryInformationThread  (560, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1636,Tid=1104,}, 0x0, ) == 0x0
 02004  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0d\6\0\0P\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0d\6\0\0P\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75568, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0d\6\0\0P\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0d\6\0\0P\4\0\0" )  ) == 0x0
 02005  1736   NtResumeThread  (560, ... 1, ) == 0x0
 02006  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02007   868   NtClose  (604, ...
 02008  1104   NtWaitForSingleObject  (88, 0, 0x0, ...
 02007   868   NtClose  ... ) == 0x0
 02009   868   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02010   868   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 02011   868   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 02012   868   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02013   868   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 02006  1736   NtAllocateVirtualMemory  ... 71106560, 1048576, ) == 0x0
 02014  1736   NtAllocateVirtualMemory  (-1, 72146944, 0, 8192, 4096, 4, ... 72146944, 8192, ) == 0x0
 02015  1736   NtProtectVirtualMemory  (-1, (0x44ce000), 4096, 260, ... (0x44ce000), 4096, 4, ) == 0x0
 02016  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {1636, 784}, ) == 0x0
 02017  1736   NtQueryInformationThread  (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1636,Tid=784,}, 0x0, ) == 0x0
 02018  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\20\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\20\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75569, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\20\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\20\3\0\0" )  ) == 0x0
 02019   868   NtFlushInstructionCache  (-1, 1995837440, 228, ...
 01998  1356   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 1636, 1356, 75567, 0}  ... {44, 68, reply, 0, 1636, 1356, 75567, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02019   868   NtFlushInstructionCache  ... ) == 0x0
 02020  1356   NtRaiseException  (11074064, 11073324, 1, ...
 02021   868   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02022  1356   NtQueryVirtualMemory  (-1, 0x77ea0470, BasicVlm, 16, ...
 02021   868   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02022  1356   NtQueryVirtualMemory  ... {memory info, class 3, size 16}, 0x0, ) == 0x0
 02023   868   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02024  1356   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ...
 02023   868   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02024  1356   NtQueryVirtualMemory  ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02025  1736   NtResumeThread  (604, ...
 02026   868   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02025  1736   NtResumeThread  ... 1, ) == 0x0
 02026   868   NtFlushInstructionCache  ... ) == 0x0
 02027  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02028   868   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... }, ...
 02027  1736   NtAllocateVirtualMemory  ... 72155136, 1048576, ) == 0x0
 02028   868   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02029  1736   NtAllocateVirtualMemory  (-1, 73195520, 0, 8192, 4096, 4, ...
 02030   868   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02029  1736   NtAllocateVirtualMemory  ... 73195520, 8192, ) == 0x0
 02030   868   NtCreateEvent  ... 616, ) == 0x0
 02031  1356   NtContinue  (11072292, 0, ...
 02032   784   NtWaitForSingleObject  (88, 0, 0x0, ...
 02033  1736   NtProtectVirtualMemory  (-1, (0x45ce000), 4096, 260, ... (0x45ce000), 4096, 4, ) == 0x0
 02034  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02035  1356   NtDeviceIoControlFile  (424, 112, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... {status=0x0, info=0}, "", ) == 0x103
 02036  1356   NtWaitForSingleObject  (112, 1, {-5000000, -1}, ...
 02034  1736   NtCreateThread  ... 620, {1636, 1792}, ) == 0x0
 02037  1736   NtQueryInformationThread  (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1636,Tid=1792,}, 0x0, ) == 0x0
 02038  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0\0\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75570, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0\0\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0d\6\0\0\0\7\0\0" )  ) == 0x0
 02039   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 624, ) }, ... 624, ) == 0x0
 02040   868   NtQueryValueKey  (624,  (624, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (624, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02041   868   NtClose  (624, ... ) == 0x0
 02042   868   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02043   868   NtQueryPerformanceCounter  (... {1108493743, 16}, {3579545, 0}, ) == 0x0
 02044  1736   NtResumeThread  (620, ... 1, ) == 0x0
 02045  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 73203712, 1048576, ) == 0x0
 02046  1736   NtAllocateVirtualMemory  (-1, 74244096, 0, 8192, 4096, 4, ... 74244096, 8192, ) == 0x0
 02047  1736   NtProtectVirtualMemory  (-1, (0x46ce000), 4096, 260, ... (0x46ce000), 4096, 4, ) == 0x0
 02048  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 624, {1636, 192}, ) == 0x0
 02049  1736   NtQueryInformationThread  (624, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1636,Tid=192,}, 0x0, ) == 0x0
 02050   868   NtSetEventBoostPriority  (88, ...
 02051  1792   NtWaitForSingleObject  (88, 0, 0x0, ...
 01939  1368   NtWaitForSingleObject  ... ) == 0x0
 02050   868   NtSetEventBoostPriority  ... ) == 0x0
 02052  1368   NtSetEventBoostPriority  (88, ...
 01963   704   NtWaitForSingleObject  ... ) == 0x0
 02053   704   NtSetEventBoostPriority  (88, ...
 01995  1568   NtWaitForSingleObject  ... ) == 0x0
 02054  1568   NtSetEventBoostPriority  (88, ...
 02008  1104   NtWaitForSingleObject  ... ) == 0x0
 02055  1104   NtSetEventBoostPriority  (88, ...
 02032   784   NtWaitForSingleObject  ... ) == 0x0
 02056   784   NtSetEventBoostPriority  (88, ...
 02051  1792   NtWaitForSingleObject  ... ) == 0x0
 02057  1792   NtTestAlert  (... ) == 0x0
 02056   784   NtSetEventBoostPriority  ... ) == 0x0
 02055  1104   NtSetEventBoostPriority  ... ) == 0x0
 02054  1568   NtSetEventBoostPriority  ... ) == 0x0
 02053   704   NtSetEventBoostPriority  ... ) == 0x0
 02052  1368   NtSetEventBoostPriority  ... ) == 0x0
 02058   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12118992, ... }, 12118992, ...
 02059  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0d\6\0\0\300\0\0\0" ...  ...
 02060  1792   NtContinue  (73202992, 1, ...
 02061   784   NtTestAlert  (...
 02062  1104   NtTestAlert  (...
 02063  1568   NtTestAlert  (...
 02064   704   NtTestAlert  (...
 02058   868   NtQueryAttributesFile  ... ) == 0x0
 02059  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75571, 0}  ... {28, 56, reply, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0d\6\0\0\300\0\0\0" )  ) == 0x0
 02065  1792   NtRegisterThreadTerminatePort  (24, ...
 02061   784   NtTestAlert  ... ) == 0x0
 02062  1104   NtTestAlert  ... ) == 0x0
 02063  1568   NtTestAlert  ... ) == 0x0
 02064   704   NtTestAlert  ... ) == 0x0
 02066   868   NtQuerySystemInformation  (Basic, 44, ...
 02067  1736   NtResumeThread  (624, ...
 02065  1792   NtRegisterThreadTerminatePort  ... ) == 0x0
 02068   784   NtContinue  (72154416, 1, ...
 02069  1104   NtContinue  (71105840, 1, ...
 02070  1568   NtContinue  (70057264, 1, ...
 02071   704   NtContinue  (69008688, 1, ...
 02066   868   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02067  1736   NtResumeThread  ... 1, ) == 0x0
 02072  1792   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02073   784   NtRegisterThreadTerminatePort  (24, ...
 02074  1104   NtRegisterThreadTerminatePort  (24, ...
 02075  1568   NtRegisterThreadTerminatePort  (24, ...
 02076   704   NtRegisterThreadTerminatePort  (24, ...
 02077  1368   NtTestAlert  (...
 02078   192   NtTestAlert  (...
 02079  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02072  1792   NtDuplicateObject  ... 628, ) == 0x0
 02073   784   NtRegisterThreadTerminatePort  ... ) == 0x0
 02074  1104   NtRegisterThreadTerminatePort  ... ) == 0x0
 02075  1568   NtRegisterThreadTerminatePort  ... ) == 0x0
 02076   704   NtRegisterThreadTerminatePort  ... ) == 0x0
 02077  1368   NtTestAlert  ... ) == 0x0
 02078   192   NtTestAlert  ... ) == 0x0
 02080   868   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ...
 02081  1792   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02082   784   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02083  1104   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02084  1568   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02085   704   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02086  1368   NtContinue  (67960112, 1, ...
 02087   192   NtContinue  (74251568, 1, ...
 02080   868   NtAllocateVirtualMemory  ... 8781824, 65536, ) == 0x0
 02079  1736   NtAllocateVirtualMemory  ... 74252288, 1048576, ) == 0x0
 02081  1792   NtWaitForSingleObject  ... ) == 0x102
 02082   784   NtDuplicateObject  ... 632, ) == 0x0
 02083  1104   NtDuplicateObject  ... 636, ) == 0x0
 02084  1568   NtDuplicateObject  ... 640, ) == 0x0
 02088  1368   NtRegisterThreadTerminatePort  (24, ...
 02089   192   NtRegisterThreadTerminatePort  (24, ...
 02090   868   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ...
 02091  1736   NtAllocateVirtualMemory  (-1, 75292672, 0, 8192, 4096, 4, ...
 02092  1792   NtWaitForSingleObject  (140, 0, 0x0, ...
 02093   784   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02094  1104   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ...
 02095  1568   NtWaitForSingleObject  (260, 0, 0x0, ...
 02088  1368   NtRegisterThreadTerminatePort  ... ) == 0x0
 02089   192   NtRegisterThreadTerminatePort  ... ) == 0x0
 02090   868   NtAllocateVirtualMemory  ... 8781824, 4096, ) == 0x0
 02091  1736   NtAllocateVirtualMemory  ... 75292672, 8192, ) == 0x0
 02093   784   NtWaitForSingleObject  ... ) == 0x102
 02094  1104   NtAllocateVirtualMemory  ... 1404928, 4096, ) == 0x0
 02096  1368   NtWaitForSingleObject  (260, 0, 0x0, ...
 02085   704   NtDuplicateObject  ... 644, ) == 0x0
 02097   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 02098  1736   NtProtectVirtualMemory  (-1, (0x47ce000), 4096, 260, ...
 02099   784   NtWaitForSingleObject  (260, 0, 0x0, ...
 02100  1104   NtSetEventBoostPriority  (260, ...
 02101   192   NtWaitForSingleObject  (260, 0, 0x0, ...
 02102   704   NtWaitForSingleObject  (260, 0, 0x0, ...
 02098  1736   NtProtectVirtualMemory  ... (0x47ce000), 4096, 4, ) == 0x0
 02095  1568   NtWaitForSingleObject  ... ) == 0x0
 02100  1104   NtSetEventBoostPriority  ... ) == 0x0
 02103  1568   NtSetEventBoostPriority  (260, ...
 02104  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02097   868   NtWaitForSingleObject  ... ) == 0x0
 02103  1568   NtSetEventBoostPriority  ... ) == 0x0
 02105  1104   NtWaitForSingleObject  (304, 0, 0x0, ...
 02106   868   NtSetEventBoostPriority  (260, ...
 02104  1736   NtCreateThread  ... 648, {1636, 1120}, ) == 0x0
 02107  1568   NtWaitForSingleObject  (260, 0, 0x0, ...
 02099   784   NtWaitForSingleObject  ... ) == 0x0
 02106   868   NtSetEventBoostPriority  ... ) == 0x0
 02108  1736   NtQueryInformationThread  (648, Basic, 28, ...
 02109   784   NtSetEventBoostPriority  (260, ...
 02101   192   NtWaitForSingleObject  ... ) == 0x0
 02110   192   NtSetEventBoostPriority  (260, ...
 02102   704   NtWaitForSingleObject  ... ) == 0x0
 02111   704   NtSetEventBoostPriority  (260, ...
 02096  1368   NtWaitForSingleObject  ... ) == 0x0
 02112  1368   NtSetEventBoostPriority  (260, ...
 02107  1568   NtWaitForSingleObject  ... ) == 0x0
 02113  1568   NtWaitForSingleObject  (304, 0, 0x0, ...
 02111   704   NtSetEventBoostPriority  ... ) == 0x0
 02110   192   NtSetEventBoostPriority  ... ) == 0x0
 02109   784   NtSetEventBoostPriority  ... ) == 0x0
 02108  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1636,Tid=1120,}, 0x0, ) == 0x0
 02112  1368   NtSetEventBoostPriority  ... ) == 0x0
 02114   868   NtSetEventBoostPriority  (304, ...
 02115   192   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02116   704   NtWaitForSingleObject  (304, 0, 0x0, ...
 02117  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0`\4\0\0" ...  ...
 02118  1368   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02105  1104   NtWaitForSingleObject  ... ) == 0x0
 02114   868   NtSetEventBoostPriority  ... ) == 0x0
 02119   784   NtWaitForSingleObject  (140, 0, 0x0, ...
 02117  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75572, 0}  ... {28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0d\6\0\0`\4\0\0" )  ) == 0x0
 02120  1104   NtSetEventBoostPriority  (304, ...
 02118  1368   NtDuplicateObject  ... 652, ) == 0x0
 02121   868   NtAllocateVirtualMemory  (-1, 8785920, 0, 8192, 4096, 4, ...
 02115   192   NtDuplicateObject  ... 656, ) == 0x0
 02113  1568   NtWaitForSingleObject  ... ) == 0x0
 02120  1104   NtSetEventBoostPriority  ... ) == 0x0
 02122  1736   NtResumeThread  (648, ...
 02121   868   NtAllocateVirtualMemory  ... 8785920, 8192, ) == 0x0
 02123   192   NtWaitForSingleObject  (304, 0, 0x0, ...
 02124  1568   NtSetEventBoostPriority  (304, ...
 02125  1104   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02122  1736   NtResumeThread  ... 1, ) == 0x0
 02126   868   NtWaitForSingleObject  (304, 0, 0x0, ...
 02116   704   NtWaitForSingleObject  ... ) == 0x0
 02124  1568   NtSetEventBoostPriority  ... ) == 0x0
 02127  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02128   704   NtSetEventBoostPriority  (304, ...
 02129  1368   NtWaitForSingleObject  (304, 0, 0x0, ...
 02130  1120   NtTestAlert  (...
 02125  1104   NtWaitForSingleObject  ... ) == 0x102
 02123   192   NtWaitForSingleObject  ... ) == 0x0
 02128   704   NtSetEventBoostPriority  ... ) == 0x0
 02127  1736   NtAllocateVirtualMemory  ... 75300864, 1048576, ) == 0x0
 02130  1120   NtTestAlert  ... ) == 0x0
 02131   192   NtSetEventBoostPriority  (304, ...
 02132  1104   NtWaitForSingleObject  (140, 0, 0x0, ...
 02133   704   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02134  1736   NtAllocateVirtualMemory  (-1, 76341248, 0, 8192, 4096, 4, ...
 02126   868   NtWaitForSingleObject  ... ) == 0x0
 02131   192   NtSetEventBoostPriority  ... ) == 0x0
 02135  1120   NtContinue  (75300144, 1, ...
 02136  1568   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02137   868   NtSetEventBoostPriority  (304, ...
 02134  1736   NtAllocateVirtualMemory  ... 76341248, 8192, ) == 0x0
 02133   704   NtWaitForSingleObject  ... ) == 0x102
 02138  1120   NtRegisterThreadTerminatePort  (24, ...
 02129  1368   NtWaitForSingleObject  ... ) == 0x0
 02137   868   NtSetEventBoostPriority  ... ) == 0x0
 02136  1568   NtWaitForSingleObject  ... ) == 0x102
 02139   192   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02140   704   NtWaitForSingleObject  (140, 0, 0x0, ...
 02141  1368   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02138  1120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02142  1736   NtProtectVirtualMemory  (-1, (0x48ce000), 4096, 260, ...
 02143  1568   NtWaitForSingleObject  (140, 0, 0x0, ...
 02139   192   NtWaitForSingleObject  ... ) == 0x102
 02141  1368   NtWaitForSingleObject  ... ) == 0x102
 02144   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 12118992, ... }, 12118992, ...
 02142  1736   NtProtectVirtualMemory  ... (0x48ce000), 4096, 4, ) == 0x0
 02145   192   NtWaitForSingleObject  (140, 0, 0x0, ...
 02146  1120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02144   868   NtQueryAttributesFile  ... ) == 0x0
 02147  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02146  1120   NtDuplicateObject  ... 660, ) == 0x0
 02148   868   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... }, 5, 96, ...
 02147  1736   NtCreateThread  ... 664, {1636, 1612}, ) == 0x0
 02149  1120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02148   868   NtOpenFile  ... 668, {status=0x0, info=1}, ) == 0x0
 02150  1736   NtQueryInformationThread  (664, Basic, 28, ...
 02149  1120   NtWaitForSingleObject  ... ) == 0x102
 02151   868   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 668, ...
 02150  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1636,Tid=1612,}, 0x0, ) == 0x0
 02152  1120   NtWaitForSingleObject  (140, 0, 0x0, ...
 02151   868   NtCreateSection  ... 672, ) == 0x0
 02153  1368   NtWaitForSingleObject  (140, 0, 0x0, ...
 02154  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0L\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0L\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75573, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0L\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0L\6\0\0" )  ) == 0x0
 02155  1736   NtResumeThread  (664, ... 1, ) == 0x0
 02156  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 76349440, 1048576, ) == 0x0
 02157  1736   NtAllocateVirtualMemory  (-1, 77389824, 0, 8192, 4096, 4, ... 77389824, 8192, ) == 0x0
 02158  1736   NtProtectVirtualMemory  (-1, (0x49ce000), 4096, 260, ... (0x49ce000), 4096, 4, ) == 0x0
 02159  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02160   868   NtClose  (668, ...
 02161  1612   NtWaitForSingleObject  (88, 0, 0x0, ...
 02160   868   NtClose  ... ) == 0x0
 02162   868   NtMapViewOfSection  (672, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb90000), 0x0, 110592, ) == 0x0
 02163   868   NtClose  (672, ... ) == 0x0
 02159  1736   NtCreateThread  ... 672, {1636, 1628}, ) == 0x0
 02164  1736   NtQueryInformationThread  (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1636,Tid=1628,}, 0x0, ) == 0x0
 02165  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75574, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0\\6\0\0" )  ) == 0x0
 02166   868   NtUnmapViewOfSection  (-1, 0xb90000, ... ) == 0x0
 02167   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 12119300, ... ) }, 12119300, ... ) == 0x0
 02168   868   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 668, {status=0x0, info=1}, ) }, 5, 96, ... 668, {status=0x0, info=1}, ) == 0x0
 02169   868   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 668, ... 676, ) == 0x0
 02170   868   NtQuerySection  (676, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02171  1736   NtResumeThread  (672, ... 1, ) == 0x0
 02172  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 77398016, 1048576, ) == 0x0
 02173  1736   NtAllocateVirtualMemory  (-1, 78438400, 0, 8192, 4096, 4, ... 78438400, 8192, ) == 0x0
 02174  1736   NtProtectVirtualMemory  (-1, (0x4ace000), 4096, 260, ... (0x4ace000), 4096, 4, ) == 0x0
 02175  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1636, 1316}, ) == 0x0
 02176  1736   NtQueryInformationThread  (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1636,Tid=1316,}, 0x0, ) == 0x0
 02177   868   NtClose  (668, ...
 02178  1628   NtWaitForSingleObject  (88, 0, 0x0, ...
 02177   868   NtClose  ... ) == 0x0
 02179   868   NtMapViewOfSection  (676, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0
 02180   868   NtClose  (676, ... ) == 0x0
 02181   868   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02182  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0$\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0$\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75575, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0$\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0$\5\0\0" )  ) == 0x0
 02183  1736   NtResumeThread  (680, ... 1, ) == 0x0
 02184  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02185   868   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ...
 02186  1316   NtWaitForSingleObject  (88, 0, 0x0, ...
 02185   868   NtProtectVirtualMemory  ... (0x751d1000), 4096, 4, ) == 0x0
 02187   868   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02188   868   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02189   868   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02190   868   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02191   868   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02184  1736   NtAllocateVirtualMemory  ... 78446592, 1048576, ) == 0x0
 02192  1736   NtAllocateVirtualMemory  (-1, 79486976, 0, 8192, 4096, 4, ... 79486976, 8192, ) == 0x0
 02193  1736   NtProtectVirtualMemory  (-1, (0x4bce000), 4096, 260, ... (0x4bce000), 4096, 4, ) == 0x0
 02194  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1636, 644}, ) == 0x0
 02195  1736   NtQueryInformationThread  (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1636,Tid=644,}, 0x0, ) == 0x0
 02196  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\204\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\204\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75576, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\204\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\204\2\0\0" )  ) == 0x0
 02197   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 12118476, ... }, 12118476, ...
 02198  1736   NtResumeThread  (676, ... 1, ) == 0x0
 02199  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 79495168, 1048576, ) == 0x0
 02200  1736   NtAllocateVirtualMemory  (-1, 80535552, 0, 8192, 4096, 4, ... 80535552, 8192, ) == 0x0
 02201   644   NtWaitForSingleObject  (88, 0, 0x0, ...
 02202  1736   NtProtectVirtualMemory  (-1, (0x4cce000), 4096, 260, ... (0x4cce000), 4096, 4, ) == 0x0
 02203  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1636, 1288}, ) == 0x0
 02204  1736   NtQueryInformationThread  (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1636,Tid=1288,}, 0x0, ) == 0x0
 02197   868   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02205   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 12118476, ... ) }, 12118476, ... ) == 0x0
 02206   868   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 684, {status=0x0, info=1}, ) }, 5, 96, ... 684, {status=0x0, info=1}, ) == 0x0
 02207   868   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 684, ... 688, ) == 0x0
 02208   868   NtQuerySection  (688, Image, 48, ...
 02209  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\10\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75577, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0\10\5\0\0" )  ) == 0x0
 02210  1736   NtResumeThread  (668, ... 1, ) == 0x0
 02211  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 80543744, 1048576, ) == 0x0
 02212  1736   NtAllocateVirtualMemory  (-1, 81584128, 0, 8192, 4096, 4, ... 81584128, 8192, ) == 0x0
 02213  1736   NtProtectVirtualMemory  (-1, (0x4dce000), 4096, 260, ... (0x4dce000), 4096, 4, ) == 0x0
 02214  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02208   868   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02215  1288   NtWaitForSingleObject  (88, 0, 0x0, ...
 02216   868   NtClose  (684, ... ) == 0x0
 02217   868   NtMapViewOfSection  (688, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 02218   868   NtClose  (688, ... ) == 0x0
 02219   868   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02220   868   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02221   868   NtFlushInstructionCache  (-1, 2006061056, 1368, ...
 02214  1736   NtCreateThread  ... 688, {1636, 624}, ) == 0x0
 02222  1736   NtQueryInformationThread  (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1636,Tid=624,}, 0x0, ) == 0x0
 02223  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0p\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75578, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0p\2\0\0" )  ) == 0x0
 02224  1736   NtResumeThread  (688, ... 1, ) == 0x0
 02225  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 81592320, 1048576, ) == 0x0
 02226  1736   NtAllocateVirtualMemory  (-1, 82632704, 0, 8192, 4096, 4, ... 82632704, 8192, ) == 0x0
 02221   868   NtFlushInstructionCache  ... ) == 0x0
 02227   624   NtWaitForSingleObject  (88, 0, 0x0, ...
 02228   868   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02229   868   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02230   868   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02231   868   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02232   868   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02233   868   NtFlushInstructionCache  (-1, 2006061056, 1368, ...
 02234  1736   NtProtectVirtualMemory  (-1, (0x4ece000), 4096, 260, ... (0x4ece000), 4096, 4, ) == 0x0
 02235  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1636, 380}, ) == 0x0
 02236  1736   NtQueryInformationThread  (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1636,Tid=380,}, 0x0, ) == 0x0
 02237  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0|\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75579, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0|\1\0\0" )  ) == 0x0
 02238  1736   NtResumeThread  (684, ... 1, ) == 0x0
 02239  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02233   868   NtFlushInstructionCache  ... ) == 0x0
 02240   380   NtWaitForSingleObject  (88, 0, 0x0, ...
 02241   868   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02242   868   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02243   868   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02244   868   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02245   868   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02246   868   NtFlushInstructionCache  (-1, 2006061056, 1368, ...
 02239  1736   NtAllocateVirtualMemory  ... 82640896, 1048576, ) == 0x0
 02247  1736   NtAllocateVirtualMemory  (-1, 83681280, 0, 8192, 4096, 4, ... 83681280, 8192, ) == 0x0
 02248  1736   NtProtectVirtualMemory  (-1, (0x4fce000), 4096, 260, ... (0x4fce000), 4096, 4, ) == 0x0
 02249  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1636, 312}, ) == 0x0
 02250  1736   NtQueryInformationThread  (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1636,Tid=312,}, 0x0, ) == 0x0
 02251  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\08\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\08\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75580, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\08\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\08\1\0\0" )  ) == 0x0
 02246   868   NtFlushInstructionCache  ... ) == 0x0
 02252   868   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 02253   868   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 02254   868   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 02255  1736   NtResumeThread  (692, ... 1, ) == 0x0
 02256  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 83689472, 1048576, ) == 0x0
 02257  1736   NtAllocateVirtualMemory  (-1, 84729856, 0, 8192, 4096, 4, ... 84729856, 8192, ) == 0x0
 02258   312   NtWaitForSingleObject  (88, 0, 0x0, ...
 02259   868   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02260   868   NtQueryDefaultUILanguage  (2090319928, ...
 02261   868   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02262   868   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482564, ) == 0x0
 02263   868   NtQueryInformationToken  (-2147482564, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02264  1736   NtProtectVirtualMemory  (-1, (0x50ce000), 4096, 260, ... (0x50ce000), 4096, 4, ) == 0x0
 02265  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {1636, 1404}, ) == 0x0
 02266  1736   NtQueryInformationThread  (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1636,Tid=1404,}, 0x0, ) == 0x0
 02267  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0|\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75581, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0|\5\0\0" )  ) == 0x0
 02268  1736   NtResumeThread  (696, ... 1, ) == 0x0
 02269  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02270   868   NtClose  (-2147482564, ...
 02271  1404   NtWaitForSingleObject  (88, 0, 0x0, ...
 02270   868   NtClose  ... ) == 0x0
 02272   868   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482564, ) }, ... -2147482564, ) == 0x0
 02273   868   NtOpenKey  (0x80000000, {24, -2147482564, 0x240, 0, 0,  (0x80000000, {24, -2147482564, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02274   868   NtOpenKey  (0x80000000, {24, -2147482564, 0x640, 0, 0,  (0x80000000, {24, -2147482564, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481440, ) }, ... -2147481440, ) == 0x0
 02275   868   NtQueryValueKey  (-2147481440,  (-2147481440, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02276   868   NtClose  (-2147481440, ... ) == 0x0
 02269  1736   NtAllocateVirtualMemory  ... 84738048, 1048576, ) == 0x0
 02277  1736   NtAllocateVirtualMemory  (-1, 85778432, 0, 8192, 4096, 4, ... 85778432, 8192, ) == 0x0
 02278  1736   NtProtectVirtualMemory  (-1, (0x51ce000), 4096, 260, ... (0x51ce000), 4096, 4, ) == 0x0
 02279  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {1636, 476}, ) == 0x0
 02280  1736   NtQueryInformationThread  (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1636,Tid=476,}, 0x0, ) == 0x0
 02281  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\334\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\334\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75582, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\334\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\334\1\0\0" )  ) == 0x0
 02282   868   NtClose  (-2147482564, ... ) == 0x0
 02260   868   NtQueryDefaultUILanguage  ... ) == 0x0
 02283   868   NtAllocateVirtualMemory  (-1, 12107776, 0, 4096, 4096, 260, ... 12107776, 4096, ) == 0x0
 02284   868   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 02285   868   NtQueryDefaultLocale  (1, 12119196, ... ) == 0x0
 02286  1736   NtResumeThread  (700, ... 1, ) == 0x0
 02287  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 85786624, 1048576, ) == 0x0
 02288  1736   NtAllocateVirtualMemory  (-1, 86827008, 0, 8192, 4096, 4, ... 86827008, 8192, ) == 0x0
 02289  1736   NtProtectVirtualMemory  (-1, (0x52ce000), 4096, 260, ... (0x52ce000), 4096, 4, ) == 0x0
 02290  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1636, 740}, ) == 0x0
 02291  1736   NtQueryInformationThread  (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1636,Tid=740,}, 0x0, ) == 0x0
 02292   868   NtQueryInformationProcess  (-1, Wow64, 4, ...
 02293   476   NtWaitForSingleObject  (88, 0, 0x0, ...
 02292   868   NtQueryInformationProcess  ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02294   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 708, ) }, ... 708, ) == 0x0
 02295   868   NtQueryValueKey  (708,  (708, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (708, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02296   868   NtClose  (708, ... ) == 0x0
 02297   868   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 708, ) == 0x0
 02298   868   NtCallbackReturn  (0, 0, 0, ...
 02299   868   NtUserGetProcessWindowStation  (...
 02300  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\344\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\344\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75583, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\344\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\344\2\0\0" )  ) == 0x0
 02301  1736   NtResumeThread  (704, ... 1, ) == 0x0
 02302  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 86835200, 1048576, ) == 0x0
 02303  1736   NtAllocateVirtualMemory  (-1, 87875584, 0, 8192, 4096, 4, ... 87875584, 8192, ) == 0x0
 02304  1736   NtProtectVirtualMemory  (-1, (0x53ce000), 4096, 260, ... (0x53ce000), 4096, 4, ) == 0x0
 02305  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02299   868   NtUserGetProcessWindowStation  ... ) == 0x20
 02306   740   NtWaitForSingleObject  (88, 0, 0x0, ...
 02307   868   NtUserGetObjectInformation  (32, 1, 12118792, 12, 12118804, ... ) == 0x1
 02308   868   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02309   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\WPA\PnP"}, ... 712, ) }, ... 712, ) == 0x0
 02310   868   NtQueryValueKey  (712,  (712, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (712, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 02311   868   NtClose  (712, ... ) == 0x0
 02312   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... }, ...
 02305  1736   NtCreateThread  ... 712, {1636, 1624}, ) == 0x0
 02313  1736   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1636,Tid=1624,}, 0x0, ) == 0x0
 02314  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0X\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75584, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0X\6\0\0" )  ) == 0x0
 02315  1736   NtResumeThread  (712, ... 1, ) == 0x0
 02316  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 87883776, 1048576, ) == 0x0
 02317  1736   NtAllocateVirtualMemory  (-1, 88924160, 0, 8192, 4096, 4, ... 88924160, 8192, ) == 0x0
 02312   868   NtOpenKey  ... 716, ) == 0x0
 02318  1624   NtWaitForSingleObject  (88, 0, 0x0, ...
 02319   868   NtQueryValueKey  (716,  (716, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02320   868   NtQueryValueKey  (716,  (716, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02321   868   NtClose  (716, ... ) == 0x0
 02322   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 716, ) }, ... 716, ) == 0x0
 02323   868   NtQueryValueKey  (716,  (716, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02324   868   NtQueryValueKey  (716,  (716, "SystemPartition", Partial, 144, ... , Partial, 144, ...
 02325  1736   NtProtectVirtualMemory  (-1, (0x54ce000), 4096, 260, ... (0x54ce000), 4096, 4, ) == 0x0
 02326  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1636, 1440}, ) == 0x0
 02327  1736   NtQueryInformationThread  (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1636,Tid=1440,}, 0x0, ) == 0x0
 02328  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\240\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\240\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75585, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\240\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\240\5\0\0" )  ) == 0x0
 02329  1736   NtResumeThread  (720, ... 1, ) == 0x0
 02330  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02324   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02331  1440   NtWaitForSingleObject  (88, 0, 0x0, ...
 02332   868   NtClose  (716, ... ) == 0x0
 02333   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 716, ) }, ... 716, ) == 0x0
 02334   868   NtQueryValueKey  (716,  (716, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02335   868   NtQueryValueKey  (716,  (716, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (716, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02336   868   NtClose  (716, ... ) == 0x0
 02337   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ...
 02330  1736   NtAllocateVirtualMemory  ... 88932352, 1048576, ) == 0x0
 02338  1736   NtAllocateVirtualMemory  (-1, 89972736, 0, 8192, 4096, 4, ... 89972736, 8192, ) == 0x0
 02339  1736   NtProtectVirtualMemory  (-1, (0x55ce000), 4096, 260, ... (0x55ce000), 4096, 4, ) == 0x0
 02340  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1636, 1664}, ) == 0x0
 02341  1736   NtQueryInformationThread  (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1636,Tid=1664,}, 0x0, ) == 0x0
 02342  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\200\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\200\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75586, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\200\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0\200\6\0\0" )  ) == 0x0
 02337   868   NtOpenKey  ... 724, ) == 0x0
 02343   868   NtQueryValueKey  (724,  (724, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (724, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02344   868   NtQueryValueKey  (724,  (724, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (724, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02345   868   NtClose  (724, ... ) == 0x0
 02346   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 724, ) }, ... 724, ) == 0x0
 02347   868   NtQueryValueKey  (724,  (724, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (724, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02348   868   NtQueryValueKey  (724,  (724, "ServicePackCachePath", Partial, 144, ... , Partial, 144, ...
 02349  1736   NtResumeThread  (716, ... 1, ) == 0x0
 02350  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 89980928, 1048576, ) == 0x0
 02351  1736   NtAllocateVirtualMemory  (-1, 91021312, 0, 8192, 4096, 4, ... 91021312, 8192, ) == 0x0
 02352  1736   NtProtectVirtualMemory  (-1, (0x56ce000), 4096, 260, ... (0x56ce000), 4096, 4, ) == 0x0
 02353  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {1636, 1972}, ) == 0x0
 02354  1736   NtQueryInformationThread  (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1636,Tid=1972,}, 0x0, ) == 0x0
 02348   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02355  1664   NtWaitForSingleObject  (88, 0, 0x0, ...
 02356   868   NtClose  (724, ... ) == 0x0
 02357   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 724, ) }, ... 724, ) == 0x0
 02358   868   NtQueryValueKey  (724,  (724, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (724, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02359   868   NtQueryValueKey  (724,  (724, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (724, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02360   868   NtClose  (724, ... ) == 0x0
 02361   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... }, ...
 02362  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0\264\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0\264\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75587, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0\264\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0\264\7\0\0" )  ) == 0x0
 02363  1736   NtResumeThread  (728, ... 1, ) == 0x0
 02364  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 91029504, 1048576, ) == 0x0
 02365  1736   NtAllocateVirtualMemory  (-1, 92069888, 0, 8192, 4096, 4, ... 92069888, 8192, ) == 0x0
 02366  1736   NtProtectVirtualMemory  (-1, (0x57ce000), 4096, 260, ... (0x57ce000), 4096, 4, ) == 0x0
 02367  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02361   868   NtOpenKey  ... 724, ) == 0x0
 02368  1972   NtWaitForSingleObject  (88, 0, 0x0, ...
 02369   868   NtQueryValueKey  (724,  (724, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02370   868   NtQueryValueKey  (724,  (724, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (724, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 02371   868   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 02372   868   NtClose  (724, ... ) == 0x0
 02373   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 724, ) == 0x0
 02374   868   NtCreateMutant  (0x1f0001, 0x0, 0, ...
 02367  1736   NtCreateThread  ... 732, {1636, 1656}, ) == 0x0
 02375  1736   NtQueryInformationThread  (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1636,Tid=1656,}, 0x0, ) == 0x0
 02376  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0d\6\0\0x\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0d\6\0\0x\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75588, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0d\6\0\0x\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0d\6\0\0x\6\0\0" )  ) == 0x0
 02377  1736   NtResumeThread  (732, ... 1, ) == 0x0
 02378  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 92078080, 1048576, ) == 0x0
 02379  1736   NtAllocateVirtualMemory  (-1, 93118464, 0, 8192, 4096, 4, ... 93118464, 8192, ) == 0x0
 02374   868   NtCreateMutant  ... 736, ) == 0x0
 02380  1656   NtWaitForSingleObject  (88, 0, 0x0, ...
 02381   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 740, ) == 0x0
 02382   868   NtCreateMutant  (0x1f0001, 0x0, 0, ... 744, ) == 0x0
 02383   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 748, ) == 0x0
 02384   868   NtCreateMutant  (0x1f0001, 0x0, 0, ... 752, ) == 0x0
 02385   868   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 756, ) }, ... 756, ) == 0x0
 02386   868   NtQueryValueKey  (756,  (756, "LogLevel", Partial, 144, ... , Partial, 144, ...
 02387  1736   NtProtectVirtualMemory  (-1, (0x58ce000), 4096, 260, ... (0x58ce000), 4096, 4, ) == 0x0
 02388  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {1636, 1036}, ) == 0x0
 02389  1736   NtQueryInformationThread  (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1636,Tid=1036,}, 0x0, ) == 0x0
 02390  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\14\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\14\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75589, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\14\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\14\4\0\0" )  ) == 0x0
 02391  1736   NtResumeThread  (760, ... 1, ) == 0x0
 02392  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02386   868   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02393  1036   NtWaitForSingleObject  (88, 0, 0x0, ...
 02394   868   NtQueryValueKey  (756,  (756, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (756, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02395   868   NtQueryValueKey  (756,  (756, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02396   868   NtOpenKey  (0x1, {24, 756, 0x40, 0, 0,  (0x1, {24, 756, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02397   868   NtClose  (756, ... ) == 0x0
 02398   868   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 12118708, ... ) }, 12118708, ... ) == 0x0
 02399   868   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... }, ...
 02392  1736   NtAllocateVirtualMemory  ... 93126656, 1048576, ) == 0x0
 02400  1736   NtAllocateVirtualMemory  (-1, 94167040, 0, 8192, 4096, 4, ... 94167040, 8192, ) == 0x0
 02401  1736   NtProtectVirtualMemory  (-1, (0x59ce000), 4096, 260, ... (0x59ce000), 4096, 4, ) == 0x0
 02402  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {1636, 760}, ) == 0x0
 02403  1736   NtQueryInformationThread  (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1636,Tid=760,}, 0x0, ) == 0x0
 02404  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\370\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\370\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75590, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\370\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0\370\2\0\0" )  ) == 0x0
 02399   868   NtOpenKey  ... 764, ) == 0x0
 02405   868   NtQueryValueKey  (764,  (764, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (764, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (764, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02406   868   NtClose  (764, ... ) == 0x0
 02407   868   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 764, ) }, ... 764, ) == 0x0
 02408   868   NtQueryValueKey  (764,  (764, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (764, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (764, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 02409   868   NtClose  (764, ... ) == 0x0
 02410   868   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... }, ...
 02411  1736   NtResumeThread  (756, ... 1, ) == 0x0
 02412  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 94175232, 1048576, ) == 0x0
 02413  1736   NtAllocateVirtualMemory  (-1, 95215616, 0, 8192, 4096, 4, ... 95215616, 8192, ) == 0x0
 02414  1736   NtProtectVirtualMemory  (-1, (0x5ace000), 4096, 260, ... (0x5ace000), 4096, 4, ) == 0x0
 02415  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 764, {1636, 484}, ) == 0x0
 02416  1736   NtQueryInformationThread  (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1636,Tid=484,}, 0x0, ) == 0x0
 02410   868   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02417   760   NtWaitForSingleObject  (88, 0, 0x0, ...
 02418   868   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 768, ) }, ... 768, ) == 0x0
 02419   868   NtQueryValueKey  (768,  (768, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (768, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (768, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02420   868   NtClose  (768, ... ) == 0x0
 02421   868   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02422   868   NtSetEventBoostPriority  (88, ...
 02161  1612   NtWaitForSingleObject  ... ) == 0x0
 02423  1612   NtSetEventBoostPriority  (88, ...
 02178  1628   NtWaitForSingleObject  ... ) == 0x0
 02424  1628   NtSetEventBoostPriority  (88, ...
 02186  1316   NtWaitForSingleObject  ... ) == 0x0
 02425  1316   NtSetEventBoostPriority  (88, ...
 02201   644   NtWaitForSingleObject  ... ) == 0x0
 02426   644   NtSetEventBoostPriority  (88, ...
 02215  1288   NtWaitForSingleObject  ... ) == 0x0
 02427  1288   NtSetEventBoostPriority  (88, ...
 02227   624   NtWaitForSingleObject  ... ) == 0x0
 02428   624   NtSetEventBoostPriority  (88, ...
 02240   380   NtWaitForSingleObject  ... ) == 0x0
 02429   380   NtSetEventBoostPriority  (88, ...
 02258   312   NtWaitForSingleObject  ... ) == 0x0
 02430   312   NtSetEventBoostPriority  (88, ...
 02271  1404   NtWaitForSingleObject  ... ) == 0x0
 02431  1404   NtSetEventBoostPriority  (88, ...
 02293   476   NtWaitForSingleObject  ... ) == 0x0
 02432   476   NtSetEventBoostPriority  (88, ...
 02306   740   NtWaitForSingleObject  ... ) == 0x0
 02433   740   NtSetEventBoostPriority  (88, ...
 02318  1624   NtWaitForSingleObject  ... ) == 0x0
 02434  1624   NtSetEventBoostPriority  (88, ...
 02331  1440   NtWaitForSingleObject  ... ) == 0x0
 02435  1440   NtSetEventBoostPriority  (88, ...
 02355  1664   NtWaitForSingleObject  ... ) == 0x0
 02436  1664   NtSetEventBoostPriority  (88, ...
 02368  1972   NtWaitForSingleObject  ... ) == 0x0
 02437  1972   NtSetEventBoostPriority  (88, ...
 02380  1656   NtWaitForSingleObject  ... ) == 0x0
 02438  1656   NtSetEventBoostPriority  (88, ...
 02393  1036   NtWaitForSingleObject  ... ) == 0x0
 02439  1036   NtAllocateVirtualMemory  (-1, 8876032, 0, 4096, 4096, 4, ... 8876032, 4096, ) == 0x0
 02438  1656   NtSetEventBoostPriority  ... ) == 0x0
 02437  1972   NtSetEventBoostPriority  ... ) == 0x0
 02436  1664   NtSetEventBoostPriority  ... ) == 0x0
 02435  1440   NtSetEventBoostPriority  ... ) == 0x0
 02434  1624   NtSetEventBoostPriority  ... ) == 0x0
 02433   740   NtSetEventBoostPriority  ... ) == 0x0
 02432   476   NtSetEventBoostPriority  ... ) == 0x0
 02431  1404   NtSetEventBoostPriority  ... ) == 0x0
 02430   312   NtSetEventBoostPriority  ... ) == 0x0
 02429   380   NtSetEventBoostPriority  ... ) == 0x0
 02428   624   NtSetEventBoostPriority  ... ) == 0x0
 02427  1288   NtSetEventBoostPriority  ... ) == 0x0
 02426   644   NtSetEventBoostPriority  ... ) == 0x0
 02425  1316   NtSetEventBoostPriority  ... ) == 0x0
 02424  1628   NtSetEventBoostPriority  ... ) == 0x0
 02423  1612   NtSetEventBoostPriority  ... ) == 0x0
 02422   868   NtSetEventBoostPriority  ... ) == 0x0
 02440  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0d\6\0\0\344\1\0\0" ...  ...
 02441  1036   NtSetEventBoostPriority  (88, ...
 02442  1656   NtTestAlert  (...
 02443  1972   NtTestAlert  (...
 02444  1664   NtTestAlert  (...
 02445  1440   NtTestAlert  (...
 02446  1624   NtTestAlert  (...
 02447   740   NtTestAlert  (...
 02448   476   NtTestAlert  (...
 02449  1404   NtTestAlert  (...
 02450   312   NtTestAlert  (...
 02451   380   NtTestAlert  (...
 02452   624   NtTestAlert  (...
 02453  1288   NtTestAlert  (...
 02454   644   NtTestAlert  (...
 02455  1316   NtTestAlert  (...
 02456  1628   NtTestAlert  (...
 02457   868   NtWaitForSingleObject  (88, 0, 0x0, ...
 02440  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75591, 0}  ... {28, 56, reply, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0d\6\0\0\344\1\0\0" )  ) == 0x0
 02417   760   NtWaitForSingleObject  ... ) == 0x0
 02441  1036   NtSetEventBoostPriority  ... ) == 0x0
 02442  1656   NtTestAlert  ... ) == 0x0
 02443  1972   NtTestAlert  ... ) == 0x0
 02444  1664   NtTestAlert  ... ) == 0x0
 02445  1440   NtTestAlert  ... ) == 0x0
 02446  1624   NtTestAlert  ... ) == 0x0
 02447   740   NtTestAlert  ... ) == 0x0
 02448   476   NtTestAlert  ... ) == 0x0
 02449  1404   NtTestAlert  ... ) == 0x0
 02450   312   NtTestAlert  ... ) == 0x0
 02451   380   NtTestAlert  ... ) == 0x0
 02452   624   NtTestAlert  ... ) == 0x0
 02453  1288   NtTestAlert  ... ) == 0x0
 02454   644   NtTestAlert  ... ) == 0x0
 02455  1316   NtTestAlert  ... ) == 0x0
 02456  1628   NtTestAlert  ... ) == 0x0
 02458  1612   NtTestAlert  (...
 02459   760   NtSetEventBoostPriority  (88, ...
 02460  1736   NtResumeThread  (764, ...
 02461  1036   NtTestAlert  (...
 02462  1656   NtContinue  (92077360, 1, ...
 02463  1972   NtContinue  (91028784, 1, ...
 02464  1664   NtContinue  (89980208, 1, ...
 02465  1440   NtContinue  (88931632, 1, ...
 02466  1624   NtContinue  (87883056, 1, ...
 02467   740   NtContinue  (86834480, 1, ...
 02468   476   NtContinue  (85785904, 1, ...
 02469  1404   NtContinue  (84737328, 1, ...
 02470   312   NtContinue  (83688752, 1, ...
 02471   380   NtContinue  (82640176, 1, ...
 02472   624   NtContinue  (81591600, 1, ...
 02473  1288   NtContinue  (80543024, 1, ...
 02474   644   NtContinue  (79494448, 1, ...
 02475  1316   NtContinue  (78445872, 1, ...
 02476  1628   NtContinue  (77397296, 1, ...
 02459   760   NtSetEventBoostPriority  ... ) == 0x0
 02458  1612   NtTestAlert  ... ) == 0x0
 02460  1736   NtResumeThread  ... 1, ) == 0x0
 02461  1036   NtTestAlert  ... ) == 0x0
 02477  1656   NtRegisterThreadTerminatePort  (24, ...
 02478  1972   NtRegisterThreadTerminatePort  (24, ...
 02479  1664   NtRegisterThreadTerminatePort  (24, ...
 02480  1440   NtRegisterThreadTerminatePort  (24, ...
 02481  1624   NtRegisterThreadTerminatePort  (24, ...
 02482   740   NtRegisterThreadTerminatePort  (24, ...
 02483   476   NtRegisterThreadTerminatePort  (24, ...
 02484  1404   NtRegisterThreadTerminatePort  (24, ...
 02485   312   NtRegisterThreadTerminatePort  (24, ...
 02486   380   NtRegisterThreadTerminatePort  (24, ...
 02487   624   NtRegisterThreadTerminatePort  (24, ...
 02488  1288   NtRegisterThreadTerminatePort  (24, ...
 02489   644   NtRegisterThreadTerminatePort  (24, ...
 02490  1316   NtRegisterThreadTerminatePort  (24, ...
 02491  1628   NtRegisterThreadTerminatePort  (24, ...
 02457   868   NtWaitForSingleObject  ... ) == 0x0
 02492   484   NtWaitForSingleObject  (88, 0, 0x0, ...
 02493  1612   NtContinue  (76348720, 1, ...
 02494  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02495  1036   NtContinue  (93125936, 1, ...
 02477  1656   NtRegisterThreadTerminatePort  ... ) == 0x0
 02478  1972   NtRegisterThreadTerminatePort  ... ) == 0x0
 02479  1664   NtRegisterThreadTerminatePort  ... ) == 0x0
 02480  1440   NtRegisterThreadTerminatePort  ... ) == 0x0
 02481  1624   NtRegisterThreadTerminatePort  ... ) == 0x0
 02482   740   NtRegisterThreadTerminatePort  ... ) == 0x0
 02483   476   NtRegisterThreadTerminatePort  ... ) == 0x0
 02484  1404   NtRegisterThreadTerminatePort  ... ) == 0x0
 02485   312   NtRegisterThreadTerminatePort  ... ) == 0x0
 02486   380   NtRegisterThreadTerminatePort  ... ) == 0x0
 02487   624   NtRegisterThreadTerminatePort  ... ) == 0x0
 02488  1288   NtRegisterThreadTerminatePort  ... ) == 0x0
 02489   644   NtRegisterThreadTerminatePort  ... ) == 0x0
 02490  1316   NtRegisterThreadTerminatePort  ... ) == 0x0
 02491  1628   NtRegisterThreadTerminatePort  ... ) == 0x0
 02496   868   NtSetEventBoostPriority  (88, ...
 02497  1612   NtRegisterThreadTerminatePort  (24, ...
 02498   760   NtTestAlert  (...
 02499  1036   NtRegisterThreadTerminatePort  (24, ...
 02500  1656   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02501  1972   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02502  1664   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02503  1440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02504  1624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02505   740   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02506   476   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02507  1404   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02508   312   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02509   380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02510   624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02511  1288   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02512   644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02513  1316   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02514  1628   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02492   484   NtWaitForSingleObject  ... ) == 0x0
 02496   868   NtSetEventBoostPriority  ... ) == 0x0
 02497  1612   NtRegisterThreadTerminatePort  ... ) == 0x0
 02498   760   NtTestAlert  ... ) == 0x0
 02494  1736   NtAllocateVirtualMemory  ... 95223808, 1048576, ) == 0x0
 02499  1036   NtRegisterThreadTerminatePort  ... ) == 0x0
 02500  1656   NtDuplicateObject  ... 768, ) == 0x0
 02501  1972   NtDuplicateObject  ... 772, ) == 0x0
 02502  1664   NtDuplicateObject  ... 776, ) == 0x0
 02503  1440   NtDuplicateObject  ... 780, ) == 0x0
 02504  1624   NtDuplicateObject  ... 784, ) == 0x0
 02505   740   NtDuplicateObject  ... 788, ) == 0x0
 02506   476   NtDuplicateObject  ... 792, ) == 0x0
 02507  1404   NtDuplicateObject  ... 796, ) == 0x0
 02508   312   NtDuplicateObject  ... 800, ) == 0x0
 02509   380   NtDuplicateObject  ... 804, ) == 0x0
 02510   624   NtDuplicateObject  ... 808, ) == 0x0
 02511  1288   NtDuplicateObject  ... 812, ) == 0x0
 02512   644   NtDuplicateObject  ... 816, ) == 0x0
 02513  1316   NtDuplicateObject  ... 820, ) == 0x0
 02515   484   NtTestAlert  (...
 02516   868   NtSetEventBoostPriority  (140, ...
 02517  1612   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02518   760   NtContinue  (94174512, 1, ...
 02519  1736   NtAllocateVirtualMemory  (-1, 96264192, 0, 8192, 4096, 4, ...
 02520  1036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02521  1656   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02522  1972   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02523  1664   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02524  1440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02525  1624   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02526   740   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02527   476   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02528  1404   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02529   312   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02530   380   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02531   624   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ...
 02532  1288   NtWaitForSingleObject  (260, 0, 0x0, ...
 02533   644   NtWaitForSingleObject  (260, 0, 0x0, ...
 02515   484   NtTestAlert  ... ) == 0x0
 02534  1316   NtWaitForSingleObject  (260, 0, 0x0, ...
 00712   808   NtWaitForSingleObject  ... ) == 0x0
 02516   868   NtSetEventBoostPriority  ... ) == 0x0
 02514  1628   NtDuplicateObject  ... 824, ) == 0x0
 02535   760   NtRegisterThreadTerminatePort  (24, ...
 02519  1736   NtAllocateVirtualMemory  ... 96264192, 8192, ) == 0x0
 02520  1036   NtDuplicateObject  ... 828, ) == 0x0
 02521  1656   NtWaitForSingleObject  ... ) == 0x102
 02522  1972   NtWaitForSingleObject  ... ) == 0x102
 02523  1664   NtWaitForSingleObject  ... ) == 0x102
 02524  1440   NtWaitForSingleObject  ... ) == 0x102
 02525  1624   NtWaitForSingleObject  ... ) == 0x102
 02526   740   NtWaitForSingleObject  ... ) == 0x102
 02527   476   NtWaitForSingleObject  ... ) == 0x102
 02528  1404   NtWaitForSingleObject  ... ) == 0x102
 02529   312   NtWaitForSingleObject  ... ) == 0x102
 02530   380   NtWaitForSingleObject  ... ) == 0x102
 02531   624   NtAllocateVirtualMemory  ... 1413120, 4096, ) == 0x0
 02517  1612   NtDuplicateObject  ... 832, ) == 0x0
 02536   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 02537   484   NtContinue  (95223088, 1, ...
 02538  1628   NtWaitForSingleObject  (260, 0, 0x0, ...
 02535   760   NtRegisterThreadTerminatePort  ... ) == 0x0
 02539  1736   NtProtectVirtualMemory  (-1, (0x5bce000), 4096, 260, ...
 02540  1036   NtWaitForSingleObject  (260, 0, 0x0, ...
 02541  1656   NtWaitForSingleObject  (260, 0, 0x0, ...
 02542  1972   NtWaitForSingleObject  (260, 0, 0x0, ...
 02543  1664   NtWaitForSingleObject  (260, 0, 0x0, ...
 02544  1440   NtWaitForSingleObject  (260, 0, 0x0, ...
 02545  1624   NtWaitForSingleObject  (260, 0, 0x0, ...
 02546   740   NtWaitForSingleObject  (260, 0, 0x0, ...
 02547   476   NtWaitForSingleObject  (260, 0, 0x0, ...
 02548  1404   NtWaitForSingleObject  (260, 0, 0x0, ...
 02549   312   NtWaitForSingleObject  (260, 0, 0x0, ...
 02550   380   NtWaitForSingleObject  (260, 0, 0x0, ...
 02551   624   NtSetEventBoostPriority  (260, ...
 02552  1612   NtWaitForSingleObject  (260, 0, 0x0, ...
 02553   484   NtRegisterThreadTerminatePort  (24, ...
 02554   760   NtWaitForSingleObject  (260, 0, 0x0, ...
 02539  1736   NtProtectVirtualMemory  ... (0x5bce000), 4096, 4, ) == 0x0
 02532  1288   NtWaitForSingleObject  ... ) == 0x0
 02551   624   NtSetEventBoostPriority  ... ) == 0x0
 02553   484   NtRegisterThreadTerminatePort  ... ) == 0x0
 02555   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 02556  1288   NtSetEventBoostPriority  (260, ...
 02557  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02558   624   NtWaitForSingleObject  (260, 0, 0x0, ...
 02559   484   NtWaitForSingleObject  (260, 0, 0x0, ...
 02533   644   NtWaitForSingleObject  ... ) == 0x0
 02556  1288   NtSetEventBoostPriority  ... ) == 0x0
 02557  1736   NtCreateThread  ... 836, {1636, 1480}, ) == 0x0
 02560   644   NtSetEventBoostPriority  (260, ...
 02534  1316   NtWaitForSingleObject  ... ) == 0x0
 02561  1316   NtSetEventBoostPriority  (260, ...
 02536   808   NtWaitForSingleObject  ... ) == 0x0
 02562   808   NtSetEventBoostPriority  (260, ...
 02538  1628   NtWaitForSingleObject  ... ) == 0x0
 02563  1628   NtSetEventBoostPriority  (260, ...
 02540  1036   NtWaitForSingleObject  ... ) == 0x0
 02564  1036   NtSetEventBoostPriority  (260, ...
 02541  1656   NtWaitForSingleObject  ... ) == 0x0
 02565  1656   NtSetEventBoostPriority  (260, ...
 02542  1972   NtWaitForSingleObject  ... ) == 0x0
 02566  1972   NtSetEventBoostPriority  (260, ...
 02543  1664   NtWaitForSingleObject  ... ) == 0x0
 02567  1664   NtSetEventBoostPriority  (260, ...
 02544  1440   NtWaitForSingleObject  ... ) == 0x0
 02568  1440   NtSetEventBoostPriority  (260, ...
 02545  1624   NtWaitForSingleObject  ... ) == 0x0
 02569  1624   NtSetEventBoostPriority  (260, ...
 02546   740   NtWaitForSingleObject  ... ) == 0x0
 02570   740   NtSetEventBoostPriority  (260, ...
 02547   476   NtWaitForSingleObject  ... ) == 0x0
 02571   476   NtSetEventBoostPriority  (260, ...
 02548  1404   NtWaitForSingleObject  ... ) == 0x0
 02572  1404   NtSetEventBoostPriority  (260, ...
 02549   312   NtWaitForSingleObject  ... ) == 0x0
 02573   312   NtSetEventBoostPriority  (260, ...
 02550   380   NtWaitForSingleObject  ... ) == 0x0
 02574   380   NtSetEventBoostPriority  (260, ...
 02552  1612   NtWaitForSingleObject  ... ) == 0x0
 02575  1612   NtSetEventBoostPriority  (260, ...
 02555   868   NtWaitForSingleObject  ... ) == 0x0
 02576   868   NtSetEventBoostPriority  (260, ...
 02554   760   NtWaitForSingleObject  ... ) == 0x0
 02577   760   NtSetEventBoostPriority  (260, ...
 02559   484   NtWaitForSingleObject  ... ) == 0x0
 02578   484   NtSetEventBoostPriority  (260, ...
 02558   624   NtWaitForSingleObject  ... ) == 0x0
 02579   624   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02580   624   NtWaitForSingleObject  (140, 0, 0x0, ...
 02578   484   NtSetEventBoostPriority  ... ) == 0x0
 02576   868   NtSetEventBoostPriority  ... ) == 0x0
 02575  1612   NtSetEventBoostPriority  ... ) == 0x0
 02574   380   NtSetEventBoostPriority  ... ) == 0x0
 02573   312   NtSetEventBoostPriority  ... ) == 0x0
 02572  1404   NtSetEventBoostPriority  ... ) == 0x0
 02571   476   NtSetEventBoostPriority  ... ) == 0x0
 02570   740   NtSetEventBoostPriority  ... ) == 0x0
 02569  1624   NtSetEventBoostPriority  ... ) == 0x0
 02568  1440   NtSetEventBoostPriority  ... ) == 0x0
 02567  1664   NtSetEventBoostPriority  ... ) == 0x0
 02566  1972   NtSetEventBoostPriority  ... ) == 0x0
 02565  1656   NtSetEventBoostPriority  ... ) == 0x0
 02564  1036   NtSetEventBoostPriority  ... ) == 0x0
 02563  1628   NtSetEventBoostPriority  ... ) == 0x0
 02562   808   NtSetEventBoostPriority  ... ) == 0x0
 02561  1316   NtSetEventBoostPriority  ... ) == 0x0
 02560   644   NtSetEventBoostPriority  ... ) == 0x0
 02581  1736   NtQueryInformationThread  (836, Basic, 28, ...
 02577   760   NtSetEventBoostPriority  ... ) == 0x0
 02582  1288   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ...
 02583   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 02584   484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02585  1612   NtWaitForSingleObject  (260, 0, 0x0, ...
 02586   380   NtWaitForSingleObject  (140, 0, 0x0, ...
 02587   312   NtWaitForSingleObject  (140, 0, 0x0, ...
 02588  1404   NtWaitForSingleObject  (140, 0, 0x0, ...
 02589   476   NtWaitForSingleObject  (140, 0, 0x0, ...
 02590   740   NtWaitForSingleObject  (140, 0, 0x0, ...
 02591  1624   NtWaitForSingleObject  (140, 0, 0x0, ...
 02592  1440   NtWaitForSingleObject  (140, 0, 0x0, ...
 02593  1664   NtWaitForSingleObject  (140, 0, 0x0, ...
 02594  1972   NtWaitForSingleObject  (140, 0, 0x0, ...
 02595  1656   NtWaitForSingleObject  (140, 0, 0x0, ...
 02596  1036   NtWaitForSingleObject  (260, 0, 0x0, ...
 02597  1628   NtWaitForSingleObject  (260, 0, 0x0, ...
 02598   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 02599  1316   NtWaitForSingleObject  (260, 0, 0x0, ...
 02581  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1636,Tid=1480,}, 0x0, ) == 0x0
 02600   760   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02582  1288   NtAllocateVirtualMemory  ... 1417216, 4096, ) == 0x0
 02601   644   NtWaitForSingleObject  (260, 0, 0x0, ...
 02584   484   NtDuplicateObject  ... 840, ) == 0x0
 02602  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75591, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0d\6\0\0\310\5\0\0" ...  ...
 02600   760   NtDuplicateObject  ... 844, ) == 0x0
 02603  1288   NtSetEventBoostPriority  (260, ...
 02604   484   NtWaitForSingleObject  (260, 0, 0x0, ...
 02602  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75592, 0}  ... {28, 56, reply, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0d\6\0\0\310\5\0\0" )  ) == 0x0
 02585  1612   NtWaitForSingleObject  ... ) == 0x0
 02603  1288   NtSetEventBoostPriority  ... ) == 0x0
 02605   760   NtWaitForSingleObject  (260, 0, 0x0, ...
 02606  1612   NtSetEventBoostPriority  (260, ...
 02607  1288   NtWaitForSingleObject  (260, 0, 0x0, ...
 02596  1036   NtWaitForSingleObject  ... ) == 0x0
 02606  1612   NtSetEventBoostPriority  ... ) == 0x0
 02608  1036   NtSetEventBoostPriority  (260, ...
 02597  1628   NtWaitForSingleObject  ... ) == 0x0
 02609  1628   NtSetEventBoostPriority  (260, ...
 02598   808   NtWaitForSingleObject  ... ) == 0x0
 02610   808   NtSetEventBoostPriority  (260, ...
 02599  1316   NtWaitForSingleObject  ... ) == 0x0
 02611  1316   NtSetEventBoostPriority  (260, ...
 02601   644   NtWaitForSingleObject  ... ) == 0x0
 02612   644   NtSetEventBoostPriority  (260, ...
 02583   868   NtWaitForSingleObject  ... ) == 0x0
 02613   868   NtSetEventBoostPriority  (260, ...
 02604   484   NtWaitForSingleObject  ... ) == 0x0
 02614   484   NtSetEventBoostPriority  (260, ...
 02605   760   NtWaitForSingleObject  ... ) == 0x0
 02615   760   NtSetEventBoostPriority  (260, ...
 02607  1288   NtWaitForSingleObject  ... ) == 0x0
 02616  1288   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02615   760   NtSetEventBoostPriority  ... ) == 0x0
 02617   760   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02614   484   NtSetEventBoostPriority  ... ) == 0x0
 02612   644   NtSetEventBoostPriority  ... ) == 0x0
 02611  1316   NtSetEventBoostPriority  ... ) == 0x0
 02610   808   NtSetEventBoostPriority  ... ) == 0x0
 02609  1628   NtSetEventBoostPriority  ... ) == 0x0
 02608  1036   NtSetEventBoostPriority  ... ) == 0x0
 02618  1612   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02613   868   NtSetEventBoostPriority  ... ) == 0x0
 02619  1736   NtResumeThread  (836, ...
 02616  1288   NtWaitForSingleObject  ... ) == 0x102
 02617   760   NtWaitForSingleObject  ... ) == 0x102
 02620   644   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02621  1316   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02622   808   NtSetEventBoostPriority  (140, ...
 02623  1628   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02624  1036   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02625   484   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02626   868   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02619  1736   NtResumeThread  ... 1, ) == 0x0
 02627  1288   NtWaitForSingleObject  (140, 0, 0x0, ...
 02628   760   NtWaitForSingleObject  (140, 0, 0x0, ...
 02618  1612   NtWaitForSingleObject  ... ) == 0x102
 02629  1480   NtTestAlert  (...
 02620   644   NtWaitForSingleObject  ... ) == 0x102
 02621  1316   NtWaitForSingleObject  ... ) == 0x102
 00716  1252   NtWaitForSingleObject  ... ) == 0x0
 02622   808   NtSetEventBoostPriority  ... ) == 0x0
 02623  1628   NtWaitForSingleObject  ... ) == 0x102
 02625   484   NtWaitForSingleObject  ... ) == 0x102
 02626   868   NtCreateEvent  ... 848, ) == 0x0
 02630  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02631  1612   NtWaitForSingleObject  (140, 0, 0x0, ...
 02629  1480   NtTestAlert  ... ) == 0x0
 02632   644   NtWaitForSingleObject  (140, 0, 0x0, ...
 02633  1316   NtWaitForSingleObject  (140, 0, 0x0, ...
 02634  1252   NtSetEventBoostPriority  (140, ...
 02635   808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02636  1628   NtWaitForSingleObject  (140, 0, 0x0, ...
 02637   484   NtWaitForSingleObject  (140, 0, 0x0, ...
 02624  1036   NtWaitForSingleObject  ... ) == 0x102
 02630  1736   NtAllocateVirtualMemory  ... 96272384, 1048576, ) == 0x0
 02638  1480   NtContinue  (96271664, 1, ...
 00717  2016   NtWaitForSingleObject  ... ) == 0x0
 02634  1252   NtSetEventBoostPriority  ... ) == 0x0
 02635   808   NtCreateEvent  ... 852, ) == 0x0
 02639  1036   NtWaitForSingleObject  (140, 0, 0x0, ...
 02640  1736   NtAllocateVirtualMemory  (-1, 97312768, 0, 8192, 4096, 4, ...
 02641  2016   NtSetEventBoostPriority  (140, ...
 02642  1480   NtRegisterThreadTerminatePort  (24, ...
 02643   868   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12119220, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12119220, 188, ...
 02644   808   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ...
 00720  2020   NtWaitForSingleObject  ... ) == 0x0
 02640  1736   NtAllocateVirtualMemory  ... 97312768, 8192, ) == 0x0
 02642  1480   NtRegisterThreadTerminatePort  ... ) == 0x0
 02644   808   NtAllocateVirtualMemory  ... 1421312, 4096, ) == 0x0
 02645  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 02643   868   NtConnectPort  ... 856, 0x0, 0x0, 0x0, 188, ) == 0x0
 02641  2016   NtSetEventBoostPriority  ... ) == 0x0
 02646  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02647  1736   NtProtectVirtualMemory  (-1, (0x5cce000), 4096, 260, ...
 02648   808   NtSetEventBoostPriority  (260, ...
 02649   868   NtRequestWaitReplyPort  (856, {200, 224, new_msg, 0, 1382944, 12, 2, 1310721}  (856, {200, 224, new_msg, 0, 1382944, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\342I\325\340F\207\2\305\360\242\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\310\242\25\0\254\11\364\375x\1\24\0\350\242\25\0h\1\24\0\0\0\0\0\0\0\0\0\350\242\25\0P\0\0\0\360\242\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\04\353\270\0\372\31\221|\310\362\270\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02650  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02646  1252   NtCreateEvent  ... 860, ) == 0x0
 02647  1736   NtProtectVirtualMemory  ... (0x5cce000), 4096, 4, ) == 0x0
 02651  1480   NtWaitForSingleObject  (260, 0, 0x0, ...
 02650  2016   NtCreateEvent  ... 864, ) == 0x0
 02652  1252   NtWaitForSingleObject  (260, 0, 0x0, ...
 02649   868   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1636, 868, 75594, 0}  ... {200, 224, reply, 0, 1636, 868, 75594, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\342I\325\340F\207\2\305\360\242\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\310\242\25\0\254\11\364\375x\1\24\0\350\242\25\0h\1\24\0\0\0\0\0\0\0\0\0\350\242\25\0P\0\0\0\360\242\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\04\353\270\0\372\31\221|\310\362\270\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02653  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02645  2020   NtWaitForSingleObject  ... ) == 0x0
 02648   808   NtSetEventBoostPriority  ... ) == 0x0
 02654  2016   NtWaitForSingleObject  (260, 0, 0x0, ...
 02653  1736   NtCreateThread  ... 868, {1636, 2060}, ) == 0x0
 02655  2020   NtSetEventBoostPriority  (260, ...
 02656   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 02657  1736   NtQueryInformationThread  (868, Basic, 28, ...
 02651  1480   NtWaitForSingleObject  ... ) == 0x0
 02655  2020   NtSetEventBoostPriority  ... ) == 0x0
 02658  1480   NtSetEventBoostPriority  (260, ...
 02657  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1636,Tid=2060,}, 0x0, ) == 0x0
 02659   868   NtRequestWaitReplyPort  (856, {64, 88, new_msg, 0, 1636, 868, 75550, 0}  (856, {64, 88, new_msg, 0, 1636, 868, 75550, 0} "\1\332\0\0A\2\10\0\200Y\274\201Ni\257\341\264\311\275\201:\332R\200\377\377\377\377t\333\243\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 02652  1252   NtWaitForSingleObject  ... ) == 0x0
 02658  1480   NtSetEventBoostPriority  ... ) == 0x0
 02660  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 02661  1252   NtSetEventBoostPriority  (260, ...
 02662  1480   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02654  2016   NtWaitForSingleObject  ... ) == 0x0
 02661  1252   NtSetEventBoostPriority  ... ) == 0x0
 02663  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0d\6\0\0\14\10\0\0" ...  ...
 02659   868   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1636, 868, 75595, 0}  ... {52, 76, reply, 0, 1636, 868, 75595, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 02664  2016   NtSetEventBoostPriority  (260, ...
 02662  1480   NtDuplicateObject  ... 872, ) == 0x0
 02663  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75596, 0}  ... {28, 56, reply, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0d\6\0\0\14\10\0\0" )  ) == 0x0
 02656   808   NtWaitForSingleObject  ... ) == 0x0
 02664  2016   NtSetEventBoostPriority  ... ) == 0x0
 02665   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 02666  1480   NtWaitForSingleObject  (260, 0, 0x0, ...
 02667   808   NtSetEventBoostPriority  (260, ...
 02668  1736   NtResumeThread  (868, ...
 02669  2016   NtWaitForSingleObject  (260, 0, 0x0, ...
 02660  2020   NtWaitForSingleObject  ... ) == 0x0
 02667   808   NtSetEventBoostPriority  ... ) == 0x0
 02668  1736   NtResumeThread  ... 1, ) == 0x0
 02670  1252   NtWaitForSingleObject  (260, 0, 0x0, ...
 02671  2020   NtSetEventBoostPriority  (260, ...
 02672  2060   NtWaitForSingleObject  (260, 0, 0x0, ...
 02673  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02665   868   NtWaitForSingleObject  ... ) == 0x0
 02671  2020   NtSetEventBoostPriority  ... ) == 0x0
 02674   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 02675   868   NtSetEventBoostPriority  (260, ...
 02676  2020   NtSetEventBoostPriority  (140, ...
 02666  1480   NtWaitForSingleObject  ... ) == 0x0
 02675   868   NtSetEventBoostPriority  ... ) == 0x0
 02673  1736   NtAllocateVirtualMemory  ... 97320960, 1048576, ) == 0x0
 02677  1480   NtSetEventBoostPriority  (260, ...
 00722   896   NtWaitForSingleObject  ... ) == 0x0
 02676  2020   NtSetEventBoostPriority  ... ) == 0x0
 02669  2016   NtWaitForSingleObject  ... ) == 0x0
 02677  1480   NtSetEventBoostPriority  ... ) == 0x0
 02678  1736   NtAllocateVirtualMemory  (-1, 98361344, 0, 8192, 4096, 4, ...
 02679   896   NtWaitForSingleObject  (260, 0, 0x0, ...
 02680  2016   NtSetEventBoostPriority  (260, ...
 02681  2020   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02682   868   NtClose  (848, ...
 02678  1736   NtAllocateVirtualMemory  ... 98361344, 8192, ) == 0x0
 02670  1252   NtWaitForSingleObject  ... ) == 0x0
 02681  2020   NtCreateEvent  ... 876, ) == 0x0
 02682   868   NtClose  ... ) == 0x0
 02683  1736   NtProtectVirtualMemory  (-1, (0x5dce000), 4096, 260, ...
 02684  1252   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ...
 02685  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 02686   868   NtClose  (856, ...
 02683  1736   NtProtectVirtualMemory  ... (0x5dce000), 4096, 4, ) == 0x0
 02684  1252   NtAllocateVirtualMemory  ... 1425408, 4096, ) == 0x0
 02686   868   NtClose  ... ) == 0x0
 02687  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02688  1252   NtSetEventBoostPriority  (260, ...
 02689   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 02680  2016   NtSetEventBoostPriority  ... ) == 0x0
 02690  1480   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02687  1736   NtCreateThread  ... 856, {1636, 2076}, ) == 0x0
 02691  2016   NtWaitForSingleObject  (260, 0, 0x0, ...
 02690  1480   NtWaitForSingleObject  ... ) == 0x102
 02692  1736   NtQueryInformationThread  (856, Basic, 28, ...
 02693  1480   NtWaitForSingleObject  (140, 0, 0x0, ...
 02692  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1636,Tid=2076,}, 0x0, ) == 0x0
 02694  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0d\6\0\0\34\10\0\0" ... {28, 56, reply, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0d\6\0\0\34\10\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75598, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0d\6\0\0\34\10\0\0" ... {28, 56, reply, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0d\6\0\0\34\10\0\0" )  ) == 0x0
 02695  1736   NtResumeThread  (856, ... 1, ) == 0x0
 02696  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 98369536, 1048576, ) == 0x0
 02697  1736   NtAllocateVirtualMemory  (-1, 99409920, 0, 8192, 4096, 4, ... 99409920, 8192, ) == 0x0
 02672  2060   NtWaitForSingleObject  ... ) == 0x0
 02688  1252   NtSetEventBoostPriority  ... ) == 0x0
 02698  2076   NtWaitForSingleObject  (88, 0, 0x0, ...
 02699  2060   NtSetEventBoostPriority  (260, ...
 02700  1252   NtWaitForSingleObject  (260, 0, 0x0, ...
 02674   808   NtWaitForSingleObject  ... ) == 0x0
 02699  2060   NtSetEventBoostPriority  ... ) == 0x0
 02701   808   NtSetEventBoostPriority  (260, ...
 02702  1736   NtProtectVirtualMemory  (-1, (0x5ece000), 4096, 260, ...
 02679   896   NtWaitForSingleObject  ... ) == 0x0
 02701   808   NtSetEventBoostPriority  ... ) == 0x0
 02703   896   NtSetEventBoostPriority  (260, ...
 02702  1736   NtProtectVirtualMemory  ... (0x5ece000), 4096, 4, ) == 0x0
 02685  2020   NtWaitForSingleObject  ... ) == 0x0
 02703   896   NtSetEventBoostPriority  ... ) == 0x0
 02704   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 02705  2020   NtSetEventBoostPriority  (260, ...
 02706  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02707  2060   NtSetEventBoostPriority  (88, ...
 02708   896   NtWaitForSingleObject  (260, 0, 0x0, ...
 02689   868   NtWaitForSingleObject  ... ) == 0x0
 02705  2020   NtSetEventBoostPriority  ... ) == 0x0
 02706  1736   NtCreateThread  ... 848, {1636, 2084}, ) == 0x0
 02698  2076   NtWaitForSingleObject  ... ) == 0x0
 02707  2060   NtSetEventBoostPriority  ... ) == 0x0
 02709   868   NtSetEventBoostPriority  (260, ...
 02710  2076   NtTestAlert  (...
 02711  1736   NtQueryInformationThread  (848, Basic, 28, ...
 02691  2016   NtWaitForSingleObject  ... ) == 0x0
 02710  2076   NtTestAlert  ... ) == 0x0
 02709   868   NtSetEventBoostPriority  ... ) == 0x0
 02712  2060   NtTestAlert  (...
 02713  2016   NtSetEventBoostPriority  (260, ...
 02711  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1636,Tid=2084,}, 0x0, ) == 0x0
 02714  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 02715  2076   NtContinue  (98368816, 1, ...
 02700  1252   NtWaitForSingleObject  ... ) == 0x0
 02713  2016   NtSetEventBoostPriority  ... ) == 0x0
 02712  2060   NtTestAlert  ... ) == 0x0
 02716   868   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 02717  1252   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ...
 02718  2076   NtRegisterThreadTerminatePort  (24, ...
 02719  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0d\6\0\0$\10\0\0" ...  ...
 02720  2060   NtContinue  (97320240, 1, ...
 02717  1252   NtAllocateVirtualMemory  ... 1429504, 4096, ) == 0x0
 02716   868   NtCreateKey  ... 880, 2, ) == 0x0
 02718  2076   NtRegisterThreadTerminatePort  ... ) == 0x0
 02719  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75599, 0}  ... {28, 56, reply, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0d\6\0\0$\10\0\0" )  ) == 0x0
 02721  2060   NtRegisterThreadTerminatePort  (24, ...
 02722  2016   NtWaitForSingleObject  (260, 0, 0x0, ...
 02723   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02724  2076   NtWaitForSingleObject  (260, 0, 0x0, ...
 02725  1736   NtResumeThread  (848, ...
 02726  1252   NtSetEventBoostPriority  (260, ...
 02723   868   NtOpenKey  ... 884, ) == 0x0
 02725  1736   NtResumeThread  ... 1, ) == 0x0
 02708   896   NtWaitForSingleObject  ... ) == 0x0
 02726  1252   NtSetEventBoostPriority  ... ) == 0x0
 02727   868   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02728   896   NtSetEventBoostPriority  (260, ...
 02729  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02730  1252   NtWaitForSingleObject  (260, 0, 0x0, ...
 02704   808   NtWaitForSingleObject  ... ) == 0x0
 02728   896   NtSetEventBoostPriority  ... ) == 0x0
 02727   868   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02721  2060   NtRegisterThreadTerminatePort  ... ) == 0x0
 02731  2084   NtTestAlert  (...
 02732   808   NtSetEventBoostPriority  (260, ...
 02733   896   NtSetEventBoostPriority  (140, ...
 02729  1736   NtAllocateVirtualMemory  ... 99418112, 1048576, ) == 0x0
 02734  2060   NtWaitForSingleObject  (260, 0, 0x0, ...
 02714  2020   NtWaitForSingleObject  ... ) == 0x0
 02731  2084   NtTestAlert  ... ) == 0x0
 02732   808   NtSetEventBoostPriority  ... ) == 0x0
 02735   868   NtQueryValueKey  (880,  (880, "Hostname", Partial, 144, ... , Partial, 144, ...
 02736  1736   NtAllocateVirtualMemory  (-1, 100458496, 0, 8192, 4096, 4, ...
 02737  2020   NtSetEventBoostPriority  (260, ...
 02738  2084   NtContinue  (99417392, 1, ...
 02739   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 02735   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02736  1736   NtAllocateVirtualMemory  ... 100458496, 8192, ) == 0x0
 02722  2016   NtWaitForSingleObject  ... ) == 0x0
 02737  2020   NtSetEventBoostPriority  ... ) == 0x0
 02740  2084   NtRegisterThreadTerminatePort  (24, ...
 02741   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 02742  2016   NtSetEventBoostPriority  (260, ...
 02743  1736   NtProtectVirtualMemory  (-1, (0x5fce000), 4096, 260, ...
 02744  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 02740  2084   NtRegisterThreadTerminatePort  ... ) == 0x0
 02724  2076   NtWaitForSingleObject  ... ) == 0x0
 02742  2016   NtSetEventBoostPriority  ... ) == 0x0
 02743  1736   NtProtectVirtualMemory  ... (0x5fce000), 4096, 4, ) == 0x0
 00803   384   NtWaitForSingleObject  ... ) == 0x0
 02733   896   NtSetEventBoostPriority  ... ) == 0x0
 02745  2076   NtSetEventBoostPriority  (260, ...
 02746  2016   NtWaitForSingleObject  (260, 0, 0x0, ...
 02747  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02748   384   NtWaitForSingleObject  (260, 0, 0x0, ...
 02730  1252   NtWaitForSingleObject  ... ) == 0x0
 02745  2076   NtSetEventBoostPriority  ... ) == 0x0
 02749   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02750  2084   NtWaitForSingleObject  (260, 0, 0x0, ...
 02751  1252   NtSetEventBoostPriority  (260, ...
 02747  1736   NtCreateThread  ... 888, {1636, 2104}, ) == 0x0
 02749   896   NtCreateEvent  ... 892, ) == 0x0
 02734  2060   NtWaitForSingleObject  ... ) == 0x0
 02751  1252   NtSetEventBoostPriority  ... ) == 0x0
 02752  1736   NtQueryInformationThread  (888, Basic, 28, ...
 02753  2060   NtSetEventBoostPriority  (260, ...
 02754   896   NtWaitForSingleObject  (260, 0, 0x0, ...
 02755  2076   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02739   808   NtWaitForSingleObject  ... ) == 0x0
 02753  2060   NtSetEventBoostPriority  ... ) == 0x0
 02752  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1636,Tid=2104,}, 0x0, ) == 0x0
 02756   808   NtSetEventBoostPriority  (260, ...
 02755  2076   NtDuplicateObject  ... 896, ) == 0x0
 02757  1252   NtWaitForSingleObject  (260, 0, 0x0, ...
 02741   868   NtWaitForSingleObject  ... ) == 0x0
 02756   808   NtSetEventBoostPriority  ... ) == 0x0
 02758  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0d\6\0\08\10\0\0" ...  ...
 02759  2076   NtWaitForSingleObject  (260, 0, 0x0, ...
 02760   868   NtSetEventBoostPriority  (260, ...
 02761  2060   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02758  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75600, 0}  ... {28, 56, reply, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0d\6\0\08\10\0\0" )  ) == 0x0
 02744  2020   NtWaitForSingleObject  ... ) == 0x0
 02760   868   NtSetEventBoostPriority  ... ) == 0x0
 02761  2060   NtDuplicateObject  ... 900, ) == 0x0
 02762   808   NtAllocateVirtualMemory  (-1, 13422592, 0, 4096, 4096, 260, ...
 02763  2020   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ...
 02764  1736   NtResumeThread  (888, ...
 02765  2060   NtWaitForSingleObject  (260, 0, 0x0, ...
 02763  2020   NtAllocateVirtualMemory  ... 1433600, 4096, ) == 0x0
 02762   808   NtAllocateVirtualMemory  ... 13422592, 4096, ) == 0x0
 02764  1736   NtResumeThread  ... 1, ) == 0x0
 02766  2020   NtSetEventBoostPriority  (260, ...
 02767   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 02746  2016   NtWaitForSingleObject  ... ) == 0x0
 02768  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02769  2016   NtSetEventBoostPriority  (260, ...
 02768  1736   NtAllocateVirtualMemory  ... 100466688, 1048576, ) == 0x0
 02748   384   NtWaitForSingleObject  ... ) == 0x0
 02770  1736   NtAllocateVirtualMemory  (-1, 101507072, 0, 8192, 4096, 4, ...
 02771   384   NtSetEventBoostPriority  (260, ...
 02770  1736   NtAllocateVirtualMemory  ... 101507072, 8192, ) == 0x0
 02750  2084   NtWaitForSingleObject  ... ) == 0x0
 02771   384   NtSetEventBoostPriority  ... ) == 0x0
 02769  2016   NtSetEventBoostPriority  ... ) == 0x0
 02766  2020   NtSetEventBoostPriority  ... ) == 0x0
 02772   868   NtQueryValueKey  (880,  (880, "Hostname", Partial, 144, ... , Partial, 144, ...
 02773  2104   NtWaitForSingleObject  (260, 0, 0x0, ...
 02774  2084   NtSetEventBoostPriority  (260, ...
 02775  1736   NtProtectVirtualMemory  (-1, (0x60ce000), 4096, 260, ...
 02776  2016   NtWaitForSingleObject  (260, 0, 0x0, ...
 02777   384   NtSetEventBoostPriority  (140, ...
 02772   868   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 02754   896   NtWaitForSingleObject  ... ) == 0x0
 02774  2084   NtSetEventBoostPriority  ... ) == 0x0
 02775  1736   NtProtectVirtualMemory  ... (0x60ce000), 4096, 4, ) == 0x0
 00812  1028   NtWaitForSingleObject  ... ) == 0x0
 02777   384   NtSetEventBoostPriority  ... ) == 0x0
 02778   896   NtSetEventBoostPriority  (260, ...
 02779   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 02780  2084   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02781  1028   NtWaitForSingleObject  (260, 0, 0x0, ...
 02782  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02757  1252   NtWaitForSingleObject  ... ) == 0x0
 02778   896   NtSetEventBoostPriority  ... ) == 0x0
 02783   384   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02784  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 02785  1252   NtSetEventBoostPriority  (260, ...
 02782  1736   NtCreateThread  ... 904, {1636, 2120}, ) == 0x0
 02780  2084   NtDuplicateObject  ... 908, ) == 0x0
 02783   384   NtCreateEvent  ... 912, ) == 0x0
 02759  2076   NtWaitForSingleObject  ... ) == 0x0
 02785  1252   NtSetEventBoostPriority  ... ) == 0x0
 02786  1736   NtQueryInformationThread  (904, Basic, 28, ...
 02787  2084   NtWaitForSingleObject  (260, 0, 0x0, ...
 02788  2076   NtSetEventBoostPriority  (260, ...
 02789   384   NtWaitForSingleObject  (260, 0, 0x0, ...
 02790  1252   NtWaitForSingleObject  (260, 0, 0x0, ...
 02786  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1636,Tid=2120,}, 0x0, ) == 0x0
 02765  2060   NtWaitForSingleObject  ... ) == 0x0
 02788  2076   NtSetEventBoostPriority  ... ) == 0x0
 02791   896   NtWaitForSingleObject  (260, 0, 0x0, ...
 02792  2060   NtSetEventBoostPriority  (260, ...
 02793  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0d\6\0\0H\10\0\0" ...  ...
 02767   808   NtWaitForSingleObject  ... ) == 0x0
 02792  2060   NtSetEventBoostPriority  ... ) == 0x0
 02794   808   NtSetEventBoostPriority  (260, ...
 02793  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75601, 0}  ... {28, 56, reply, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0d\6\0\0H\10\0\0" )  ) == 0x0
 02795  2076   NtWaitForSingleObject  (260, 0, 0x0, ...
 02773  2104   NtWaitForSingleObject  ... ) == 0x0
 02794   808   NtSetEventBoostPriority  ... ) == 0x0
 02796  1736   NtResumeThread  (904, ...
 02797  2104   NtSetEventBoostPriority  (260, ...
 02798  2060   NtWaitForSingleObject  (260, 0, 0x0, ...
 02776  2016   NtWaitForSingleObject  ... ) == 0x0
 02797  2104   NtSetEventBoostPriority  ... ) == 0x0
 02796  1736   NtResumeThread  ... 1, ) == 0x0
 02799  2016   NtSetEventBoostPriority  (260, ...
 02800   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 02801  2120   NtWaitForSingleObject  (88, 0, 0x0, ...
 02779   868   NtWaitForSingleObject  ... ) == 0x0
 02799  2016   NtSetEventBoostPriority  ... ) == 0x0
 02802  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02803   868   NtSetEventBoostPriority  (260, ...
 02804  2104   NtSetEventBoostPriority  (88, ...
 02805  2016   NtWaitForSingleObject  (260, 0, 0x0, ...
 02781  1028   NtWaitForSingleObject  ... ) == 0x0
 02803   868   NtSetEventBoostPriority  ... ) == 0x0
 02801  2120   NtWaitForSingleObject  ... ) == 0x0
 02804  2104   NtSetEventBoostPriority  ... ) == 0x0
 02806  1028   NtSetEventBoostPriority  (260, ...
 02802  1736   NtAllocateVirtualMemory  ... 101515264, 1048576, ) == 0x0
 02807  2120   NtWaitForSingleObject  (260, 0, 0x0, ...
 02784  2020   NtWaitForSingleObject  ... ) == 0x0
 02806  1028   NtSetEventBoostPriority  ... ) == 0x0
 02808  2104   NtTestAlert  (...
 02809  2020   NtSetEventBoostPriority  (260, ...
 02810  1736   NtAllocateVirtualMemory  (-1, 102555648, 0, 8192, 4096, 4, ...
 02811   868   NtClose  (880, ...
 02787  2084   NtWaitForSingleObject  ... ) == 0x0
 02809  2020   NtSetEventBoostPriority  ... ) == 0x0
 02808  2104   NtTestAlert  ... ) == 0x0
 02810  1736   NtAllocateVirtualMemory  ... 102555648, 8192, ) == 0x0
 02812  2084   NtSetEventBoostPriority  (260, ...
 02811   868   NtClose  ... ) == 0x0
 02813  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 02814  2104   NtContinue  (100465968, 1, ...
 02789   384   NtWaitForSingleObject  ... ) == 0x0
 02812  2084   NtSetEventBoostPriority  ... ) == 0x0
 02815  1736   NtProtectVirtualMemory  (-1, (0x61ce000), 4096, 260, ...
 02816   868   NtClose  (884, ...
 02817  1028   NtSetEventBoostPriority  (140, ...
 02818   384   NtSetEventBoostPriority  (260, ...
 02819  2104   NtRegisterThreadTerminatePort  (24, ...
 02815  1736   NtProtectVirtualMemory  ... (0x61ce000), 4096, 4, ) == 0x0
 02816   868   NtClose  ... ) == 0x0
 02790  1252   NtWaitForSingleObject  ... ) == 0x0
 02818   384   NtSetEventBoostPriority  ... ) == 0x0
 00813  2012   NtWaitForSingleObject  ... ) == 0x0
 02817  1028   NtSetEventBoostPriority  ... ) == 0x0
 02820  2084   NtWaitForSingleObject  (260, 0, 0x0, ...
 02821  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02822  1252   NtSetEventBoostPriority  (260, ...
 02823   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 02819  2104   NtRegisterThreadTerminatePort  ... ) == 0x0
 02824  2012   NtWaitForSingleObject  (260, 0, 0x0, ...
 02825  1028   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02826   384   NtWaitForSingleObject  (260, 0, 0x0, ...
 02791   896   NtWaitForSingleObject  ... ) == 0x0
 02827  2104   NtWaitForSingleObject  (260, 0, 0x0, ...
 02825  1028   NtCreateEvent  ... 884, ) == 0x0
 02828   896   NtSetEventBoostPriority  (260, ...
 02829  1028   NtWaitForSingleObject  (260, 0, 0x0, ...
 02795  2076   NtWaitForSingleObject  ... ) == 0x0
 02828   896   NtSetEventBoostPriority  ... ) == 0x0
 02830  2076   NtSetEventBoostPriority  (260, ...
 02798  2060   NtWaitForSingleObject  ... ) == 0x0
 02831  2060   NtSetEventBoostPriority  (260, ...
 02800   808   NtWaitForSingleObject  ... ) == 0x0
 02832   808   NtSetEventBoostPriority  (260, ...
 02805  2016   NtWaitForSingleObject  ... ) == 0x0
 02833  2016   NtSetEventBoostPriority  (260, ...
 02807  2120   NtWaitForSingleObject  ... ) == 0x0
 02834  2120   NtSetEventBoostPriority  (260, ...
 02813  2020   NtWaitForSingleObject  ... ) == 0x0
 02835  2020   NtSetEventBoostPriority  (260, ...
 02820  2084   NtWaitForSingleObject  ... ) == 0x0
 02836  2084   NtSetEventBoostPriority  (260, ...
 02823   868   NtWaitForSingleObject  ... ) == 0x0
 02837   868   NtSetEventBoostPriority  (260, ...
 02824  2012   NtWaitForSingleObject  ... ) == 0x0
 02838  2012   NtSetEventBoostPriority  (260, ...
 02826   384   NtWaitForSingleObject  ... ) == 0x0
 02839   384   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ... 1437696, 4096, ) == 0x0
 02840   384   NtSetEventBoostPriority  (260, ...
 02838  2012   NtSetEventBoostPriority  ... ) == 0x0
 02837   868   NtSetEventBoostPriority  ... ) == 0x0
 02836  2084   NtSetEventBoostPriority  ... ) == 0x0
 02834  2120   NtSetEventBoostPriority  ... ) == 0x0
 02833  2016   NtSetEventBoostPriority  ... ) == 0x0
 02832   808   NtSetEventBoostPriority  ... ) == 0x0
 02831  2060   NtSetEventBoostPriority  ... ) == 0x0
 02830  2076   NtSetEventBoostPriority  ... ) == 0x0
 02841   896   NtWaitForSingleObject  (260, 0, 0x0, ...
 02835  2020   NtSetEventBoostPriority  ... ) == 0x0
 02822  1252   NtSetEventBoostPriority  ... ) == 0x0
 02821  1736   NtCreateThread  ... 880, {1636, 2140}, ) == 0x0
 02827  2104   NtWaitForSingleObject  ... ) == 0x0
 02840   384   NtSetEventBoostPriority  ... ) == 0x0
 02842  2012   NtWaitForSingleObject  (260, 0, 0x0, ...
 02843  2084   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02844   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 02845  2016   NtWaitForSingleObject  (260, 0, 0x0, ...
 02846   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 02847  2060   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02848  2076   NtWaitForSingleObject  (260, 0, 0x0, ...
 02849  2120   NtTestAlert  (...
 02850  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 02851  1252   NtWaitForSingleObject  (260, 0, 0x0, ...
 02852  1736   NtQueryInformationThread  (880, Basic, 28, ...
 02853  2104   NtSetEventBoostPriority  (260, ...
 02854   384   NtWaitForSingleObject  (260, 0, 0x0, ...
 02843  2084   NtWaitForSingleObject  ... ) == 0x102
 02847  2060   NtWaitForSingleObject  ... ) == 0x102
 02849  2120   NtTestAlert  ... ) == 0x0
 02852  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1636,Tid=2140,}, 0x0, ) == 0x0
 02829  1028   NtWaitForSingleObject  ... ) == 0x0
 02853  2104   NtSetEventBoostPriority  ... ) == 0x0
 02855  2084   NtWaitForSingleObject  (140, 0, 0x0, ...
 02856  2060   NtWaitForSingleObject  (140, 0, 0x0, ...
 02857  2120   NtContinue  (101514544, 1, ...
 02858  1028   NtSetEventBoostPriority  (260, ...
 02859  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0d\6\0\0\\10\0\0" ...  ...
 02842  2012   NtWaitForSingleObject  ... ) == 0x0
 02858  1028   NtSetEventBoostPriority  ... ) == 0x0
 02860  2120   NtRegisterThreadTerminatePort  (24, ...
 02861  2012   NtSetEventBoostPriority  (260, ...
 02859  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75602, 0}  ... {28, 56, reply, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0d\6\0\0\\10\0\0" )  ) == 0x0
 02862  2104   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02841   896   NtWaitForSingleObject  ... ) == 0x0
 02861  2012   NtSetEventBoostPriority  ... ) == 0x0
 02860  2120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02863  1028   NtWaitForSingleObject  (260, 0, 0x0, ...
 02864   896   NtSetEventBoostPriority  (260, ...
 02862  2104   NtDuplicateObject  ... 916, ) == 0x0
 02865  2012   NtSetEventBoostPriority  (140, ...
 02866  2120   NtWaitForSingleObject  (260, 0, 0x0, ...
 02844   868   NtWaitForSingleObject  ... ) == 0x0
 02867  2104   NtWaitForSingleObject  (260, 0, 0x0, ...
 02864   896   NtSetEventBoostPriority  ... ) == 0x0
 02868  1736   NtResumeThread  (880, ...
 01198  1180   NtWaitForSingleObject  ... ) == 0x0
 02865  2012   NtSetEventBoostPriority  ... ) == 0x0
 02869   868   NtSetEventBoostPriority  (260, ...
 02870   896   NtWaitForSingleObject  (260, 0, 0x0, ...
 02868  1736   NtResumeThread  ... 1, ) == 0x0
 02871  1180   NtWaitForSingleObject  (260, 0, 0x0, ...
 02872  2012   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02845  2016   NtWaitForSingleObject  ... ) == 0x0
 02869   868   NtSetEventBoostPriority  ... ) == 0x0
 02873  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02874  2016   NtSetEventBoostPriority  (260, ...
 02872  2012   NtCreateEvent  ... 920, ) == 0x0
 02875   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 02846   808   NtWaitForSingleObject  ... ) == 0x0
 02873  1736   NtAllocateVirtualMemory  ... 102563840, 1048576, ) == 0x0
 02876  2012   NtWaitForSingleObject  (260, 0, 0x0, ...
 02874  2016   NtSetEventBoostPriority  ... ) == 0x0
 02877  2140   NtWaitForSingleObject  (260, 0, 0x0, ...
 02878   808   NtSetEventBoostPriority  (260, ...
 02879  1736   NtAllocateVirtualMemory  (-1, 103604224, 0, 8192, 4096, 4, ...
 02880  2016   NtAllocateVirtualMemory  (-1, 17616896, 0, 4096, 4096, 260, ...
 02850  2020   NtWaitForSingleObject  ... ) == 0x0
 02879  1736   NtAllocateVirtualMemory  ... 103604224, 8192, ) == 0x0
 02880  2016   NtAllocateVirtualMemory  ... 17616896, 4096, ) == 0x0
 02881  2020   NtSetEventBoostPriority  (260, ...
 02878   808   NtSetEventBoostPriority  ... ) == 0x0
 02882  1736   NtProtectVirtualMemory  (-1, (0x62ce000), 4096, 260, ...
 02851  1252   NtWaitForSingleObject  ... ) == 0x0
 02881  2020   NtSetEventBoostPriority  ... ) == 0x0
 02883   808   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02884  1252   NtSetEventBoostPriority  (260, ...
 02882  1736   NtProtectVirtualMemory  ... (0x62ce000), 4096, 4, ) == 0x0
 02885  2016   NtWaitForSingleObject  (260, 0, 0x0, ...
 02854   384   NtWaitForSingleObject  ... ) == 0x0
 02884  1252   NtSetEventBoostPriority  ... ) == 0x0
 02883   808   NtCreateEvent  ... 924, ) == 0x0
 02886  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02887   384   NtSetEventBoostPriority  (260, ...
 02888  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 02889  1252   NtWaitForSingleObject  (260, 0, 0x0, ...
 02848  2076   NtWaitForSingleObject  ... ) == 0x0
 02887   384   NtSetEventBoostPriority  ... ) == 0x0
 02886  1736   NtCreateThread  ... 928, {1636, 2164}, ) == 0x0
 02890  2076   NtSetEventBoostPriority  (260, ...
 02891   808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02863  1028   NtWaitForSingleObject  ... ) == 0x0
 02892  1736   NtQueryInformationThread  (928, Basic, 28, ...
 02891   808   NtDuplicateObject  ... 932, ) == 0x0
 02893  1028   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ...
 02892  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1636,Tid=2164,}, 0x0, ) == 0x0
 02894   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 02893  1028   NtAllocateVirtualMemory  ... 1441792, 4096, ) == 0x0
 02890  2076   NtSetEventBoostPriority  ... ) == 0x0
 02895   384   NtWaitForSingleObject  (260, 0, 0x0, ...
 02896  1028   NtSetEventBoostPriority  (260, ...
 02897  2076   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02898  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75602, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0d\6\0\0t\10\0\0" ... {28, 56, reply, 0, 1636, 1736, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0d\6\0\0t\10\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75603, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0d\6\0\0t\10\0\0" ... {28, 56, reply, 0, 1636, 1736, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0d\6\0\0t\10\0\0" )  ) == 0x0
 02899  1736   NtResumeThread  (928, ... 1, ) == 0x0
 02900  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 103612416, 1048576, ) == 0x0
 02901  1736   NtAllocateVirtualMemory  (-1, 104652800, 0, 8192, 4096, 4, ... 104652800, 8192, ) == 0x0
 02902  1736   NtProtectVirtualMemory  (-1, (0x63ce000), 4096, 260, ... (0x63ce000), 4096, 4, ) == 0x0
 02903  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02867  2104   NtWaitForSingleObject  ... ) == 0x0
 02896  1028   NtSetEventBoostPriority  ... ) == 0x0
 02897  2076   NtWaitForSingleObject  ... ) == 0x102
 02904  2164   NtWaitForSingleObject  (88, 0, 0x0, ...
 02905  2104   NtSetEventBoostPriority  (260, ...
 02906  1028   NtWaitForSingleObject  (260, 0, 0x0, ...
 02907  2076   NtWaitForSingleObject  (260, 0, 0x0, ...
 02870   896   NtWaitForSingleObject  ... ) == 0x0
 02905  2104   NtSetEventBoostPriority  ... ) == 0x0
 02908   896   NtSetEventBoostPriority  (260, ...
 02903  1736   NtCreateThread  ... 936, {1636, 2172}, ) == 0x0
 02871  1180   NtWaitForSingleObject  ... ) == 0x0
 02908   896   NtSetEventBoostPriority  ... ) == 0x0
 02909  1180   NtSetEventBoostPriority  (260, ...
 02910  1736   NtQueryInformationThread  (936, Basic, 28, ...
 02911  2104   NtWaitForSingleObject  (260, 0, 0x0, ...
 02866  2120   NtWaitForSingleObject  ... ) == 0x0
 02909  1180   NtSetEventBoostPriority  ... ) == 0x0
 02910  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1636,Tid=2172,}, 0x0, ) == 0x0
 02912  2120   NtSetEventBoostPriority  (260, ...
 02913   896   NtWaitForSingleObject  (260, 0, 0x0, ...
 02876  2012   NtWaitForSingleObject  ... ) == 0x0
 02914  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75603, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0d\6\0\0|\10\0\0" ...  ...
 02915  2012   NtSetEventBoostPriority  (260, ...
 02914  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75604, 0}  ... {28, 56, reply, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0d\6\0\0|\10\0\0" )  ) == 0x0
 02877  2140   NtWaitForSingleObject  ... ) == 0x0
 02915  2012   NtSetEventBoostPriority  ... ) == 0x0
 02912  2120   NtSetEventBoostPriority  ... ) == 0x0
 02916  1180   NtWaitForSingleObject  (260, 0, 0x0, ...
 02917  2140   NtSetEventBoostPriority  (260, ...
 02918  1736   NtResumeThread  (936, ...
 02919  2120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02875   868   NtWaitForSingleObject  ... ) == 0x0
 02917  2140   NtSetEventBoostPriority  ... ) == 0x0
 02918  1736   NtResumeThread  ... 1, ) == 0x0
 02920   868   NtSetEventBoostPriority  (260, ...
 02919  2120   NtDuplicateObject  ... 940, ) == 0x0
 02921  2012   NtWaitForSingleObject  (260, 0, 0x0, ...
 02922  2172   NtWaitForSingleObject  (88, 0, 0x0, ...
 02885  2016   NtWaitForSingleObject  ... ) == 0x0
 02923  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02920   868   NtSetEventBoostPriority  ... ) == 0x0
 02924  2140   NtSetEventBoostPriority  (88, ...
 02925  2016   NtSetEventBoostPriority  (260, ...
 02923  1736   NtAllocateVirtualMemory  ... 104660992, 1048576, ) == 0x0
 02926   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 02904  2164   NtWaitForSingleObject  ... ) == 0x0
 02924  2140   NtSetEventBoostPriority  ... ) == 0x0
 02888  2020   NtWaitForSingleObject  ... ) == 0x0
 02925  2016   NtSetEventBoostPriority  ... ) == 0x0
 02927  1736   NtAllocateVirtualMemory  (-1, 105701376, 0, 8192, 4096, 4, ...
 02928  2164   NtWaitForSingleObject  (260, 0, 0x0, ...
 02929  2020   NtSetEventBoostPriority  (260, ...
 02930  2140   NtTestAlert  (...
 02931  2016   NtWaitForSingleObject  (260, 0, 0x0, ...
 02889  1252   NtWaitForSingleObject  ... ) == 0x0
 02929  2020   NtSetEventBoostPriority  ... ) == 0x0
 02927  1736   NtAllocateVirtualMemory  ... 105701376, 8192, ) == 0x0
 02930  2140   NtTestAlert  ... ) == 0x0
 02932  2120   NtWaitForSingleObject  (260, 0, 0x0, ...
 02933  1252   NtSetEventBoostPriority  (260, ...
 02934  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 02935  2140   NtContinue  (102563120, 1, ...
 02894   808   NtWaitForSingleObject  ... ) == 0x0
 02933  1252   NtSetEventBoostPriority  ... ) == 0x0
 02936  1736   NtProtectVirtualMemory  (-1, (0x64ce000), 4096, 260, ...
 02937   808   NtSetEventBoostPriority  (260, ...
 02938  2140   NtRegisterThreadTerminatePort  (24, ...
 02939  1252   NtWaitForSingleObject  (260, 0, 0x0, ...
 02895   384   NtWaitForSingleObject  ... ) == 0x0
 02937   808   NtSetEventBoostPriority  ... ) == 0x0
 02936  1736   NtProtectVirtualMemory  ... (0x64ce000), 4096, 4, ) == 0x0
 02938  2140   NtRegisterThreadTerminatePort  ... ) == 0x0
 02940   384   NtSetEventBoostPriority  (260, ...
 02941  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02906  1028   NtWaitForSingleObject  ... ) == 0x0
 02940   384   NtSetEventBoostPriority  ... ) == 0x0
 02942  2140   NtWaitForSingleObject  (260, 0, 0x0, ...
 02943  1028   NtSetEventBoostPriority  (260, ...
 02941  1736   NtCreateThread  ... 944, {1636, 2192}, ) == 0x0
 02944   384   NtWaitForSingleObject  (260, 0, 0x0, ...
 02907  2076   NtWaitForSingleObject  ... ) == 0x0
 02943  1028   NtSetEventBoostPriority  ... ) == 0x0
 02945  1736   NtQueryInformationThread  (944, Basic, 28, ...
 02946   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 02947  2076   NtSetEventBoostPriority  (260, ...
 02945  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1636,Tid=2192,}, 0x0, ) == 0x0
 02911  2104   NtWaitForSingleObject  ... ) == 0x0
 02947  2076   NtSetEventBoostPriority  ... ) == 0x0
 02948  1028   NtWaitForSingleObject  (260, 0, 0x0, ...
 02949  2104   NtSetEventBoostPriority  (260, ...
 02950  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0d\6\0\0\220\10\0\0" ...  ...
 02913   896   NtWaitForSingleObject  ... ) == 0x0
 02949  2104   NtSetEventBoostPriority  ... ) == 0x0
 02951   896   NtSetEventBoostPriority  (260, ...
 02950  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75605, 0}  ... {28, 56, reply, 0, 1636, 1736, 75605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0d\6\0\0\220\10\0\0" )  ) == 0x0
 02916  1180   NtWaitForSingleObject  ... ) == 0x0
 02951   896   NtSetEventBoostPriority  ... ) == 0x0
 02952  2104   NtWaitForSingleObject  (260, 0, 0x0, ...
 02953  1180   NtSetEventBoostPriority  (260, ...
 02954  1736   NtResumeThread  (944, ...
 02955   896   NtWaitForSingleObject  (260, 0, 0x0, ...
 02956  2076   NtWaitForSingleObject  (140, 0, 0x0, ...
 02921  2012   NtWaitForSingleObject  ... ) == 0x0
 02953  1180   NtSetEventBoostPriority  ... ) == 0x0
 02954  1736   NtResumeThread  ... 1, ) == 0x0
 02957  2012   NtAllocateVirtualMemory  (-1, 1445888, 0, 4096, 4096, 4, ...
 02958  1180   NtSetEventBoostPriority  (140, ...
 02957  2012   NtAllocateVirtualMemory  ... 1445888, 4096, ) == 0x0
 02959  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02960  2192   NtWaitForSingleObject  (88, 0, 0x0, ...
 02961  2012   NtSetEventBoostPriority  (260, ...
 01222   420   NtWaitForSingleObject  ... ) == 0x0
 02958  1180   NtSetEventBoostPriority  ... ) == 0x0
 02959  1736   NtAllocateVirtualMemory  ... 105709568, 1048576, ) == 0x0
 02962   420   NtWaitForSingleObject  (260, 0, 0x0, ...
 02963  1180   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02964  1736   NtAllocateVirtualMemory  (-1, 106749952, 0, 8192, 4096, 4, ...
 02963  1180   NtCreateEvent  ... 948, ) == 0x0
 02964  1736   NtAllocateVirtualMemory  ... 106749952, 8192, ) == 0x0
 02965  1180   NtWaitForSingleObject  (260, 0, 0x0, ...
 02966  1736   NtProtectVirtualMemory  (-1, (0x65ce000), 4096, 260, ... (0x65ce000), 4096, 4, ) == 0x0
 02967  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 952, {1636, 2204}, ) == 0x0
 02968  1736   NtQueryInformationThread  (952, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1636,Tid=2204,}, 0x0, ) == 0x0
 02969  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75605, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0d\6\0\0\234\10\0\0" ... {28, 56, reply, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0d\6\0\0\234\10\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75606, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0d\6\0\0\234\10\0\0" ... {28, 56, reply, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0d\6\0\0\234\10\0\0" )  ) == 0x0
 02926   868   NtWaitForSingleObject  ... ) == 0x0
 02961  2012   NtSetEventBoostPriority  ... ) == 0x0
 02970   868   NtSetEventBoostPriority  (260, ...
 02971  2012   NtWaitForSingleObject  (260, 0, 0x0, ...
 02928  2164   NtWaitForSingleObject  ... ) == 0x0
 02970   868   NtSetEventBoostPriority  ... ) == 0x0
 02972  2164   NtSetEventBoostPriority  (260, ...
 02973  1736   NtResumeThread  (952, ...
 02931  2016   NtWaitForSingleObject  ... ) == 0x0
 02972  2164   NtSetEventBoostPriority  ... ) == 0x0
 02974  2016   NtSetEventBoostPriority  (260, ...
 02973  1736   NtResumeThread  ... 1, ) == 0x0
 02975   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 02932  2120   NtWaitForSingleObject  ... ) == 0x0
 02976  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02977  2120   NtSetEventBoostPriority  (260, ...
 02976  1736   NtAllocateVirtualMemory  ... 106758144, 1048576, ) == 0x0
 02934  2020   NtWaitForSingleObject  ... ) == 0x0
 02977  2120   NtSetEventBoostPriority  ... ) == 0x0
 02978  2020   NtSetEventBoostPriority  (260, ...
 02979  1736   NtAllocateVirtualMemory  (-1, 107798528, 0, 8192, 4096, 4, ...
 02939  1252   NtWaitForSingleObject  ... ) == 0x0
 02980  2120   NtWaitForSingleObject  (260, 0, 0x0, ...
 02979  1736   NtAllocateVirtualMemory  ... 107798528, 8192, ) == 0x0
 02981  1252   NtSetEventBoostPriority  (260, ...
 02978  2020   NtSetEventBoostPriority  ... ) == 0x0
 02974  2016   NtSetEventBoostPriority  ... ) == 0x0
 02982  2164   NtSetEventBoostPriority  (88, ...
 02983  2204   NtWaitForSingleObject  (88, 0, 0x0, ...
 02942  2140   NtWaitForSingleObject  ... ) == 0x0
 02984  2020   NtAllocateVirtualMemory  (-1, 14471168, 0, 4096, 4096, 260, ...
 02985  2016   NtWaitForSingleObject  (260, 0, 0x0, ...
 02922  2172   NtWaitForSingleObject  ... ) == 0x0
 02982  2164   NtSetEventBoostPriority  ... ) == 0x0
 02986  2140   NtSetEventBoostPriority  (260, ...
 02984  2020   NtAllocateVirtualMemory  ... 14471168, 4096, ) == 0x0
 02987  2172   NtWaitForSingleObject  (260, 0, 0x0, ...
 02988  2164   NtTestAlert  (...
 02944   384   NtWaitForSingleObject  ... ) == 0x0
 02986  2140   NtSetEventBoostPriority  ... ) == 0x0
 02981  1252   NtSetEventBoostPriority  ... ) == 0x0
 02989  1736   NtProtectVirtualMemory  (-1, (0x66ce000), 4096, 260, ...
 02990   384   NtSetEventBoostPriority  (260, ...
 02988  2164   NtTestAlert  ... ) == 0x0
 02991  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 02992  1252   NtAllocateVirtualMemory  (-1, 16568320, 0, 4096, 4096, 260, ...
 02946   808   NtWaitForSingleObject  ... ) == 0x0
 02989  1736   NtProtectVirtualMemory  ... (0x66ce000), 4096, 4, ) == 0x0
 02993  2164   NtContinue  (103611696, 1, ...
 02992  1252   NtAllocateVirtualMemory  ... 16568320, 4096, ) == 0x0
 02994   808   NtSetEventBoostPriority  (260, ...
 02995  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02996  2164   NtRegisterThreadTerminatePort  (24, ...
 02990   384   NtSetEventBoostPriority  ... ) == 0x0
 02997  2140   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02948  1028   NtWaitForSingleObject  ... ) == 0x0
 02994   808   NtSetEventBoostPriority  ... ) == 0x0
 02995  1736   NtCreateThread  ... 956, {1636, 2216}, ) == 0x0
 02998  1252   NtWaitForSingleObject  (260, 0, 0x0, ...
 02999   384   NtWaitForSingleObject  (260, 0, 0x0, ...
 03000  1028   NtSetEventBoostPriority  (260, ...
 02997  2140   NtDuplicateObject  ... 960, ) == 0x0
 03001   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 03002  1736   NtQueryInformationThread  (956, Basic, 28, ...
 02952  2104   NtWaitForSingleObject  ... ) == 0x0
 03000  1028   NtSetEventBoostPriority  ... ) == 0x0
 03003  2140   NtWaitForSingleObject  (260, 0, 0x0, ...
 02996  2164   NtRegisterThreadTerminatePort  ... ) == 0x0
 03004  2104   NtSetEventBoostPriority  (260, ...
 03002  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1636,Tid=2216,}, 0x0, ) == 0x0
 03005  1028   NtWaitForSingleObject  (260, 0, 0x0, ...
 02955   896   NtWaitForSingleObject  ... ) == 0x0
 03006  2164   NtWaitForSingleObject  (260, 0, 0x0, ...
 03004  2104   NtSetEventBoostPriority  ... ) == 0x0
 03007  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75606, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0d\6\0\0\250\10\0\0" ...  ...
 03008   896   NtSetEventBoostPriority  (260, ...
 03009  2104   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03007  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75607, 0}  ... {28, 56, reply, 0, 1636, 1736, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0d\6\0\0\250\10\0\0" )  ) == 0x0
 02962   420   NtWaitForSingleObject  ... ) == 0x0
 03010  1736   NtResumeThread  (956, ...
 03011   420   NtSetEventBoostPriority  (260, ...
 03010  1736   NtResumeThread  ... 1, ) == 0x0
 02965  1180   NtWaitForSingleObject  ... ) == 0x0
 03011   420   NtSetEventBoostPriority  ... ) == 0x0
 03012  1180   NtSetEventBoostPriority  (260, ...
 03013  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03008   896   NtSetEventBoostPriority  ... ) == 0x0
 03009  2104   NtWaitForSingleObject  ... ) == 0x102
 03014  2216   NtWaitForSingleObject  (88, 0, 0x0, ...
 02971  2012   NtWaitForSingleObject  ... ) == 0x0
 03012  1180   NtSetEventBoostPriority  ... ) == 0x0
 03015   420   NtSetEventBoostPriority  (140, ...
 03016   896   NtWaitForSingleObject  (260, 0, 0x0, ...
 03017  2104   NtWaitForSingleObject  (140, 0, 0x0, ...
 03018  2012   NtSetEventBoostPriority  (260, ...
 03013  1736   NtAllocateVirtualMemory  ... 107806720, 1048576, ) == 0x0
 01299   120   NtWaitForSingleObject  ... ) == 0x0
 03015   420   NtSetEventBoostPriority  ... ) == 0x0
 02975   868   NtWaitForSingleObject  ... ) == 0x0
 03018  2012   NtSetEventBoostPriority  ... ) == 0x0
 03019   120   NtWaitForSingleObject  (260, 0, 0x0, ...
 03020  1736   NtAllocateVirtualMemory  (-1, 108847104, 0, 8192, 4096, 4, ...
 03021   868   NtSetEventBoostPriority  (260, ...
 03022   420   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03023  1180   NtWaitForSingleObject  (260, 0, 0x0, ...
 02980  2120   NtWaitForSingleObject  ... ) == 0x0
 03021   868   NtSetEventBoostPriority  ... ) == 0x0
 03020  1736   NtAllocateVirtualMemory  ... 108847104, 8192, ) == 0x0
 03022   420   NtCreateEvent  ... 964, ) == 0x0
 03024  2120   NtSetEventBoostPriority  (260, ...
 03025  1736   NtProtectVirtualMemory  (-1, (0x67ce000), 4096, 260, ...
 02985  2016   NtWaitForSingleObject  ... ) == 0x0
 03026   420   NtWaitForSingleObject  (260, 0, 0x0, ...
 03025  1736   NtProtectVirtualMemory  ... (0x67ce000), 4096, 4, ) == 0x0
 03027  2016   NtSetEventBoostPriority  (260, ...
 03028  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02987  2172   NtWaitForSingleObject  ... ) == 0x0
 03027  2016   NtSetEventBoostPriority  ... ) == 0x0
 03024  2120   NtSetEventBoostPriority  ... ) == 0x0
 03029  2012   NtWaitForSingleObject  (260, 0, 0x0, ...
 03030   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 03031  2172   NtSetEventBoostPriority  (260, ...
 03028  1736   NtCreateThread  ... 968, {1636, 2228}, ) == 0x0
 03032  2120   NtWaitForSingleObject  (260, 0, 0x0, ...
 02991  2020   NtWaitForSingleObject  ... ) == 0x0
 03031  2172   NtSetEventBoostPriority  ... ) == 0x0
 03033  1736   NtQueryInformationThread  (968, Basic, 28, ...
 03034  2020   NtSetEventBoostPriority  (260, ...
 03035  2016   NtWaitForSingleObject  (260, 0, 0x0, ...
 02998  1252   NtWaitForSingleObject  ... ) == 0x0
 03034  2020   NtSetEventBoostPriority  ... ) == 0x0
 03033  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1636,Tid=2228,}, 0x0, ) == 0x0
 03036  1252   NtSetEventBoostPriority  (260, ...
 03037  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 02999   384   NtWaitForSingleObject  ... ) == 0x0
 03036  1252   NtSetEventBoostPriority  ... ) == 0x0
 03038  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75607, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0d\6\0\0\264\10\0\0" ...  ...
 03039  2172   NtSetEventBoostPriority  (88, ...
 03040   384   NtSetEventBoostPriority  (260, ...
 03041  1252   NtWaitForSingleObject  (260, 0, 0x0, ...
 03038  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75608, 0}  ... {28, 56, reply, 0, 1636, 1736, 75608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0d\6\0\0\264\10\0\0" )  ) == 0x0
 03003  2140   NtWaitForSingleObject  ... ) == 0x0
 03040   384   NtSetEventBoostPriority  ... ) == 0x0
 02960  2192   NtWaitForSingleObject  ... ) == 0x0
 03039  2172   NtSetEventBoostPriority  ... ) == 0x0
 03042  2140   NtSetEventBoostPriority  (260, ...
 03043  1736   NtResumeThread  (968, ...
 03044  2192   NtSetEventBoostPriority  (88, ...
 03001   808   NtWaitForSingleObject  ... ) == 0x0
 03042  2140   NtSetEventBoostPriority  ... ) == 0x0
 03045  2172   NtTestAlert  (...
 02983  2204   NtWaitForSingleObject  ... ) == 0x0
 03046   808   NtSetEventBoostPriority  (260, ...
 03044  2192   NtSetEventBoostPriority  ... ) == 0x0
 03043  1736   NtResumeThread  ... 1, ) == 0x0
 03047   384   NtWaitForSingleObject  (260, 0, 0x0, ...
 03048  2204   NtWaitForSingleObject  (260, 0, 0x0, ...
 03006  2164   NtWaitForSingleObject  ... ) == 0x0
 03045  2172   NtTestAlert  ... ) == 0x0
 03046   808   NtSetEventBoostPriority  ... ) == 0x0
 03049  2140   NtWaitForSingleObject  (304, 0, 0x0, ...
 03050  2228   NtWaitForSingleObject  (88, 0, 0x0, ...
 03051  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03052  2164   NtSetEventBoostPriority  (260, ...
 03053  2172   NtContinue  (104660272, 1, ...
 03054   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 03051  1736   NtAllocateVirtualMemory  ... 108855296, 1048576, ) == 0x0
 03005  1028   NtWaitForSingleObject  ... ) == 0x0
 03052  2164   NtSetEventBoostPriority  ... ) == 0x0
 03055  2172   NtRegisterThreadTerminatePort  (24, ...
 03056  1028   NtSetEventBoostPriority  (260, ...
 03057  1736   NtAllocateVirtualMemory  (-1, 109895680, 0, 8192, 4096, 4, ...
 03058  2192   NtTestAlert  (...
 03059  2164   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03016   896   NtWaitForSingleObject  ... ) == 0x0
 03057  1736   NtAllocateVirtualMemory  ... 109895680, 8192, ) == 0x0
 03058  2192   NtTestAlert  ... ) == 0x0
 03059  2164   NtDuplicateObject  ... 972, ) == 0x0
 03060   896   NtSetEventBoostPriority  (260, ...
 03056  1028   NtSetEventBoostPriority  ... ) == 0x0
 03055  2172   NtRegisterThreadTerminatePort  ... ) == 0x0
 03061  2192   NtContinue  (105708848, 1, ...
 03062  2164   NtWaitForSingleObject  (260, 0, 0x0, ...
 03019   120   NtWaitForSingleObject  ... ) == 0x0
 03060   896   NtSetEventBoostPriority  ... ) == 0x0
 03063  1028   NtWaitForSingleObject  (260, 0, 0x0, ...
 03064  2172   NtWaitForSingleObject  (260, 0, 0x0, ...
 03065  2192   NtRegisterThreadTerminatePort  (24, ...
 03066   120   NtSetEventBoostPriority  (260, ...
 03067  1736   NtProtectVirtualMemory  (-1, (0x68ce000), 4096, 260, ...
 03023  1180   NtWaitForSingleObject  ... ) == 0x0
 03066   120   NtSetEventBoostPriority  ... ) == 0x0
 03065  2192   NtRegisterThreadTerminatePort  ... ) == 0x0
 03068  1180   NtSetEventBoostPriority  (260, ...
 03067  1736   NtProtectVirtualMemory  ... (0x68ce000), 4096, 4, ) == 0x0
 03069   896   NtWaitForSingleObject  (260, 0, 0x0, ...
 03026   420   NtWaitForSingleObject  ... ) == 0x0
 03068  1180   NtSetEventBoostPriority  ... ) == 0x0
 03070  2192   NtWaitForSingleObject  (260, 0, 0x0, ...
 03071  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03072   420   NtSetEventBoostPriority  (260, ...
 03073  1180   NtWaitForSingleObject  (260, 0, 0x0, ...
 03074   120   NtSetEventBoostPriority  (140, ...
 03029  2012   NtWaitForSingleObject  ... ) == 0x0
 03072   420   NtSetEventBoostPriority  ... ) == 0x0
 03071  1736   NtCreateThread  ... 976, {1636, 2248}, ) == 0x0
 03075  2012   NtSetEventBoostPriority  (260, ...
 01336   428   NtWaitForSingleObject  ... ) == 0x0
 03074   120   NtSetEventBoostPriority  ... ) == 0x0
 03030   868   NtWaitForSingleObject  ... ) == 0x0
 03076   428   NtWaitForSingleObject  (260, 0, 0x0, ...
 03075  2012   NtSetEventBoostPriority  ... ) == 0x0
 03077  1736   NtQueryInformationThread  (976, Basic, 28, ...
 03078   868   NtSetEventBoostPriority  (260, ...
 03079   120   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03080  2012   NtWaitForSingleObject  (260, 0, 0x0, ...
 03032  2120   NtWaitForSingleObject  ... ) == 0x0
 03078   868   NtSetEventBoostPriority  ... ) == 0x0
 03077  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1636,Tid=2248,}, 0x0, ) == 0x0
 03079   120   NtCreateEvent  ... 980, ) == 0x0
 03081   420   NtWaitForSingleObject  (260, 0, 0x0, ...
 03082  2120   NtSetEventBoostPriority  (260, ...
 03083   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 03084   120   NtWaitForSingleObject  (260, 0, 0x0, ...
 03035  2016   NtWaitForSingleObject  ... ) == 0x0
 03082  2120   NtSetEventBoostPriority  ... ) == 0x0
 03085  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75608, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0d\6\0\0\310\10\0\0" ...  ...
 03086  2016   NtSetEventBoostPriority  (260, ...
 03037  2020   NtWaitForSingleObject  ... ) == 0x0
 03087  2020   NtSetEventBoostPriority  (260, ...
 03041  1252   NtWaitForSingleObject  ... ) == 0x0
 03088  1252   NtSetEventBoostPriority  (260, ...
 03048  2204   NtWaitForSingleObject  ... ) == 0x0
 03089  2204   NtSetEventBoostPriority  (260, ...
 03047   384   NtWaitForSingleObject  ... ) == 0x0
 03090   384   NtSetEventBoostPriority  (260, ...
 03054   808   NtWaitForSingleObject  ... ) == 0x0
 03091   808   NtSetEventBoostPriority  (260, ...
 03062  2164   NtWaitForSingleObject  ... ) == 0x0
 03092  2164   NtSetEventBoostPriority  (260, ...
 03063  1028   NtWaitForSingleObject  ... ) == 0x0
 03093  1028   NtSetEventBoostPriority  (260, ...
 03064  2172   NtWaitForSingleObject  ... ) == 0x0
 03094  2172   NtSetEventBoostPriority  (260, ...
 03069   896   NtWaitForSingleObject  ... ) == 0x0
 03095   896   NtSetEventBoostPriority  (260, ...
 03070  2192   NtWaitForSingleObject  ... ) == 0x0
 03096  2192   NtSetEventBoostPriority  (260, ...
 03073  1180   NtWaitForSingleObject  ... ) == 0x0
 03097  1180   NtAllocateVirtualMemory  (-1, 1449984, 0, 4096, 4096, 4, ... 1449984, 4096, ) == 0x0
 03098  1180   NtSetEventBoostPriority  (260, ...
 03076   428   NtWaitForSingleObject  ... ) == 0x0
 03099   428   NtSetEventBoostPriority  (260, ...
 03080  2012   NtWaitForSingleObject  ... ) == 0x0
 03100  2012   NtSetEventBoostPriority  (260, ...
 03081   420   NtWaitForSingleObject  ... ) == 0x0
 03101   420   NtAllocateVirtualMemory  (-1, 1454080, 0, 4096, 4096, 4, ... 1454080, 4096, ) == 0x0
 03102   420   NtSetEventBoostPriority  (260, ...
 03095   896   NtSetEventBoostPriority  ... ) == 0x0
 03094  2172   NtSetEventBoostPriority  ... ) == 0x0
 03093  1028   NtSetEventBoostPriority  ... ) == 0x0
 03092  2164   NtSetEventBoostPriority  ... ) == 0x0
 03091   808   NtSetEventBoostPriority  ... ) == 0x0
 03090   384   NtSetEventBoostPriority  ... ) == 0x0
 03089  2204   NtSetEventBoostPriority  ... ) == 0x0
 03086  2016   NtSetEventBoostPriority  ... ) == 0x0
 03085  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75609, 0}  ... {28, 56, reply, 0, 1636, 1736, 75609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0d\6\0\0\310\10\0\0" )  ) == 0x0
 03100  2012   NtSetEventBoostPriority  ... ) == 0x0
 03099   428   NtSetEventBoostPriority  ... ) == 0x0
 03098  1180   NtSetEventBoostPriority  ... ) == 0x0
 03096  2192   NtSetEventBoostPriority  ... ) == 0x0
 03088  1252   NtSetEventBoostPriority  ... ) == 0x0
 03087  2020   NtSetEventBoostPriority  ... ) == 0x0
 03103  2120   NtSetEventBoostPriority  (304, ...
 03104   896   NtAllocateVirtualMemory  (-1, 15519744, 0, 4096, 4096, 260, ...
 03084   120   NtWaitForSingleObject  ... ) == 0x0
 03102   420   NtSetEventBoostPriority  ... ) == 0x0
 03105  2172   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03106  1028   NtWaitForSingleObject  (260, 0, 0x0, ...
 03107  2164   NtWaitForSingleObject  (260, 0, 0x0, ...
 03108   384   NtWaitForSingleObject  (260, 0, 0x0, ...
 03109   808   NtWaitForSingleObject  (304, 0, 0x0, ...
 03110  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03111  1736   NtResumeThread  (976, ...
 03112  2012   NtWaitForSingleObject  (260, 0, 0x0, ...
 03113  2204   NtSetEventBoostPriority  (88, ...
 03114   428   NtSetEventBoostPriority  (140, ...
 03115  2192   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03116  1252   NtWaitForSingleObject  (260, 0, 0x0, ...
 03117  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 03049  2140   NtWaitForSingleObject  ... ) == 0x0
 03103  2120   NtSetEventBoostPriority  ... ) == 0x0
 03118  1180   NtWaitForSingleObject  (260, 0, 0x0, ...
 03119   120   NtSetEventBoostPriority  (260, ...
 03120   420   NtWaitForSingleObject  (260, 0, 0x0, ...
 03105  2172   NtDuplicateObject  ... 984, ) == 0x0
 03104   896   NtAllocateVirtualMemory  ... 15519744, 4096, ) == 0x0
 03111  1736   NtResumeThread  ... 1, ) == 0x0
 03014  2216   NtWaitForSingleObject  ... ) == 0x0
 03113  2204   NtSetEventBoostPriority  ... ) == 0x0
 01355   596   NtWaitForSingleObject  ... ) == 0x0
 03114   428   NtSetEventBoostPriority  ... ) == 0x0
 03115  2192   NtDuplicateObject  ... 988, ) == 0x0
 03121  2140   NtSetEventBoostPriority  (304, ...
 03122  2120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03083   868   NtWaitForSingleObject  ... ) == 0x0
 03119   120   NtSetEventBoostPriority  ... ) == 0x0
 03123  2172   NtWaitForSingleObject  (260, 0, 0x0, ...
 03124   896   NtWaitForSingleObject  (260, 0, 0x0, ...
 03125  2216   NtWaitForSingleObject  (260, 0, 0x0, ...
 03126  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03127   596   NtSetEventBoostPriority  (140, ...
 03128  2204   NtTestAlert  (...
 03129   428   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03110  2016   NtCreateEvent  ... 992, ) == 0x0
 03130  2248   NtWaitForSingleObject  (88, 0, 0x0, ...
 03109   808   NtWaitForSingleObject  ... ) == 0x0
 03121  2140   NtSetEventBoostPriority  ... ) == 0x0
 03131   868   NtSetEventBoostPriority  (260, ...
 03122  2120   NtWaitForSingleObject  ... ) == 0x102
 03132  2192   NtWaitForSingleObject  (260, 0, 0x0, ...
 03133   120   NtWaitForSingleObject  (260, 0, 0x0, ...
 01363   748   NtWaitForSingleObject  ... ) == 0x0
 03128  2204   NtTestAlert  ... ) == 0x0
 03129   428   NtCreateEvent  ... 996, ) == 0x0
 03134  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03135   808   NtWaitForSingleObject  (260, 0, 0x0, ...
 03106  1028   NtWaitForSingleObject  ... ) == 0x0
 03136  2140   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03137  2120   NtWaitForSingleObject  (140, 0, 0x0, ...
 03138   748   NtWaitForSingleObject  (260, 0, 0x0, ...
 03139  2204   NtContinue  (106757424, 1, ...
 03140   428   NtWaitForSingleObject  (260, 0, 0x0, ...
 03134  2016   NtDuplicateObject  ... 1000, ) == 0x0
 03141  1028   NtSetEventBoostPriority  (260, ...
 03131   868   NtSetEventBoostPriority  ... ) == 0x0
 03127   596   NtSetEventBoostPriority  ... ) == 0x0
 03126  1736   NtAllocateVirtualMemory  ... 109903872, 1048576, ) == 0x0
 03136  2140   NtWaitForSingleObject  ... ) == 0x102
 03142  2204   NtRegisterThreadTerminatePort  (24, ...
 03143  2016   NtWaitForSingleObject  (260, 0, 0x0, ...
 03107  2164   NtWaitForSingleObject  ... ) == 0x0
 03141  1028   NtSetEventBoostPriority  ... ) == 0x0
 03144   868   NtWaitForSingleObject  (260, 0, 0x0, ...
 03145   596   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03146  1736   NtAllocateVirtualMemory  (-1, 110944256, 0, 8192, 4096, 4, ...
 03147  2140   NtWaitForSingleObject  (260, 0, 0x0, ...
 03148  2164   NtSetEventBoostPriority  (260, ...
 03149  1028   NtWaitForSingleObject  (260, 0, 0x0, ...
 03145   596   NtCreateEvent  ... 1004, ) == 0x0
 03146  1736   NtAllocateVirtualMemory  ... 110944256, 8192, ) == 0x0
 03108   384   NtWaitForSingleObject  ... ) == 0x0
 03148  2164   NtSetEventBoostPriority  ... ) == 0x0
 03142  2204   NtRegisterThreadTerminatePort  ... ) == 0x0
 03150   384   NtSetEventBoostPriority  (260, ...
 03151  1736   NtProtectVirtualMemory  (-1, (0x69ce000), 4096, 260, ...
 03152  2164   NtWaitForSingleObject  (304, 0, 0x0, ...
 03112  2012   NtWaitForSingleObject  ... ) == 0x0
 03153  2204   NtWaitForSingleObject  (260, 0, 0x0, ...
 03151  1736   NtProtectVirtualMemory  ... (0x69ce000), 4096, 4, ) == 0x0
 03150   384   NtSetEventBoostPriority  ... ) == 0x0
 03154   596   NtWaitForSingleObject  (260, 0, 0x0, ...
 03155  2012   NtSetEventBoostPriority  (260, ...
 03156  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03157   384   NtWaitForSingleObject  (260, 0, 0x0, ...
 03116  1252   NtWaitForSingleObject  ... ) == 0x0
 03155  2012   NtSetEventBoostPriority  ... ) == 0x0
 03158  1252   NtSetEventBoostPriority  (260, ...
 03156  1736   NtCreateThread  ... 1008, {1636, 2280}, ) == 0x0
 03117  2020   NtWaitForSingleObject  ... ) == 0x0
 03158  1252   NtSetEventBoostPriority  ... ) == 0x0
 03159  2020   NtSetEventBoostPriority  (260, ...
 03160  1736   NtQueryInformationThread  (1008, Basic, 28, ...
 03161  2012   NtWaitForSingleObject  (260, 0, 0x0, ...
 03118  1180   NtWaitForSingleObject  ... ) == 0x0
 03159  2020   NtSetEventBoostPriority  ... ) == 0x0
 03160  1736   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1636,Tid=2280,}, 0x0, ) == 0x0
 03162  1180   NtSetEventBoostPriority  (260, ...
 03163  1252   NtWaitForSingleObject  (260, 0, 0x0, ...
 03120   420   NtWaitForSingleObject  ... ) == 0x0
 03162  1180   NtSetEventBoostPriority  ... ) == 0x0
 03164  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75609, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0d\6\0\0\350\10\0\0" ...  ...
 03165   420   NtSetEventBoostPriority  (260, ...
 03166  1180   NtWaitForSingleObject  (260, 0, 0x0, ...
 03123  2172   NtWaitForSingleObject  ... ) == 0x0
 03165   420   NtSetEventBoostPriority  ... ) == 0x0
 03164  1736   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1636, 1736, 75610, 0}  ... {28, 56, reply, 0, 1636, 1736, 75610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0d\6\0\0\350\10\0\0" )  ) == 0x0
 03167  2020   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 03168  2172   NtSetEventBoostPriority  (260, ...
 03169   420   NtWaitForSingleObject  (260, 0, 0x0, ...
 03125  2216   NtWaitForSingleObject  ... ) == 0x0
 03168  2172   NtSetEventBoostPriority  ... ) == 0x0
 03167  2020   NtCreateEvent  ... 1012, ) == 0x0
 03170  2216   NtSetEventBoostPriority  (260, ...
 03171  1736   NtResumeThread  (1008, ...
 03124   896   NtWaitForSingleObject  ... ) == 0x0
 03170  2216   NtSetEventBoostPriority  ... ) == 0x0
 03172  2020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03173   896   NtSetEventBoostPriority  (260, ...
 03171  1736   NtResumeThread  ... 1, ) == 0x0
 03174  2172   NtWaitForSingleObject  (304, 0, 0x0, ...
 03132  2192   NtWaitForSingleObject  ... ) == 0x0
 03173   896   NtSetEventBoostPriority  ... ) == 0x0
 03172  2020   NtDuplicateObject  ... 1016, ) == 0x0
 03175  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03176  2192   NtSetEventBoostPriority  (260, ...
 03177  2216   NtSetEventBoostPriority  (88, ...
 03178  2280   NtWaitForSingleObject  (88, 0, 0x0, ...
 03179  2020   NtWaitForSingleObject  (260, 0, 0x0, ...
 03133   120   NtWaitForSingleObject  ... ) == 0x0
 03176  2192   NtSetEventBoostPriority  ... ) == 0x0
 03175  1736   NtAllocateVirtualMemory  ... 110952448, 1048576, ) == 0x0
 03050  2228   NtWaitForSingleObject  ... ) == 0x0
 03177  2216   NtSetEventBoostPriority  ... ) == 0x0
 03180   120   NtSetEventBoostPriority  (260, ...
 03181  2192   NtWaitForSingleObject  (304, 0, 0x0, ...
 03182  2228   NtWaitForSingleObject  (260, 0, 0x0, ...
 03183  1736   NtAllocateVirtualMemory  (-1, 111992832, 0, 8192, 4096, 4, ...
 03135   808   NtWaitForSingleObject  ... ) == 0x0
 03180   120   NtSetEventBoostPriority  ... ) == 0x0
 03184  2216   NtTestAlert  (...
 03185   896   NtWaitForSingleObject  (260, 0, 0x0, ...
 03186   808   NtSetEventBoostPriority  (260, ...
 03183  1736   NtAllocateVirtualMemory  ... 111992832, 8192, ) == 0x0