Summary:





NtAccessCheck(>)  1 
NtOpenDirectoryObject(>)  2 
NtSetInformationThread(>)  8 
NtMapViewOfSection(>)  41 


NtCreateProcessEx(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtQueryVolumeInformationFile(>)  9 
NtQueryAttributesFile(>)  47 


NtDuplicateToken(>)  1 
NtQueryDefaultUILanguage(>)  2 
NtSetInformationFile(>)  9 
NtCreateEvent(>)  48 


NtGdiCreateBitmap(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtUserFindExistingCursorIcon(>)  9 
NtFlushInstructionCache(>)  57 


NtGdiInit(>)  1 
NtQuerySystemTime(>)  2 
NtOpenThreadToken(>)  11 
NtCreateSection(>)  77 


NtGdiQueryFontAssocInfo(>)  1 
NtReadVirtualMemory(>)  2 
NtUnmapViewOfSection(>)  11 
NtQuerySystemInformation(>)  129 


NtGdiSelectBitmap(>)  1 
NtSetInformationObject(>)  2 
NtQueryDefaultLocale(>)  13 
NtContinue(>)  148 


NtOpenKeyedEvent(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQueryInformationFile(>)  13 
NtOpenKey(>)  177 


NtQueryDebugFilterState(>)  1 
NtReadFile(>)  3 
NtUserRegisterClassExWOW(>)  14 
NtResumeThread(>)  184 


NtQueryInformationJobObject(>)  1 
NtSecureConnectPort(>)  3 
NtQuerySection(>)  15 
NtQueryInformationThread(>)  192 


NtQueryInstallUILanguage(>)  1 
NtCreateIoCompletion(>)  4 
NtSetValueKey(>)  15 
NtCreateThread(>)  200 


NtQueryObject(>)  1 
NtFreeVirtualMemory(>)  4 
NtQueryInformationProcess(>)  17 
NtRegisterThreadTerminatePort(>)  200 


NtQueryPerformanceCounter(>)  1 
NtOpenProcessToken(>)  4 
NtCreateKey(>)  18 
NtTestAlert(>)  201 


NtUserCallNoParam(>)  1 
NtWriteVirtualMemory(>)  4 
NtCreateFile(>)  21 
NtDuplicateObject(>)  207 


NtUserGetObjectInformation(>)  1 
NtGdiGetStockObject(>)  5 
NtOpenProcessTokenEx(>)  21 
NtRequestWaitReplyPort(>)  223 


NtUserGetProcessWindowStation(>)  1 
NtQueryVirtualMemory(>)  5 
NtOpenThreadTokenEx(>)  21 
NtQueryValueKey(>)  269 


NtUserGetThreadDesktop(>)  1 
NtSetInformationProcess(>)  5 
NtOpenSection(>)  23 
NtSetEventBoostPriority(>)  278 


NtCallbackReturn(>)  2 
NtConnectPort(>)  6 
NtQueryInformationToken(>)  27 
NtProtectVirtualMemory(>)  309 


NtCreateMutant(>)  2 
NtWriteFile(>)  7 
NtQueryDirectoryFile(>)  31 
NtClose(>)  360 


NtGdiCreateSolidBrush(>)  2 
NtEnumerateKey(>)  8 
NtDeviceIoControlFile(>)  34 
NtAllocateVirtualMemory(>)  516 


NtNotifyChangeKey(>)  2 
NtFsControlFile(>)  8 
NtOpenFile(>)  39 
NtWaitForSingleObject(>)  650 





Trace:

 00001   896   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147482756, {status=0x0, info=1}, ) }, 0, 32, ... -2147482756, {status=0x0, info=1}, ) == 0x0
 00002   896   NtQueryInformationFile  (-2147482756, -142414796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00003   896   NtReadFile  (-2147482756, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474},  (-2147482756, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0
 00004   896   NtClose  (-2147482756, ... ) == 0x0
 00005   896   NtCreateFile  (0x100080, {24, 0, 0x240, 0, 0,  (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482756, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482756, {status=0x0, info=0}, ) == 0x0
 00006   896   NtQueryVolumeInformationFile  (-2147482756, -142414840, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00007   896   NtClose  (-2147482756, ... ) == 0x0
 00008   896   NtCreateFile  (0x100180, {24, 0, 0x240, 0, 0,  (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ...
 00009   896   NtContinue  (-142419640, 0, ...
 00008   896   NtCreateFile  ... -2147482756, {status=0x0, info=1}, ) == 0x0
 00010   896   NtQueryVolumeInformationFile  (-2147482756, -142414852, 24, Volume, ... {status=0x0, info=18}, ) == 0x0
 00011   896   NtFsControlFile  (-2147482756, 0, 0x0, 0x0, 0x90120,  (-2147482756, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00012   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00013   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0
 00014   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00015   896   NtClose  (-2147482764, ... ) == 0x0
 00016   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00017   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0
 00018   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00019   896   NtClose  (-2147482764, ... ) == 0x0
 00020   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00021   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0
 00022   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0
 00023   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0
 00024   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0
 00025   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0
 00026   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00027   896   NtClose  (-2147482764, ... ) == 0x0
 00028   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00029   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0
 00030   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00031   896   NtClose  (-2147482764, ... ) == 0x0
 00032   896   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00033   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0
 00034   896   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00035   896   NtClose  (-2147482764, ... ) == 0x0
 00036   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0
 00037   896   NtClose  (-2147482688, ... ) == 0x0
 00038   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482660, ) == 0x0
 00039   896   NtClose  (-2147482660, ... ) == 0x0
 00040   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0
 00041   896   NtClose  (-2147482656, ... ) == 0x0
 00042   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0
 00043   896   NtClose  (-2147482652, ... ) == 0x0
 00044   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0
 00045   896   NtClose  (-2147482724, ... ) == 0x0
 00046   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0
 00047   896   NtClose  (-2147481452, ... ) == 0x0
 00048   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0
 00049   896   NtClose  (-2147482684, ... ) == 0x0
 00050   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0
 00051   896   NtClose  (-2147482680, ... ) == 0x0
 00052   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147482760, ) == 0x0
 00053   896   NtClose  (-2147482760, ... ) == 0x0
 00054   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147481628, ) == 0x0
 00055   896   NtClose  (-2147481628, ... ) == 0x0
 00056   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147481484, ) == 0x0
 00057   896   NtClose  (-2147481484, ... ) == 0x0
 00058   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147482104, ) == 0x0
 00059   896   NtClose  (-2147482104, ... ) == 0x0
 00060   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482104, ... -2147482592, ) == 0x0
 00061   896   NtClose  (-2147482592, ... ) == 0x0
 00062   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482592, ... -2147481624, ) == 0x0
 00063   896   NtClose  (-2147481624, ... ) == 0x0
 00064   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481624, ... -2147482676, ) == 0x0
 00065   896   NtClose  (-2147482676, ... ) == 0x0
 00066   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0
 00067   896   NtClose  (-2147482672, ... ) == 0x0
 00068   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0
 00069   896   NtClose  (-2147482668, ... ) == 0x0
 00070   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0
 00071   896   NtClose  (-2147482664, ... ) == 0x0
 00072   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0
 00073   896   NtClose  (-2147481588, ... ) == 0x0
 00074   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0
 00075   896   NtClose  (-2147481584, ... ) == 0x0
 00076   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0
 00077   896   NtClose  (-2147482692, ... ) == 0x0
 00078   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0
 00079   896   NtClose  (-2147481512, ... ) == 0x0
 00080   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0
 00081   896   NtClose  (-2147481580, ... ) == 0x0
 00082   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0
 00083   896   NtClose  (-2147481552, ... ) == 0x0
 00084   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0
 00085   896   NtClose  (-2147481592, ... ) == 0x0
 00086   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0
 00087   896   NtClose  (-2147481596, ... ) == 0x0
 00088   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0
 00089   896   NtClose  (-2147482108, ... ) == 0x0
 00090   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0
 00091   896   NtClose  (-2147482732, ... ) == 0x0
 00092   896   NtClose  (-2147482764, ... ) == 0x0
 00093   896   NtClose  (-2147482688, ... ) == 0x0
 00094   896   NtClose  (-2147482660, ... ) == 0x0
 00095   896   NtClose  (-2147482656, ... ) == 0x0
 00096   896   NtClose  (-2147482652, ... ) == 0x0
 00097   896   NtClose  (-2147482724, ... ) == 0x0
 00098   896   NtClose  (-2147481452, ... ) == 0x0
 00099   896   NtClose  (-2147482684, ... ) == 0x0
 00100   896   NtClose  (-2147482680, ... ) == 0x0
 00101   896   NtClose  (-2147482760, ... ) == 0x0
 00102   896   NtClose  (-2147481628, ... ) == 0x0
 00103   896   NtClose  (-2147481484, ... ) == 0x0
 00104   896   NtClose  (-2147482104, ... ) == 0x0
 00105   896   NtClose  (-2147482592, ... ) == 0x0
 00106   896   NtClose  (-2147481624, ... ) == 0x0
 00107   896   NtClose  (-2147482676, ... ) == 0x0
 00108   896   NtClose  (-2147482672, ... ) == 0x0
 00109   896   NtClose  (-2147482668, ... ) == 0x0
 00110   896   NtClose  (-2147482664, ... ) == 0x0
 00111   896   NtClose  (-2147481588, ... ) == 0x0
 00112   896   NtClose  (-2147481584, ... ) == 0x0
 00113   896   NtClose  (-2147482692, ... ) == 0x0
 00114   896   NtClose  (-2147481512, ... ) == 0x0
 00115   896   NtClose  (-2147481580, ... ) == 0x0
 00116   896   NtClose  (-2147481552, ... ) == 0x0
 00117   896   NtClose  (-2147481592, ... ) == 0x0
 00118   896   NtClose  (-2147481596, ... ) == 0x0
 00119   896   NtClose  (-2147482108, ... ) == 0x0
 00120   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0
 00121   896   NtClose  (-2147481596, ... ) == 0x0
 00122   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0
 00123   896   NtClose  (-2147481592, ... ) == 0x0
 00124   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0
 00125   896   NtClose  (-2147481552, ... ) == 0x0
 00126   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0
 00127   896   NtClose  (-2147481580, ... ) == 0x0
 00128   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0
 00129   896   NtClose  (-2147481512, ... ) == 0x0
 00130   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0
 00131   896   NtClose  (-2147482692, ... ) == 0x0
 00132   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... -2147481584, ) == 0x0
 00133   896   NtClose  (-2147481584, ... ) == 0x0
 00134   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0
 00135   896   NtClose  (-2147481588, ... ) == 0x0
 00136   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0
 00137   896   NtClose  (-2147482664, ... ) == 0x0
 00138   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0
 00139   896   NtClose  (-2147482668, ... ) == 0x0
 00140   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0
 00141   896   NtClose  (-2147482672, ... ) == 0x0
 00142   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0
 00143   896   NtClose  (-2147482676, ... ) == 0x0
 00144   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147481624, ) == 0x0
 00145   896   NtClose  (-2147481624, ... ) == 0x0
 00146   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481624, ... -2147482592, ) == 0x0
 00147   896   NtClose  (-2147482592, ... ) == 0x0
 00148   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482592, ... -2147482104, ) == 0x0
 00149   896   NtClose  (-2147482104, ... ) == 0x0
 00150   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482104, ... -2147481484, ) == 0x0
 00151   896   NtClose  (-2147481484, ... ) == 0x0
 00152   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481484, ... -2147481628, ) == 0x0
 00153   896   NtClose  (-2147481628, ... ) == 0x0
 00154   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482760, ) == 0x0
 00155   896   NtClose  (-2147482760, ... ) == 0x0
 00156   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... -2147482680, ) == 0x0
 00157   896   NtClose  (-2147482680, ... ) == 0x0
 00158   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0
 00159   896   NtClose  (-2147482684, ... ) == 0x0
 00160   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0
 00161   896   NtClose  (-2147481452, ... ) == 0x0
 00162   896   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0
 00163   896   NtClose  (-2147482724, ... ) == 0x0
 00164   896   NtClose  (-2147482108, ... ) == 0x0
 00165   896   NtClose  (-2147481596, ... ) == 0x0
 00166   896   NtClose  (-2147481592, ... ) == 0x0
 00167   896   NtClose  (-2147481552, ... ) == 0x0
 00168   896   NtClose  (-2147481580, ... ) == 0x0
 00169   896   NtClose  (-2147481512, ... ) == 0x0
 00170   896   NtClose  (-2147482692, ... ) == 0x0
 00171   896   NtClose  (-2147481584, ... ) == 0x0
 00172   896   NtClose  (-2147481588, ... ) == 0x0
 00173   896   NtClose  (-2147482664, ... ) == 0x0
 00174   896   NtClose  (-2147482668, ... ) == 0x0
 00175   896   NtClose  (-2147482672, ... ) == 0x0
 00176   896   NtClose  (-2147482676, ... ) == 0x0
 00177   896   NtClose  (-2147481624, ... ) == 0x0
 00178   896   NtClose  (-2147482592, ... ) == 0x0
 00179   896   NtClose  (-2147482104, ... ) == 0x0
 00180   896   NtClose  (-2147481484, ... ) == 0x0
 00181   896   NtClose  (-2147481628, ... ) == 0x0
 00182   896   NtClose  (-2147482760, ... ) == 0x0
 00183   896   NtClose  (-2147482680, ... ) == 0x0
 00184   896   NtClose  (-2147482684, ... ) == 0x0
 00185   896   NtClose  (-2147481452, ... ) == 0x0
 00186   896   NtClose  (-2147482756, ... ) == 0x0
 00187   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   896   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00189   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00191   896   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00192   896   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00193   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00195   896   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00196   896   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00197   896   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00198   896   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00199   896   NtClose  (12, ... ) == 0x0
 00200   896   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00201   896   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00202   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00204   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00205   896   NtClose  (16, ... ) == 0x0
 00206   896   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00207   896   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00208   896   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00209   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00210   896   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00211   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212   896   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00213   896   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0
 00214   896   NtClose  (16, ... ) == 0x0
 00215   896   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00216   896   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00217   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218   896   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00219   896   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00220   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81831, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ) == 0x0
 00221   896   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00222   896   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00223   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00224   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225   896   NtClose  (16, ... ) == 0x0
 00226   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00227   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00228   896   NtClose  (16, ... ) == 0x0
 00229   896   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00230   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00231   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00232   896   NtClose  (16, ... ) == 0x0
 00233   896   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00234   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00235   896   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00236   896   NtClose  (16, ... ) == 0x0
 00237   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00238   896   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00239   896   NtClose  (16, ... ) == 0x0
 00240   896   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00241   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   896   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00244   896   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ... {24, 52, reply, 0, 1252, 896, 81832, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ) == 0x0
 00245   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81833, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ) == 0x0
 00246   896   NtProtectVirtualMemory  (-1, (0x409000), 110608, 4, ... (0x409000), 114688, 128, ) == 0x0
 00247   896   NtProtectVirtualMemory  (-1, (0x409000), 114688, 128, ... (0x409000), 114688, 4, ) == 0x0
 00248   896   NtFlushInstructionCache  (-1, 4231168, 110608, ... ) == 0x0
 00249   896   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00250   896   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00251   896   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00252   896   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00253   896   NtClose  (16, ... ) == 0x0
 00254   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00255   896   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00256   896   NtClose  (16, ... ) == 0x0
 00257   896   NtTestAlert  (... ) == 0x0
 00258   896   NtContinue  (1244464, 1, ...
 00259   896   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x419010,}, 4, ... ) == 0x0
 00260   896   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00261   896   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00262   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp"}, 1243644, ... ) }, 1243644, ... ) == 0x0
 00263   896   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1243996, 2089881233, 1312264, 2089878893}  (24, {20, 48, new_msg, 0, 1243996, 2089881233, 1312264, 2089878893} "\0\0\0\0\2\0\1\0\260/\24\0\0\0\0\0\2\0\0\0" ... {20, 48, reply, 0, 1252, 896, 81834, 0} "\0\0\0\0\2\0\1\0\3\0\0\0\0\0\0\0\3\0\0\0" )  ... {20, 48, reply, 0, 1252, 896, 81834, 0}  (24, {20, 48, new_msg, 0, 1243996, 2089881233, 1312264, 2089878893} "\0\0\0\0\2\0\1\0\260/\24\0\0\0\0\0\2\0\0\0" ... {20, 48, reply, 0, 1252, 896, 81834, 0} "\0\0\0\0\2\0\1\0\3\0\0\0\0\0\0\0\3\0\0\0" )  ) == 0x0
 00264   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243652,  (0x80100080, {24, 0, 0x40, 0, 1243652, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\~3.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00265   896   NtQueryDirectoryFile  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1,  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 00266   896   NtClose  (-2147482756, ... ) == 0x0
 00267   896   NtQueryDirectoryFile  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1,  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00268   896   NtClose  (-2147482756, ... ) == 0x0
 00269   896   NtQueryDirectoryFile  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1,  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00270   896   NtClose  (-2147482756, ... ) == 0x0
 00271   896   NtQueryDirectoryFile  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1,  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1, "~3.tmp", 1, ... {status=0x0, info=24}, ) , 1, ... {status=0x0, info=24}, ) == 0x0
 00272   896   NtClose  (-2147482756, ... ) == 0x0
 00264   896   NtCreateFile  ... 16, {status=0x0, info=2}, ) == 0x0
 00273   896   NtClose  (16, ... ) == 0x0
 00274   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\~3.tmp.exe"}, 1242856, ... ) }, 1242856, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00275   896   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243632,  (0xc0100080, {24, 0, 0x40, 0, 1243632, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\~3.tmp.exe"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ...
 00276   896   NtClose  (-2147482756, ... ) == 0x0
 00277   896   NtQueryDirectoryFile  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1,  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 00278   896   NtClose  (-2147482756, ... ) == 0x0
 00279   896   NtQueryDirectoryFile  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1,  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00280   896   NtClose  (-2147482756, ... ) == 0x0
 00281   896   NtQueryDirectoryFile  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1,  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00282   896   NtClose  (-2147482756, ... ) == 0x0
 00283   896   NtQueryDirectoryFile  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1,  (-2147482756, 0, 0, 0, -518787072, 4096, Names, 1, "~3.tmp.exe", 1, ... ) , 1, ... ) == STATUS_NO_SUCH_FILE
 00284   896   NtClose  (-2147482756, ... ) == 0x0
 00275   896   NtCreateFile  ... 16, {status=0x0, info=2}, ) == 0x0
 00285   896   NtQueryVolumeInformationFile  (16, 1243816, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00286   896   NtQueryInformationFile  (16, 1243684, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00287   896   NtWriteFile  (16, 0, 0, 0,  (16, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 43520, 0x0, 0, ... , 43520, 0x0, 0, ...
 00288   896   NtContinue  (-142418476, 0, ...
 00287   896   NtWriteFile  ... {status=0x0, info=43520}, ) == 0x0
 00289   896   NtClose  (16, ... ) == 0x0
 00290   896   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00291   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\~3.tmp.exe"}, 1240232, ... ) }, 1240232, ... ) == 0x0
 00292   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\~3.tmp.exe"}, 1240968, ... ) }, 1240968, ... ) == 0x0
 00293   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00294   896   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00295   896   NtClose  (16, ... ) == 0x0
 00296   896   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\~3.tmp.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00297   896   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00298   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 32, ) }, ... 32, ) == 0x0
 00300   896   NtQueryValueKey  (32,  (32, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00301   896   NtClose  (32, ... ) == 0x0
 00302   896   NtQueryVolumeInformationFile  (16, 1240244, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00303   896   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00304   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238176, ... ) }, 1238176, ... ) == 0x0
 00305   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00306   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 36, ) == 0x0
 00307   896   NtClose  (32, ... ) == 0x0
 00308   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x320000), 0x0, 126976, ) == 0x0
 00309   896   NtClose  (36, ... ) == 0x0
 00310   896   NtUnmapViewOfSection  (-1, 0x320000, ... ) == 0x0
 00311   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238484, ... ) }, 1238484, ... ) == 0x0
 00312   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0
 00313   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 36, ... 32, ) == 0x0
 00314   896   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00315   896   NtOpenProcessToken  (-1, 0x8, ... 40, ) == 0x0
 00316   896   NtQueryInformationToken  (40, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00317   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00318   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 44, ) }, ... 44, ) == 0x0
 00319   896   NtQueryValueKey  (44,  (44, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (44, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00320   896   NtClose  (44, ... ) == 0x0
 00321   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00322   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 44, ) == 0x0
 00323   896   NtQueryInformationToken  (44, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00324   896   NtClose  (44, ... ) == 0x0
 00325   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00326   896   NtClose  (40, ... ) == 0x0
 00327   896   NtClose  (36, ... ) == 0x0
 00328   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 00329   896   NtClose  (32, ... ) == 0x0
 00330   896   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 00331   896   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 00332   896   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 00333   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00334   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00335   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00336   896   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00337   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 32, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 32, {status=0x0, info=1}, ) == 0x0
 00338   896   NtQueryInformationFile  (32, 1238500, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00339   896   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 32, ... 36, ) == 0x0
 00340   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x430000), 0x0, 1191936, ) == 0x0
 00341   896   NtQueryInformationFile  (32, 1238600, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00342   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00343   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00344   896   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00345   896   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00346   896   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 40, ) }, ... 40, ) == 0x0
 00347   896   NtQueryValueKey  (40,  (40, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (40, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00348   896   NtClose  (40, ... ) == 0x0
 00349   896   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00350   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\"}, 3, 16417, ... 40, {status=0x0, info=1}, ) }, 3, 16417, ... 40, {status=0x0, info=1}, ) == 0x0
 00351   896   NtQueryDirectoryFile  (40, 0, 0, 0, 1236196, 616, BothDirectory, 1,  (40, 0, 0, 0, 1236196, 616, BothDirectory, 1, "~3.tmp.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00352   896   NtClose  (40, ... ) == 0x0
 00353   896   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00354   896   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00355   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\~3.tmp.exe"}, 1236572, ... ) }, 1236572, ... ) == 0x0
 00356   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 40, {status=0x0, info=1}, ) }, 3, 16417, ... 40, {status=0x0, info=1}, ) == 0x0
 00357   896   NtQueryDirectoryFile  (40, 0, 0, 0, 1236000, 616, BothDirectory, 1,  (40, 0, 0, 0, 1236000, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 00358   896   NtClose  (40, ... ) == 0x0
 00359   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 40, {status=0x0, info=1}, ) }, 3, 16417, ... 40, {status=0x0, info=1}, ) == 0x0
 00360   896   NtQueryDirectoryFile  (40, 0, 0, 0, 1236000, 616, BothDirectory, 1,  (40, 0, 0, 0, 1236000, 616, BothDirectory, 1, "MARTIM~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 00361   896   NtClose  (40, ... ) == 0x0
 00362   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\"}, 3, 16417, ... 40, {status=0x0, info=1}, ) }, 3, 16417, ... 40, {status=0x0, info=1}, ) == 0x0
 00363   896   NtQueryDirectoryFile  (40, 0, 0, 0, 1236000, 616, BothDirectory, 1,  (40, 0, 0, 0, 1236000, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 00364   896   NtClose  (40, ... ) == 0x0
 00365   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\"}, 3, 16417, ... 40, {status=0x0, info=1}, ) }, 3, 16417, ... 40, {status=0x0, info=1}, ) == 0x0
 00366   896   NtQueryDirectoryFile  (40, 0, 0, 0, 1236000, 616, BothDirectory, 1,  (40, 0, 0, 0, 1236000, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00367   896   NtClose  (40, ... ) == 0x0
 00368   896   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00369   896   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00370   896   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00371   896   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00372   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00373   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00374   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00375   896   NtClose  (40, ... ) == 0x0
 00376   896   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00377   896   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\~3.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00378   896   NtUnmapViewOfSection  (-1, 0x430000, ... ) == 0x0
 00379   896   NtClose  (36, ... ) == 0x0
 00380   896   NtClose  (32, ... ) == 0x0
 00381   896   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00382   896   NtOpenProcessToken  (-1, 0xa, ... 32, ) == 0x0
 00383   896   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00384   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00386   896   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00387   896   NtQueryValueKey  (36,  (36, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00388   896   NtClose  (36, ... ) == 0x0
 00389   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00390   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00391   896   NtClose  (36, ... ) == 0x0
 00392   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00393   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00394   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00395   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 36, ) }, ... 36, ) == 0x0
 00396   896   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00397   896   NtClose  (36, ... ) == 0x0
 00398   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00399   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00400   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00401   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00402   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00403   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00404   896   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00405   896   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00406   896   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00407   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00408   896   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00409   896   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00410   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00411   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00412   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 36, ) }, ... 36, ) == 0x0
 00413   896   NtQueryValueKey  (36,  (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00414   896   NtQueryValueKey  (36,  (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00415   896   NtClose  (36, ... ) == 0x0
 00416   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 36, ) }, ... 36, ) == 0x0
 00417   896   NtQueryValueKey  (36,  (36, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418   896   NtClose  (36, ... ) == 0x0
 00419   896   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 36, ) }, ... 36, ) == 0x0
 00420   896   NtSetInformationObject  (36, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00421   896   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00422   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00423   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00424   896   NtQueryValueKey  (40,  (40, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00425   896   NtClose  (40, ... ) == 0x0
 00426   896   NtQueryDefaultUILanguage  (2090319928, ...
 00427   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00428   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482756, ) == 0x0
 00429   896   NtQueryInformationToken  (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00430   896   NtClose  (-2147482756, ... ) == 0x0
 00431   896   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00432   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x240, 0, 0,  (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00433   896   NtOpenKey  (0x80000000, {24, -2147482756, 0x640, 0, 0,  (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00434   896   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00435   896   NtClose  (-2147481452, ... ) == 0x0
 00436   896   NtClose  (-2147482756, ... ) == 0x0
 00426   896   NtQueryDefaultUILanguage  ... ) == 0x0
 00437   896   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00438   896   NtQueryDefaultLocale  (1, 1239672, ... ) == 0x0
 00439   896   NtQueryDefaultLocale  (1, 1239672, ... ) == 0x0
 00440   896   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00441   896   NtQueryDefaultLocale  (1, 1239672, ... ) == 0x0
 00442   896   NtQueryDefaultLocale  (1, 1239672, ... ) == 0x0
 00443   896   NtQueryDefaultLocale  (1, 1239672, ... ) == 0x0
 00444   896   NtQueryDefaultLocale  (1, 1239672, ... ) == 0x0
 00445   896   NtQueryDefaultLocale  (1, 1239672, ... ) == 0x0
 00446   896   NtQueryDefaultLocale  (1, 1239672, ... ) == 0x0
 00447   896   NtQueryDefaultLocale  (1, 1239672, ... ) == 0x0
 00448   896   NtQueryDefaultLocale  (1, 1239672, ... ) == 0x0
 00449   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 40, ) }, ... 40, ) == 0x0
 00450   896   NtEnumerateKey  (40, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (40, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00451   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 44, ) }, ... 44, ) == 0x0
 00452   896   NtQueryValueKey  (44,  (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00453   896   NtQueryValueKey  (44,  (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00454   896   NtClose  (44, ... ) == 0x0
 00455   896   NtEnumerateKey  (40, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00456   896   NtClose  (40, ... ) == 0x0
 00457   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 40, ) }, ... 40, ) == 0x0
 00458   896   NtEnumerateKey  (40, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (40, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 00459   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 44, ) }, ... 44, ) == 0x0
 00460   896   NtQueryValueKey  (44,  (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 00461   896   NtQueryValueKey  (44,  (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 00462   896   NtQueryValueKey  (44,  (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 00463   896   NtQueryValueKey  (44,  (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00464   896   NtClose  (44, ... ) == 0x0
 00465   896   NtEnumerateKey  (40, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (40, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 00466   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 44, ) }, ... 44, ) == 0x0
 00467   896   NtQueryValueKey  (44,  (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 00468   896   NtQueryValueKey  (44,  (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 00469   896   NtQueryValueKey  (44,  (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 00470   896   NtQueryValueKey  (44,  (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00471   896   NtClose  (44, ... ) == 0x0
 00472   896   NtEnumerateKey  (40, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (40, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 00473   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 44, ) }, ... 44, ) == 0x0
 00474   896   NtQueryValueKey  (44,  (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 00475   896   NtQueryValueKey  (44,  (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 00476   896   NtQueryValueKey  (44,  (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 00477   896   NtQueryValueKey  (44,  (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00478   896   NtClose  (44, ... ) == 0x0
 00479   896   NtEnumerateKey  (40, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (40, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 00480   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 44, ) }, ... 44, ) == 0x0
 00481   896   NtQueryValueKey  (44,  (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 00482   896   NtQueryValueKey  (44,  (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 00483   896   NtQueryValueKey  (44,  (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 00484   896   NtQueryValueKey  (44,  (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00485   896   NtClose  (44, ... ) == 0x0
 00486   896   NtEnumerateKey  (40, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (40, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 00487   896   NtOpenKey  (0x20019, {24, 40, 0x40, 0, 0,  (0x20019, {24, 40, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 44, ) }, ... 44, ) == 0x0
 00488   896   NtQueryValueKey  (44,  (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 00489   896   NtQueryValueKey  (44,  (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 00490   896   NtQueryValueKey  (44,  (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 00491   896   NtQueryValueKey  (44,  (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00492   896   NtClose  (44, ... ) == 0x0
 00493   896   NtEnumerateKey  (40, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00494   896   NtClose  (40, ... ) == 0x0
 00495   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00496   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00497   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00498   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00499   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00500   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00501   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00502   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00503   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00504   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00505   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00506   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00507   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00508   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00509   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00510   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00511   896   NtClose  (40, ... ) == 0x0
 00512   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00513   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00514   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00515   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00516   896   NtClose  (40, ... ) == 0x0
 00517   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00518   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00519   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00520   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00521   896   NtClose  (40, ... ) == 0x0
 00522   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00523   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00524   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00525   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00526   896   NtClose  (40, ... ) == 0x0
 00527   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00528   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00529   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00530   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00531   896   NtClose  (40, ... ) == 0x0
 00532   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00533   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00534   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00535   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00536   896   NtClose  (40, ... ) == 0x0
 00537   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00539   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00540   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00541   896   NtClose  (40, ... ) == 0x0
 00542   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00543   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00544   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00545   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00546   896   NtClose  (40, ... ) == 0x0
 00547   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00548   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00549   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00550   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00551   896   NtClose  (40, ... ) == 0x0
 00552   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00553   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00554   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00555   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00556   896   NtClose  (40, ... ) == 0x0
 00557   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00558   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00559   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00560   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00561   896   NtClose  (40, ... ) == 0x0
 00562   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00563   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00564   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00565   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00566   896   NtClose  (40, ... ) == 0x0
 00567   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00568   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00569   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00570   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00571   896   NtClose  (40, ... ) == 0x0
 00572   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00574   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00575   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00576   896   NtClose  (40, ... ) == 0x0
 00577   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00578   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00579   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00580   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00581   896   NtClose  (40, ... ) == 0x0
 00582   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00583   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00584   896   NtQueryValueKey  (40,  (40, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (40, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (40, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 00585   896   NtClose  (40, ... ) == 0x0
 00586   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00587   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00588   896   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00589   896   NtClose  (40, ... ) == 0x0
 00590   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00591   896   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00592   896   NtOpenProcessToken  (-1, 0xa, ... 40, ) == 0x0
 00593   896   NtDuplicateToken  (40, 0xc, {24, 0, 0x0, 0, 1240104, 0x0}, 0, 2, ... 44, ) == 0x0
 00594   896   NtClose  (40, ... ) == 0x0
 00595   896   NtAccessCheck  (1335072, 44, 0x1, 1240180, 1240232, 56, 1240212, ... (0x1), ) == 0x0
 00596   896   NtClose  (44, ... ) == 0x0
 00597   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 44, ) }, ... 44, ) == 0x0
 00598   896   NtQueryValueKey  (44,  (44, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (44, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00599   896   NtClose  (44, ... ) == 0x0
 00600   896   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 44, ) }, ... 44, ) == 0x0
 00601   896   NtQuerySymbolicLinkObject  (44, ...  (44, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 00602   896   NtClose  (44, ... ) == 0x0
 00603   896   NtQueryVolumeInformationFile  (16, 1237936, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00604   896   NtQueryInformationFile  (16, 1238052, 528, Name, ... {status=0x0, info=90}, ) == 0x0
 00605   896   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00606   896   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00607   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\~3.tmp.exe"}, 1237224, ... ) }, 1237224, ... ) == 0x0
 00608   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 44, {status=0x0, info=1}, ) }, 3, 16417, ... 44, {status=0x0, info=1}, ) == 0x0
 00609   896   NtQueryDirectoryFile  (44, 0, 0, 0, 1236652, 616, BothDirectory, 1,  (44, 0, 0, 0, 1236652, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 00610   896   NtClose  (44, ... ) == 0x0
 00611   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 44, {status=0x0, info=1}, ) }, 3, 16417, ... 44, {status=0x0, info=1}, ) == 0x0
 00612   896   NtQueryDirectoryFile  (44, 0, 0, 0, 1236652, 616, BothDirectory, 1,  (44, 0, 0, 0, 1236652, 616, BothDirectory, 1, "MARTIM~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 00613   896   NtClose  (44, ... ) == 0x0
 00614   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\"}, 3, 16417, ... 44, {status=0x0, info=1}, ) }, 3, 16417, ... 44, {status=0x0, info=1}, ) == 0x0
 00615   896   NtQueryDirectoryFile  (44, 0, 0, 0, 1236652, 616, BothDirectory, 1,  (44, 0, 0, 0, 1236652, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 00616   896   NtClose  (44, ... ) == 0x0
 00617   896   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\"}, 3, 16417, ... 44, {status=0x0, info=1}, ) }, 3, 16417, ... 44, {status=0x0, info=1}, ) == 0x0
 00618   896   NtQueryDirectoryFile  (44, 0, 0, 0, 1236652, 616, BothDirectory, 1,  (44, 0, 0, 0, 1236652, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0
 00619   896   NtClose  (44, ... ) == 0x0
 00620   896   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00621   896   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00622   896   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00623   896   NtQueryInformationFile  (16, 1240092, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00624   896   NtCreateSection  (0xf0005, 0x0, {43520, 0}, 2, 134217728, 16, ... 44, ) == 0x0
 00625   896   NtMapViewOfSection  (44, -1, (0x0), 0, 0, {0, 0}, 43520, 1, 0, 2, ... (0x320000), {0, 0}, 45056, ) == 0x0
 00626   896   NtClose  (44, ... ) == 0x0
 00627   896   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00628   896   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 44, ) == 0x0
 00629   896   NtQueryInformationToken  (44, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00630   896   NtClose  (44, ... ) == 0x0
 00631   896   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 44, ) }, ... 44, ) == 0x0
 00632   896   NtOpenKey  (0x20019, {24, 44, 0x40, 0, 0,  (0x20019, {24, 44, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 40, ) }, ... 40, ) == 0x0
 00633   896   NtClose  (44, ... ) == 0x0
 00634   896   NtQueryValueKey  (40,  (40, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00635   896   NtQueryValueKey  (40,  (40, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (40, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 00636   896   NtClose  (40, ... ) == 0x0
 00637   896   NtUnmapViewOfSection  (-1, 0x320000, ... ) == 0x0
 00638   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 3276800, 4096, ) == 0x0
 00639   896   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00640   896   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00641   896   NtQueryValueKey  (40,  (40, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00642   896   NtClose  (40, ... ) == 0x0
 00643   896   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00644   896   NtQueryInformationToken  (32, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 00645   896   NtQueryInformationToken  (32, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 00646   896   NtClose  (32, ... ) == 0x0
 00647   896   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00648   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~3.tmp.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00649   896   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 00650   896   NtCreateProcessEx  (1242016, 2035711, 0, -1, 0, 28, 0, 0, 0, ... ) == 0x0
 00651   896   NtQueryInformationProcess  (32, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd7000,AffinityMask=0x1,BasePriority=8,Pid=2016,ParentPid=1252,}, 0x0, ) == 0x0
 00652   896   NtReadVirtualMemory  (32, 0x7ffd7008, 4, ...  (32, 0x7ffd7008, 4, ... "\0\0\200\11", 0x0, ) , 0x0, ) == 0x0
 00653   896   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\~3.tmp.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00654   896   NtAllocateVirtualMemory  (-1, 1339392, 0, 8192, 4096, 4, ... 1339392, 8192, ) == 0x0
 00655   896   NtReadVirtualMemory  (32, 0x9800000, 4096, ...  (32, 0x9800000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\310\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\7\361\203\330C\220\355\213C\220\355\213C\220\355\213\300\230\260\213@\220\355\213C\220\354\213B\220\355\213C\220\355\213B\220\355\213F\234\267\213B\220\355\213RichC\220\355\213\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\206\23\36C\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0\0\0\0\0\246\0\0\0L\0\0\317\23\1\0\0\20\0\0\0\20\0\0\0\0\200\11\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\10`\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.bss\0\0\0\0\34J\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rdata\0\0T\0\0\0", 4096, ) , 4096, ) == 0x0
 00656   896   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00657   896   NtQueryInformationProcess  (32, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd7000,AffinityMask=0x1,BasePriority=8,Pid=2016,ParentPid=1252,}, 0x0, ) == 0x0
 00658   896   NtAllocateVirtualMemory  (-1, 0, 0, 2532, 4096, 4, ... 3342336, 4096, ) == 0x0
 00659   896   NtAllocateVirtualMemory  (32, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 00660   896   NtWriteVirtualMemory  (32, 0x10000,  (32, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 00661   896   NtAllocateVirtualMemory  (32, 0, 0, 2532, 4096, 4, ... 131072, 4096, ) == 0x0
 00662   896   NtWriteVirtualMemory  (32, 0x20000,  (32, 0x20000, "\0\20\0\0\344\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0\26\0\10\2\220\2\0\0\0\0\0\0\22\4\24\4\230\4\0\0Z\0\\0\254\10\0\0Z\0\\0\10\11\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0Z\0\\0d\11\0\0\36\0 \0\300\11\0\0\0\0\2\0\340\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2532, ... 0x0, ) , 2532, ... 0x0, ) == 0x0
 00663   896   NtWriteVirtualMemory  (32, 0x7ffd7010,  (32, 0x7ffd7010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00664   896   NtWriteVirtualMemory  (32, 0x7ffd71e8,  (32, 0x7ffd71e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00665   896   NtFreeVirtualMemory  (-1, (0x330000), 0, 32768, ... (0x330000), 4096, ) == 0x0
 00666   896   NtAllocateVirtualMemory  (32, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 00667   896   NtAllocateVirtualMemory  (32, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 00668   896   NtProtectVirtualMemory  (32, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 00669   896   NtCreateThread  (0x1f03ff, 0x0, 32, 1242024, 1241688, 1, ... 40, {2016, 596}, ) == 0x0
 00670   896   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 34078810, 69, 1124073472}  (24, {168, 196, new_msg, 0, 0, 34078810, 69, 1124073472} "\0\0\0\0\0\0\1\0\3\0\0\0\272\367\22\0#\0\0\0(\0\0\0\340\7\0\0T\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0N\11\221|\34\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 1252, 896, 81835, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\272\367\22\0 \0\0\0(\0\0\0\340\7\0\0T\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0N\11\221|\34\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 1252, 896, 81835, 0}  (24, {168, 196, new_msg, 0, 0, 34078810, 69, 1124073472} "\0\0\0\0\0\0\1\0\3\0\0\0\272\367\22\0#\0\0\0(\0\0\0\340\7\0\0T\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0N\11\221|\34\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 1252, 896, 81835, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\272\367\22\0 \0\0\0(\0\0\0\340\7\0\0T\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0N\11\221|\34\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00671   896   NtResumeThread  (40, ... 1, ) == 0x0
 00672   896   NtClose  (16, ... ) == 0x0
 00673   896   NtClose  (28, ... ) == 0x0
 00674   896   NtClose  (32, ... ) == 0x0
 00675   896   NtClose  (40, ... ) == 0x0
 00676   896   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00677   896   NtContinue  (1244400, 0, ...
 00678   896   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3342336, 4096, ) == 0x0
 00679   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 40, ) }, ... 40, ) == 0x0
 00680   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00681   896   NtClose  (40, ... ) == 0x0
 00682   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 40, ) }, ... 40, ) == 0x0
 00683   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00684   896   NtClose  (40, ... ) == 0x0
 00685   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00686   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00687   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00688   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00689   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00690   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00691   896   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00692   896   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00693   896   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00694   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00695   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00696   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00697   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00698   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00699   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00700   896   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00701   896   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00702   896   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00703   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00704   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00705   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00706   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 4096, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 4096, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81844, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81844, 0}  (24, {28, 56, new_msg, 0, 2089900645, 4096, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81844, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ) == 0x0
 00707   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00708   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00709   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 40, ... 32, ) == 0x0
 00710   896   NtClose  (40, ... ) == 0x0
 00711   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00712   896   NtClose  (32, ... ) == 0x0
 00713   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00714   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00715   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00716   896   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 40, ) == 0x0
 00717   896   NtClose  (32, ... ) == 0x0
 00718   896   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00719   896   NtClose  (40, ... ) == 0x0
 00720   896   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00721   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00722   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00723   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 40, ... 32, ) == 0x0
 00724   896   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00725   896   NtClose  (40, ... ) == 0x0
 00726   896   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00727   896   NtClose  (32, ... ) == 0x0
 00728   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00729   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00730   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00731   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00732   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00733   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00734   896   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00735   896   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00736   896   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00737   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00738   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00739   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00740   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00741   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00742   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00743   896   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00744   896   NtClose  (32, ... ) == 0x0
 00745   896   NtMapViewOfSection  (-2147482756, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0
 00746   896   NtClose  (-2147482756, ... ) == 0x0
 00747   896   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00748   896   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00749   896   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482756, ) == 0x0
 00750   896   NtQueryInformationToken  (-2147482756, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00751   896   NtQueryInformationToken  (-2147482756, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00752   896   NtClose  (-2147482756, ... ) == 0x0
 00753   896   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00754   896   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00755   896   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 16, ) == 0x0
 00756   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00757   896   NtQueryValueKey  (-2147482756,  (-2147482756, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00758   896   NtClose  (-2147482756, ... ) == 0x0
 00759   896   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00760   896   NtQueryValueKey  (-2147482756,  (-2147482756, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761   896   NtClose  (-2147482756, ... ) == 0x0
 00762   896   NtQueryDefaultLocale  (0, -142137012, ... ) == 0x0
 00763   896   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00764   896   NtUserCallNoParam  (24, ... ) == 0x0
 00765   896   NtGdiCreateCompatibleDC  (0, ...
 00766   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00765   896   NtGdiCreateCompatibleDC  ... ) == 0x64010596
 00767   896   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00768   896   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00769   896   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x740505de
 00770   896   NtGdiCreateSolidBrush  (0, 0, ...
 00771   896   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00770   896   NtGdiCreateSolidBrush  ... ) == 0xc9100697
 00772   896   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00773   896   NtGdiCreateCompatibleDC  (0, ... ) == 0xb90106e8
 00774   896   NtGdiSelectBitmap  (-1191115032, 1946486238, ... ) == 0x185000f
 00775   896   NtUserGetThreadDesktop  (896, 0, ... ) == 0x1c
 00776   896   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00777   896   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00778   896   NtClose  (44, ... ) == 0x0
 00779   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00780   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8177c017
 00781   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00782   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8177c01c
 00783   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00784   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8177c01e
 00785   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00786   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81778002
 00787   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00788   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8177c018
 00789   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00790   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8177c01a
 00791   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00792   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8177c01d
 00793   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00794   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8177c026
 00795   896   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00796   896   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8177c019
 00797   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c020
 00798   896   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c022
 00799   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c023
 00800   896   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c024
 00801   896   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c025
 00802   896   NtCallbackReturn  (0, 0, 0, ...
 00803   896   NtGdiInit  (... ) == 0x1
 00804   896   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00805   896   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00806   896   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 3538944, 28672, ) == 0x0
 00807   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00808   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00809   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00810   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00811   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0
 00812   896   NtQuerySection  (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00813   896   NtClose  (44, ... ) == 0x0
 00814   896   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00815   896   NtClose  (48, ... ) == 0x0
 00816   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0
 00817   896   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00818   896   NtClose  (48, ... ) == 0x0
 00819   896   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00820   896   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00821   896   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00822   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00823   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00824   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00825   896   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00826   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00827   896   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00828   896   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0
 00829   896   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0
 00830   896   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00831   896   NtClose  (48, ... ) == 0x0
 00832   896   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00833   896   NtClose  (44, ... ) == 0x0
 00834   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00835   896   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00836   896   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00837   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00838   896   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00839   896   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00840   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00841   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00842   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00843   896   NtAllocateVirtualMemory  (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0
 00844   896   NtAllocateVirtualMemory  (-1, 3608576, 0, 8192, 4096, 4, ... 3608576, 8192, ) == 0x0
 00845   896   NtAllocateVirtualMemory  (-1, 3616768, 0, 4096, 4096, 4, ... 3616768, 4096, ) == 0x0
 00846   896   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00847   896   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x380000), 0x0, 12288, ) == 0x0
 00848   896   NtClose  (44, ... ) == 0x0
 00849   896   NtAllocateVirtualMemory  (-1, 3620864, 0, 4096, 4096, 4, ... 3620864, 4096, ) == 0x0
 00850   896   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00851   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00852   896   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00853   896   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00854   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00855   896   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00856   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00857   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00858   896   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 28672, ) == 0x0
 00859   896   NtFreeVirtualMemory  (-1, (0x330144), 0, 32768, ... (0x330000), 4096, ) == 0x0
 00860   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00861   896   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3342336, 65536, ) == 0x0
 00862   896   NtAllocateVirtualMemory  (-1, 3342336, 0, 4096, 4096, 4, ... 3342336, 4096, ) == 0x0
 00863   896   NtAllocateVirtualMemory  (-1, 3346432, 0, 20480, 4096, 4, ... 3346432, 20480, ) == 0x0
 00864   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9502720, 1048576, ) == 0x0
 00865   896   NtAllocateVirtualMemory  (-1, 9502720, 0, 32768, 4096, 4, ... 9502720, 32768, ) == 0x0
 00866   896   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0
 00867   896   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 48, ) }, 0, ... 48, ) == 0x0
 00868   896   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00869   896   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00870   896   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00871   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00872   896   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Protocol_Catalog9"}, ... 60, ) }, ... 60, ) == 0x0
 00873   896   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00874   896   NtNotifyChangeKey  (60, 56, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00875   896   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00876   896   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00877   896   NtQueryValueKey  (60,  (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00878   896   NtQueryValueKey  (60,  (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00879   896   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Catalog_Entries"}, ... 64, ) }, ... 64, ) == 0x0
 00880   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000001"}, ... 68, ) }, ... 68, ) == 0x0
 00881   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00882   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00883   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0t\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0t\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0u\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0v\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0t\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0t\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0u\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0v\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0t\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0t\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0u\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0v\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00884   896   NtClose  (68, ... ) == 0x0
 00885   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000002"}, ... 68, ) }, ... 68, ) == 0x0
 00886   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00887   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00888   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0y\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0y\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0z\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0{\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0y\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0y\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0z\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0{\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0y\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0y\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0z\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0{\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0{\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0|\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00889   896   NtClose  (68, ... ) == 0x0
 00890   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000003"}, ... 68, ) }, ... 68, ) == 0x0
 00891   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00892   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00893   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0~\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0~\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\177\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\200\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0~\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0~\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\177\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\200\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0~\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0~\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\177\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\200\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\200\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\201\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00894   896   NtClose  (68, ... ) == 0x0
 00895   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000004"}, ... 68, ) }, ... 68, ) == 0x0
 00896   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00897   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00898   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\203\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\203\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\204\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\205\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\203\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\203\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\204\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\205\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\203\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\203\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\204\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\205\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\205\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\206\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00899   896   NtClose  (68, ... ) == 0x0
 00900   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000005"}, ... 68, ) }, ... 68, ) == 0x0
 00901   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00902   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00903   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\210\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\210\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\211\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\212\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\210\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\210\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\211\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\212\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\210\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\210\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\211\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\212\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00904   896   NtClose  (68, ... ) == 0x0
 00905   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000006"}, ... 68, ) }, ... 68, ) == 0x0
 00906   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00907   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00908   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\215\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\215\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\216\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\217\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\215\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\215\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\216\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\217\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\215\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\215\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\216\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\217\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00909   896   NtClose  (68, ... ) == 0x0
 00910   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000007"}, ... 68, ) }, ... 68, ) == 0x0
 00911   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00912   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00913   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\222\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\222\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\223\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\224\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\222\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\222\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\223\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\224\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\222\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\222\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\223\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\224\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00914   896   NtClose  (68, ... ) == 0x0
 00915   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000008"}, ... 68, ) }, ... 68, ) == 0x0
 00916   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00917   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00918   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\227\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\227\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\230\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\231\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\227\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\227\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\230\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\231\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0\227\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\227\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\230\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\231\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\231\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\232\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00919   896   NtClose  (68, ... ) == 0x0
 00920   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000009"}, ... 68, ) }, ... 68, ) == 0x0
 00921   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00922   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00923   896   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00924   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\235\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\235\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\236\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\237\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\235\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\235\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\236\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\237\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\235\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\235\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\236\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\236\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\237\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\237\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\240\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00925   896   NtClose  (68, ... ) == 0x0
 00926   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000010"}, ... 68, ) }, ... 68, ) == 0x0
 00927   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00928   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00929   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\242\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\242\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\243\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\244\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\242\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\242\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\243\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\244\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\242\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\242\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\243\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\244\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\244\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\245\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00930   896   NtClose  (68, ... ) == 0x0
 00931   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000011"}, ... 68, ) }, ... 68, ) == 0x0
 00932   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00933   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00934   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\247\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\247\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\250\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\250\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\251\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\251\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\252\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\247\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\247\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\250\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\250\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\251\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\251\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\252\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\251\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\252\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\247\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\247\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\250\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\250\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\251\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\251\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\252\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00935   896   NtClose  (68, ... ) == 0x0
 00936   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000012"}, ... 68, ) }, ... 68, ) == 0x0
 00937   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00938   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00939   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\254\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\254\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\255\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\256\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\254\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\254\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\255\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\256\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\254\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\254\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\255\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\255\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\256\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\256\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\257\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00940   896   NtClose  (68, ... ) == 0x0
 00941   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000013"}, ... 68, ) }, ... 68, ) == 0x0
 00942   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00943   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00944   896   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00945   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\262\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\262\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\263\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\264\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\262\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\262\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\263\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\264\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\262\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\262\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\263\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\264\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\264\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00946   896   NtClose  (68, ... ) == 0x0
 00947   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000014"}, ... 68, ) }, ... 68, ) == 0x0
 00948   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00949   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00950   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\267\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\267\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\270\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\271\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\267\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\267\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\270\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\271\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\267\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\267\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\270\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\271\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\271\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00951   896   NtClose  (68, ... ) == 0x0
 00952   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000015"}, ... 68, ) }, ... 68, ) == 0x0
 00953   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00954   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00955   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\274\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\274\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\275\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\276\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\274\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\274\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\275\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\276\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\274\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\274\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\275\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\275\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\276\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\276\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\277\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00956   896   NtClose  (68, ... ) == 0x0
 00957   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000016"}, ... 68, ) }, ... 68, ) == 0x0
 00958   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00959   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00960   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\301\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\301\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\302\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\303\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\301\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\301\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\302\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\303\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\301\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\301\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\302\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\303\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\303\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\304\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00961   896   NtClose  (68, ... ) == 0x0
 00962   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000017"}, ... 68, ) }, ... 68, ) == 0x0
 00963   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00964   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00965   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\306\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\306\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\307\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\307\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\310\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\310\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\311\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\306\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\306\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\307\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\307\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\310\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\310\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\311\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\310\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\311\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\306\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\306\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\307\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\307\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\310\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\310\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\311\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00966   896   NtClose  (68, ... ) == 0x0
 00967   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000018"}, ... 68, ) }, ... 68, ) == 0x0
 00968   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00969   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00970   896   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00971   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\314\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\314\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\315\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\315\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\316\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\316\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\317\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\314\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\314\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\315\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\315\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\316\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\316\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\317\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\316\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\317\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\314\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\314\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\315\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\315\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\316\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\316\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\317\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00972   896   NtClose  (68, ... ) == 0x0
 00973   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000019"}, ... 68, ) }, ... 68, ) == 0x0
 00974   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00975   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00976   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\321\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\321\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\322\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\323\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\324\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\321\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\321\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\322\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\323\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\324\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\324\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\321\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\321\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\322\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\322\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\323\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\323\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\324\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00977   896   NtClose  (68, ... ) == 0x0
 00978   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000020"}, ... 68, ) }, ... 68, ) == 0x0
 00979   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00980   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00981   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\326\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\326\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\327\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\330\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\326\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\326\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\327\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\330\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\326\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\326\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\327\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\327\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\330\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\330\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\331\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00982   896   NtClose  (68, ... ) == 0x0
 00983   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000021"}, ... 68, ) }, ... 68, ) == 0x0
 00984   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00985   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00986   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\333\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\333\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\334\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\335\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\333\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\333\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\334\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\335\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\333\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\333\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\10l\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\334\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\335\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\335\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\336\3\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00987   896   NtClose  (68, ... ) == 0x0
 00988   896   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000022"}, ... 68, ) }, ... 68, ) == 0x0
 00989   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00990   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00991   896   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00992   896   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\341\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\341\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\342\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\342\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\343\3\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\343\3\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\344\3\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\344\3\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\345\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\330k\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\341\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\341\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\342\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\342\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\343\3\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\343\3\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\344\3\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\344\3\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\345\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\330k\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\341\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\341\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\342\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\342\3\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\343\3\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\343\3\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\344\3\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\344\3\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\345\3\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\330k\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00993   896   NtClose  (68, ... ) == 0x0
 00994   896   NtClose  (64, ... ) == 0x0
 00995   896   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00996   896   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00997   896   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 68, ) }, ... 68, ) == 0x0
 00998   896   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00999   896   NtNotifyChangeKey  (68, 64, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 01000   896   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 01001   896   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01002   896   NtQueryValueKey  (68,  (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 01003   896   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0
 01004   896   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0
 01005   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01006   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01007   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01008   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01009   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01010   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 01011   896   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 01012   896   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01013   896   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 01014   896   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01015   896   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01016   896   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01017   896   NtClose  (76, ... ) == 0x0
 01018   896   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0
 01019   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01020   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01021   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01022   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01023   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01024   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 01025   896   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 01026   896   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01027   896   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01028   896   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01029   896   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01030   896   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01031   896   NtClose  (76, ... ) == 0x0
 01032   896   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0
 01033   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01034   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01035   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01036   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01037   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01038   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 01039   896   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 01040   896   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041   896   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 01042   896   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01043   896   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01044   896   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01045   896   NtClose  (76, ... ) == 0x0
 01046   896   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0
 01047   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01048   896   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 01049   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01050   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01051   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01052   896   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 01053   896   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 01054   896   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01055   896   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01056   896   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01057   896   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01058   896   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01059   896   NtClose  (76, ... ) == 0x0
 01060   896   NtClose  (72, ... ) == 0x0
 01061   896   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 01062   896   NtClose  (52, ... ) == 0x0
 01063   896   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01064   896   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01065   896   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 01066   896   NtQueryValueKey  (52,  (52, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01067   896   NtClose  (52, ... ) == 0x0
 01068   896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 52, ) == 0x0
 01069   896   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01070   896   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241648,  (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0
 01071   896   NtQueryInformationFile  (72, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01072   896   NtQueryInformationFile  (72, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01073   896   NtQueryInformationFile  (72, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01074   896   NtQueryInformationFile  (72, 1363752, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01075   896   NtQueryInformationFile  (72, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01076   896   NtQueryInformationFile  (72, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01077   896   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240416,  (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01078   896   NtClose  (-2147482756, ... ) == 0x0
 01077   896   NtCreateFile  ... 76, {status=0x0, info=2}, ) == 0x0
 01079   896   NtQueryVolumeInformationFile  (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01080   896   NtQueryInformationFile  (76, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01081   896   NtQueryVolumeInformationFile  (72, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01082   896   NtQueryVolumeInformationFile  (72, 1239912, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01083   896   NtSetInformationFile  (76, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01084   896   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0
 01085   896   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x390000), {0, 0}, 126976, ) == 0x0
 01086   896   NtClose  (80, ... ) == 0x0
 01087   896   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0\20\220\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0P\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \0\0\0\0\0\0\20\220\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0P\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01088   896   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01089   896   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1040, 0x0, 0, ... {status=0x0, info=1040}, ) , 1040, 0x0, 0, ... {status=0x0, info=1040}, ) == 0x0
 01090   896   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01091   896   NtSetInformationFile  (76, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01092   896   NtClose  (72, ... ) == 0x0
 01093   896   NtClose  (76, ... ) == 0x0
 01094   896   NtOpenKey  (0x2000000, {24, 36, 0x40, 0, 0,  (0x2000000, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 76, ) }, ... 76, ) == 0x0
 01095   896   NtSetValueKey  (76,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 01096   896   NtSetInformationFile  (-2147482448, -142137552, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01097   896   NtSetInformationFile  (-2147482448, -142137644, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01098   896   NtSetInformationFile  (-2147482448, -142137952, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01099   896   NtSetInformationFile  (-2147482448, -142138048, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01095   896   NtSetValueKey  ... ) == 0x0
 01100   896   NtClose  (76, ... ) == 0x0
 01101   896   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0
 01102   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10551296, 1048576, ) == 0x0
 01103   896   NtAllocateVirtualMemory  (-1, 11591680, 0, 8192, 4096, 4, ... 11591680, 8192, ) == 0x0
 01104   896   NtProtectVirtualMemory  (-1, (0xb0e000), 4096, 260, ... (0xb0e000), 4096, 4, ) == 0x0
 01105   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 72, {1252, 1708}, ) == 0x0
 01106   896   NtQueryInformationThread  (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1252,Tid=1708,}, 0x0, ) == 0x0
 01107   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\344\4\0\0\254\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81875, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\344\4\0\0\254\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81875, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\344\4\0\0\254\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81875, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\344\4\0\0\254\6\0\0" )  ) == 0x0
 01108   896   NtResumeThread  (72, ... 1, ) == 0x0
 01109   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11599872, 1048576, ) == 0x0
 01110   896   NtAllocateVirtualMemory  (-1, 12640256, 0, 8192, 4096, 4, ...
 01111  1708   NtTestAlert  (... ) == 0x0
 01112  1708   NtContinue  (11599152, 1, ...
 01113  1708   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01114  1708   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0
 01115  1708   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 01116  1708   NtAllocateVirtualMemory  (-1, 11587584, 0, 4096, 4096, 260, ...
 01110   896   NtAllocateVirtualMemory  ... 12640256, 8192, ) == 0x0
 01117   896   NtProtectVirtualMemory  (-1, (0xc0e000), 4096, 260, ... (0xc0e000), 4096, 4, ) == 0x0
 01118   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 84, {1252, 1024}, ) == 0x0
 01119   896   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1252,Tid=1024,}, 0x0, ) == 0x0
 01120   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81875, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81875, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\344\4\0\0\0\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81876, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\344\4\0\0\0\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81876, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81875, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\344\4\0\0\0\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81876, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\344\4\0\0\0\4\0\0" )  ) == 0x0
 01121   896   NtResumeThread  (84, ... 1, ) == 0x0
 01116  1708   NtAllocateVirtualMemory  ... 11587584, 4096, ) == 0x0
 01122  1024   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01123  1708   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11596276, ... }, 11596276, ...
 01122  1024   NtCreateEvent  ... 88, ) == 0x0
 01123  1708   NtQueryAttributesFile  ... ) == 0x0
 01124  1024   NtWaitForSingleObject  (88, 0, 0x0, ...
 01125  1708   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 01126  1708   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 96, ) == 0x0
 01127  1708   NtClose  (92, ... ) == 0x0
 01128  1708   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 245760, ) == 0x0
 01129  1708   NtClose  (96, ...
 01130   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12648448, 1048576, ) == 0x0
 01131   896   NtAllocateVirtualMemory  (-1, 13688832, 0, 8192, 4096, 4, ... 13688832, 8192, ) == 0x0
 01132   896   NtProtectVirtualMemory  (-1, (0xd0e000), 4096, 260, ... (0xd0e000), 4096, 4, ) == 0x0
 01133   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 92, {1252, 1324}, ) == 0x0
 01134   896   NtQueryInformationThread  (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1252,Tid=1324,}, 0x0, ) == 0x0
 01135   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81876, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81876, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\344\4\0\0,\5\0\0" ...  ...
 01129  1708   NtClose  ... ) == 0x0
 01136  1708   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01137  1708   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11596584, ... ) }, 11596584, ... ) == 0x0
 01138  1708   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... }, 5, 96, ...
 01135   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81877, 0}  ... {28, 56, reply, 0, 1252, 896, 81877, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\344\4\0\0,\5\0\0" )  ) == 0x0
 01139   896   NtResumeThread  (92, ... 1, ) == 0x0
 01140   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13697024, 1048576, ) == 0x0
 01141   896   NtAllocateVirtualMemory  (-1, 14737408, 0, 8192, 4096, 4, ... 14737408, 8192, ) == 0x0
 01142   896   NtProtectVirtualMemory  (-1, (0xe0e000), 4096, 260, ... (0xe0e000), 4096, 4, ) == 0x0
 01143   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 96, {1252, 1776}, ) == 0x0
 01144   896   NtQueryInformationThread  (96, Basic, 28, ...
 01138  1708   NtOpenFile  ... 100, {status=0x0, info=1}, ) == 0x0
 01145  1324   NtWaitForSingleObject  (88, 0, 0x0, ...
 01146  1708   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 100, ... 104, ) == 0x0
 01147  1708   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01148  1708   NtClose  (100, ... ) == 0x0
 01149  1708   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 01150  1708   NtClose  (104, ... ) == 0x0
 01151  1708   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 01144   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1252,Tid=1776,}, 0x0, ) == 0x0
 01152   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81877, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81877, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\344\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81878, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\344\4\0\0\360\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81878, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81877, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\344\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81878, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\344\4\0\0\360\6\0\0" )  ) == 0x0
 01153   896   NtResumeThread  (96, ... 1, ) == 0x0
 01154   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14745600, 1048576, ) == 0x0
 01155   896   NtAllocateVirtualMemory  (-1, 15785984, 0, 8192, 4096, 4, ... 15785984, 8192, ) == 0x0
 01156   896   NtProtectVirtualMemory  (-1, (0xf0e000), 4096, 260, ... (0xf0e000), 4096, 4, ) == 0x0
 01151  1708   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 01157  1776   NtWaitForSingleObject  (88, 0, 0x0, ...
 01158  1708   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01159  1708   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01160  1708   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 01161  1708   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01162  1708   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01163  1708   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ...
 01164   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 104, {1252, 248}, ) == 0x0
 01165   896   NtQueryInformationThread  (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1252,Tid=248,}, 0x0, ) == 0x0
 01166   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81878, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81878, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\4\0\0\370\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81879, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\4\0\0\370\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81879, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81878, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\4\0\0\370\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81879, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\4\0\0\370\0\0\0" )  ) == 0x0
 01167   896   NtResumeThread  (104, ... 1, ) == 0x0
 01168   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15794176, 1048576, ) == 0x0
 01169   896   NtAllocateVirtualMemory  (-1, 16834560, 0, 8192, 4096, 4, ...
 01163  1708   NtProtectVirtualMemory  ... (0x71a51000), 4096, 32, ) == 0x0
 01170   248   NtWaitForSingleObject  (88, 0, 0x0, ...
 01171  1708   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 01172  1708   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 01173  1708   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01174  1708   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01175  1708   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01176  1708   NtSetEventBoostPriority  (88, ...
 01169   896   NtAllocateVirtualMemory  ... 16834560, 8192, ) == 0x0
 01177   896   NtProtectVirtualMemory  (-1, (0x100e000), 4096, 260, ... (0x100e000), 4096, 4, ) == 0x0
 01178   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 100, {1252, 1884}, ) == 0x0
 01179   896   NtQueryInformationThread  (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1252,Tid=1884,}, 0x0, ) == 0x0
 01180   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81879, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81879, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\344\4\0\0\\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\344\4\0\0\\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81880, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81879, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\344\4\0\0\\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\344\4\0\0\\7\0\0" )  ) == 0x0
 01181   896   NtResumeThread  (100, ... 1, ) == 0x0
 01124  1024   NtWaitForSingleObject  ... ) == 0x0
 01176  1708   NtSetEventBoostPriority  ... ) == 0x0
 01182  1884   NtWaitForSingleObject  (88, 0, 0x0, ...
 01183  1024   NtSetEventBoostPriority  (88, ...
 01184  1708   NtWaitForSingleObject  (88, 0, 0x0, ...
 01145  1324   NtWaitForSingleObject  ... ) == 0x0
 01183  1024   NtSetEventBoostPriority  ... ) == 0x0
 01185  1324   NtSetEventBoostPriority  (88, ...
 01186   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01157  1776   NtWaitForSingleObject  ... ) == 0x0
 01185  1324   NtSetEventBoostPriority  ... ) == 0x0
 01187  1776   NtSetEventBoostPriority  (88, ...
 01186   896   NtAllocateVirtualMemory  ... 16842752, 1048576, ) == 0x0
 01188  1024   NtTestAlert  (...
 01170   248   NtWaitForSingleObject  ... ) == 0x0
 01187  1776   NtSetEventBoostPriority  ... ) == 0x0
 01189   896   NtAllocateVirtualMemory  (-1, 17883136, 0, 8192, 4096, 4, ...
 01190   248   NtSetEventBoostPriority  (88, ...
 01188  1024   NtTestAlert  ... ) == 0x0
 01191  1324   NtTestAlert  (...
 01182  1884   NtWaitForSingleObject  ... ) == 0x0
 01190   248   NtSetEventBoostPriority  ... ) == 0x0
 01189   896   NtAllocateVirtualMemory  ... 17883136, 8192, ) == 0x0
 01192  1024   NtContinue  (12647728, 1, ...
 01193  1884   NtSetEventBoostPriority  (88, ...
 01191  1324   NtTestAlert  ... ) == 0x0
 01194  1776   NtTestAlert  (...
 01195   896   NtProtectVirtualMemory  (-1, (0x110e000), 4096, 260, ...
 01184  1708   NtWaitForSingleObject  ... ) == 0x0
 01193  1884   NtSetEventBoostPriority  ... ) == 0x0
 01196  1024   NtRegisterThreadTerminatePort  (24, ...
 01197  1324   NtContinue  (13696304, 1, ...
 01194  1776   NtTestAlert  ... ) == 0x0
 01198  1708   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01195   896   NtProtectVirtualMemory  ... (0x110e000), 4096, 4, ) == 0x0
 01199   248   NtTestAlert  (...
 01196  1024   NtRegisterThreadTerminatePort  ... ) == 0x0
 01200  1324   NtRegisterThreadTerminatePort  (24, ...
 01198  1708   NtCreateEvent  ... 108, ) == 0x0
 01201  1776   NtContinue  (14744880, 1, ...
 01202  1884   NtTestAlert  (...
 01199   248   NtTestAlert  ... ) == 0x0
 01203  1024   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01200  1324   NtRegisterThreadTerminatePort  ... ) == 0x0
 01204   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01205  1776   NtRegisterThreadTerminatePort  (24, ...
 01202  1884   NtTestAlert  ... ) == 0x0
 01206   248   NtContinue  (15793456, 1, ...
 01207  1708   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 01208  1324   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01204   896   NtCreateThread  ... 112, {1252, 1308}, ) == 0x0
 01205  1776   NtRegisterThreadTerminatePort  ... ) == 0x0
 01209  1884   NtContinue  (16842032, 1, ...
 01210   248   NtRegisterThreadTerminatePort  (24, ...
 01207  1708   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01203  1024   NtDuplicateObject  ... 116, ) == 0x0
 01211   896   NtQueryInformationThread  (112, Basic, 28, ...
 01212  1776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01213  1884   NtRegisterThreadTerminatePort  (24, ...
 01210   248   NtRegisterThreadTerminatePort  ... ) == 0x0
 01214  1708   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11596196, ... }, 11596196, ...
 01215  1024   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01211   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1252,Tid=1308,}, 0x0, ) == 0x0
 01208  1324   NtDuplicateObject  ... 120, ) == 0x0
 01213  1884   NtRegisterThreadTerminatePort  ... ) == 0x0
 01216   248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01215  1024   NtWaitForSingleObject  ... ) == 0x102
 01217   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81880, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\344\4\0\0\34\5\0\0" ...  ...
 01218  1324   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01219  1884   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01212  1776   NtDuplicateObject  ... 124, ) == 0x0
 01220  1024   NtAllocateVirtualMemory  (-1, 12636160, 0, 4096, 4096, 260, ...
 01218  1324   NtWaitForSingleObject  ... ) == 0x102
 01216   248   NtDuplicateObject  ... 128, ) == 0x0
 01217   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81881, 0}  ... {28, 56, reply, 0, 1252, 896, 81881, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\0\0\0\344\4\0\0\34\5\0\0" )  ) == 0x0
 01221  1776   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01220  1024   NtAllocateVirtualMemory  ... 12636160, 4096, ) == 0x0
 01222  1324   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01223   248   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01224   896   NtResumeThread  (112, ...
 01221  1776   NtWaitForSingleObject  ... ) == 0x102
 01219  1884   NtDuplicateObject  ... 132, ) == 0x0
 01222  1324   NtCreateEvent  ... 136, ) == 0x0
 01223   248   NtWaitForSingleObject  ... ) == 0x102
 01224   896   NtResumeThread  ... 1, ) == 0x0
 01225  1776   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01226  1884   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01227  1024   NtWaitForSingleObject  (88, 0, 0x0, ...
 01228  1308   NtWaitForSingleObject  (88, 0, 0x0, ...
 01229   248   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01230   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01225  1776   NtCreateEvent  ... 140, ) == 0x0
 01226  1884   NtWaitForSingleObject  ... ) == 0x102
 01229   248   NtCreateEvent  ... 144, ) == 0x0
 01230   896   NtAllocateVirtualMemory  ... 17891328, 1048576, ) == 0x0
 01231  1324   NtWaitForSingleObject  (136, 0, 0x0, ...
 01214  1708   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01232  1884   NtWaitForSingleObject  (136, 0, 0x0, ...
 01233  1776   NtClose  (140, ...
 01234   896   NtAllocateVirtualMemory  (-1, 18931712, 0, 8192, 4096, 4, ...
 01235  1708   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11596196, ... }, 11596196, ...
 01233  1776   NtClose  ... ) == 0x0
 01236   248   NtClose  (144, ...
 01235  1708   NtQueryAttributesFile  ... ) == 0x0
 01237  1776   NtWaitForSingleObject  (136, 0, 0x0, ...
 01236   248   NtClose  ... ) == 0x0
 01238  1708   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... }, 5, 96, ...
 01239   248   NtWaitForSingleObject  (136, 0, 0x0, ...
 01238  1708   NtOpenFile  ... 144, {status=0x0, info=1}, ) == 0x0
 01240  1708   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 144, ... 140, ) == 0x0
 01241  1708   NtQuerySection  (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01242  1708   NtClose  (144, ... ) == 0x0
 01243  1708   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01234   896   NtAllocateVirtualMemory  ... 18931712, 8192, ) == 0x0
 01244   896   NtProtectVirtualMemory  (-1, (0x120e000), 4096, 260, ... (0x120e000), 4096, 4, ) == 0x0
 01245   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1252, 1296}, ) == 0x0
 01246   896   NtQueryInformationThread  (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1252,Tid=1296,}, 0x0, ) == 0x0
 01247   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81881, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81881, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\20\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\20\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81882, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81881, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\20\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\20\5\0\0" )  ) == 0x0
 01248   896   NtResumeThread  (144, ... 1, ) == 0x0
 01243  1708   NtMapViewOfSection  ... (0x662b0000), 0x0, 360448, ) == 0x0
 01249  1296   NtWaitForSingleObject  (88, 0, 0x0, ...
 01250  1708   NtClose  (140, ... ) == 0x0
 01251  1708   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01252  1708   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01253  1708   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01254  1708   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01255  1708   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 01256   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18939904, 1048576, ) == 0x0
 01257   896   NtAllocateVirtualMemory  (-1, 19980288, 0, 8192, 4096, 4, ... 19980288, 8192, ) == 0x0
 01258   896   NtProtectVirtualMemory  (-1, (0x130e000), 4096, 260, ... (0x130e000), 4096, 4, ) == 0x0
 01259   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 140, {1252, 440}, ) == 0x0
 01260   896   NtQueryInformationThread  (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1252,Tid=440,}, 0x0, ) == 0x0
 01261   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81882, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\4\0\0\270\1\0\0" ...  ...
 01255  1708   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 01262  1708   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01263  1708   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01264  1708   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 01261   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81883, 0}  ... {28, 56, reply, 0, 1252, 896, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\344\4\0\0\270\1\0\0" )  ) == 0x0
 01265   896   NtResumeThread  (140, ... 1, ) == 0x0
 01266   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19988480, 1048576, ) == 0x0
 01267   896   NtAllocateVirtualMemory  (-1, 21028864, 0, 8192, 4096, 4, ... 21028864, 8192, ) == 0x0
 01268   896   NtProtectVirtualMemory  (-1, (0x140e000), 4096, 260, ... (0x140e000), 4096, 4, ) == 0x0
 01269   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 148, {1252, 1588}, ) == 0x0
 01270   896   NtQueryInformationThread  (148, Basic, 28, ...
 01264  1708   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 01271   440   NtWaitForSingleObject  (88, 0, 0x0, ...
 01272  1708   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01273  1708   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01274  1708   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 01275  1708   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01276  1708   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 01277  1708   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 01270   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1252,Tid=1588,}, 0x0, ) == 0x0
 01278   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81883, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\344\4\0\04\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\344\4\0\04\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81884, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\344\4\0\04\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\344\4\0\04\6\0\0" )  ) == 0x0
 01279   896   NtResumeThread  (148, ... 1, ) == 0x0
 01280   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21037056, 1048576, ) == 0x0
 01281   896   NtAllocateVirtualMemory  (-1, 22077440, 0, 8192, 4096, 4, ... 22077440, 8192, ) == 0x0
 01282   896   NtProtectVirtualMemory  (-1, (0x150e000), 4096, 260, ... (0x150e000), 4096, 4, ) == 0x0
 01277  1708   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 01283  1588   NtWaitForSingleObject  (88, 0, 0x0, ...
 01284  1708   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 01285  1708   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01286  1708   NtSetEventBoostPriority  (88, ...
 01227  1024   NtWaitForSingleObject  ... ) == 0x0
 01287  1024   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12643280, ... ) }, 12643280, ... ) == 0x0
 01288  1024   NtSetEventBoostPriority  (88, ...
 01228  1308   NtWaitForSingleObject  ... ) == 0x0
 01289  1308   NtSetEventBoostPriority  (88, ...
 01249  1296   NtWaitForSingleObject  ... ) == 0x0
 01290  1296   NtSetEventBoostPriority  (88, ...
 01271   440   NtWaitForSingleObject  ... ) == 0x0
 01291   440   NtSetEventBoostPriority  (88, ...
 01283  1588   NtWaitForSingleObject  ... ) == 0x0
 01292  1588   NtTestAlert  (... ) == 0x0
 01291   440   NtSetEventBoostPriority  ... ) == 0x0
 01290  1296   NtSetEventBoostPriority  ... ) == 0x0
 01289  1308   NtSetEventBoostPriority  ... ) == 0x0
 01288  1024   NtSetEventBoostPriority  ... ) == 0x0
 01286  1708   NtSetEventBoostPriority  ... ) == 0x0
 01293   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01294  1588   NtContinue  (21036336, 1, ...
 01295   440   NtTestAlert  (...
 01296  1296   NtTestAlert  (...
 01297  1024   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01298  1708   NtQuerySystemInformation  (Basic, 44, ...
 01293   896   NtCreateThread  ... 152, {1252, 2044}, ) == 0x0
 01299  1588   NtRegisterThreadTerminatePort  (24, ...
 01295   440   NtTestAlert  ... ) == 0x0
 01296  1296   NtTestAlert  ... ) == 0x0
 01297  1024   NtCreateEvent  ... 156, ) == 0x0
 01298  1708   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01300   896   NtQueryInformationThread  (152, Basic, 28, ...
 01299  1588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01301   440   NtContinue  (19987760, 1, ...
 01302  1296   NtContinue  (18939184, 1, ...
 01303  1024   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ...
 01304  1708   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01300   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1252,Tid=2044,}, 0x0, ) == 0x0
 01305  1588   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01306   440   NtRegisterThreadTerminatePort  (24, ...
 01307  1296   NtRegisterThreadTerminatePort  (24, ...
 01303  1024   NtAllocateVirtualMemory  ... 1368064, 4096, ) == 0x0
 01304  1708   NtCreateEvent  ... 160, ) == 0x0
 01308   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81884, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\344\4\0\0\374\7\0\0" ...  ...
 01305  1588   NtCreateEvent  ... 164, ) == 0x0
 01306   440   NtRegisterThreadTerminatePort  ... ) == 0x0
 01307  1296   NtRegisterThreadTerminatePort  ... ) == 0x0
 01309  1024   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01310  1708   NtWaitForSingleObject  (160, 0, 0x0, ...
 01311  1588   NtClose  (164, ...
 01312   440   NtWaitForSingleObject  (160, 0, 0x0, ...
 01313  1296   NtWaitForSingleObject  (160, 0, 0x0, ...
 01314  1308   NtTestAlert  (...
 01308   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81885, 0}  ... {28, 56, reply, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\344\4\0\0\374\7\0\0" )  ) == 0x0
 01309  1024   NtCreateEvent  ... 168, ) == 0x0
 01311  1588   NtClose  ... ) == 0x0
 01314  1308   NtTestAlert  ... ) == 0x0
 01315   896   NtResumeThread  (152, ...
 01316  1024   NtClose  (168, ...
 01317  1588   NtWaitForSingleObject  (160, 0, 0x0, ...
 01318  1308   NtContinue  (17890608, 1, ...
 01315   896   NtResumeThread  ... 1, ) == 0x0
 01316  1024   NtClose  ... ) == 0x0
 01319  1308   NtRegisterThreadTerminatePort  (24, ...
 01320   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01321  1024   NtSetEventBoostPriority  (160, ...
 01319  1308   NtRegisterThreadTerminatePort  ... ) == 0x0
 01320   896   NtAllocateVirtualMemory  ... 22085632, 1048576, ) == 0x0
 01310  1708   NtWaitForSingleObject  ... ) == 0x0
 01321  1024   NtSetEventBoostPriority  ... ) == 0x0
 01322  1308   NtWaitForSingleObject  (160, 0, 0x0, ...
 01323  1708   NtSetEventBoostPriority  (160, ...
 01324   896   NtAllocateVirtualMemory  (-1, 23126016, 0, 8192, 4096, 4, ...
 01325  1024   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 01326  2044   NtWaitForSingleObject  (88, 0, 0x0, ...
 01312   440   NtWaitForSingleObject  ... ) == 0x0
 01323  1708   NtSetEventBoostPriority  ... ) == 0x0
 01324   896   NtAllocateVirtualMemory  ... 23126016, 8192, ) == 0x0
 01327   440   NtSetEventBoostPriority  (160, ...
 01328  1708   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ...
 01329   896   NtProtectVirtualMemory  (-1, (0x160e000), 4096, 260, ...
 01317  1588   NtWaitForSingleObject  ... ) == 0x0
 01328  1708   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01329   896   NtProtectVirtualMemory  ... (0x160e000), 4096, 4, ) == 0x0
 01330  1588   NtSetEventBoostPriority  (160, ...
 01327   440   NtSetEventBoostPriority  ... ) == 0x0
 01325  1024   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01331   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01313  1296   NtWaitForSingleObject  ... ) == 0x0
 01330  1588   NtSetEventBoostPriority  ... ) == 0x0
 01332   440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01333  1024   NtWaitForSingleObject  (160, 0, 0x0, ...
 01334  1296   NtSetEventBoostPriority  (160, ...
 01331   896   NtCreateThread  ... 168, {1252, 1436}, ) == 0x0
 01335  1708   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ...
 01332   440   NtDuplicateObject  ... 164, ) == 0x0
 01322  1308   NtWaitForSingleObject  ... ) == 0x0
 01336   896   NtQueryInformationThread  (168, Basic, 28, ...
 01335  1708   NtOpenKey  ... 172, ) == 0x0
 01334  1296   NtSetEventBoostPriority  ... ) == 0x0
 01337  1588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01338  1308   NtSetEventBoostPriority  (160, ...
 01339   440   NtWaitForSingleObject  (160, 0, 0x0, ...
 01340  1708   NtQueryValueKey  (172,  (172, "MaxRpcSize", Partial, 144, ... , Partial, 144, ...
 01341  1296   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01337  1588   NtDuplicateObject  ... 176, ) == 0x0
 01333  1024   NtWaitForSingleObject  ... ) == 0x0
 01340  1708   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01341  1296   NtDuplicateObject  ... 180, ) == 0x0
 01342  1588   NtWaitForSingleObject  (160, 0, 0x0, ...
 01343  1024   NtSetEventBoostPriority  (160, ...
 01344  1708   NtClose  (172, ...
 01338  1308   NtSetEventBoostPriority  ... ) == 0x0
 01336   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1252,Tid=1436,}, 0x0, ) == 0x0
 01339   440   NtWaitForSingleObject  ... ) == 0x0
 01343  1024   NtSetEventBoostPriority  ... ) == 0x0
 01344  1708   NtClose  ... ) == 0x0
 01345  1308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01346   440   NtSetEventBoostPriority  (160, ...
 01347   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\344\4\0\0\234\5\0\0" ...  ...
 01348  1296   NtWaitForSingleObject  (160, 0, 0x0, ...
 01349  1024   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 12643384, ... }, 12643384, ...
 01342  1588   NtWaitForSingleObject  ... ) == 0x0
 01346   440   NtSetEventBoostPriority  ... ) == 0x0
 01345  1308   NtDuplicateObject  ... 172, ) == 0x0
 01347   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81896, 0}  ... {28, 56, reply, 0, 1252, 896, 81896, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\344\4\0\0\234\5\0\0" )  ) == 0x0
 01350  1588   NtSetEventBoostPriority  (160, ...
 01351   440   NtWaitForSingleObject  (160, 0, 0x0, ...
 01352  1708   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ...
 01348  1296   NtWaitForSingleObject  ... ) == 0x0
 01350  1588   NtSetEventBoostPriority  ... ) == 0x0
 01353   896   NtResumeThread  (168, ...
 01354  1308   NtWaitForSingleObject  (160, 0, 0x0, ...
 01355  1296   NtSetEventBoostPriority  (160, ...
 01352  1708   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01353   896   NtResumeThread  ... 1, ) == 0x0
 01351   440   NtWaitForSingleObject  ... ) == 0x0
 01355  1296   NtSetEventBoostPriority  ... ) == 0x0
 01356  1708   NtWaitForSingleObject  (160, 0, 0x0, ...
 01357  1588   NtWaitForSingleObject  (160, 0, 0x0, ...
 01349  1024   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01358  1436   NtWaitForSingleObject  (88, 0, 0x0, ...
 01359   440   NtSetEventBoostPriority  (160, ...
 01360  1296   NtWaitForSingleObject  (160, 0, 0x0, ...
 01361  1024   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 12643384, ... }, 12643384, ...
 01354  1308   NtWaitForSingleObject  ... ) == 0x0
 01359   440   NtSetEventBoostPriority  ... ) == 0x0
 01362   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01363  1308   NtSetEventBoostPriority  (160, ...
 01364   440   NtWaitForSingleObject  (160, 0, 0x0, ...
 01362   896   NtAllocateVirtualMemory  ... 23134208, 1048576, ) == 0x0
 01356  1708   NtWaitForSingleObject  ... ) == 0x0
 01363  1308   NtSetEventBoostPriority  ... ) == 0x0
 01365  1708   NtSetEventBoostPriority  (160, ...
 01366   896   NtAllocateVirtualMemory  (-1, 24174592, 0, 8192, 4096, 4, ...
 01357  1588   NtWaitForSingleObject  ... ) == 0x0
 01365  1708   NtSetEventBoostPriority  ... ) == 0x0
 01367  1308   NtWaitForSingleObject  (160, 0, 0x0, ...
 01368  1588   NtSetEventBoostPriority  (160, ...
 01366   896   NtAllocateVirtualMemory  ... 24174592, 8192, ) == 0x0
 01361  1024   NtQueryAttributesFile  ... ) == 0x0
 01369  1708   NtWaitForSingleObject  (160, 0, 0x0, ...
 01360  1296   NtWaitForSingleObject  ... ) == 0x0
 01368  1588   NtSetEventBoostPriority  ... ) == 0x0
 01370   896   NtProtectVirtualMemory  (-1, (0x170e000), 4096, 260, ...
 01371  1024   NtWaitForSingleObject  (160, 0, 0x0, ...
 01372  1296   NtSetEventBoostPriority  (160, ...
 01373  1588   NtWaitForSingleObject  (160, 0, 0x0, ...
 01370   896   NtProtectVirtualMemory  ... (0x170e000), 4096, 4, ) == 0x0
 01364   440   NtWaitForSingleObject  ... ) == 0x0
 01372  1296   NtSetEventBoostPriority  ... ) == 0x0
 01374   440   NtSetEventBoostPriority  (160, ...
 01375  1296   NtWaitForSingleObject  (160, 0, 0x0, ...
 01369  1708   NtWaitForSingleObject  ... ) == 0x0
 01374   440   NtSetEventBoostPriority  ... ) == 0x0
 01376  1708   NtSetEventBoostPriority  (160, ...
 01377   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01371  1024   NtWaitForSingleObject  ... ) == 0x0
 01376  1708   NtSetEventBoostPriority  ... ) == 0x0
 01378  1024   NtSetEventBoostPriority  (160, ...
 01377   896   NtCreateThread  ... 184, {1252, 1228}, ) == 0x0
 01367  1308   NtWaitForSingleObject  ... ) == 0x0
 01378  1024   NtSetEventBoostPriority  ... ) == 0x0
 01379  1708   NtWaitForSingleObject  (160, 0, 0x0, ...
 01380  1308   NtSetEventBoostPriority  (160, ...
 01381   896   NtQueryInformationThread  (184, Basic, 28, ...
 01382   440   NtWaitForSingleObject  (160, 0, 0x0, ...
 01383  1024   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ...
 01373  1588   NtWaitForSingleObject  ... ) == 0x0
 01381   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1252,Tid=1228,}, 0x0, ) == 0x0
 01383  1024   NtOpenFile  ... 188, {status=0x0, info=1}, ) == 0x0
 01384  1588   NtSetEventBoostPriority  (160, ...
 01385   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81896, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81896, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\344\4\0\0\314\4\0\0" ...  ...
 01386  1024   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 188, ...
 01375  1296   NtWaitForSingleObject  ... ) == 0x0
 01386  1024   NtCreateSection  ... 192, ) == 0x0
 01387  1296   NtSetEventBoostPriority  (160, ...
 01388  1024   NtQuerySection  (192, Image, 48, ...
 01382   440   NtWaitForSingleObject  ... ) == 0x0
 01387  1296   NtSetEventBoostPriority  ... ) == 0x0
 01389   440   NtSetEventBoostPriority  (160, ...
 01388  1024   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01384  1588   NtSetEventBoostPriority  ... ) == 0x0
 01380  1308   NtSetEventBoostPriority  ... ) == 0x0
 01385   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81926, 0}  ... {28, 56, reply, 0, 1252, 896, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\0\0\0\344\4\0\0\314\4\0\0" )  ) == 0x0
 01379  1708   NtWaitForSingleObject  ... ) == 0x0
 01389   440   NtSetEventBoostPriority  ... ) == 0x0
 01390  1296   NtWaitForSingleObject  (160, 0, 0x0, ...
 01391  1588   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01392  1308   NtWaitForSingleObject  (160, 0, 0x0, ...
 01393  1708   NtSetEventBoostPriority  (160, ...
 01394   896   NtResumeThread  (184, ...
 01395   440   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01391  1588   NtCreateEvent  ... 196, ) == 0x0
 01390  1296   NtWaitForSingleObject  ... ) == 0x0
 01394   896   NtResumeThread  ... 1, ) == 0x0
 01393  1708   NtSetEventBoostPriority  ... ) == 0x0
 01396  1024   NtClose  (188, ...
 01395   440   NtCreateEvent  ... 200, ) == 0x0
 01397  1228   NtWaitForSingleObject  (88, 0, 0x0, ...
 01398  1296   NtSetEventBoostPriority  (160, ...
 01399   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01400  1708   NtWaitForSingleObject  (160, 0, 0x0, ...
 01396  1024   NtClose  ... ) == 0x0
 01401   440   NtWaitForSingleObject  (200, 0, 0x0, ...
 01392  1308   NtWaitForSingleObject  ... ) == 0x0
 01398  1296   NtSetEventBoostPriority  ... ) == 0x0
 01399   896   NtAllocateVirtualMemory  ... 24182784, 1048576, ) == 0x0
 01402  1024   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01403  1308   NtSetEventBoostPriority  (160, ...
 01404  1296   NtSetEventBoostPriority  (200, ...
 01405   896   NtAllocateVirtualMemory  (-1, 25223168, 0, 8192, 4096, 4, ...
 01400  1708   NtWaitForSingleObject  ... ) == 0x0
 01403  1308   NtSetEventBoostPriority  ... ) == 0x0
 01402  1024   NtMapViewOfSection  ... (0x76f20000), 0x0, 159744, ) == 0x0
 01406  1588   NtClose  (196, ...
 01401   440   NtWaitForSingleObject  ... ) == 0x0
 01404  1296   NtSetEventBoostPriority  ... ) == 0x0
 01407  1708   NtWaitForSingleObject  (200, 0, 0x0, ...
 01405   896   NtAllocateVirtualMemory  ... 25223168, 8192, ) == 0x0
 01408  1024   NtClose  (192, ...
 01406  1588   NtClose  ... ) == 0x0
 01409   440   NtSetEventBoostPriority  (200, ...
 01410  1296   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01411   896   NtProtectVirtualMemory  (-1, (0x180e000), 4096, 260, ...
 01408  1024   NtClose  ... ) == 0x0
 01412  1588   NtWaitForSingleObject  (200, 0, 0x0, ...
 01407  1708   NtWaitForSingleObject  ... ) == 0x0
 01409   440   NtSetEventBoostPriority  ... ) == 0x0
 01410  1296   NtWaitForSingleObject  ... ) == 0x102
 01411   896   NtProtectVirtualMemory  ... (0x180e000), 4096, 4, ) == 0x0
 01413  1308   NtWaitForSingleObject  (200, 0, 0x0, ...
 01414  1708   NtSetEventBoostPriority  (200, ...
 01415  1024   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01416  1296   NtWaitForSingleObject  (136, 0, 0x0, ...
 01417   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01412  1588   NtWaitForSingleObject  ... ) == 0x0
 01414  1708   NtSetEventBoostPriority  ... ) == 0x0
 01415  1024   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01418  1588   NtSetEventBoostPriority  (200, ...
 01417   896   NtCreateThread  ... 192, {1252, 1120}, ) == 0x0
 01419   440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01413  1308   NtWaitForSingleObject  ... ) == 0x0
 01418  1588   NtSetEventBoostPriority  ... ) == 0x0
 01420  1024   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 01421   896   NtQueryInformationThread  (192, Basic, 28, ...
 01422  1308   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01419   440   NtWaitForSingleObject  ... ) == 0x102
 01423  1708   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01420  1024   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 01424  1588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01422  1308   NtWaitForSingleObject  ... ) == 0x102
 01425   440   NtWaitForSingleObject  (136, 0, 0x0, ...
 01423  1708   NtCreateEvent  ... 196, ) == 0x0
 01426  1024   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 01424  1588   NtWaitForSingleObject  ... ) == 0x102
 01421   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1252,Tid=1120,}, 0x0, ) == 0x0
 01427  1708   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01426  1024   NtFlushInstructionCache  ... ) == 0x0
 01428  1588   NtWaitForSingleObject  (136, 0, 0x0, ...
 01429   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81926, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\344\4\0\0`\4\0\0" ...  ...
 01427  1708   NtCreateEvent  ... 188, ) == 0x0
 01430  1308   NtWaitForSingleObject  (136, 0, 0x0, ...
 01429   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81927, 0}  ... {28, 56, reply, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\344\4\0\0`\4\0\0" )  ) == 0x0
 01431  1708   NtQuerySystemTime  (...
 01432   896   NtResumeThread  (192, ...
 01431  1708   NtQuerySystemTime  ... {1427891664, 29929616}, ) == 0x0
 01432   896   NtResumeThread  ... 1, ) == 0x0
 01433  1024   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01434  1708   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01435  1120   NtWaitForSingleObject  (88, 0, 0x0, ...
 01433  1024   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01434  1708   NtCreateEvent  ... 204, ) == 0x0
 01436  1024   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 01437  1708   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ...
 01436  1024   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 01437  1708   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01438  1024   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 01439  1708   NtQuerySystemInformation  (Performance, 312, ...
 01438  1024   NtFlushInstructionCache  ... ) == 0x0
 01439  1708   NtQuerySystemInformation  ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01440   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01441  1024   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01440   896   NtAllocateVirtualMemory  ... 25231360, 1048576, ) == 0x0
 01441  1024   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01442   896   NtAllocateVirtualMemory  (-1, 26271744, 0, 8192, 4096, 4, ...
 01443  1024   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 01442   896   NtAllocateVirtualMemory  ... 26271744, 8192, ) == 0x0
 01443  1024   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 01444   896   NtProtectVirtualMemory  (-1, (0x190e000), 4096, 260, ...
 01445  1024   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 01444   896   NtProtectVirtualMemory  ... (0x190e000), 4096, 4, ) == 0x0
 01445  1024   NtFlushInstructionCache  ... ) == 0x0
 01446  1708   NtQueryInformationProcess  (-1, QuotaLimits, 32, ...
 01447   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01446  1708   NtQueryInformationProcess  ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01447   896   NtCreateThread  ... 208, {1252, 860}, ) == 0x0
 01448  1708   NtQueryInformationProcess  (-1, VmCounters, 44, ...
 01449   896   NtQueryInformationThread  (208, Basic, 28, ...
 01448  1708   NtQueryInformationProcess  ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01449   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1252,Tid=860,}, 0x0, ) == 0x0
 01450  1708   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ...
 01451   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\344\4\0\0\\3\0\0" ...  ...
 01450  1708   NtAllocateVirtualMemory  ... 1372160, 4096, ) == 0x0
 01451   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81928, 0}  ... {28, 56, reply, 0, 1252, 896, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\344\4\0\0\\3\0\0" )  ) == 0x0
 01452  1024   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01453   896   NtResumeThread  (208, ...
 01452  1024   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01453   896   NtResumeThread  ... 1, ) == 0x0
 01454  1024   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 01455   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01454  1024   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 01455   896   NtAllocateVirtualMemory  ... 26279936, 1048576, ) == 0x0
 01456  1024   NtFlushInstructionCache  (-1, 1995575296, 616, ...
 01457   896   NtAllocateVirtualMemory  (-1, 27320320, 0, 8192, 4096, 4, ...
 01456  1024   NtFlushInstructionCache  ... ) == 0x0
 01458  1708   NtWaitForSingleObject  (88, 0, 0x0, ...
 01459   860   NtWaitForSingleObject  (88, 0, 0x0, ...
 01457   896   NtAllocateVirtualMemory  ... 27320320, 8192, ) == 0x0
 01460   896   NtProtectVirtualMemory  (-1, (0x1a0e000), 4096, 260, ... (0x1a0e000), 4096, 4, ) == 0x0
 01461   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {1252, 780}, ) == 0x0
 01462   896   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1252,Tid=780,}, 0x0, ) == 0x0
 01463   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81928, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\14\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\14\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81929, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\14\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\14\3\0\0" )  ) == 0x0
 01464   896   NtResumeThread  (212, ... 1, ) == 0x0
 01465  1024   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ...
 01466   780   NtWaitForSingleObject  (88, 0, 0x0, ...
 01465  1024   NtProtectVirtualMemory  ... (0x76f21000), 4096, 32, ) == 0x0
 01467  1024   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01468  1024   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01469  1024   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01470  1024   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01471  1024   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01472   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27328512, 1048576, ) == 0x0
 01473   896   NtAllocateVirtualMemory  (-1, 28368896, 0, 8192, 4096, 4, ... 28368896, 8192, ) == 0x0
 01474   896   NtProtectVirtualMemory  (-1, (0x1b0e000), 4096, 260, ... (0x1b0e000), 4096, 4, ) == 0x0
 01475   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1252, 940}, ) == 0x0
 01476   896   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1252,Tid=940,}, 0x0, ) == 0x0
 01477   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\254\3\0\0" ...  ...
 01478  1024   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01479  1024   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 220, 2, ) }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 220, 2, ) , 0, ... 220, 2, ) == 0x0
 01480  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 224, ) }, ... 224, ) == 0x0
 01477   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81930, 0}  ... {28, 56, reply, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\254\3\0\0" )  ) == 0x0
 01481   896   NtResumeThread  (216, ... 1, ) == 0x0
 01482   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28377088, 1048576, ) == 0x0
 01483   896   NtAllocateVirtualMemory  (-1, 29417472, 0, 8192, 4096, 4, ... 29417472, 8192, ) == 0x0
 01484   896   NtProtectVirtualMemory  (-1, (0x1c0e000), 4096, 260, ... (0x1c0e000), 4096, 4, ) == 0x0
 01485   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1252, 644}, ) == 0x0
 01486   896   NtQueryInformationThread  (228, Basic, 28, ...
 01487  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01488   940   NtWaitForSingleObject  (88, 0, 0x0, ...
 01487  1024   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01489  1024   NtQueryValueKey  (224,  (224, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01490  1024   NtQueryValueKey  (220,  (220, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01491  1024   NtQueryValueKey  (224,  (224, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01492  1024   NtQueryValueKey  (220,  (220, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (220, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01493  1024   NtQueryValueKey  (224,  (224, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01486   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1252,Tid=644,}, 0x0, ) == 0x0
 01494   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\204\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\204\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81931, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\204\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\344\4\0\0\204\2\0\0" )  ) == 0x0
 01495   896   NtResumeThread  (228, ... 1, ) == 0x0
 01496   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29425664, 1048576, ) == 0x0
 01497   896   NtAllocateVirtualMemory  (-1, 30466048, 0, 8192, 4096, 4, ... 30466048, 8192, ) == 0x0
 01498   896   NtProtectVirtualMemory  (-1, (0x1d0e000), 4096, 260, ... (0x1d0e000), 4096, 4, ) == 0x0
 01499  1024   NtQueryValueKey  (220,  (220, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ...
 01500   644   NtWaitForSingleObject  (88, 0, 0x0, ...
 01499  1024   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01501  1024   NtQueryValueKey  (224,  (224, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01502  1024   NtQueryValueKey  (220,  (220, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01503  1024   NtQueryValueKey  (224,  (224, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504  1024   NtQueryValueKey  (224,  (224, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01505  1024   NtQueryValueKey  (224,  (224, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01506   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1252, 320}, ) == 0x0
 01507   896   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1252,Tid=320,}, 0x0, ) == 0x0
 01508   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81931, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0@\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0@\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81932, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0@\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0@\1\0\0" )  ) == 0x0
 01509   896   NtResumeThread  (232, ... 1, ) == 0x0
 01510   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30474240, 1048576, ) == 0x0
 01511   896   NtAllocateVirtualMemory  (-1, 31514624, 0, 8192, 4096, 4, ...
 01512  1024   NtQueryValueKey  (224,  (224, "FilterClusterIp", Partial, 144, ... , Partial, 144, ...
 01513   320   NtWaitForSingleObject  (88, 0, 0x0, ...
 01512  1024   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01514  1024   NtQueryValueKey  (224,  (224, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01515  1024   NtQueryValueKey  (224,  (224, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01516  1024   NtQueryValueKey  (224,  (224, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01517  1024   NtQueryValueKey  (224,  (224, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01518  1024   NtQueryValueKey  (224,  (224, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01511   896   NtAllocateVirtualMemory  ... 31514624, 8192, ) == 0x0
 01519   896   NtProtectVirtualMemory  (-1, (0x1e0e000), 4096, 260, ... (0x1e0e000), 4096, 4, ) == 0x0
 01520   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1252, 380}, ) == 0x0
 01521   896   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1252,Tid=380,}, 0x0, ) == 0x0
 01522   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81932, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0|\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0|\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81933, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0|\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0|\1\0\0" )  ) == 0x0
 01523   896   NtResumeThread  (236, ... 1, ) == 0x0
 01524  1024   NtQueryValueKey  (220,  (220, "DisableDynamicUpdate", Partial, 144, ... , Partial, 144, ...
 01525   380   NtWaitForSingleObject  (88, 0, 0x0, ...
 01524  1024   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01526  1024   NtQueryValueKey  (224,  (224, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01527  1024   NtQueryValueKey  (224,  (224, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01528  1024   NtQueryValueKey  (220,  (220, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01529  1024   NtQueryValueKey  (224,  (224, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01530  1024   NtQueryValueKey  (220,  (220, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01531   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31522816, 1048576, ) == 0x0
 01532   896   NtAllocateVirtualMemory  (-1, 32563200, 0, 8192, 4096, 4, ... 32563200, 8192, ) == 0x0
 01533   896   NtProtectVirtualMemory  (-1, (0x1f0e000), 4096, 260, ... (0x1f0e000), 4096, 4, ) == 0x0
 01534   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 240, {1252, 1336}, ) == 0x0
 01535   896   NtQueryInformationThread  (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1252,Tid=1336,}, 0x0, ) == 0x0
 01536   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81933, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\08\5\0\0" ...  ...
 01537  1024   NtQueryValueKey  (224,  (224, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01538  1024   NtQueryValueKey  (220,  (220, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01539  1024   NtQueryValueKey  (224,  (224, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01536   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81934, 0}  ... {28, 56, reply, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\08\5\0\0" )  ) == 0x0
 01540   896   NtResumeThread  (240, ... 1, ) == 0x0
 01541   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32571392, 1048576, ) == 0x0
 01542   896   NtAllocateVirtualMemory  (-1, 33611776, 0, 8192, 4096, 4, ... 33611776, 8192, ) == 0x0
 01543   896   NtProtectVirtualMemory  (-1, (0x200e000), 4096, 260, ... (0x200e000), 4096, 4, ) == 0x0
 01544   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {1252, 1808}, ) == 0x0
 01545   896   NtQueryInformationThread  (244, Basic, 28, ...
 01546  1024   NtQueryValueKey  (220,  (220, "DefaultRegistrationTTL", Partial, 144, ... , Partial, 144, ...
 01547  1336   NtWaitForSingleObject  (88, 0, 0x0, ...
 01546  1024   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01548  1024   NtQueryValueKey  (224,  (224, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01549  1024   NtQueryValueKey  (220,  (220, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01550  1024   NtQueryValueKey  (224,  (224, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01551  1024   NtQueryValueKey  (220,  (220, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01552  1024   NtQueryValueKey  (224,  (224, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01545   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1252,Tid=1808,}, 0x0, ) == 0x0
 01553   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0\20\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0\20\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81935, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0\20\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0\20\7\0\0" )  ) == 0x0
 01554   896   NtResumeThread  (244, ... 1, ) == 0x0
 01555   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33619968, 1048576, ) == 0x0
 01556   896   NtAllocateVirtualMemory  (-1, 34660352, 0, 8192, 4096, 4, ... 34660352, 8192, ) == 0x0
 01557   896   NtProtectVirtualMemory  (-1, (0x210e000), 4096, 260, ... (0x210e000), 4096, 4, ) == 0x0
 01558  1024   NtQueryValueKey  (220,  (220, "UpdateSecurityLevel", Partial, 144, ... , Partial, 144, ...
 01559  1808   NtWaitForSingleObject  (88, 0, 0x0, ...
 01558  1024   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01560  1024   NtQueryValueKey  (224,  (224, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01561  1024   NtQueryValueKey  (224,  (224, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01562  1024   NtQueryValueKey  (224,  (224, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01563  1024   NtQueryValueKey  (224,  (224, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01564  1024   NtQueryValueKey  (224,  (224, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01565   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1252, 752}, ) == 0x0
 01566   896   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1252,Tid=752,}, 0x0, ) == 0x0
 01567   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81935, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\360\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\360\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81936, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\360\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\360\2\0\0" )  ) == 0x0
 01568   896   NtResumeThread  (248, ... 1, ) == 0x0
 01569   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34668544, 1048576, ) == 0x0
 01570   896   NtAllocateVirtualMemory  (-1, 35708928, 0, 8192, 4096, 4, ...
 01571  1024   NtQueryValueKey  (224,  (224, "MaxNegativeCacheTtl", Partial, 144, ... , Partial, 144, ...
 01572   752   NtWaitForSingleObject  (88, 0, 0x0, ...
 01571  1024   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01573  1024   NtQueryValueKey  (224,  (224, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01574  1024   NtQueryValueKey  (224,  (224, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01575  1024   NtQueryValueKey  (224,  (224, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01576  1024   NtQueryValueKey  (224,  (224, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01577  1024   NtQueryValueKey  (224,  (224, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01570   896   NtAllocateVirtualMemory  ... 35708928, 8192, ) == 0x0
 01578   896   NtProtectVirtualMemory  (-1, (0x220e000), 4096, 260, ... (0x220e000), 4096, 4, ) == 0x0
 01579   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 252, {1252, 1512}, ) == 0x0
 01580   896   NtQueryInformationThread  (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1252,Tid=1512,}, 0x0, ) == 0x0
 01581   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81936, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\4\0\0\350\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\4\0\0\350\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81937, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\4\0\0\350\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\4\0\0\350\5\0\0" )  ) == 0x0
 01582   896   NtResumeThread  (252, ... 1, ) == 0x0
 01583  1024   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\Setup"}, ... }, ...
 01584  1512   NtWaitForSingleObject  (88, 0, 0x0, ...
 01583  1024   NtOpenKey  ... 256, ) == 0x0
 01585  1024   NtQueryValueKey  (256,  (256, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01586  1024   NtClose  (256, ... ) == 0x0
 01587  1024   NtClose  (220, ... ) == 0x0
 01588  1024   NtClose  (224, ... ) == 0x0
 01589  1024   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 224, ) }, ... 224, ) == 0x0
 01590   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35717120, 1048576, ) == 0x0
 01591   896   NtAllocateVirtualMemory  (-1, 36757504, 0, 8192, 4096, 4, ... 36757504, 8192, ) == 0x0
 01592   896   NtProtectVirtualMemory  (-1, (0x230e000), 4096, 260, ... (0x230e000), 4096, 4, ) == 0x0
 01593   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {1252, 1564}, ) == 0x0
 01594   896   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1252,Tid=1564,}, 0x0, ) == 0x0
 01595   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81937, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0\34\6\0\0" ...  ...
 01596  1024   NtQueryValueKey  (224,  (224, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01597  1024   NtQueryValueKey  (224,  (224, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01598  1024   NtQueryValueKey  (224,  (224, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01595   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81940, 0}  ... {28, 56, reply, 0, 1252, 896, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0\34\6\0\0" )  ) == 0x0
 01599   896   NtResumeThread  (220, ... 1, ) == 0x0
 01600   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 36765696, 1048576, ) == 0x0
 01601   896   NtAllocateVirtualMemory  (-1, 37806080, 0, 8192, 4096, 4, ... 37806080, 8192, ) == 0x0
 01602   896   NtProtectVirtualMemory  (-1, (0x240e000), 4096, 260, ... (0x240e000), 4096, 4, ) == 0x0
 01603   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 256, {1252, 312}, ) == 0x0
 01604   896   NtQueryInformationThread  (256, Basic, 28, ...
 01605  1024   NtClose  (224, ...
 01606  1564   NtWaitForSingleObject  (88, 0, 0x0, ...
 01605  1024   NtClose  ... ) == 0x0
 01607  1024   NtSetEventBoostPriority  (88, ...
 01326  2044   NtWaitForSingleObject  ... ) == 0x0
 01608  2044   NtSetEventBoostPriority  (88, ...
 01358  1436   NtWaitForSingleObject  ... ) == 0x0
 01609  1436   NtSetEventBoostPriority  (88, ...
 01397  1228   NtWaitForSingleObject  ... ) == 0x0
 01610  1228   NtSetEventBoostPriority  (88, ...
 01435  1120   NtWaitForSingleObject  ... ) == 0x0
 01611  1120   NtSetEventBoostPriority  (88, ...
 01458  1708   NtWaitForSingleObject  ... ) == 0x0
 01612  1708   NtSetEventBoostPriority  (88, ...
 01459   860   NtWaitForSingleObject  ... ) == 0x0
 01613   860   NtSetEventBoostPriority  (88, ...
 01466   780   NtWaitForSingleObject  ... ) == 0x0
 01614   780   NtSetEventBoostPriority  (88, ...
 01488   940   NtWaitForSingleObject  ... ) == 0x0
 01615   940   NtSetEventBoostPriority  (88, ...
 01500   644   NtWaitForSingleObject  ... ) == 0x0
 01616   644   NtSetEventBoostPriority  (88, ...
 01513   320   NtWaitForSingleObject  ... ) == 0x0
 01617   320   NtSetEventBoostPriority  (88, ...
 01525   380   NtWaitForSingleObject  ... ) == 0x0
 01618   380   NtSetEventBoostPriority  (88, ...
 01547  1336   NtWaitForSingleObject  ... ) == 0x0
 01619  1336   NtSetEventBoostPriority  (88, ...
 01559  1808   NtWaitForSingleObject  ... ) == 0x0
 01620  1808   NtSetEventBoostPriority  (88, ...
 01572   752   NtWaitForSingleObject  ... ) == 0x0
 01621   752   NtSetEventBoostPriority  (88, ...
 01584  1512   NtWaitForSingleObject  ... ) == 0x0
 01622  1512   NtSetEventBoostPriority  (88, ...
 01606  1564   NtWaitForSingleObject  ... ) == 0x0
 01623  1564   NtAllocateVirtualMemory  (-1, 3624960, 0, 4096, 4096, 4, ... 3624960, 4096, ) == 0x0
 01622  1512   NtSetEventBoostPriority  ... ) == 0x0
 01621   752   NtSetEventBoostPriority  ... ) == 0x0
 01620  1808   NtSetEventBoostPriority  ... ) == 0x0
 01619  1336   NtSetEventBoostPriority  ... ) == 0x0
 01618   380   NtSetEventBoostPriority  ... ) == 0x0
 01617   320   NtSetEventBoostPriority  ... ) == 0x0
 01616   644   NtSetEventBoostPriority  ... ) == 0x0
 01615   940   NtSetEventBoostPriority  ... ) == 0x0
 01614   780   NtSetEventBoostPriority  ... ) == 0x0
 01613   860   NtSetEventBoostPriority  ... ) == 0x0
 01612  1708   NtSetEventBoostPriority  ... ) == 0x0
 01611  1120   NtSetEventBoostPriority  ... ) == 0x0
 01610  1228   NtSetEventBoostPriority  ... ) == 0x0
 01609  1436   NtSetEventBoostPriority  ... ) == 0x0
 01608  2044   NtSetEventBoostPriority  ... ) == 0x0
 01607  1024   NtSetEventBoostPriority  ... ) == 0x0
 01604   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1252,Tid=312,}, 0x0, ) == 0x0
 01624  1564   NtTestAlert  (...
 01625  1512   NtTestAlert  (...
 01626   752   NtTestAlert  (...
 01627  1808   NtTestAlert  (...
 01628  1336   NtTestAlert  (...
 01629   380   NtTestAlert  (...
 01630   320   NtTestAlert  (...
 01631   644   NtTestAlert  (...
 01632   940   NtTestAlert  (...
 01633   780   NtTestAlert  (...
 01634  1708   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01635   860   NtTestAlert  (...
 01636  1120   NtTestAlert  (...
 01637  1228   NtTestAlert  (...
 01638  1436   NtTestAlert  (...
 01639  1024   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01640   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81940, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\344\4\0\08\1\0\0" ...  ...
 01624  1564   NtTestAlert  ... ) == 0x0
 01625  1512   NtTestAlert  ... ) == 0x0
 01626   752   NtTestAlert  ... ) == 0x0
 01627  1808   NtTestAlert  ... ) == 0x0
 01628  1336   NtTestAlert  ... ) == 0x0
 01629   380   NtTestAlert  ... ) == 0x0
 01630   320   NtTestAlert  ... ) == 0x0
 01631   644   NtTestAlert  ... ) == 0x0
 01632   940   NtTestAlert  ... ) == 0x0
 01633   780   NtTestAlert  ... ) == 0x0
 01641  2044   NtTestAlert  (...
 01635   860   NtTestAlert  ... ) == 0x0
 01636  1120   NtTestAlert  ... ) == 0x0
 01637  1228   NtTestAlert  ... ) == 0x0
 01638  1436   NtTestAlert  ... ) == 0x0
 01639  1024   NtCreateEvent  ... 224, ) == 0x0
 01640   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81941, 0}  ... {28, 56, reply, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\344\4\0\08\1\0\0" )  ) == 0x0
 01642  1564   NtContinue  (36764976, 1, ...
 01643  1512   NtContinue  (35716400, 1, ...
 01644   752   NtContinue  (34667824, 1, ...
 01645  1808   NtContinue  (33619248, 1, ...
 01646  1336   NtContinue  (32570672, 1, ...
 01647   380   NtContinue  (31522096, 1, ...
 01648   320   NtContinue  (30473520, 1, ...
 01649   644   NtContinue  (29424944, 1, ...
 01650   940   NtContinue  (28376368, 1, ...
 01651   780   NtContinue  (27327792, 1, ...
 01641  2044   NtTestAlert  ... ) == 0x0
 01652   860   NtContinue  (26279216, 1, ...
 01653  1120   NtContinue  (25230640, 1, ...
 01654  1228   NtContinue  (24182064, 1, ...
 01655  1436   NtContinue  (23133488, 1, ...
 01634  1708   NtCreateEvent  ... 260, ) == 0x0
 01656   896   NtResumeThread  (256, ...
 01657  1564   NtRegisterThreadTerminatePort  (24, ...
 01658  1512   NtRegisterThreadTerminatePort  (24, ...
 01659   752   NtRegisterThreadTerminatePort  (24, ...
 01660  1808   NtRegisterThreadTerminatePort  (24, ...
 01661  1336   NtRegisterThreadTerminatePort  (24, ...
 01662   380   NtRegisterThreadTerminatePort  (24, ...
 01663   320   NtRegisterThreadTerminatePort  (24, ...
 01664   644   NtRegisterThreadTerminatePort  (24, ...
 01665   940   NtRegisterThreadTerminatePort  (24, ...
 01666   780   NtRegisterThreadTerminatePort  (24, ...
 01667  2044   NtContinue  (22084912, 1, ...
 01668   860   NtRegisterThreadTerminatePort  (24, ...
 01669  1120   NtRegisterThreadTerminatePort  (24, ...
 01670  1228   NtRegisterThreadTerminatePort  (24, ...
 01671  1436   NtRegisterThreadTerminatePort  (24, ...
 01672  1708   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01656   896   NtResumeThread  ... 1, ) == 0x0
 01657  1564   NtRegisterThreadTerminatePort  ... ) == 0x0
 01658  1512   NtRegisterThreadTerminatePort  ... ) == 0x0
 01659   752   NtRegisterThreadTerminatePort  ... ) == 0x0
 01660  1808   NtRegisterThreadTerminatePort  ... ) == 0x0
 01661  1336   NtRegisterThreadTerminatePort  ... ) == 0x0
 01662   380   NtRegisterThreadTerminatePort  ... ) == 0x0
 01663   320   NtRegisterThreadTerminatePort  ... ) == 0x0
 01664   644   NtRegisterThreadTerminatePort  ... ) == 0x0
 01665   940   NtRegisterThreadTerminatePort  ... ) == 0x0
 01666   780   NtRegisterThreadTerminatePort  ... ) == 0x0
 01673  2044   NtRegisterThreadTerminatePort  (24, ...
 01668   860   NtRegisterThreadTerminatePort  ... ) == 0x0
 01669  1120   NtRegisterThreadTerminatePort  ... ) == 0x0
 01670  1228   NtRegisterThreadTerminatePort  ... ) == 0x0
 01671  1436   NtRegisterThreadTerminatePort  ... ) == 0x0
 01672  1708   NtDuplicateObject  ... 264, ) == 0x0
 01674  1024   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01675   312   NtTestAlert  (...
 01676  1564   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01677  1512   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01678   752   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01679  1808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01680  1336   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01681   380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01682   320   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01683   644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01684   940   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01685   780   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01673  2044   NtRegisterThreadTerminatePort  ... ) == 0x0
 01686   860   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01687  1120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01688  1228   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01689  1436   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01690  1708   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 01674  1024   NtDuplicateObject  ... 268, ) == 0x0
 01675   312   NtTestAlert  ... ) == 0x0
 01691   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01676  1564   NtDuplicateObject  ... 272, ) == 0x0
 01677  1512   NtDuplicateObject  ... 276, ) == 0x0
 01678   752   NtDuplicateObject  ... 280, ) == 0x0
 01679  1808   NtDuplicateObject  ... 284, ) == 0x0
 01680  1336   NtDuplicateObject  ... 288, ) == 0x0
 01681   380   NtDuplicateObject  ... 292, ) == 0x0
 01682   320   NtDuplicateObject  ... 296, ) == 0x0
 01683   644   NtDuplicateObject  ... 300, ) == 0x0
 01684   940   NtDuplicateObject  ... 304, ) == 0x0
 01692  2044   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01685   780   NtDuplicateObject  ... 308, ) == 0x0
 01686   860   NtDuplicateObject  ... 312, ) == 0x0
 01687  1120   NtDuplicateObject  ... 316, ) == 0x0
 01688  1228   NtDuplicateObject  ... 320, ) == 0x0
 01690  1708   NtOpenKey  ... 324, ) == 0x0
 01693  1024   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01694   312   NtContinue  (37813552, 1, ...
 01691   896   NtAllocateVirtualMemory  ... 37814272, 1048576, ) == 0x0
 01695  1564   NtWaitForSingleObject  (160, 0, 0x0, ...
 01696  1512   NtWaitForSingleObject  (160, 0, 0x0, ...
 01697   752   NtWaitForSingleObject  (160, 0, 0x0, ...
 01698  1808   NtWaitForSingleObject  (160, 0, 0x0, ...
 01699  1336   NtWaitForSingleObject  (160, 0, 0x0, ...
 01700   380   NtWaitForSingleObject  (160, 0, 0x0, ...
 01701   320   NtWaitForSingleObject  (160, 0, 0x0, ...
 01702   644   NtWaitForSingleObject  (160, 0, 0x0, ...
 01703   940   NtWaitForSingleObject  (160, 0, 0x0, ...
 01689  1436   NtDuplicateObject  ... 328, ) == 0x0
 01704   780   NtWaitForSingleObject  (160, 0, 0x0, ...
 01705   860   NtWaitForSingleObject  (160, 0, 0x0, ...
 01706  1120   NtWaitForSingleObject  (160, 0, 0x0, ...
 01707  1228   NtWaitForSingleObject  (160, 0, 0x0, ...
 01708  1708   NtQueryValueKey  (324,  (324, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 01693  1024   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01709   312   NtRegisterThreadTerminatePort  (24, ...
 01710   896   NtAllocateVirtualMemory  (-1, 38854656, 0, 8192, 4096, 4, ...
 01711  1436   NtWaitForSingleObject  (160, 0, 0x0, ...
 01692  2044   NtDuplicateObject  ... 332, ) == 0x0
 01712  1024   NtSetEventBoostPriority  (160, ...
 01709   312   NtRegisterThreadTerminatePort  ... ) == 0x0
 01710   896   NtAllocateVirtualMemory  ... 38854656, 8192, ) == 0x0
 01713  2044   NtWaitForSingleObject  (160, 0, 0x0, ...
 01695  1564   NtWaitForSingleObject  ... ) == 0x0
 01712  1024   NtSetEventBoostPriority  ... ) == 0x0
 01708  1708   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01714   896   NtProtectVirtualMemory  (-1, (0x250e000), 4096, 260, ...
 01715  1564   NtSetEventBoostPriority  (160, ...
 01716   312   NtWaitForSingleObject  (160, 0, 0x0, ...
 01717  1708   NtClose  (324, ...
 01696  1512   NtWaitForSingleObject  ... ) == 0x0
 01715  1564   NtSetEventBoostPriority  ... ) == 0x0
 01714   896   NtProtectVirtualMemory  ... (0x250e000), 4096, 4, ) == 0x0
 01718  1512   NtSetEventBoostPriority  (160, ...
 01717  1708   NtClose  ... ) == 0x0
 01719  1024   NtWaitForSingleObject  (160, 0, 0x0, ...
 01720  1564   NtWaitForSingleObject  (160, 0, 0x0, ...
 01697   752   NtWaitForSingleObject  ... ) == 0x0
 01718  1512   NtSetEventBoostPriority  ... ) == 0x0
 01721  1708   NtWaitForSingleObject  (160, 0, 0x0, ...
 01722   752   NtSetEventBoostPriority  (160, ...
 01723   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01698  1808   NtWaitForSingleObject  ... ) == 0x0
 01722   752   NtSetEventBoostPriority  ... ) == 0x0
 01724  1808   NtSetEventBoostPriority  (160, ...
 01723   896   NtCreateThread  ... 324, {1252, 1964}, ) == 0x0
 01725  1512   NtWaitForSingleObject  (160, 0, 0x0, ...
 01699  1336   NtWaitForSingleObject  ... ) == 0x0
 01724  1808   NtSetEventBoostPriority  ... ) == 0x0
 01726   896   NtQueryInformationThread  (324, Basic, 28, ...
 01727  1336   NtSetEventBoostPriority  (160, ...
 01728   752   NtWaitForSingleObject  (160, 0, 0x0, ...
 01700   380   NtWaitForSingleObject  ... ) == 0x0
 01727  1336   NtSetEventBoostPriority  ... ) == 0x0
 01726   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1252,Tid=1964,}, 0x0, ) == 0x0
 01729   380   NtSetEventBoostPriority  (160, ...
 01730  1808   NtWaitForSingleObject  (160, 0, 0x0, ...
 01701   320   NtWaitForSingleObject  ... ) == 0x0
 01729   380   NtSetEventBoostPriority  ... ) == 0x0
 01731   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81941, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\344\4\0\0\254\7\0\0" ...  ...
 01732   320   NtSetEventBoostPriority  (160, ...
 01733  1336   NtWaitForSingleObject  (160, 0, 0x0, ...
 01702   644   NtWaitForSingleObject  ... ) == 0x0
 01732   320   NtSetEventBoostPriority  ... ) == 0x0
 01734   644   NtSetEventBoostPriority  (160, ...
 01735   380   NtWaitForSingleObject  (160, 0, 0x0, ...
 01731   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81942, 0}  ... {28, 56, reply, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\344\4\0\0\254\7\0\0" )  ) == 0x0
 01703   940   NtWaitForSingleObject  ... ) == 0x0
 01734   644   NtSetEventBoostPriority  ... ) == 0x0
 01736   940   NtSetEventBoostPriority  (160, ...
 01737   896   NtResumeThread  (324, ...
 01738   320   NtWaitForSingleObject  (160, 0, 0x0, ...
 01704   780   NtWaitForSingleObject  ... ) == 0x0
 01736   940   NtSetEventBoostPriority  ... ) == 0x0
 01737   896   NtResumeThread  ... 1, ) == 0x0
 01739   780   NtSetEventBoostPriority  (160, ...
 01740   644   NtWaitForSingleObject  (160, 0, 0x0, ...
 01741  1964   NtTestAlert  (...
 01705   860   NtWaitForSingleObject  ... ) == 0x0
 01739   780   NtSetEventBoostPriority  ... ) == 0x0
 01742   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01743   860   NtSetEventBoostPriority  (160, ...
 01741  1964   NtTestAlert  ... ) == 0x0
 01744   940   NtWaitForSingleObject  (160, 0, 0x0, ...
 01706  1120   NtWaitForSingleObject  ... ) == 0x0
 01743   860   NtSetEventBoostPriority  ... ) == 0x0
 01742   896   NtAllocateVirtualMemory  ... 38862848, 1048576, ) == 0x0
 01745  1964   NtContinue  (38862128, 1, ...
 01746  1120   NtSetEventBoostPriority  (160, ...
 01747   780   NtWaitForSingleObject  (160, 0, 0x0, ...
 01748   896   NtAllocateVirtualMemory  (-1, 39903232, 0, 8192, 4096, 4, ...
 01707  1228   NtWaitForSingleObject  ... ) == 0x0
 01746  1120   NtSetEventBoostPriority  ... ) == 0x0
 01749  1964   NtRegisterThreadTerminatePort  (24, ...
 01750   860   NtWaitForSingleObject  (160, 0, 0x0, ...
 01751  1228   NtSetEventBoostPriority  (160, ...
 01748   896   NtAllocateVirtualMemory  ... 39903232, 8192, ) == 0x0
 01749  1964   NtRegisterThreadTerminatePort  ... ) == 0x0
 01711  1436   NtWaitForSingleObject  ... ) == 0x0
 01751  1228   NtSetEventBoostPriority  ... ) == 0x0
 01752   896   NtProtectVirtualMemory  (-1, (0x260e000), 4096, 260, ...
 01753  1120   NtWaitForSingleObject  (160, 0, 0x0, ...
 01754  1436   NtSetEventBoostPriority  (160, ...
 01755  1964   NtWaitForSingleObject  (160, 0, 0x0, ...
 01752   896   NtProtectVirtualMemory  ... (0x260e000), 4096, 4, ) == 0x0
 01713  2044   NtWaitForSingleObject  ... ) == 0x0
 01754  1436   NtSetEventBoostPriority  ... ) == 0x0
 01756  2044   NtSetEventBoostPriority  (160, ...
 01757   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01758  1228   NtWaitForSingleObject  (160, 0, 0x0, ...
 01716   312   NtWaitForSingleObject  ... ) == 0x0
 01756  2044   NtSetEventBoostPriority  ... ) == 0x0
 01757   896   NtCreateThread  ... 336, {1252, 1568}, ) == 0x0
 01759   312   NtSetEventBoostPriority  (160, ...
 01760  1436   NtWaitForSingleObject  (160, 0, 0x0, ...
 01719  1024   NtWaitForSingleObject  ... ) == 0x0
 01759   312   NtSetEventBoostPriority  ... ) == 0x0
 01761   896   NtQueryInformationThread  (336, Basic, 28, ...
 01762  1024   NtSetEventBoostPriority  (160, ...
 01763   312   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01764  2044   NtWaitForSingleObject  (160, 0, 0x0, ...
 01720  1564   NtWaitForSingleObject  ... ) == 0x0
 01762  1024   NtSetEventBoostPriority  ... ) == 0x0
 01761   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1252,Tid=1568,}, 0x0, ) == 0x0
 01765  1564   NtSetEventBoostPriority  (160, ...
 01766  1024   NtWaitForSingleObject  (160, 0, 0x0, ...
 01721  1708   NtWaitForSingleObject  ... ) == 0x0
 01765  1564   NtSetEventBoostPriority  ... ) == 0x0
 01767   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81942, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\344\4\0\0 \6\0\0" ...  ...
 01763   312   NtDuplicateObject  ... 340, ) == 0x0
 01768  1708   NtSetEventBoostPriority  (160, ...
 01769  1564   NtWaitForSingleObject  (160, 0, 0x0, ...
 01767   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81943, 0}  ... {28, 56, reply, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\344\4\0\0 \6\0\0" )  ) == 0x0
 01725  1512   NtWaitForSingleObject  ... ) == 0x0
 01768  1708   NtSetEventBoostPriority  ... ) == 0x0
 01770   312   NtWaitForSingleObject  (160, 0, 0x0, ...
 01771  1512   NtSetEventBoostPriority  (160, ...
 01772   896   NtResumeThread  (336, ...
 01728   752   NtWaitForSingleObject  ... ) == 0x0
 01771  1512   NtSetEventBoostPriority  ... ) == 0x0
 01773   752   NtSetEventBoostPriority  (160, ...
 01772   896   NtResumeThread  ... 1, ) == 0x0
 01730  1808   NtWaitForSingleObject  ... ) == 0x0
 01773   752   NtSetEventBoostPriority  ... ) == 0x0
 01774  1512   NtWaitForSingleObject  (160, 0, 0x0, ...
 01775  1708   NtOpenThreadToken  (-2, 0xc, 1, ...
 01776  1568   NtTestAlert  (...
 01777  1808   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01778   752   NtWaitForSingleObject  (160, 0, 0x0, ...
 01779   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01775  1708   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01777  1808   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01776  1568   NtTestAlert  ... ) == 0x0
 01779   896   NtAllocateVirtualMemory  ... 39911424, 1048576, ) == 0x0
 01780  1808   NtSetEventBoostPriority  (160, ...
 01781  1708   NtOpenThreadToken  (-2, 0x20008, 1, ...
 01782  1568   NtContinue  (39910704, 1, ...
 01783   896   NtAllocateVirtualMemory  (-1, 40951808, 0, 8192, 4096, 4, ...
 01781  1708   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01784  1568   NtRegisterThreadTerminatePort  (24, ...
 01783   896   NtAllocateVirtualMemory  ... 40951808, 8192, ) == 0x0
 01785  1708   NtWaitForSingleObject  (160, 0, 0x0, ...
 01784  1568   NtRegisterThreadTerminatePort  ... ) == 0x0
 01786   896   NtProtectVirtualMemory  (-1, (0x270e000), 4096, 260, ...
 01733  1336   NtWaitForSingleObject  ... ) == 0x0
 01780  1808   NtSetEventBoostPriority  ... ) == 0x0
 01786   896   NtProtectVirtualMemory  ... (0x270e000), 4096, 4, ) == 0x0
 01787  1336   NtSetEventBoostPriority  (160, ...
 01788  1808   NtWaitForSingleObject  (160, 0, 0x0, ...
 01789  1568   NtWaitForSingleObject  (160, 0, 0x0, ...
 01735   380   NtWaitForSingleObject  ... ) == 0x0
 01787  1336   NtSetEventBoostPriority  ... ) == 0x0
 01790   380   NtSetEventBoostPriority  (160, ...
 01738   320   NtWaitForSingleObject  ... ) == 0x0
 01791   320   NtSetEventBoostPriority  (160, ...
 01740   644   NtWaitForSingleObject  ... ) == 0x0
 01792   644   NtSetEventBoostPriority  (160, ...
 01744   940   NtWaitForSingleObject  ... ) == 0x0
 01793   940   NtSetEventBoostPriority  (160, ...
 01747   780   NtWaitForSingleObject  ... ) == 0x0
 01794   780   NtSetEventBoostPriority  (160, ...
 01750   860   NtWaitForSingleObject  ... ) == 0x0
 01795   860   NtSetEventBoostPriority  (160, ...
 01753  1120   NtWaitForSingleObject  ... ) == 0x0
 01796  1120   NtSetEventBoostPriority  (160, ...
 01755  1964   NtWaitForSingleObject  ... ) == 0x0
 01797  1964   NtSetEventBoostPriority  (160, ...
 01758  1228   NtWaitForSingleObject  ... ) == 0x0
 01798  1228   NtSetEventBoostPriority  (160, ...
 01760  1436   NtWaitForSingleObject  ... ) == 0x0
 01799  1436   NtSetEventBoostPriority  (160, ...
 01764  2044   NtWaitForSingleObject  ... ) == 0x0
 01800  2044   NtSetEventBoostPriority  (160, ...
 01766  1024   NtWaitForSingleObject  ... ) == 0x0
 01801  1024   NtSetEventBoostPriority  (160, ...
 01769  1564   NtWaitForSingleObject  ... ) == 0x0
 01802  1564   NtSetEventBoostPriority  (160, ...
 01770   312   NtWaitForSingleObject  ... ) == 0x0
 01803   312   NtSetEventBoostPriority  (160, ...
 01774  1512   NtWaitForSingleObject  ... ) == 0x0
 01804  1512   NtSetEventBoostPriority  (160, ...
 01778   752   NtWaitForSingleObject  ... ) == 0x0
 01805   752   NtSetEventBoostPriority  (160, ...
 01785  1708   NtWaitForSingleObject  ... ) == 0x0
 01806  1708   NtSetEventBoostPriority  (160, ...
 01788  1808   NtWaitForSingleObject  ... ) == 0x0
 01807  1808   NtSetEventBoostPriority  (160, ...
 01789  1568   NtWaitForSingleObject  ... ) == 0x0
 01808  1568   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 344, ) == 0x0
 01809  1568   NtWaitForSingleObject  (200, 0, 0x0, ...
 01807  1808   NtSetEventBoostPriority  ... ) == 0x0
 01806  1708   NtSetEventBoostPriority  ... ) == 0x0
 01803   312   NtSetEventBoostPriority  ... ) == 0x0
 01800  2044   NtSetEventBoostPriority  ... ) == 0x0
 01799  1436   NtSetEventBoostPriority  ... ) == 0x0
 01798  1228   NtSetEventBoostPriority  ... ) == 0x0
 01797  1964   NtSetEventBoostPriority  ... ) == 0x0
 01796  1120   NtSetEventBoostPriority  ... ) == 0x0
 01795   860   NtSetEventBoostPriority  ... ) == 0x0
 01794   780   NtSetEventBoostPriority  ... ) == 0x0
 01793   940   NtSetEventBoostPriority  ... ) == 0x0
 01792   644   NtSetEventBoostPriority  ... ) == 0x0
 01791   320   NtSetEventBoostPriority  ... ) == 0x0
 01790   380   NtSetEventBoostPriority  ... ) == 0x0
 01810  1336   NtWaitForSingleObject  (200, 0, 0x0, ...
 01805   752   NtSetEventBoostPriority  ... ) == 0x0
 01804  1512   NtSetEventBoostPriority  ... ) == 0x0
 01802  1564   NtSetEventBoostPriority  ... ) == 0x0
 01801  1024   NtSetEventBoostPriority  ... ) == 0x0
 01811   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01812  1808   NtWaitForSingleObject  (200, 0, 0x0, ...
 01813  1708   NtWaitForSingleObject  (200, 0, 0x0, ...
 01814  2044   NtWaitForSingleObject  (200, 0, 0x0, ...
 01815  1436   NtWaitForSingleObject  (200, 0, 0x0, ...
 01816  1228   NtWaitForSingleObject  (200, 0, 0x0, ...
 01817  1964   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01818  1120   NtWaitForSingleObject  (200, 0, 0x0, ...
 01819   860   NtWaitForSingleObject  (200, 0, 0x0, ...
 01820   780   NtWaitForSingleObject  (200, 0, 0x0, ...
 01821   940   NtWaitForSingleObject  (200, 0, 0x0, ...
 01822   644   NtWaitForSingleObject  (200, 0, 0x0, ...
 01823   320   NtWaitForSingleObject  (200, 0, 0x0, ...
 01824   380   NtWaitForSingleObject  (200, 0, 0x0, ...
 01825   312   NtWaitForSingleObject  (200, 0, 0x0, ...
 01826   752   NtWaitForSingleObject  (200, 0, 0x0, ...
 01827  1512   NtWaitForSingleObject  (200, 0, 0x0, ...
 01828  1564   NtWaitForSingleObject  (200, 0, 0x0, ...
 01829  1024   NtSetEventBoostPriority  (200, ...
 01811   896   NtCreateThread  ... 348, {1252, 1972}, ) == 0x0
 01817  1964   NtDuplicateObject  ... 352, ) == 0x0
 01809  1568   NtWaitForSingleObject  ... ) == 0x0
 01829  1024   NtSetEventBoostPriority  ... ) == 0x0
 01830   896   NtQueryInformationThread  (348, Basic, 28, ...
 01831  1568   NtSetEventBoostPriority  (200, ...
 01832  1964   NtWaitForSingleObject  (200, 0, 0x0, ...
 01812  1808   NtWaitForSingleObject  ... ) == 0x0
 01830   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1252,Tid=1972,}, 0x0, ) == 0x0
 01833  1808   NtSetEventBoostPriority  (200, ...
 01834   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81943, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\264\7\0\0" ...  ...
 01813  1708   NtWaitForSingleObject  ... ) == 0x0
 01833  1808   NtSetEventBoostPriority  ... ) == 0x0
 01835  1708   NtSetEventBoostPriority  (200, ...
 01810  1336   NtWaitForSingleObject  ... ) == 0x0
 01836  1336   NtSetEventBoostPriority  (200, ...
 01814  2044   NtWaitForSingleObject  ... ) == 0x0
 01837  2044   NtSetEventBoostPriority  (200, ...
 01815  1436   NtWaitForSingleObject  ... ) == 0x0
 01838  1436   NtSetEventBoostPriority  (200, ...
 01816  1228   NtWaitForSingleObject  ... ) == 0x0
 01839  1228   NtSetEventBoostPriority  (200, ...
 01818  1120   NtWaitForSingleObject  ... ) == 0x0
 01840  1120   NtSetEventBoostPriority  (200, ...
 01819   860   NtWaitForSingleObject  ... ) == 0x0
 01841   860   NtSetEventBoostPriority  (200, ...
 01820   780   NtWaitForSingleObject  ... ) == 0x0
 01842   780   NtSetEventBoostPriority  (200, ...
 01821   940   NtWaitForSingleObject  ... ) == 0x0
 01843   940   NtSetEventBoostPriority  (200, ...
 01822   644   NtWaitForSingleObject  ... ) == 0x0
 01844   644   NtSetEventBoostPriority  (200, ...
 01823   320   NtWaitForSingleObject  ... ) == 0x0
 01845   320   NtSetEventBoostPriority  (200, ...
 01825   312   NtWaitForSingleObject  ... ) == 0x0
 01846   312   NtSetEventBoostPriority  (200, ...
 01826   752   NtWaitForSingleObject  ... ) == 0x0
 01847   752   NtSetEventBoostPriority  (200, ...
 01827  1512   NtWaitForSingleObject  ... ) == 0x0
 01848  1512   NtSetEventBoostPriority  (200, ...
 01828  1564   NtWaitForSingleObject  ... ) == 0x0
 01849  1564   NtSetEventBoostPriority  (200, ...
 01824   380   NtWaitForSingleObject  ... ) == 0x0
 01850   380   NtSetEventBoostPriority  (200, ...
 01832  1964   NtWaitForSingleObject  ... ) == 0x0
 01851  1964   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01849  1564   NtSetEventBoostPriority  ... ) == 0x0
 01848  1512   NtSetEventBoostPriority  ... ) == 0x0
 01847   752   NtSetEventBoostPriority  ... ) == 0x0
 01846   312   NtSetEventBoostPriority  ... ) == 0x0
 01835  1708   NtSetEventBoostPriority  ... ) == 0x0
 01852  1808   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01850   380   NtSetEventBoostPriority  ... ) == 0x0
 01845   320   NtSetEventBoostPriority  ... ) == 0x0
 01844   644   NtSetEventBoostPriority  ... ) == 0x0
 01843   940   NtSetEventBoostPriority  ... ) == 0x0
 01842   780   NtSetEventBoostPriority  ... ) == 0x0
 01841   860   NtSetEventBoostPriority  ... ) == 0x0
 01840  1120   NtSetEventBoostPriority  ... ) == 0x0
 01839  1228   NtSetEventBoostPriority  ... ) == 0x0
 01838  1436   NtSetEventBoostPriority  ... ) == 0x0
 01837  2044   NtSetEventBoostPriority  ... ) == 0x0
 01836  1336   NtSetEventBoostPriority  ... ) == 0x0
 01831  1568   NtSetEventBoostPriority  ... ) == 0x0
 01853  1024   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 01834   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81944, 0}  ... {28, 56, reply, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\344\4\0\0\264\7\0\0" )  ) == 0x0
 01851  1964   NtWaitForSingleObject  ... ) == 0x102
 01854  1564   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01855  1512   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01856   312   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01857  1708   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11595888, ... }, 11595888, ...
 01858   752   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01859   380   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01860   320   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01861   644   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01862   940   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01863   780   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01864   860   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01865  1120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01866  1228   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01867  1436   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01868  2044   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01869  1336   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01870  1568   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01853  1024   NtOpenFile  ... 356, {status=0x0, info=0}, ) == 0x0
 01871   896   NtResumeThread  (348, ...
 01872  1964   NtWaitForSingleObject  (136, 0, 0x0, ...
 01854  1564   NtWaitForSingleObject  ... ) == 0x102
 01855  1512   NtWaitForSingleObject  ... ) == 0x102
 01852  1808   NtWaitForSingleObject  ... ) == 0x102
 01856   312   NtWaitForSingleObject  ... ) == 0x102
 01858   752   NtWaitForSingleObject  ... ) == 0x102
 01873  1024   NtDeviceIoControlFile  (356, 0, 0x0, 0x0, 0x390008,  (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254M\210\237\265\346'\4=Qq\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01871   896   NtResumeThread  ... 1, ) == 0x0
 01874  1564   NtWaitForSingleObject  (136, 0, 0x0, ...
 01875  1512   NtWaitForSingleObject  (136, 0, 0x0, ...
 01876  1808   NtWaitForSingleObject  (136, 0, 0x0, ...
 01877   312   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 01878   752   NtWaitForSingleObject  (160, 0, 0x0, ...
 01879  1024   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01880   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01877   312   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 01879  1024   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01880   896   NtAllocateVirtualMemory  ... 40960000, 1048576, ) == 0x0
 01881   312   NtSetEventBoostPriority  (160, ...
 01882  1024   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01883   896   NtAllocateVirtualMemory  (-1, 42000384, 0, 8192, 4096, 4, ...
 01878   752   NtWaitForSingleObject  ... ) == 0x0
 01881   312   NtSetEventBoostPriority  ... ) == 0x0
 01857  1708   NtQueryAttributesFile  ... ) == 0x0
 01859   380   NtWaitForSingleObject  ... ) == 0x102
 01860   320   NtWaitForSingleObject  ... ) == 0x102
 01861   644   NtWaitForSingleObject  ... ) == 0x102
 01862   940   NtWaitForSingleObject  ... ) == 0x102
 01863   780   NtWaitForSingleObject  ... ) == 0x102
 01864   860   NtWaitForSingleObject  ... ) == 0x102
 01865  1120   NtWaitForSingleObject  ... ) == 0x102
 01866  1228   NtWaitForSingleObject  ... ) == 0x102
 01867  1436   NtWaitForSingleObject  ... ) == 0x102
 01868  2044   NtWaitForSingleObject  ... ) == 0x102
 01869  1336   NtWaitForSingleObject  ... ) == 0x102
 01870  1568   NtWaitForSingleObject  ... ) == 0x102
 01884  1972   NtWaitForSingleObject  (88, 0, 0x0, ...
 01882  1024   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01885   752   NtWaitForSingleObject  (136, 0, 0x0, ...
 01883   896   NtAllocateVirtualMemory  ... 42000384, 8192, ) == 0x0
 01886  1708   NtSetEventBoostPriority  (88, ...
 01887   380   NtWaitForSingleObject  (136, 0, 0x0, ...
 01888   320   NtWaitForSingleObject  (136, 0, 0x0, ...
 01889   644   NtWaitForSingleObject  (136, 0, 0x0, ...
 01890   940   NtWaitForSingleObject  (136, 0, 0x0, ...
 01891   780   NtWaitForSingleObject  (136, 0, 0x0, ...
 01892   860   NtWaitForSingleObject  (136, 0, 0x0, ...
 01893  1120   NtWaitForSingleObject  (136, 0, 0x0, ...
 01894  1228   NtWaitForSingleObject  (136, 0, 0x0, ...
 01895  1436   NtWaitForSingleObject  (136, 0, 0x0, ...
 01896  2044   NtWaitForSingleObject  (136, 0, 0x0, ...
 01897  1336   NtWaitForSingleObject  (136, 0, 0x0, ...
 01898  1568   NtWaitForSingleObject  (136, 0, 0x0, ...
 01899  1024   NtQuerySystemInformation  (Performance, 312, ...
 01900   896   NtProtectVirtualMemory  (-1, (0x280e000), 4096, 260, ...
 01884  1972   NtWaitForSingleObject  ... ) == 0x0
 01886  1708   NtSetEventBoostPriority  ... ) == 0x0
 01899  1024   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01901  1972   NtTestAlert  (...
 01900   896   NtProtectVirtualMemory  ... (0x280e000), 4096, 4, ) == 0x0
 01902  1708   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01901  1972   NtTestAlert  ... ) == 0x0
 01903  1024   NtQuerySystemInformation  (Exception, 16, ...
 01904   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01902  1708   NtOpenKey  ... 360, ) == 0x0
 01905   312   NtWaitForSingleObject  (136, 0, 0x0, ...
 01903  1024   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01906  1708   NtQueryValueKey  (360,  (360, "Transports", Partial, 144, ... , Partial, 144, ...
 01907  1024   NtQuerySystemInformation  (Lookaside, 32, ...
 01904   896   NtCreateThread  ... 364, {1252, 1248}, ) == 0x0
 01908  1972   NtContinue  (40959280, 1, ...
 01906  1708   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01909   896   NtQueryInformationThread  (364, Basic, 28, ...
 01910  1972   NtRegisterThreadTerminatePort  (24, ...
 01911  1708   NtQueryValueKey  (360,  (360, "Transports", Partial, 144, ... , Partial, 144, ...
 01909   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1252,Tid=1248,}, 0x0, ) == 0x0
 01910  1972   NtRegisterThreadTerminatePort  ... ) == 0x0
 01911  1708   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01912   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81944, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0\340\4\0\0" ...  ...
 01913  1972   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01914  1708   NtClose  (360, ...
 01912   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 81945, 0}  ... {28, 56, reply, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\344\4\0\0\340\4\0\0" )  ) == 0x0
 01913  1972   NtDuplicateObject  ... 368, ) == 0x0
 01914  1708   NtClose  ... ) == 0x0
 01907  1024   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01915  1972   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01916  1708   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01917  1024   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01918   896   NtResumeThread  (364, ...
 01915  1972   NtWaitForSingleObject  ... ) == 0x102
 01917  1024   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01918   896   NtResumeThread  ... 1, ) == 0x0
 01919  1972   NtWaitForSingleObject  (136, 0, 0x0, ...
 01920  1024   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01921   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01920  1024   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01921   896   NtAllocateVirtualMemory  ... 42008576, 1048576, ) == 0x0
 01922  1024   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01923   896   NtAllocateVirtualMemory  (-1, 43048960, 0, 8192, 4096, 4, ...
 01916  1708   NtOpenKey  ... 360, ) == 0x0
 01924  1248   NtTestAlert  (...
 01923   896   NtAllocateVirtualMemory  ... 43048960, 8192, ) == 0x0
 01925  1708   NtQueryValueKey  (360,  (360, "Mapping", Partial, 144, ... , Partial, 144, ...
 01924  1248   NtTestAlert  ... ) == 0x0
 01922  1024   NtCreateKey  ... -2147482756, 2, ) == 0x0
 01925  1708   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01926  1248   NtContinue  (42007856, 1, ...
 01927  1024   NtSetValueKey  (-2147482756,  (-2147482756, "Seed", 0, 3, "\331H\356\345\314\36\344O\10y-C\262\302\34L\206\256#Z8\377'\27\2152w\257A\271\210\211{\5\222\373\371\374\342`\16\235v\366V,\242\223"\273\273\272\2179\203@\203\306\353\322\361\310;\276>\355x\253\246-\233!U\311\25j\323\324\350\263", 80, ... , 0, 3,  (-2147482756, "Seed", 0, 3, "\331H\356\345\314\36\344O\10y-C\262\302\34L\206\256#Z8\377'\27\2152w\257A\271\210\211{\5\222\373\371\374\342`\16\235v\366V,\242\223"\273\273\272\2179\203@\203\306\353\322\361\310;\276>\355x\253\246-\233!U\311\25j\323\324\350\263", 80, ... \273\273\272\2179\203@\203\306\353\322\361\310;\276>\355x\253\246-\233!U\311\25j\323\324\350\263", 80, ...
 01928  1708   NtQueryValueKey  (360,  (360, "Mapping", Partial, 144, ... , Partial, 144, ...
 01929  1248   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01930  1248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 372, ) == 0x0
 01931  1248   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 01932  1248   NtWaitForSingleObject  (136, 0, 0x0, ...
 01933   896   NtProtectVirtualMemory  (-1, (0x290e000), 4096, 260, ... (0x290e000), 4096, 4, ) == 0x0
 01934   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 376, {1252, 760}, ) == 0x0
 01935   896   NtQueryInformationThread  (376, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1252,Tid=760,}, 0x0, ) == 0x0
 01936   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\4\0\0\370\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\4\0\0\370\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81946, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\4\0\0\370\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\344\4\0\0\370\2\0\0" )  ) == 0x0
 01937   896   NtResumeThread  (376, ... 1, ) == 0x0
 01938   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01939   760   NtTestAlert  (... ) == 0x0
 01940   760   NtContinue  (43056432, 1, ...
 01941   760   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01942   760   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 380, ) == 0x0
 01943   760   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 01944   760   NtWaitForSingleObject  (136, 0, 0x0, ...
 01938   896   NtAllocateVirtualMemory  ... 43057152, 1048576, ) == 0x0
 01945   896   NtAllocateVirtualMemory  (-1, 44097536, 0, 8192, 4096, 4, ... 44097536, 8192, ) == 0x0
 01946   896   NtProtectVirtualMemory  (-1, (0x2a0e000), 4096, 260, ... (0x2a0e000), 4096, 4, ) == 0x0
 01947   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 384, {1252, 484}, ) == 0x0
 01948   896   NtQueryInformationThread  (384, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1252,Tid=484,}, 0x0, ) == 0x0
 01949   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\4\0\0\344\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\4\0\0\344\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81947, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\4\0\0\344\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\4\0\0\344\1\0\0" )  ) == 0x0
 01950   896   NtResumeThread  (384, ... 1, ) == 0x0
 01951   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 44105728, 1048576, ) == 0x0
 01952   896   NtAllocateVirtualMemory  (-1, 45146112, 0, 8192, 4096, 4, ... 45146112, 8192, ) == 0x0
 01953   484   NtTestAlert  (... ) == 0x0
 01954   484   NtContinue  (44105008, 1, ...
 01955   484   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01956   484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 388, ) == 0x0
 01957   484   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 01958   484   NtWaitForSingleObject  (136, 0, 0x0, ...
 01959   896   NtProtectVirtualMemory  (-1, (0x2b0e000), 4096, 260, ... (0x2b0e000), 4096, 4, ) == 0x0
 01960   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 392, {1252, 1304}, ) == 0x0
 01961   896   NtQueryInformationThread  (392, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1252,Tid=1304,}, 0x0, ) == 0x0
 01962   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\344\4\0\0\30\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\344\4\0\0\30\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81948, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\344\4\0\0\30\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\344\4\0\0\30\5\0\0" )  ) == 0x0
 01963   896   NtResumeThread  (392, ... 1, ) == 0x0
 01964   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01965  1304   NtTestAlert  (... ) == 0x0
 01966  1304   NtContinue  (45153584, 1, ...
 01967  1304   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01968  1304   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 396, ) == 0x0
 01969  1304   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 01970  1304   NtWaitForSingleObject  (136, 0, 0x0, ...
 01964   896   NtAllocateVirtualMemory  ... 45154304, 1048576, ) == 0x0
 01971   896   NtAllocateVirtualMemory  (-1, 46194688, 0, 8192, 4096, 4, ... 46194688, 8192, ) == 0x0
 01972   896   NtProtectVirtualMemory  (-1, (0x2c0e000), 4096, 260, ... (0x2c0e000), 4096, 4, ) == 0x0
 01973   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 400, {1252, 1292}, ) == 0x0
 01974   896   NtQueryInformationThread  (400, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1252,Tid=1292,}, 0x0, ) == 0x0
 01975   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\4\0\0\14\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\4\0\0\14\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81949, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\4\0\0\14\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\4\0\0\14\5\0\0" )  ) == 0x0
 01976   896   NtResumeThread  (400, ... 1, ) == 0x0
 01977   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 46202880, 1048576, ) == 0x0
 01978   896   NtAllocateVirtualMemory  (-1, 47243264, 0, 8192, 4096, 4, ... 47243264, 8192, ) == 0x0
 01979  1292   NtTestAlert  (... ) == 0x0
 01980  1292   NtContinue  (46202160, 1, ...
 01981  1292   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01982  1292   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 404, ) == 0x0
 01983  1292   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 01984  1292   NtWaitForSingleObject  (136, 0, 0x0, ...
 01985   896   NtProtectVirtualMemory  (-1, (0x2d0e000), 4096, 260, ... (0x2d0e000), 4096, 4, ) == 0x0
 01986   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 408, {1252, 1956}, ) == 0x0
 01987   896   NtQueryInformationThread  (408, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1252,Tid=1956,}, 0x0, ) == 0x0
 01988   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\4\0\0\244\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\4\0\0\244\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81950, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\4\0\0\244\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\344\4\0\0\244\7\0\0" )  ) == 0x0
 01989   896   NtResumeThread  (408, ... 1, ) == 0x0
 01990   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01991  1956   NtTestAlert  (... ) == 0x0
 01992  1956   NtContinue  (47250736, 1, ...
 01993  1956   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01994  1956   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 412, ) == 0x0
 01995  1956   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 01996  1956   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01990   896   NtAllocateVirtualMemory  ... 47251456, 1048576, ) == 0x0
 01997   896   NtAllocateVirtualMemory  (-1, 48291840, 0, 8192, 4096, 4, ... 48291840, 8192, ) == 0x0
 01998   896   NtProtectVirtualMemory  (-1, (0x2e0e000), 4096, 260, ... (0x2e0e000), 4096, 4, ) == 0x0
 01999   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01996  1956   NtWaitForSingleObject  ... ) == 0x102
 02000  1956   NtWaitForSingleObject  (136, 0, 0x0, ...
 01999   896   NtCreateThread  ... 416, {1252, 1556}, ) == 0x0
 02001   896   NtQueryInformationThread  (416, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1252,Tid=1556,}, 0x0, ) == 0x0
 02002   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\24\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\24\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81951, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\24\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\344\4\0\0\24\6\0\0" )  ) == 0x0
 02003   896   NtResumeThread  (416, ... 1, ) == 0x0
 02004   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 48300032, 1048576, ) == 0x0
 02005   896   NtAllocateVirtualMemory  (-1, 49340416, 0, 8192, 4096, 4, ... 49340416, 8192, ) == 0x0
 02006  1556   NtTestAlert  (... ) == 0x0
 02007  1556   NtContinue  (48299312, 1, ...
 02008  1556   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02009  1556   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 420, ) == 0x0
 02010  1556   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02011  1556   NtWaitForSingleObject  (136, 0, 0x0, ...
 02012   896   NtProtectVirtualMemory  (-1, (0x2f0e000), 4096, 260, ... (0x2f0e000), 4096, 4, ) == 0x0
 02013   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 424, {1252, 1480}, ) == 0x0
 02014   896   NtQueryInformationThread  (424, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1252,Tid=1480,}, 0x0, ) == 0x0
 02015   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81951, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0\310\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0\310\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81952, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0\310\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0\310\5\0\0" )  ) == 0x0
 02016   896   NtResumeThread  (424, ... 1, ) == 0x0
 02017   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02018  1480   NtTestAlert  (... ) == 0x0
 02019  1480   NtContinue  (49347888, 1, ...
 02020  1480   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02021  1480   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 428, ) == 0x0
 02022  1480   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02023  1480   NtWaitForSingleObject  (136, 0, 0x0, ...
 02017   896   NtAllocateVirtualMemory  ... 49348608, 1048576, ) == 0x0
 02024   896   NtAllocateVirtualMemory  (-1, 50388992, 0, 8192, 4096, 4, ... 50388992, 8192, ) == 0x0
 02025   896   NtProtectVirtualMemory  (-1, (0x300e000), 4096, 260, ... (0x300e000), 4096, 4, ) == 0x0
 02026   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 432, {1252, 1784}, ) == 0x0
 02027   896   NtQueryInformationThread  (432, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1252,Tid=1784,}, 0x0, ) == 0x0
 02028   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81952, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\370\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\370\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81953, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\370\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\344\4\0\0\370\6\0\0" )  ) == 0x0
 02029   896   NtResumeThread  (432, ... 1, ) == 0x0
 02030   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 50397184, 1048576, ) == 0x0
 02031   896   NtAllocateVirtualMemory  (-1, 51437568, 0, 8192, 4096, 4, ... 51437568, 8192, ) == 0x0
 02032  1784   NtTestAlert  (... ) == 0x0
 02033  1784   NtContinue  (50396464, 1, ...
 02034  1784   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02035  1784   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 436, ) == 0x0
 02036  1784   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02037  1784   NtWaitForSingleObject  (136, 0, 0x0, ...
 02038   896   NtProtectVirtualMemory  (-1, (0x310e000), 4096, 260, ... (0x310e000), 4096, 4, ) == 0x0
 02039   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 440, {1252, 1068}, ) == 0x0
 02040   896   NtQueryInformationThread  (440, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1252,Tid=1068,}, 0x0, ) == 0x0
 02041   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0,\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0,\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81954, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0,\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0,\4\0\0" )  ) == 0x0
 02042   896   NtResumeThread  (440, ... 1, ) == 0x0
 02043   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02044  1068   NtTestAlert  (... ) == 0x0
 02045  1068   NtContinue  (51445040, 1, ...
 02046  1068   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02047  1068   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 444, ) == 0x0
 02048  1068   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02049  1068   NtWaitForSingleObject  (136, 0, 0x0, ...
 02043   896   NtAllocateVirtualMemory  ... 51445760, 1048576, ) == 0x0
 02050   896   NtAllocateVirtualMemory  (-1, 52486144, 0, 8192, 4096, 4, ... 52486144, 8192, ) == 0x0
 02051   896   NtProtectVirtualMemory  (-1, (0x320e000), 4096, 260, ... (0x320e000), 4096, 4, ) == 0x0
 02052   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 448, {1252, 1856}, ) == 0x0
 02053   896   NtQueryInformationThread  (448, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1252,Tid=1856,}, 0x0, ) == 0x0
 02054   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81954, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0@\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0@\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81955, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0@\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\344\4\0\0@\7\0\0" )  ) == 0x0
 02055   896   NtResumeThread  (448, ... 1, ) == 0x0
 02056   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 52494336, 1048576, ) == 0x0
 02057   896   NtAllocateVirtualMemory  (-1, 53534720, 0, 8192, 4096, 4, ... 53534720, 8192, ) == 0x0
 02058  1856   NtTestAlert  (... ) == 0x0
 02059  1856   NtContinue  (52493616, 1, ...
 02060  1856   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02061  1856   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 452, ) == 0x0
 02062  1856   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02063  1856   NtWaitForSingleObject  (136, 0, 0x0, ...
 02064   896   NtProtectVirtualMemory  (-1, (0x330e000), 4096, 260, ... (0x330e000), 4096, 4, ) == 0x0
 02065   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 456, {1252, 1572}, ) == 0x0
 02066   896   NtQueryInformationThread  (456, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1252,Tid=1572,}, 0x0, ) == 0x0
 02067   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81955, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0$\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0$\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81956, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0$\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\1\0\0\344\4\0\0$\6\0\0" )  ) == 0x0
 02068   896   NtResumeThread  (456, ... 1, ) == 0x0
 02069   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02070  1572   NtTestAlert  (... ) == 0x0
 02071  1572   NtContinue  (53542192, 1, ...
 02072  1572   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02073  1572   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 460, ) == 0x0
 02074  1572   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02075  1572   NtWaitForSingleObject  (136, 0, 0x0, ...
 02069   896   NtAllocateVirtualMemory  ... 53542912, 1048576, ) == 0x0
 02076   896   NtAllocateVirtualMemory  (-1, 54583296, 0, 8192, 4096, 4, ... 54583296, 8192, ) == 0x0
 02077   896   NtProtectVirtualMemory  (-1, (0x340e000), 4096, 260, ... (0x340e000), 4096, 4, ) == 0x0
 02078   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 464, {1252, 1604}, ) == 0x0
 02079   896   NtQueryInformationThread  (464, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1252,Tid=1604,}, 0x0, ) == 0x0
 02080   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81956, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\4\0\0D\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\4\0\0D\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81957, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\4\0\0D\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\1\0\0\344\4\0\0D\6\0\0" )  ) == 0x0
 02081   896   NtResumeThread  (464, ... 1, ) == 0x0
 02082   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 54591488, 1048576, ) == 0x0
 02083   896   NtAllocateVirtualMemory  (-1, 55631872, 0, 8192, 4096, 4, ... 55631872, 8192, ) == 0x0
 02084  1604   NtTestAlert  (... ) == 0x0
 02085  1604   NtContinue  (54590768, 1, ...
 02086  1604   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02087  1604   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 468, ) == 0x0
 02088  1604   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02089  1604   NtWaitForSingleObject  (136, 0, 0x0, ...
 02090   896   NtProtectVirtualMemory  (-1, (0x350e000), 4096, 260, ... (0x350e000), 4096, 4, ) == 0x0
 02091   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 472, {1252, 1596}, ) == 0x0
 02092   896   NtQueryInformationThread  (472, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1252,Tid=1596,}, 0x0, ) == 0x0
 02093   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81957, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0<\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0<\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81958, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0<\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0<\6\0\0" )  ) == 0x0
 02094   896   NtResumeThread  (472, ... 1, ) == 0x0
 02095   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02096  1596   NtTestAlert  (... ) == 0x0
 02097  1596   NtContinue  (55639344, 1, ...
 02098  1596   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02099  1596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 476, ) == 0x0
 02100  1596   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02101  1596   NtWaitForSingleObject  (136, 0, 0x0, ...
 02095   896   NtAllocateVirtualMemory  ... 55640064, 1048576, ) == 0x0
 02102   896   NtAllocateVirtualMemory  (-1, 56680448, 0, 8192, 4096, 4, ... 56680448, 8192, ) == 0x0
 02103   896   NtProtectVirtualMemory  (-1, (0x360e000), 4096, 260, ... (0x360e000), 4096, 4, ) == 0x0
 02104   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 480, {1252, 1272}, ) == 0x0
 02105   896   NtQueryInformationThread  (480, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1252,Tid=1272,}, 0x0, ) == 0x0
 02106   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0\370\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0\370\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81959, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0\370\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\344\4\0\0\370\4\0\0" )  ) == 0x0
 02107   896   NtResumeThread  (480, ... 1, ) == 0x0
 02108   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 56688640, 1048576, ) == 0x0
 02109   896   NtAllocateVirtualMemory  (-1, 57729024, 0, 8192, 4096, 4, ... 57729024, 8192, ) == 0x0
 02110  1272   NtTestAlert  (... ) == 0x0
 02111  1272   NtContinue  (56687920, 1, ...
 02112  1272   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02113  1272   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 484, ) == 0x0
 02114  1272   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02115  1272   NtWaitForSingleObject  (136, 0, 0x0, ...
 02116   896   NtProtectVirtualMemory  (-1, (0x370e000), 4096, 260, ... (0x370e000), 4096, 4, ) == 0x0
 02117   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 488, {1252, 948}, ) == 0x0
 02118   896   NtQueryInformationThread  (488, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1252,Tid=948,}, 0x0, ) == 0x0
 02119   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\264\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\264\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81960, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\264\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\344\4\0\0\264\3\0\0" )  ) == 0x0
 02120   896   NtResumeThread  (488, ... 1, ) == 0x0
 02121   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02122   948   NtTestAlert  (... ) == 0x0
 02123   948   NtContinue  (57736496, 1, ...
 02124   948   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02125   948   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 02126   948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 492, ) == 0x0
 02127   948   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02121   896   NtAllocateVirtualMemory  ... 57737216, 1048576, ) == 0x0
 02128   896   NtAllocateVirtualMemory  (-1, 58777600, 0, 8192, 4096, 4, ... 58777600, 8192, ) == 0x0
 02129   896   NtProtectVirtualMemory  (-1, (0x380e000), 4096, 260, ... (0x380e000), 4096, 4, ) == 0x0
 02130   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02127   948   NtWaitForSingleObject  ... ) == 0x102
 02131   948   NtWaitForSingleObject  (136, 0, 0x0, ...
 02130   896   NtCreateThread  ... 496, {1252, 1064}, ) == 0x0
 02132   896   NtQueryInformationThread  (496, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1252,Tid=1064,}, 0x0, ) == 0x0
 02133   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\0(\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\0(\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81961, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\0(\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\0(\4\0\0" )  ) == 0x0
 02134   896   NtResumeThread  (496, ... 1, ) == 0x0
 02135   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 58785792, 1048576, ) == 0x0
 02136   896   NtAllocateVirtualMemory  (-1, 59826176, 0, 8192, 4096, 4, ... 59826176, 8192, ) == 0x0
 02137  1064   NtTestAlert  (... ) == 0x0
 02138  1064   NtContinue  (58785072, 1, ...
 02139  1064   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02140  1064   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 500, ) == 0x0
 02141  1064   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02142  1064   NtWaitForSingleObject  (136, 0, 0x0, ...
 02143   896   NtProtectVirtualMemory  (-1, (0x390e000), 4096, 260, ... (0x390e000), 4096, 4, ) == 0x0
 02144   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 504, {1252, 284}, ) == 0x0
 02145   896   NtQueryInformationThread  (504, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1252,Tid=284,}, 0x0, ) == 0x0
 02146   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0\34\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0\34\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81962, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0\34\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\344\4\0\0\34\1\0\0" )  ) == 0x0
 02147   896   NtResumeThread  (504, ... 1, ) == 0x0
 02148   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02149   284   NtTestAlert  (... ) == 0x0
 02150   284   NtContinue  (59833648, 1, ...
 02151   284   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02152   284   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 508, ) == 0x0
 02153   284   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02154   284   NtWaitForSingleObject  (136, 0, 0x0, ...
 02148   896   NtAllocateVirtualMemory  ... 59834368, 1048576, ) == 0x0
 02155   896   NtAllocateVirtualMemory  (-1, 60874752, 0, 8192, 4096, 4, ... 60874752, 8192, ) == 0x0
 02156   896   NtProtectVirtualMemory  (-1, (0x3a0e000), 4096, 260, ... (0x3a0e000), 4096, 4, ) == 0x0
 02157   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 512, {1252, 1384}, ) == 0x0
 02158   896   NtQueryInformationThread  (512, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1252,Tid=1384,}, 0x0, ) == 0x0
 02159   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0h\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0h\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81963, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0h\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0h\5\0\0" )  ) == 0x0
 02160   896   NtResumeThread  (512, ... 1, ) == 0x0
 02161   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 60882944, 1048576, ) == 0x0
 02162   896   NtAllocateVirtualMemory  (-1, 61923328, 0, 8192, 4096, 4, ... 61923328, 8192, ) == 0x0
 02163  1384   NtTestAlert  (... ) == 0x0
 02164  1384   NtContinue  (60882224, 1, ...
 02165  1384   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02166  1384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 516, ) == 0x0
 02167  1384   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02168  1384   NtWaitForSingleObject  (136, 0, 0x0, ...
 02169   896   NtProtectVirtualMemory  (-1, (0x3b0e000), 4096, 260, ... (0x3b0e000), 4096, 4, ) == 0x0
 02170   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 520, {1252, 1240}, ) == 0x0
 02171   896   NtQueryInformationThread  (520, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1252,Tid=1240,}, 0x0, ) == 0x0
 02172   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0\330\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0\330\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81964, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0\330\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0\330\4\0\0" )  ) == 0x0
 02173   896   NtResumeThread  (520, ... 1, ) == 0x0
 02174   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02175  1240   NtTestAlert  (... ) == 0x0
 02176  1240   NtContinue  (61930800, 1, ...
 02177  1240   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02178  1240   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 524, ) == 0x0
 02179  1240   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02174   896   NtAllocateVirtualMemory  ... 61931520, 1048576, ) == 0x0
 02180   896   NtAllocateVirtualMemory  (-1, 62971904, 0, 8192, 4096, 4, ... 62971904, 8192, ) == 0x0
 02181   896   NtProtectVirtualMemory  (-1, (0x3c0e000), 4096, 260, ... (0x3c0e000), 4096, 4, ) == 0x0
 02182   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 528, {1252, 296}, ) == 0x0
 02183   896   NtQueryInformationThread  (528, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1252,Tid=296,}, 0x0, ) == 0x0
 02184   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81964, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0(\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0(\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81965, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0(\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\344\4\0\0(\1\0\0" )  ) == 0x0
 02179  1240   NtWaitForSingleObject  ... ) == 0x102
 02185  1240   NtWaitForSingleObject  (136, 0, 0x0, ...
 02186   896   NtResumeThread  (528, ... 1, ) == 0x0
 02187   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 62980096, 1048576, ) == 0x0
 02188   896   NtAllocateVirtualMemory  (-1, 64020480, 0, 8192, 4096, 4, ... 64020480, 8192, ) == 0x0
 02189   296   NtTestAlert  (... ) == 0x0
 02190   296   NtContinue  (62979376, 1, ...
 02191   296   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02192   296   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 532, ) == 0x0
 02193   296   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02194   296   NtWaitForSingleObject  (136, 0, 0x0, ...
 02195   896   NtProtectVirtualMemory  (-1, (0x3d0e000), 4096, 260, ... (0x3d0e000), 4096, 4, ) == 0x0
 02196   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 536, {1252, 740}, ) == 0x0
 02197   896   NtQueryInformationThread  (536, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1252,Tid=740,}, 0x0, ) == 0x0
 02198   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81965, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\344\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\344\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81966, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\344\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\344\4\0\0\344\2\0\0" )  ) == 0x0
 02199   896   NtResumeThread  (536, ... 1, ) == 0x0
 02200   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02201   740   NtTestAlert  (... ) == 0x0
 02202   740   NtContinue  (64027952, 1, ...
 02203   740   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02204   740   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 540, ) == 0x0
 02205   740   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02206   740   NtWaitForSingleObject  (136, 0, 0x0, ...
 02200   896   NtAllocateVirtualMemory  ... 64028672, 1048576, ) == 0x0
 02207   896   NtAllocateVirtualMemory  (-1, 65069056, 0, 8192, 4096, 4, ... 65069056, 8192, ) == 0x0
 02208   896   NtProtectVirtualMemory  (-1, (0x3e0e000), 4096, 260, ... (0x3e0e000), 4096, 4, ) == 0x0
 02209   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 544, {1252, 120}, ) == 0x0
 02210   896   NtQueryInformationThread  (544, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1252,Tid=120,}, 0x0, ) == 0x0
 02211   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81966, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0x\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0x\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81967, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0x\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0x\0\0\0" )  ) == 0x0
 02212   896   NtResumeThread  (544, ... 1, ) == 0x0
 02213   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 65077248, 1048576, ) == 0x0
 02214   896   NtAllocateVirtualMemory  (-1, 66117632, 0, 8192, 4096, 4, ... 66117632, 8192, ) == 0x0
 02215   120   NtTestAlert  (... ) == 0x0
 02216   120   NtContinue  (65076528, 1, ...
 02217   120   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02218   120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 548, ) == 0x0
 02219   120   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02220   120   NtWaitForSingleObject  (136, 0, 0x0, ...
 02221   896   NtProtectVirtualMemory  (-1, (0x3f0e000), 4096, 260, ... (0x3f0e000), 4096, 4, ) == 0x0
 02222   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 552, {1252, 1356}, ) == 0x0
 02223   896   NtQueryInformationThread  (552, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1252,Tid=1356,}, 0x0, ) == 0x0
 02224   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81967, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0L\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0L\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81968, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0L\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0\344\4\0\0L\5\0\0" )  ) == 0x0
 02225   896   NtResumeThread  (552, ... 1, ) == 0x0
 02226   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02227  1356   NtAllocateVirtualMemory  (-1, 3629056, 0, 4096, 4096, 4, ... 3629056, 4096, ) == 0x0
 02228  1356   NtTestAlert  (... ) == 0x0
 02229  1356   NtContinue  (66125104, 1, ...
 02230  1356   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02231  1356   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 556, ) == 0x0
 02232  1356   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02226   896   NtAllocateVirtualMemory  ... 66125824, 1048576, ) == 0x0
 02233   896   NtAllocateVirtualMemory  (-1, 67166208, 0, 8192, 4096, 4, ... 67166208, 8192, ) == 0x0
 02234   896   NtProtectVirtualMemory  (-1, (0x400e000), 4096, 260, ... (0x400e000), 4096, 4, ) == 0x0
 02235   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02232  1356   NtWaitForSingleObject  ... ) == 0x102
 02236  1356   NtWaitForSingleObject  (136, 0, 0x0, ...
 02235   896   NtCreateThread  ... 560, {1252, 1796}, ) == 0x0
 02237   896   NtQueryInformationThread  (560, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1252,Tid=1796,}, 0x0, ) == 0x0
 02238   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81968, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0\4\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0\4\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81969, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0\4\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\344\4\0\0\4\7\0\0" )  ) == 0x0
 02239   896   NtResumeThread  (560, ... 1, ) == 0x0
 02240   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 67174400, 1048576, ) == 0x0
 02241   896   NtAllocateVirtualMemory  (-1, 68214784, 0, 8192, 4096, 4, ... 68214784, 8192, ) == 0x0
 02242  1796   NtTestAlert  (... ) == 0x0
 02243  1796   NtContinue  (67173680, 1, ...
 02244  1796   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02245  1796   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 564, ) == 0x0
 02246  1796   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 02247  1796   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02248   896   NtProtectVirtualMemory  (-1, (0x410e000), 4096, 260, ... (0x410e000), 4096, 4, ) == 0x0
 02249   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 568, {1252, 712}, ) == 0x0
 02250   896   NtQueryInformationThread  (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1252,Tid=712,}, 0x0, ) == 0x0
 02247  1796   NtWaitForSingleObject  ... ) == 0x102
 02251  1796   NtWaitForSingleObject  (136, 0, 0x0, ...
 02252   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81969, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\0\310\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\0\310\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81970, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\0\310\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\344\4\0\0\310\2\0\0" )  ) == 0x0
 02253   896   NtResumeThread  (568, ... 1, ) == 0x0
 02254   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02255   712   NtTestAlert  (... ) == 0x0
 02256   712   NtContinue  (68222256, 1, ...
 02257   712   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02258   712   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 572, ) == 0x0
 02259   712   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02260   712   NtWaitForSingleObject  (136, 0, 0x0, ...
 02254   896   NtAllocateVirtualMemory  ... 68222976, 1048576, ) == 0x0
 02261   896   NtAllocateVirtualMemory  (-1, 69263360, 0, 8192, 4096, 4, ... 69263360, 8192, ) == 0x0
 02262   896   NtProtectVirtualMemory  (-1, (0x420e000), 4096, 260, ... (0x420e000), 4096, 4, ) == 0x0
 02263   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 576, {1252, 1728}, ) == 0x0
 02264   896   NtQueryInformationThread  (576, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1252,Tid=1728,}, 0x0, ) == 0x0
 02265   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81970, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\300\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\300\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81971, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\300\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0\300\6\0\0" )  ) == 0x0
 02266   896   NtResumeThread  (576, ... 1, ) == 0x0
 02267   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 69271552, 1048576, ) == 0x0
 02268   896   NtAllocateVirtualMemory  (-1, 70311936, 0, 8192, 4096, 4, ... 70311936, 8192, ) == 0x0
 02269  1728   NtTestAlert  (... ) == 0x0
 02270  1728   NtContinue  (69270832, 1, ...
 02271  1728   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02272  1728   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 580, ) == 0x0
 02273  1728   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02274  1728   NtWaitForSingleObject  (136, 0, 0x0, ...
 02275   896   NtProtectVirtualMemory  (-1, (0x430e000), 4096, 260, ... (0x430e000), 4096, 4, ) == 0x0
 02276   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 584, {1252, 152}, ) == 0x0
 02277   896   NtQueryInformationThread  (584, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1252,Tid=152,}, 0x0, ) == 0x0
 02278   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81971, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0\230\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0\230\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81972, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0\230\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0\230\0\0\0" )  ) == 0x0
 02279   896   NtResumeThread  (584, ... 1, ) == 0x0
 02280   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02281   152   NtTestAlert  (... ) == 0x0
 02282   152   NtContinue  (70319408, 1, ...
 02283   152   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02284   152   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 588, ) == 0x0
 02285   152   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02286   152   NtWaitForSingleObject  (136, 0, 0x0, ...
 02280   896   NtAllocateVirtualMemory  ... 70320128, 1048576, ) == 0x0
 02287   896   NtAllocateVirtualMemory  (-1, 71360512, 0, 8192, 4096, 4, ... 71360512, 8192, ) == 0x0
 02288   896   NtProtectVirtualMemory  (-1, (0x440e000), 4096, 260, ... (0x440e000), 4096, 4, ) == 0x0
 02289   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 592, {1252, 212}, ) == 0x0
 02290   896   NtQueryInformationThread  (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1252,Tid=212,}, 0x0, ) == 0x0
 02291   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81972, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\324\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\324\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81973, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\324\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\344\4\0\0\324\0\0\0" )  ) == 0x0
 02292   896   NtResumeThread  (592, ... 1, ) == 0x0
 02293   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 71368704, 1048576, ) == 0x0
 02294   896   NtAllocateVirtualMemory  (-1, 72409088, 0, 8192, 4096, 4, ... 72409088, 8192, ) == 0x0
 02295   212   NtTestAlert  (... ) == 0x0
 02296   212   NtContinue  (71367984, 1, ...
 02297   212   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02298   212   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 596, ) == 0x0
 02299   212   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02300   212   NtWaitForSingleObject  (136, 0, 0x0, ...
 02301   896   NtProtectVirtualMemory  (-1, (0x450e000), 4096, 260, ... (0x450e000), 4096, 4, ) == 0x0
 02302   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 600, {1252, 180}, ) == 0x0
 02303   896   NtQueryInformationThread  (600, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1252,Tid=180,}, 0x0, ) == 0x0
 02304   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81973, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\264\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\264\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81974, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\264\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0\264\0\0\0" )  ) == 0x0
 02305   896   NtResumeThread  (600, ... 1, ) == 0x0
 02306   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02307   180   NtTestAlert  (... ) == 0x0
 02308   180   NtContinue  (72416560, 1, ...
 02309   180   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02310   180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 604, ) == 0x0
 02311   180   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02312   180   NtWaitForSingleObject  (136, 0, 0x0, ...
 02306   896   NtAllocateVirtualMemory  ... 72417280, 1048576, ) == 0x0
 02313   896   NtAllocateVirtualMemory  (-1, 73457664, 0, 8192, 4096, 4, ... 73457664, 8192, ) == 0x0
 02314   896   NtProtectVirtualMemory  (-1, (0x460e000), 4096, 260, ... (0x460e000), 4096, 4, ) == 0x0
 02315   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 608, {1252, 1904}, ) == 0x0
 02316   896   NtQueryInformationThread  (608, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1252,Tid=1904,}, 0x0, ) == 0x0
 02317   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81974, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\0p\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\0p\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81975, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\0p\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\344\4\0\0p\7\0\0" )  ) == 0x0
 02318   896   NtResumeThread  (608, ... 1, ) == 0x0
 02319   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 73465856, 1048576, ) == 0x0
 02320   896   NtAllocateVirtualMemory  (-1, 74506240, 0, 8192, 4096, 4, ... 74506240, 8192, ) == 0x0
 02321  1904   NtTestAlert  (... ) == 0x0
 02322  1904   NtContinue  (73465136, 1, ...
 02323  1904   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02324  1904   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 612, ) == 0x0
 02325  1904   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02326  1904   NtWaitForSingleObject  (136, 0, 0x0, ...
 02327   896   NtProtectVirtualMemory  (-1, (0x470e000), 4096, 260, ... (0x470e000), 4096, 4, ) == 0x0
 02328   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {1252, 1536}, ) == 0x0
 02329   896   NtQueryInformationThread  (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1252,Tid=1536,}, 0x0, ) == 0x0
 02330   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81975, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0\0\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0\0\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81976, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0\0\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0\0\6\0\0" )  ) == 0x0
 02331   896   NtResumeThread  (616, ... 1, ) == 0x0
 02332   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02333  1536   NtTestAlert  (... ) == 0x0
 02334  1536   NtContinue  (74513712, 1, ...
 02335  1536   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02336  1536   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 620, ) == 0x0
 02337  1536   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02338  1536   NtWaitForSingleObject  (136, 0, 0x0, ...
 02332   896   NtAllocateVirtualMemory  ... 74514432, 1048576, ) == 0x0
 02339   896   NtAllocateVirtualMemory  (-1, 75554816, 0, 8192, 4096, 4, ... 75554816, 8192, ) == 0x0
 02340   896   NtProtectVirtualMemory  (-1, (0x480e000), 4096, 260, ... (0x480e000), 4096, 4, ) == 0x0
 02341   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 624, {1252, 444}, ) == 0x0
 02342   896   NtQueryInformationThread  (624, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1252,Tid=444,}, 0x0, ) == 0x0
 02343   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81976, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\274\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\274\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81977, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\274\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\274\1\0\0" )  ) == 0x0
 02344   896   NtResumeThread  (624, ... 1, ) == 0x0
 02345   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 75563008, 1048576, ) == 0x0
 02346   896   NtAllocateVirtualMemory  (-1, 76603392, 0, 8192, 4096, 4, ... 76603392, 8192, ) == 0x0
 02347   444   NtTestAlert  (... ) == 0x0
 02348   444   NtContinue  (75562288, 1, ...
 02349   444   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02350   444   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 628, ) == 0x0
 02351   444   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02352   444   NtWaitForSingleObject  (136, 0, 0x0, ...
 02353   896   NtProtectVirtualMemory  (-1, (0x490e000), 4096, 260, ... (0x490e000), 4096, 4, ) == 0x0
 02354   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 632, {1252, 1936}, ) == 0x0
 02355   896   NtQueryInformationThread  (632, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1252,Tid=1936,}, 0x0, ) == 0x0
 02356   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81977, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\220\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\220\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81978, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\220\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\344\4\0\0\220\7\0\0" )  ) == 0x0
 02357   896   NtResumeThread  (632, ... 1, ) == 0x0
 02358   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02359  1936   NtTestAlert  (... ) == 0x0
 02360  1936   NtContinue  (76610864, 1, ...
 02361  1936   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02362  1936   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 636, ) == 0x0
 02363  1936   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02364  1936   NtWaitForSingleObject  (136, 0, 0x0, ...
 02358   896   NtAllocateVirtualMemory  ... 76611584, 1048576, ) == 0x0
 02365   896   NtAllocateVirtualMemory  (-1, 77651968, 0, 8192, 4096, 4, ... 77651968, 8192, ) == 0x0
 02366   896   NtProtectVirtualMemory  (-1, (0x4a0e000), 4096, 260, ... (0x4a0e000), 4096, 4, ) == 0x0
 02367   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 640, {1252, 1648}, ) == 0x0
 02368   896   NtQueryInformationThread  (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1252,Tid=1648,}, 0x0, ) == 0x0
 02369   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81978, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0p\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0p\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81979, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0p\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\344\4\0\0p\6\0\0" )  ) == 0x0
 02370   896   NtResumeThread  (640, ... 1, ) == 0x0
 02371   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 77660160, 1048576, ) == 0x0
 02372   896   NtAllocateVirtualMemory  (-1, 78700544, 0, 8192, 4096, 4, ... 78700544, 8192, ) == 0x0
 02373  1648   NtTestAlert  (... ) == 0x0
 02374  1648   NtContinue  (77659440, 1, ...
 02375  1648   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02376  1648   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 644, ) == 0x0
 02377  1648   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 02378  1648   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02379   896   NtProtectVirtualMemory  (-1, (0x4b0e000), 4096, 260, ... (0x4b0e000), 4096, 4, ) == 0x0
 02380   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {1252, 276}, ) == 0x0
 02381   896   NtQueryInformationThread  (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1252,Tid=276,}, 0x0, ) == 0x0
 02378  1648   NtWaitForSingleObject  ... ) == 0x102
 02382  1648   NtWaitForSingleObject  (136, 0, 0x0, ...
 02383   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81979, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\0\24\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\0\24\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81980, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\0\24\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\344\4\0\0\24\1\0\0" )  ) == 0x0
 02384   896   NtResumeThread  (648, ... 1, ) == 0x0
 02385   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02386   276   NtTestAlert  (... ) == 0x0
 02387   276   NtContinue  (78708016, 1, ...
 02388   276   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02389   276   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 652, ) == 0x0
 02390   276   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02391   276   NtWaitForSingleObject  (136, 0, 0x0, ...
 02385   896   NtAllocateVirtualMemory  ... 78708736, 1048576, ) == 0x0
 02392   896   NtAllocateVirtualMemory  (-1, 79749120, 0, 8192, 4096, 4, ... 79749120, 8192, ) == 0x0
 02393   896   NtProtectVirtualMemory  (-1, (0x4c0e000), 4096, 260, ... (0x4c0e000), 4096, 4, ) == 0x0
 02394   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {1252, 968}, ) == 0x0
 02395   896   NtQueryInformationThread  (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1252,Tid=968,}, 0x0, ) == 0x0
 02396   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81980, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\310\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\310\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81981, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\310\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\344\4\0\0\310\3\0\0" )  ) == 0x0
 02397   896   NtResumeThread  (656, ... 1, ) == 0x0
 02398   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 79757312, 1048576, ) == 0x0
 02399   896   NtAllocateVirtualMemory  (-1, 80797696, 0, 8192, 4096, 4, ... 80797696, 8192, ) == 0x0
 02400   968   NtTestAlert  (... ) == 0x0
 02401   968   NtContinue  (79756592, 1, ...
 02402   968   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02403   968   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 660, ) == 0x0
 02404   968   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02405   968   NtWaitForSingleObject  (136, 0, 0x0, ...
 02406   896   NtProtectVirtualMemory  (-1, (0x4d0e000), 4096, 260, ... (0x4d0e000), 4096, 4, ) == 0x0
 02407   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {1252, 1688}, ) == 0x0
 02408   896   NtQueryInformationThread  (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1252,Tid=1688,}, 0x0, ) == 0x0
 02409   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81981, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0\230\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0\230\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81982, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0\230\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0\230\6\0\0" )  ) == 0x0
 02410   896   NtResumeThread  (664, ... 1, ) == 0x0
 02411   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02412  1688   NtTestAlert  (... ) == 0x0
 02413  1688   NtContinue  (80805168, 1, ...
 02414  1688   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02415  1688   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 668, ) == 0x0
 02416  1688   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02417  1688   NtWaitForSingleObject  (136, 0, 0x0, ...
 02411   896   NtAllocateVirtualMemory  ... 80805888, 1048576, ) == 0x0
 02418   896   NtAllocateVirtualMemory  (-1, 81846272, 0, 8192, 4096, 4, ... 81846272, 8192, ) == 0x0
 02419   896   NtProtectVirtualMemory  (-1, (0x4e0e000), 4096, 260, ... (0x4e0e000), 4096, 4, ) == 0x0
 02420   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1252, 308}, ) == 0x0
 02421   896   NtQueryInformationThread  (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1252,Tid=308,}, 0x0, ) == 0x0
 02422   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81982, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\04\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\04\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81983, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\04\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\04\1\0\0" )  ) == 0x0
 02423   896   NtResumeThread  (672, ... 1, ) == 0x0
 02424   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 81854464, 1048576, ) == 0x0
 02425   896   NtAllocateVirtualMemory  (-1, 82894848, 0, 8192, 4096, 4, ... 82894848, 8192, ) == 0x0
 02426   308   NtTestAlert  (... ) == 0x0
 02427   308   NtContinue  (81853744, 1, ...
 02428   308   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02429   308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 676, ) == 0x0
 02430   308   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02431   308   NtWaitForSingleObject  (136, 0, 0x0, ...
 02432   896   NtProtectVirtualMemory  (-1, (0x4f0e000), 4096, 260, ... (0x4f0e000), 4096, 4, ) == 0x0
 02433   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1252, 1584}, ) == 0x0
 02434   896   NtQueryInformationThread  (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1252,Tid=1584,}, 0x0, ) == 0x0
 02435   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81983, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\00\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\00\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81984, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\00\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\00\6\0\0" )  ) == 0x0
 02436   896   NtResumeThread  (680, ... 1, ) == 0x0
 02437   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02438  1584   NtTestAlert  (... ) == 0x0
 02439  1584   NtContinue  (82902320, 1, ...
 02440  1584   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02441  1584   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 684, ) == 0x0
 02442  1584   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02443  1584   NtWaitForSingleObject  (136, 0, 0x0, ...
 02437   896   NtAllocateVirtualMemory  ... 82903040, 1048576, ) == 0x0
 02444   896   NtAllocateVirtualMemory  (-1, 83943424, 0, 8192, 4096, 4, ... 83943424, 8192, ) == 0x0
 02445   896   NtProtectVirtualMemory  (-1, (0x500e000), 4096, 260, ... (0x500e000), 4096, 4, ) == 0x0
 02446   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1252, 1496}, ) == 0x0
 02447   896   NtQueryInformationThread  (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1252,Tid=1496,}, 0x0, ) == 0x0
 02448   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81984, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\330\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\330\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81985, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\330\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\330\5\0\0" )  ) == 0x0
 02449   896   NtResumeThread  (688, ... 1, ) == 0x0
 02450   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 83951616, 1048576, ) == 0x0
 02451   896   NtAllocateVirtualMemory  (-1, 84992000, 0, 8192, 4096, 4, ... 84992000, 8192, ) == 0x0
 02452  1496   NtTestAlert  (... ) == 0x0
 02453  1496   NtContinue  (83950896, 1, ...
 02454  1496   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02455  1496   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 692, ) == 0x0
 02456  1496   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02457  1496   NtWaitForSingleObject  (136, 0, 0x0, ...
 02458   896   NtProtectVirtualMemory  (-1, (0x510e000), 4096, 260, ... (0x510e000), 4096, 4, ) == 0x0
 02459   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {1252, 1944}, ) == 0x0
 02460   896   NtQueryInformationThread  (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1252,Tid=1944,}, 0x0, ) == 0x0
 02461   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81985, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\230\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\230\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81986, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\230\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0\230\7\0\0" )  ) == 0x0
 02462   896   NtResumeThread  (696, ... 1, ) == 0x0
 02463   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02464  1944   NtTestAlert  (... ) == 0x0
 02465  1944   NtContinue  (84999472, 1, ...
 02466  1944   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02467  1944   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 700, ) == 0x0
 02468  1944   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02469  1944   NtWaitForSingleObject  (136, 0, 0x0, ...
 02463   896   NtAllocateVirtualMemory  ... 85000192, 1048576, ) == 0x0
 02470   896   NtAllocateVirtualMemory  (-1, 86040576, 0, 8192, 4096, 4, ... 86040576, 8192, ) == 0x0
 02471   896   NtProtectVirtualMemory  (-1, (0x520e000), 4096, 260, ... (0x520e000), 4096, 4, ) == 0x0
 02472   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1252, 1896}, ) == 0x0
 02473   896   NtQueryInformationThread  (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1252,Tid=1896,}, 0x0, ) == 0x0
 02474   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81986, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0h\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0h\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81987, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0h\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\344\4\0\0h\7\0\0" )  ) == 0x0
 02475   896   NtResumeThread  (704, ... 1, ) == 0x0
 02476   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 86048768, 1048576, ) == 0x0
 02477   896   NtAllocateVirtualMemory  (-1, 87089152, 0, 8192, 4096, 4, ... 87089152, 8192, ) == 0x0
 02478  1896   NtTestAlert  (... ) == 0x0
 02479  1896   NtContinue  (86048048, 1, ...
 02480  1896   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02481  1896   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 708, ) == 0x0
 02482  1896   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02483  1896   NtWaitForSingleObject  (136, 0, 0x0, ...
 02484   896   NtProtectVirtualMemory  (-1, (0x530e000), 4096, 260, ... (0x530e000), 4096, 4, ) == 0x0
 02485   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1252, 148}, ) == 0x0
 02486   896   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1252,Tid=148,}, 0x0, ) == 0x0
 02487   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81987, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\224\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\224\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81988, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\224\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0\224\0\0\0" )  ) == 0x0
 02488   896   NtResumeThread  (712, ... 1, ) == 0x0
 02489   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02490   148   NtTestAlert  (... ) == 0x0
 02491   148   NtContinue  (87096624, 1, ...
 02492   148   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02493   148   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 716, ) == 0x0
 02494   148   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02495   148   NtWaitForSingleObject  (136, 0, 0x0, ...
 02489   896   NtAllocateVirtualMemory  ... 87097344, 1048576, ) == 0x0
 02496   896   NtAllocateVirtualMemory  (-1, 88137728, 0, 8192, 4096, 4, ... 88137728, 8192, ) == 0x0
 02497   896   NtProtectVirtualMemory  (-1, (0x540e000), 4096, 260, ... (0x540e000), 4096, 4, ) == 0x0
 02498   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1252, 1500}, ) == 0x0
 02499   896   NtQueryInformationThread  (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1252,Tid=1500,}, 0x0, ) == 0x0
 02500   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81988, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\334\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\334\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81989, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\334\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\334\5\0\0" )  ) == 0x0
 02501   896   NtResumeThread  (720, ... 1, ) == 0x0
 02502   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 88145920, 1048576, ) == 0x0
 02503   896   NtAllocateVirtualMemory  (-1, 89186304, 0, 8192, 4096, 4, ... 89186304, 8192, ) == 0x0
 02504  1500   NtTestAlert  (... ) == 0x0
 02505  1500   NtContinue  (88145200, 1, ...
 02506  1500   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02507  1500   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 02508  1500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02509   896   NtProtectVirtualMemory  (-1, (0x550e000), 4096, 260, ... (0x550e000), 4096, 4, ) == 0x0
 02510   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1252, 2032}, ) == 0x0
 02511   896   NtQueryInformationThread  (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1252,Tid=2032,}, 0x0, ) == 0x0
 02512   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81989, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0\360\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0\360\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81990, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0\360\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0\360\7\0\0" )  ) == 0x0
 02513   896   NtResumeThread  (724, ... 1, ) == 0x0
 02514   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02508  1500   NtDuplicateObject  ... 728, ) == 0x0
 02515  2032   NtTestAlert  (...
 02516  1500   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02515  2032   NtTestAlert  ... ) == 0x0
 02516  1500   NtWaitForSingleObject  ... ) == 0x102
 02517  2032   NtContinue  (89193776, 1, ...
 02518  1500   NtWaitForSingleObject  (136, 0, 0x0, ...
 02519  2032   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02520  2032   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 732, ) == 0x0
 02521  2032   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02522  2032   NtWaitForSingleObject  (136, 0, 0x0, ...
 02514   896   NtAllocateVirtualMemory  ... 89194496, 1048576, ) == 0x0
 02523   896   NtAllocateVirtualMemory  (-1, 90234880, 0, 8192, 4096, 4, ... 90234880, 8192, ) == 0x0
 02524   896   NtProtectVirtualMemory  (-1, (0x560e000), 4096, 260, ... (0x560e000), 4096, 4, ) == 0x0
 02525   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 736, {1252, 1592}, ) == 0x0
 02526   896   NtQueryInformationThread  (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1252,Tid=1592,}, 0x0, ) == 0x0
 02527   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81990, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\08\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\08\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81991, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\08\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\344\4\0\08\6\0\0" )  ) == 0x0
 02528   896   NtResumeThread  (736, ... 1, ) == 0x0
 02529   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 90243072, 1048576, ) == 0x0
 02530   896   NtAllocateVirtualMemory  (-1, 91283456, 0, 8192, 4096, 4, ... 91283456, 8192, ) == 0x0
 02531  1592   NtTestAlert  (... ) == 0x0
 02532  1592   NtContinue  (90242352, 1, ...
 02533  1592   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02534  1592   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 740, ) == 0x0
 02535  1592   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02536  1592   NtWaitForSingleObject  (136, 0, 0x0, ...
 02537   896   NtProtectVirtualMemory  (-1, (0x570e000), 4096, 260, ... (0x570e000), 4096, 4, ) == 0x0
 02538   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {1252, 496}, ) == 0x0
 02539   896   NtQueryInformationThread  (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1252,Tid=496,}, 0x0, ) == 0x0
 02540   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81991, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\360\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\360\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81992, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\360\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\344\4\0\0\360\1\0\0" )  ) == 0x0
 02541   896   NtResumeThread  (744, ... 1, ) == 0x0
 02542   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02543   496   NtTestAlert  (... ) == 0x0
 02544   496   NtContinue  (91290928, 1, ...
 02545   496   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02546   496   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 748, ) == 0x0
 02547   496   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02548   496   NtWaitForSingleObject  (136, 0, 0x0, ...
 02542   896   NtAllocateVirtualMemory  ... 91291648, 1048576, ) == 0x0
 02549   896   NtAllocateVirtualMemory  (-1, 92332032, 0, 8192, 4096, 4, ... 92332032, 8192, ) == 0x0
 02550   896   NtProtectVirtualMemory  (-1, (0x580e000), 4096, 260, ... (0x580e000), 4096, 4, ) == 0x0
 02551   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {1252, 476}, ) == 0x0
 02552   896   NtQueryInformationThread  (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1252,Tid=476,}, 0x0, ) == 0x0
 02553   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81992, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\334\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\334\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81993, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\334\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\344\4\0\0\334\1\0\0" )  ) == 0x0
 02554   896   NtResumeThread  (752, ... 1, ) == 0x0
 02555   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 92340224, 1048576, ) == 0x0
 02556   896   NtAllocateVirtualMemory  (-1, 93380608, 0, 8192, 4096, 4, ... 93380608, 8192, ) == 0x0
 02557   476   NtTestAlert  (... ) == 0x0
 02558   476   NtContinue  (92339504, 1, ...
 02559   476   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02560   476   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 756, ) == 0x0
 02561   476   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02562   476   NtWaitForSingleObject  (136, 0, 0x0, ...
 02563   896   NtProtectVirtualMemory  (-1, (0x590e000), 4096, 260, ... (0x590e000), 4096, 4, ) == 0x0
 02564   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {1252, 1404}, ) == 0x0
 02565   896   NtQueryInformationThread  (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1252,Tid=1404,}, 0x0, ) == 0x0
 02566   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81993, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0|\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0|\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81994, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0|\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0|\5\0\0" )  ) == 0x0
 02567   896   NtResumeThread  (760, ... 1, ) == 0x0
 02568   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02569  1404   NtTestAlert  (... ) == 0x0
 02570  1404   NtContinue  (93388080, 1, ...
 02571  1404   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02572  1404   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 764, ) == 0x0
 02573  1404   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02574  1404   NtWaitForSingleObject  (136, 0, 0x0, ...
 02568   896   NtAllocateVirtualMemory  ... 93388800, 1048576, ) == 0x0
 02575   896   NtAllocateVirtualMemory  (-1, 94429184, 0, 8192, 4096, 4, ... 94429184, 8192, ) == 0x0
 02576   896   NtProtectVirtualMemory  (-1, (0x5a0e000), 4096, 260, ... (0x5a0e000), 4096, 4, ) == 0x0
 02577   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 768, {1252, 1744}, ) == 0x0
 02578   896   NtQueryInformationThread  (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1252,Tid=1744,}, 0x0, ) == 0x0
 02579   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81994, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0\320\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0\320\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81995, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0\320\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0\320\6\0\0" )  ) == 0x0
 02580   896   NtResumeThread  (768, ... 1, ) == 0x0
 02581   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 94437376, 1048576, ) == 0x0
 02582   896   NtAllocateVirtualMemory  (-1, 95477760, 0, 8192, 4096, 4, ... 95477760, 8192, ) == 0x0
 02583  1744   NtTestAlert  (... ) == 0x0
 02584  1744   NtContinue  (94436656, 1, ...
 02585  1744   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02586  1744   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 772, ) == 0x0
 02587  1744   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02588  1744   NtWaitForSingleObject  (136, 0, 0x0, ...
 02589   896   NtProtectVirtualMemory  (-1, (0x5b0e000), 4096, 260, ... (0x5b0e000), 4096, 4, ) == 0x0
 02590   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 776, {1252, 1128}, ) == 0x0
 02591   896   NtQueryInformationThread  (776, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1252,Tid=1128,}, 0x0, ) == 0x0
 02592   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81995, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\344\4\0\0h\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\344\4\0\0h\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81996, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\344\4\0\0h\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\344\4\0\0h\4\0\0" )  ) == 0x0
 02593   896   NtResumeThread  (776, ... 1, ) == 0x0
 02594   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02595  1128   NtTestAlert  (... ) == 0x0
 02596  1128   NtContinue  (95485232, 1, ...
 02597  1128   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02598  1128   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 780, ) == 0x0
 02599  1128   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02600  1128   NtWaitForSingleObject  (136, 0, 0x0, ...
 02594   896   NtAllocateVirtualMemory  ... 95485952, 1048576, ) == 0x0
 02601   896   NtAllocateVirtualMemory  (-1, 96526336, 0, 8192, 4096, 4, ... 96526336, 8192, ) == 0x0
 02602   896   NtProtectVirtualMemory  (-1, (0x5c0e000), 4096, 260, ... (0x5c0e000), 4096, 4, ) == 0x0
 02603   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 784, {1252, 1924}, ) == 0x0
 02604   896   NtQueryInformationThread  (784, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1252,Tid=1924,}, 0x0, ) == 0x0
 02605   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81996, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\344\4\0\0\204\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\344\4\0\0\204\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81997, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\344\4\0\0\204\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\344\4\0\0\204\7\0\0" )  ) == 0x0
 02606   896   NtResumeThread  (784, ... 1, ) == 0x0
 02607   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 96534528, 1048576, ) == 0x0
 02608   896   NtAllocateVirtualMemory  (-1, 97574912, 0, 8192, 4096, 4, ... 97574912, 8192, ) == 0x0
 02609  1924   NtAllocateVirtualMemory  (-1, 3633152, 0, 4096, 4096, 4, ... 3633152, 4096, ) == 0x0
 02610  1924   NtTestAlert  (... ) == 0x0
 02611  1924   NtContinue  (96533808, 1, ...
 02612  1924   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02613  1924   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 788, ) == 0x0
 02614  1924   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02615   896   NtProtectVirtualMemory  (-1, (0x5d0e000), 4096, 260, ... (0x5d0e000), 4096, 4, ) == 0x0
 02616   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 792, {1252, 768}, ) == 0x0
 02617   896   NtQueryInformationThread  (792, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1252,Tid=768,}, 0x0, ) == 0x0
 02614  1924   NtWaitForSingleObject  ... ) == 0x102
 02618  1924   NtWaitForSingleObject  (136, 0, 0x0, ...
 02619   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81997, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\344\4\0\0\0\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\344\4\0\0\0\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81998, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\344\4\0\0\0\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\344\4\0\0\0\3\0\0" )  ) == 0x0
 02620   896   NtResumeThread  (792, ... 1, ) == 0x0
 02621   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02622   768   NtTestAlert  (... ) == 0x0
 02623   768   NtContinue  (97582384, 1, ...
 02624   768   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02625   768   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 796, ) == 0x0
 02626   768   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 02627   768   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02621   896   NtAllocateVirtualMemory  ... 97583104, 1048576, ) == 0x0
 02628   896   NtAllocateVirtualMemory  (-1, 98623488, 0, 8192, 4096, 4, ... 98623488, 8192, ) == 0x0
 02629   896   NtProtectVirtualMemory  (-1, (0x5e0e000), 4096, 260, ... (0x5e0e000), 4096, 4, ) == 0x0
 02630   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02627   768   NtWaitForSingleObject  ... ) == 0x102
 02631   768   NtWaitForSingleObject  (136, 0, 0x0, ...
 02630   896   NtCreateThread  ... 800, {1252, 216}, ) == 0x0
 02632   896   NtQueryInformationThread  (800, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1252,Tid=216,}, 0x0, ) == 0x0
 02633   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81998, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0\344\4\0\0\330\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0\344\4\0\0\330\0\0\0" )  ... {28, 56, reply, 0, 1252, 896, 81999, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0\344\4\0\0\330\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0\344\4\0\0\330\0\0\0" )  ) == 0x0
 02634   896   NtResumeThread  (800, ... 1, ) == 0x0
 02635   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 98631680, 1048576, ) == 0x0
 02636   896   NtAllocateVirtualMemory  (-1, 99672064, 0, 8192, 4096, 4, ... 99672064, 8192, ) == 0x0
 02637   216   NtTestAlert  (... ) == 0x0
 02638   216   NtContinue  (98630960, 1, ...
 02639   216   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02640   216   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 804, ) == 0x0
 02641   216   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02642   216   NtWaitForSingleObject  (136, 0, 0x0, ...
 02643   896   NtProtectVirtualMemory  (-1, (0x5f0e000), 4096, 260, ... (0x5f0e000), 4096, 4, ) == 0x0
 02644   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 808, {1252, 1864}, ) == 0x0
 02645   896   NtQueryInformationThread  (808, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1252,Tid=1864,}, 0x0, ) == 0x0
 02646   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 81999, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\344\4\0\0H\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\344\4\0\0H\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82000, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\344\4\0\0H\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\344\4\0\0H\7\0\0" )  ) == 0x0
 02647   896   NtResumeThread  (808, ... 1, ) == 0x0
 02648   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02649  1864   NtTestAlert  (... ) == 0x0
 02650  1864   NtContinue  (99679536, 1, ...
 02651  1864   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02652  1864   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 812, ) == 0x0
 02653  1864   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02654  1864   NtWaitForSingleObject  (136, 0, 0x0, ...
 02648   896   NtAllocateVirtualMemory  ... 99680256, 1048576, ) == 0x0
 02655   896   NtAllocateVirtualMemory  (-1, 100720640, 0, 8192, 4096, 4, ... 100720640, 8192, ) == 0x0
 02656   896   NtProtectVirtualMemory  (-1, (0x600e000), 4096, 260, ... (0x600e000), 4096, 4, ) == 0x0
 02657   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 816, {1252, 388}, ) == 0x0
 02658   896   NtQueryInformationThread  (816, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1252,Tid=388,}, 0x0, ) == 0x0
 02659   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82000, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\344\4\0\0\204\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\344\4\0\0\204\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82001, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\344\4\0\0\204\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\344\4\0\0\204\1\0\0" )  ) == 0x0
 02660   896   NtResumeThread  (816, ... 1, ) == 0x0
 02661   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 100728832, 1048576, ) == 0x0
 02662   896   NtAllocateVirtualMemory  (-1, 101769216, 0, 8192, 4096, 4, ... 101769216, 8192, ) == 0x0
 02663   388   NtTestAlert  (... ) == 0x0
 02664   388   NtContinue  (100728112, 1, ...
 02665   388   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02666   388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 820, ) == 0x0
 02667   388   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02668   388   NtWaitForSingleObject  (136, 0, 0x0, ...
 02669   896   NtProtectVirtualMemory  (-1, (0x610e000), 4096, 260, ... (0x610e000), 4096, 4, ) == 0x0
 02670   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 824, {1252, 1020}, ) == 0x0
 02671   896   NtQueryInformationThread  (824, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1252,Tid=1020,}, 0x0, ) == 0x0
 02672   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82001, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\344\4\0\0\374\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\344\4\0\0\374\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82002, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\344\4\0\0\374\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\344\4\0\0\374\3\0\0" )  ) == 0x0
 02673   896   NtResumeThread  (824, ... 1, ) == 0x0
 02674   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02675  1020   NtTestAlert  (... ) == 0x0
 02676  1020   NtContinue  (101776688, 1, ...
 02677  1020   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02678  1020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 828, ) == 0x0
 02679  1020   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02680  1020   NtWaitForSingleObject  (136, 0, 0x0, ...
 02674   896   NtAllocateVirtualMemory  ... 101777408, 1048576, ) == 0x0
 02681   896   NtAllocateVirtualMemory  (-1, 102817792, 0, 8192, 4096, 4, ... 102817792, 8192, ) == 0x0
 02682   896   NtProtectVirtualMemory  (-1, (0x620e000), 4096, 260, ... (0x620e000), 4096, 4, ) == 0x0
 02683   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 832, {1252, 1804}, ) == 0x0
 02684   896   NtQueryInformationThread  (832, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1252,Tid=1804,}, 0x0, ) == 0x0
 02685   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82002, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\344\4\0\0\14\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\344\4\0\0\14\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82003, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\344\4\0\0\14\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\344\4\0\0\14\7\0\0" )  ) == 0x0
 02686   896   NtResumeThread  (832, ... 1, ) == 0x0
 02687   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 102825984, 1048576, ) == 0x0
 02688   896   NtAllocateVirtualMemory  (-1, 103866368, 0, 8192, 4096, 4, ... 103866368, 8192, ) == 0x0
 02689  1804   NtTestAlert  (... ) == 0x0
 02690  1804   NtContinue  (102825264, 1, ...
 02691  1804   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02692  1804   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 836, ) == 0x0
 02693  1804   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02694  1804   NtWaitForSingleObject  (136, 0, 0x0, ...
 02695   896   NtProtectVirtualMemory  (-1, (0x630e000), 4096, 260, ... (0x630e000), 4096, 4, ) == 0x0
 02696   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 840, {1252, 1644}, ) == 0x0
 02697   896   NtQueryInformationThread  (840, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1252,Tid=1644,}, 0x0, ) == 0x0
 02698   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82003, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\344\4\0\0l\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\344\4\0\0l\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82004, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\344\4\0\0l\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\344\4\0\0l\6\0\0" )  ) == 0x0
 02699   896   NtResumeThread  (840, ... 1, ) == 0x0
 02700   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02701  1644   NtTestAlert  (... ) == 0x0
 02702  1644   NtContinue  (103873840, 1, ...
 02703  1644   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02704  1644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 844, ) == 0x0
 02705  1644   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02706  1644   NtWaitForSingleObject  (136, 0, 0x0, ...
 02700   896   NtAllocateVirtualMemory  ... 103874560, 1048576, ) == 0x0
 02707   896   NtAllocateVirtualMemory  (-1, 104914944, 0, 8192, 4096, 4, ... 104914944, 8192, ) == 0x0
 02708   896   NtProtectVirtualMemory  (-1, (0x640e000), 4096, 260, ... (0x640e000), 4096, 4, ) == 0x0
 02709   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 848, {1252, 1124}, ) == 0x0
 02710   896   NtQueryInformationThread  (848, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1252,Tid=1124,}, 0x0, ) == 0x0
 02711   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82004, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\344\4\0\0d\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\344\4\0\0d\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82005, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\344\4\0\0d\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\344\4\0\0d\4\0\0" )  ) == 0x0
 02712   896   NtResumeThread  (848, ... 1, ) == 0x0
 02713   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 104923136, 1048576, ) == 0x0
 02714   896   NtAllocateVirtualMemory  (-1, 105963520, 0, 8192, 4096, 4, ... 105963520, 8192, ) == 0x0
 02715  1124   NtTestAlert  (... ) == 0x0
 02716  1124   NtContinue  (104922416, 1, ...
 02717  1124   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02718  1124   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 852, ) == 0x0
 02719  1124   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02720  1124   NtWaitForSingleObject  (136, 0, 0x0, ...
 02721   896   NtProtectVirtualMemory  (-1, (0x650e000), 4096, 260, ... (0x650e000), 4096, 4, ) == 0x0
 02722   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 856, {1252, 776}, ) == 0x0
 02723   896   NtQueryInformationThread  (856, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1252,Tid=776,}, 0x0, ) == 0x0
 02724   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82005, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\344\4\0\0\10\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\344\4\0\0\10\3\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82006, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\344\4\0\0\10\3\0\0" ... {28, 56, reply, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\344\4\0\0\10\3\0\0" )  ) == 0x0
 02725   896   NtResumeThread  (856, ... 1, ) == 0x0
 02726   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02727   776   NtTestAlert  (... ) == 0x0
 02728   776   NtContinue  (105970992, 1, ...
 02729   776   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02730   776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 860, ) == 0x0
 02731   776   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02732   776   NtWaitForSingleObject  (136, 0, 0x0, ...
 02726   896   NtAllocateVirtualMemory  ... 105971712, 1048576, ) == 0x0
 02733   896   NtAllocateVirtualMemory  (-1, 107012096, 0, 8192, 4096, 4, ... 107012096, 8192, ) == 0x0
 02734   896   NtProtectVirtualMemory  (-1, (0x660e000), 4096, 260, ... (0x660e000), 4096, 4, ) == 0x0
 02735   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 864, {1252, 1696}, ) == 0x0
 02736   896   NtQueryInformationThread  (864, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1252,Tid=1696,}, 0x0, ) == 0x0
 02737   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82006, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\344\4\0\0\240\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\344\4\0\0\240\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82007, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\344\4\0\0\240\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\344\4\0\0\240\6\0\0" )  ) == 0x0
 02738   896   NtResumeThread  (864, ... 1, ) == 0x0
 02739   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 107020288, 1048576, ) == 0x0
 02740   896   NtAllocateVirtualMemory  (-1, 108060672, 0, 8192, 4096, 4, ... 108060672, 8192, ) == 0x0
 02741  1696   NtTestAlert  (... ) == 0x0
 02742  1696   NtContinue  (107019568, 1, ...
 02743  1696   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02744  1696   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 868, ) == 0x0
 02745  1696   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02746  1696   NtWaitForSingleObject  (136, 0, 0x0, ...
 02747   896   NtProtectVirtualMemory  (-1, (0x670e000), 4096, 260, ... (0x670e000), 4096, 4, ) == 0x0
 02748   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 872, {1252, 1920}, ) == 0x0
 02749   896   NtQueryInformationThread  (872, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1252,Tid=1920,}, 0x0, ) == 0x0
 02750   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82007, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\344\4\0\0\200\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\344\4\0\0\200\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82008, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\344\4\0\0\200\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\344\4\0\0\200\7\0\0" )  ) == 0x0
 02751   896   NtResumeThread  (872, ... 1, ) == 0x0
 02752   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02753  1920   NtTestAlert  (... ) == 0x0
 02754  1920   NtContinue  (108068144, 1, ...
 02755  1920   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02756  1920   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 876, ) == 0x0
 02757  1920   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 02758  1920   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02752   896   NtAllocateVirtualMemory  ... 108068864, 1048576, ) == 0x0
 02759   896   NtAllocateVirtualMemory  (-1, 109109248, 0, 8192, 4096, 4, ... 109109248, 8192, ) == 0x0
 02760   896   NtProtectVirtualMemory  (-1, (0x680e000), 4096, 260, ... (0x680e000), 4096, 4, ) == 0x0
 02761   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02758  1920   NtWaitForSingleObject  ... ) == 0x102
 02762  1920   NtWaitForSingleObject  (136, 0, 0x0, ...
 02761   896   NtCreateThread  ... 880, {1252, 1200}, ) == 0x0
 02763   896   NtQueryInformationThread  (880, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1252,Tid=1200,}, 0x0, ) == 0x0
 02764   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82008, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\344\4\0\0\260\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\344\4\0\0\260\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82009, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\344\4\0\0\260\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\344\4\0\0\260\4\0\0" )  ) == 0x0
 02765   896   NtResumeThread  (880, ... 1, ) == 0x0
 02766   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 109117440, 1048576, ) == 0x0
 02767   896   NtAllocateVirtualMemory  (-1, 110157824, 0, 8192, 4096, 4, ... 110157824, 8192, ) == 0x0
 02768  1200   NtTestAlert  (... ) == 0x0
 02769  1200   NtContinue  (109116720, 1, ...
 02770  1200   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02771  1200   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 884, ) == 0x0
 02772  1200   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02773  1200   NtWaitForSingleObject  (136, 0, 0x0, ...
 02774   896   NtProtectVirtualMemory  (-1, (0x690e000), 4096, 260, ... (0x690e000), 4096, 4, ) == 0x0
 02775   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 888, {1252, 1396}, ) == 0x0
 02776   896   NtQueryInformationThread  (888, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1252,Tid=1396,}, 0x0, ) == 0x0
 02777   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82009, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\344\4\0\0t\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\344\4\0\0t\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82010, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\344\4\0\0t\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\344\4\0\0t\5\0\0" )  ) == 0x0
 02778   896   NtResumeThread  (888, ... 1, ) == 0x0
 02779   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02780  1396   NtTestAlert  (... ) == 0x0
 02781  1396   NtContinue  (110165296, 1, ...
 02782  1396   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02783  1396   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 892, ) == 0x0
 02784  1396   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02785  1396   NtWaitForSingleObject  (136, 0, 0x0, ...
 02779   896   NtAllocateVirtualMemory  ... 110166016, 1048576, ) == 0x0
 02786   896   NtAllocateVirtualMemory  (-1, 111206400, 0, 8192, 4096, 4, ... 111206400, 8192, ) == 0x0
 02787   896   NtProtectVirtualMemory  (-1, (0x6a0e000), 4096, 260, ... (0x6a0e000), 4096, 4, ) == 0x0
 02788   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 896, {1252, 1692}, ) == 0x0
 02789   896   NtQueryInformationThread  (896, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1252,Tid=1692,}, 0x0, ) == 0x0
 02790   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82010, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\344\4\0\0\234\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\344\4\0\0\234\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82011, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\344\4\0\0\234\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\344\4\0\0\234\6\0\0" )  ) == 0x0
 02791   896   NtResumeThread  (896, ... 1, ) == 0x0
 02792   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 111214592, 1048576, ) == 0x0
 02793   896   NtAllocateVirtualMemory  (-1, 112254976, 0, 8192, 4096, 4, ... 112254976, 8192, ) == 0x0
 02794  1692   NtTestAlert  (... ) == 0x0
 02795  1692   NtContinue  (111213872, 1, ...
 02796  1692   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02797  1692   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 900, ) == 0x0
 02798  1692   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02799  1692   NtWaitForSingleObject  (136, 0, 0x0, ...
 02800   896   NtProtectVirtualMemory  (-1, (0x6b0e000), 4096, 260, ... (0x6b0e000), 4096, 4, ) == 0x0
 02801   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 904, {1252, 1392}, ) == 0x0
 02802   896   NtQueryInformationThread  (904, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1252,Tid=1392,}, 0x0, ) == 0x0
 02803   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82011, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\344\4\0\0p\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\344\4\0\0p\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82012, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\344\4\0\0p\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\344\4\0\0p\5\0\0" )  ) == 0x0
 02804   896   NtResumeThread  (904, ... 1, ) == 0x0
 02805   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02806  1392   NtTestAlert  (... ) == 0x0
 02807  1392   NtContinue  (112262448, 1, ...
 02808  1392   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02809  1392   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 908, ) == 0x0
 02810  1392   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02811  1392   NtWaitForSingleObject  (136, 0, 0x0, ...
 02805   896   NtAllocateVirtualMemory  ... 112263168, 1048576, ) == 0x0
 02812   896   NtAllocateVirtualMemory  (-1, 113303552, 0, 8192, 4096, 4, ... 113303552, 8192, ) == 0x0
 02813   896   NtProtectVirtualMemory  (-1, (0x6c0e000), 4096, 260, ... (0x6c0e000), 4096, 4, ) == 0x0
 02814   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 912, {1252, 1852}, ) == 0x0
 02815   896   NtQueryInformationThread  (912, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=1252,Tid=1852,}, 0x0, ) == 0x0
 02816   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82012, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\344\4\0\0<\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\344\4\0\0<\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82013, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\344\4\0\0<\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\344\4\0\0<\7\0\0" )  ) == 0x0
 02817   896   NtResumeThread  (912, ... 1, ) == 0x0
 02818   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 113311744, 1048576, ) == 0x0
 02819   896   NtAllocateVirtualMemory  (-1, 114352128, 0, 8192, 4096, 4, ... 114352128, 8192, ) == 0x0
 02820  1852   NtTestAlert  (... ) == 0x0
 02821  1852   NtContinue  (113311024, 1, ...
 02822  1852   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02823  1852   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 916, ) == 0x0
 02824  1852   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02825   896   NtProtectVirtualMemory  (-1, (0x6d0e000), 4096, 260, ... (0x6d0e000), 4096, 4, ) == 0x0
 02826   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 920, {1252, 504}, ) == 0x0
 02827   896   NtQueryInformationThread  (920, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=1252,Tid=504,}, 0x0, ) == 0x0
 02828   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82013, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\344\4\0\0\370\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\344\4\0\0\370\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82014, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\344\4\0\0\370\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\344\4\0\0\370\1\0\0" )  ) == 0x0
 02829   896   NtResumeThread  (920, ... 1, ) == 0x0
 02830   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02824  1852   NtWaitForSingleObject  ... ) == 0x102
 02831   504   NtTestAlert  (...
 02832  1852   NtWaitForSingleObject  (136, 0, 0x0, ...
 02831   504   NtTestAlert  ... ) == 0x0
 02833   504   NtContinue  (114359600, 1, ...
 02834   504   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02835   504   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 924, ) == 0x0
 02836   504   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02837   504   NtWaitForSingleObject  (136, 0, 0x0, ...
 02830   896   NtAllocateVirtualMemory  ... 114360320, 1048576, ) == 0x0
 02838   896   NtAllocateVirtualMemory  (-1, 115400704, 0, 8192, 4096, 4, ... 115400704, 8192, ) == 0x0
 02839   896   NtProtectVirtualMemory  (-1, (0x6e0e000), 4096, 260, ... (0x6e0e000), 4096, 4, ) == 0x0
 02840   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 928, {1252, 1740}, ) == 0x0
 02841   896   NtQueryInformationThread  (928, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=1252,Tid=1740,}, 0x0, ) == 0x0
 02842   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82014, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\344\4\0\0\314\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\344\4\0\0\314\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82015, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\344\4\0\0\314\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\344\4\0\0\314\6\0\0" )  ) == 0x0
 02843   896   NtResumeThread  (928, ... 1, ) == 0x0
 02844   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 115408896, 1048576, ) == 0x0
 02845   896   NtAllocateVirtualMemory  (-1, 116449280, 0, 8192, 4096, 4, ... 116449280, 8192, ) == 0x0
 02846  1740   NtTestAlert  (... ) == 0x0
 02847  1740   NtContinue  (115408176, 1, ...
 02848  1740   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02849  1740   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 932, ) == 0x0
 02850  1740   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02851  1740   NtWaitForSingleObject  (136, 0, 0x0, ...
 02852   896   NtProtectVirtualMemory  (-1, (0x6f0e000), 4096, 260, ... (0x6f0e000), 4096, 4, ) == 0x0
 02853   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 936, {1252, 1176}, ) == 0x0
 02854   896   NtQueryInformationThread  (936, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=1252,Tid=1176,}, 0x0, ) == 0x0
 02855   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82015, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\344\4\0\0\230\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\344\4\0\0\230\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82016, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\344\4\0\0\230\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\344\4\0\0\230\4\0\0" )  ) == 0x0
 02856   896   NtResumeThread  (936, ... 1, ) == 0x0
 02857   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02858  1176   NtTestAlert  (... ) == 0x0
 02859  1176   NtContinue  (116456752, 1, ...
 02860  1176   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02861  1176   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 940, ) == 0x0
 02862  1176   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02863  1176   NtWaitForSingleObject  (136, 0, 0x0, ...
 02857   896   NtAllocateVirtualMemory  ... 116457472, 1048576, ) == 0x0
 02864   896   NtAllocateVirtualMemory  (-1, 117497856, 0, 8192, 4096, 4, ... 117497856, 8192, ) == 0x0
 02865   896   NtProtectVirtualMemory  (-1, (0x700e000), 4096, 260, ... (0x700e000), 4096, 4, ) == 0x0
 02866   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 944, {1252, 420}, ) == 0x0
 02867   896   NtQueryInformationThread  (944, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=1252,Tid=420,}, 0x0, ) == 0x0
 02868   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82016, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\344\4\0\0\244\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\344\4\0\0\244\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82018, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\344\4\0\0\244\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\344\4\0\0\244\1\0\0" )  ) == 0x0
 02869   896   NtResumeThread  (944, ... 1, ) == 0x0
 02870   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 117506048, 1048576, ) == 0x0
 02871   896   NtAllocateVirtualMemory  (-1, 118546432, 0, 8192, 4096, 4, ... 118546432, 8192, ) == 0x0
 02872   420   NtTestAlert  (... ) == 0x0
 02873   420   NtContinue  (117505328, 1, ...
 02874   420   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02875   420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 948, ) == 0x0
 02876   420   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02877   420   NtWaitForSingleObject  (136, 0, 0x0, ...
 02878   896   NtProtectVirtualMemory  (-1, (0x710e000), 4096, 260, ... (0x710e000), 4096, 4, ) == 0x0
 02879   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 952, {1252, 384}, ) == 0x0
 02880   896   NtQueryInformationThread  (952, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=1252,Tid=384,}, 0x0, ) == 0x0
 02881   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82018, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\344\4\0\0\200\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\344\4\0\0\200\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82019, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\344\4\0\0\200\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\344\4\0\0\200\1\0\0" )  ) == 0x0
 02882   896   NtResumeThread  (952, ... 1, ) == 0x0
 02883   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02884   384   NtTestAlert  (... ) == 0x0
 02885   384   NtContinue  (118553904, 1, ...
 02886   384   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02887   384   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0
 02888   384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 956, ) == 0x0
 02889   384   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02883   896   NtAllocateVirtualMemory  ... 118554624, 1048576, ) == 0x0
 02890   896   NtAllocateVirtualMemory  (-1, 119595008, 0, 8192, 4096, 4, ... 119595008, 8192, ) == 0x0
 02891   896   NtProtectVirtualMemory  (-1, (0x720e000), 4096, 260, ... (0x720e000), 4096, 4, ) == 0x0
 02892   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02889   384   NtWaitForSingleObject  ... ) == 0x102
 02893   384   NtWaitForSingleObject  (136, 0, 0x0, ...
 02892   896   NtCreateThread  ... 960, {1252, 1028}, ) == 0x0
 02894   896   NtQueryInformationThread  (960, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=1252,Tid=1028,}, 0x0, ) == 0x0
 02895   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82019, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\344\4\0\0\4\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\344\4\0\0\4\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82020, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\344\4\0\0\4\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\344\4\0\0\4\4\0\0" )  ) == 0x0
 02896   896   NtResumeThread  (960, ... 1, ) == 0x0
 02897   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 119603200, 1048576, ) == 0x0
 02898   896   NtAllocateVirtualMemory  (-1, 120643584, 0, 8192, 4096, 4, ... 120643584, 8192, ) == 0x0
 02899  1028   NtTestAlert  (... ) == 0x0
 02900  1028   NtContinue  (119602480, 1, ...
 02901  1028   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02902  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 964, ) == 0x0
 02903  1028   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02904  1028   NtWaitForSingleObject  (136, 0, 0x0, ...
 02905   896   NtProtectVirtualMemory  (-1, (0x730e000), 4096, 260, ... (0x730e000), 4096, 4, ) == 0x0
 02906   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 968, {1252, 2012}, ) == 0x0
 02907   896   NtQueryInformationThread  (968, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=1252,Tid=2012,}, 0x0, ) == 0x0
 02908   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82020, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\344\4\0\0\334\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\344\4\0\0\334\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82021, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\344\4\0\0\334\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\344\4\0\0\334\7\0\0" )  ) == 0x0
 02909   896   NtResumeThread  (968, ... 1, ) == 0x0
 02910   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02911  2012   NtTestAlert  (... ) == 0x0
 02912  2012   NtContinue  (120651056, 1, ...
 02913  2012   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02914  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 972, ) == 0x0
 02915  2012   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02916  2012   NtWaitForSingleObject  (136, 0, 0x0, ...
 02910   896   NtAllocateVirtualMemory  ... 120651776, 1048576, ) == 0x0
 02917   896   NtAllocateVirtualMemory  (-1, 121692160, 0, 8192, 4096, 4, ... 121692160, 8192, ) == 0x0
 02918   896   NtProtectVirtualMemory  (-1, (0x740e000), 4096, 260, ... (0x740e000), 4096, 4, ) == 0x0
 02919   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 976, {1252, 1528}, ) == 0x0
 02920   896   NtQueryInformationThread  (976, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=1252,Tid=1528,}, 0x0, ) == 0x0
 02921   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82021, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0\344\4\0\0\370\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0\344\4\0\0\370\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82022, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0\344\4\0\0\370\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0\344\4\0\0\370\5\0\0" )  ) == 0x0
 02922   896   NtResumeThread  (976, ... 1, ) == 0x0
 02923   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 121700352, 1048576, ) == 0x0
 02924   896   NtAllocateVirtualMemory  (-1, 122740736, 0, 8192, 4096, 4, ... 122740736, 8192, ) == 0x0
 02925  1528   NtTestAlert  (... ) == 0x0
 02926  1528   NtContinue  (121699632, 1, ...
 02927  1528   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02928  1528   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 980, ) == 0x0
 02929  1528   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02930  1528   NtWaitForSingleObject  (136, 0, 0x0, ...
 02931   896   NtProtectVirtualMemory  (-1, (0x750e000), 4096, 260, ... (0x750e000), 4096, 4, ) == 0x0
 02932   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 984, {1252, 1180}, ) == 0x0
 02933   896   NtQueryInformationThread  (984, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=1252,Tid=1180,}, 0x0, ) == 0x0
 02934   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82022, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0\344\4\0\0\234\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0\344\4\0\0\234\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82023, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0\344\4\0\0\234\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0\344\4\0\0\234\4\0\0" )  ) == 0x0
 02935   896   NtResumeThread  (984, ... 1, ) == 0x0
 02936   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02937  1180   NtTestAlert  (... ) == 0x0
 02938  1180   NtContinue  (122748208, 1, ...
 02939  1180   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02940  1180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 988, ) == 0x0
 02941  1180   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02942  1180   NtWaitForSingleObject  (136, 0, 0x0, ...
 02936   896   NtAllocateVirtualMemory  ... 122748928, 1048576, ) == 0x0
 02943   896   NtAllocateVirtualMemory  (-1, 123789312, 0, 8192, 4096, 4, ... 123789312, 8192, ) == 0x0
 02944   896   NtProtectVirtualMemory  (-1, (0x760e000), 4096, 260, ... (0x760e000), 4096, 4, ) == 0x0
 02945   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 992, {1252, 748}, ) == 0x0
 02946   896   NtQueryInformationThread  (992, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=1252,Tid=748,}, 0x0, ) == 0x0
 02947   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82023, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0\344\4\0\0\354\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0\344\4\0\0\354\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82024, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0\344\4\0\0\354\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0\344\4\0\0\354\2\0\0" )  ) == 0x0
 02948   896   NtResumeThread  (992, ... 1, ) == 0x0
 02949   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 123797504, 1048576, ) == 0x0
 02950   896   NtAllocateVirtualMemory  (-1, 124837888, 0, 8192, 4096, 4, ... 124837888, 8192, ) == 0x0
 02951   748   NtTestAlert  (... ) == 0x0
 02952   748   NtContinue  (123796784, 1, ...
 02953   748   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02954   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 996, ) == 0x0
 02955   748   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02956   748   NtWaitForSingleObject  (136, 0, 0x0, ...
 02957   896   NtProtectVirtualMemory  (-1, (0x770e000), 4096, 260, ... (0x770e000), 4096, 4, ) == 0x0
 02958   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1000, {1252, 1388}, ) == 0x0
 02959   896   NtQueryInformationThread  (1000, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=1252,Tid=1388,}, 0x0, ) == 0x0
 02960   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82024, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\344\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\344\4\0\0l\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82025, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\344\4\0\0l\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\344\4\0\0l\5\0\0" )  ) == 0x0
 02961   896   NtResumeThread  (1000, ... 1, ) == 0x0
 02962   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02963  1388   NtTestAlert  (... ) == 0x0
 02964  1388   NtContinue  (124845360, 1, ...
 02965  1388   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02966  1388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 1004, ) == 0x0
 02967  1388   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02968  1388   NtWaitForSingleObject  (136, 0, 0x0, ...
 02962   896   NtAllocateVirtualMemory  ... 124846080, 1048576, ) == 0x0
 02969   896   NtAllocateVirtualMemory  (-1, 125886464, 0, 8192, 4096, 4, ... 125886464, 8192, ) == 0x0
 02970   896   NtProtectVirtualMemory  (-1, (0x780e000), 4096, 260, ... (0x780e000), 4096, 4, ) == 0x0
 02971   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1008, {1252, 2036}, ) == 0x0
 02972   896   NtQueryInformationThread  (1008, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=1252,Tid=2036,}, 0x0, ) == 0x0
 02973   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82025, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\344\4\0\0\364\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\344\4\0\0\364\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82026, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\344\4\0\0\364\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\344\4\0\0\364\7\0\0" )  ) == 0x0
 02974   896   NtResumeThread  (1008, ... 1, ) == 0x0
 02975   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 125894656, 1048576, ) == 0x0
 02976   896   NtAllocateVirtualMemory  (-1, 126935040, 0, 8192, 4096, 4, ... 126935040, 8192, ) == 0x0
 02977  2036   NtAllocateVirtualMemory  (-1, 3637248, 0, 4096, 4096, 4, ... 3637248, 4096, ) == 0x0
 02978  2036   NtTestAlert  (... ) == 0x0
 02979  2036   NtContinue  (125893936, 1, ...
 02980  2036   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02981  2036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 1012, ) == 0x0
 02982  2036   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02983   896   NtProtectVirtualMemory  (-1, (0x790e000), 4096, 260, ... (0x790e000), 4096, 4, ) == 0x0
 02984   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1016, {1252, 1600}, ) == 0x0
 02985   896   NtQueryInformationThread  (1016, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=1252,Tid=1600,}, 0x0, ) == 0x0
 02982  2036   NtWaitForSingleObject  ... ) == 0x102
 02986  2036   NtWaitForSingleObject  (136, 0, 0x0, ...
 02987   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82026, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0\344\4\0\0@\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0\344\4\0\0@\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82027, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0\344\4\0\0@\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0\344\4\0\0@\6\0\0" )  ) == 0x0
 02988   896   NtResumeThread  (1016, ... 1, ) == 0x0
 02989   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02990  1600   NtTestAlert  (... ) == 0x0
 02991  1600   NtContinue  (126942512, 1, ...
 02992  1600   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02993  1600   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 1020, ) == 0x0
 02994  1600   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 02995  1600   NtWaitForSingleObject  (136, 0, 0x0, ...
 02989   896   NtAllocateVirtualMemory  ... 126943232, 1048576, ) == 0x0
 02996   896   NtAllocateVirtualMemory  (-1, 127983616, 0, 8192, 4096, 4, ... 127983616, 8192, ) == 0x0
 02997   896   NtProtectVirtualMemory  (-1, (0x7a0e000), 4096, 260, ... (0x7a0e000), 4096, 4, ) == 0x0
 02998   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1024, {1252, 1372}, ) == 0x0
 02999   896   NtQueryInformationThread  (1024, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=1252,Tid=1372,}, 0x0, ) == 0x0
 03000   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82027, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0\344\4\0\0\\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0\344\4\0\0\\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82028, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0\344\4\0\0\\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0\344\4\0\0\\5\0\0" )  ) == 0x0
 03001   896   NtResumeThread  (1024, ... 1, ) == 0x0
 03002   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 127991808, 1048576, ) == 0x0
 03003   896   NtAllocateVirtualMemory  (-1, 129032192, 0, 8192, 4096, 4, ... 129032192, 8192, ) == 0x0
 03004  1372   NtTestAlert  (... ) == 0x0
 03005  1372   NtContinue  (127991088, 1, ...
 03006  1372   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03007  1372   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 1028, ) == 0x0
 03008  1372   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ... 1421312, 4096, ) == 0x0
 03009  1372   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03010   896   NtProtectVirtualMemory  (-1, (0x7b0e000), 4096, 260, ... (0x7b0e000), 4096, 4, ) == 0x0
 03011   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1032, {1252, 1948}, ) == 0x0
 03012   896   NtQueryInformationThread  (1032, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=1252,Tid=1948,}, 0x0, ) == 0x0
 03009  1372   NtWaitForSingleObject  ... ) == 0x102
 03013  1372   NtWaitForSingleObject  (136, 0, 0x0, ...
 03014   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82028, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\344\4\0\0\234\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\344\4\0\0\234\7\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82029, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\344\4\0\0\234\7\0\0" ... {28, 56, reply, 0, 1252, 896, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\344\4\0\0\234\7\0\0" )  ) == 0x0
 03015   896   NtResumeThread  (1032, ... 1, ) == 0x0
 03016   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03017  1948   NtTestAlert  (... ) == 0x0
 03018  1948   NtContinue  (129039664, 1, ...
 03019  1948   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03020  1948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 1036, ) == 0x0
 03021  1948   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 03022  1948   NtWaitForSingleObject  (136, 0, 0x0, ...
 03016   896   NtAllocateVirtualMemory  ... 129040384, 1048576, ) == 0x0
 03023   896   NtAllocateVirtualMemory  (-1, 130080768, 0, 8192, 4096, 4, ... 130080768, 8192, ) == 0x0
 03024   896   NtProtectVirtualMemory  (-1, (0x7c0e000), 4096, 260, ... (0x7c0e000), 4096, 4, ) == 0x0
 03025   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1040, {1252, 1096}, ) == 0x0
 03026   896   NtQueryInformationThread  (1040, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=1252,Tid=1096,}, 0x0, ) == 0x0
 03027   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82029, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\4\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\4\0\0\344\4\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82030, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\4\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\4\0\0\344\4\0\0H\4\0\0" )  ) == 0x0
 03028   896   NtResumeThread  (1040, ... 1, ) == 0x0
 03029   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 130088960, 1048576, ) == 0x0
 03030   896   NtAllocateVirtualMemory  (-1, 131129344, 0, 8192, 4096, 4, ... 131129344, 8192, ) == 0x0
 03031  1096   NtTestAlert  (... ) == 0x0
 03032  1096   NtContinue  (130088240, 1, ...
 03033  1096   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03034  1096   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 1044, ) == 0x0
 03035  1096   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 03036  1096   NtWaitForSingleObject  (136, 0, 0x0, ...
 03037   896   NtProtectVirtualMemory  (-1, (0x7d0e000), 4096, 260, ... (0x7d0e000), 4096, 4, ) == 0x0
 03038   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1048, {1252, 500}, ) == 0x0
 03039   896   NtQueryInformationThread  (1048, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=1252,Tid=500,}, 0x0, ) == 0x0
 03040   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82030, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\344\4\0\0\364\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\344\4\0\0\364\1\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82031, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\344\4\0\0\364\1\0\0" ... {28, 56, reply, 0, 1252, 896, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\344\4\0\0\364\1\0\0" )  ) == 0x0
 03041   896   NtResumeThread  (1048, ... 1, ) == 0x0
 03042   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03043   500   NtTestAlert  (... ) == 0x0
 03044   500   NtContinue  (131136816, 1, ...
 03045   500   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03046   500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 1052, ) == 0x0
 03047   500   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 03048   500   NtWaitForSingleObject  (136, 0, 0x0, ...
 03042   896   NtAllocateVirtualMemory  ... 131137536, 1048576, ) == 0x0
 03049   896   NtAllocateVirtualMemory  (-1, 132177920, 0, 8192, 4096, 4, ... 132177920, 8192, ) == 0x0
 03050   896   NtProtectVirtualMemory  (-1, (0x7e0e000), 4096, 260, ... (0x7e0e000), 4096, 4, ) == 0x0
 03051   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1056, {1252, 1676}, ) == 0x0
 03052   896   NtQueryInformationThread  (1056, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=1252,Tid=1676,}, 0x0, ) == 0x0
 03053   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82031, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\344\4\0\0\214\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\344\4\0\0\214\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82032, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\344\4\0\0\214\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\344\4\0\0\214\6\0\0" )  ) == 0x0
 03054   896   NtResumeThread  (1056, ... 1, ) == 0x0
 03055   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 132186112, 1048576, ) == 0x0
 03056   896   NtAllocateVirtualMemory  (-1, 133226496, 0, 8192, 4096, 4, ... 133226496, 8192, ) == 0x0
 03057  1676   NtTestAlert  (... ) == 0x0
 03058  1676   NtContinue  (132185392, 1, ...
 03059  1676   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03060  1676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 1060, ) == 0x0
 03061  1676   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03062   896   NtProtectVirtualMemory  (-1, (0x7f0e000), 4096, 260, ... (0x7f0e000), 4096, 4, ) == 0x0
 03063   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1064, {1252, 1620}, ) == 0x0
 03064   896   NtQueryInformationThread  (1064, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=1252,Tid=1620,}, 0x0, ) == 0x0
 03065   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82032, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\344\4\0\0T\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\344\4\0\0T\6\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82033, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\344\4\0\0T\6\0\0" ... {28, 56, reply, 0, 1252, 896, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\344\4\0\0T\6\0\0" )  ) == 0x0
 03066   896   NtResumeThread  (1064, ... 1, ) == 0x0
 03067   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03061  1676   NtWaitForSingleObject  ... ) == 0x102
 03068  1620   NtTestAlert  (...
 03069  1676   NtWaitForSingleObject  (136, 0, 0x0, ...
 03068  1620   NtTestAlert  ... ) == 0x0
 03070  1620   NtContinue  (133233968, 1, ...
 03071  1620   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 03072  1620   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 1068, ) == 0x0
 03073  1620   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 03074  1620   NtWaitForSingleObject  (136, 0, 0x0, ...
 03067   896   NtAllocateVirtualMemory  ... 133234688, 1048576, ) == 0x0
 03075   896   NtAllocateVirtualMemory  (-1, 134275072, 0, 8192, 4096, 4, ... 134275072, 8192, ) == 0x0
 03076   896   NtProtectVirtualMemory  (-1, (0x800e000), 4096, 260, ... (0x800e000), 4096, 4, ) == 0x0
 03077   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1072, {1252, 588}, ) == 0x0
 03078   896   NtQueryInformationThread  (1072, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=1252,Tid=588,}, 0x0, ) == 0x0
 03079   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82033, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\344\4\0\0L\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\344\4\0\0L\2\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82034, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\344\4\0\0L\2\0\0" ... {28, 56, reply, 0, 1252, 896, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\344\4\0\0L\2\0\0" )  ) == 0x0
 03080   896   NtResumeThread  (1072, ...
 01927  1024   NtSetValueKey  ... ) == 0x0
 03081  1024   NtClose  (-2147482756, ... ) == 0x0
 01928  1708   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 03080   896   NtResumeThread  ... 1, ) == 0x0
 03082   588   NtTestAlert  (...
 01873  1024   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "X\35\214\223\6\375\360\200K\26\336\11&\15\346"\216ZE\177\333\265\357\24\234\34\26f\334\274\373\254\361\202\24\276cVb\247h\341\326\343\2607\366yD^}\236\1\343\25\201\257\247\250\350\231\31\234\376\224\352\334i\273\20\344\362\356\16\214+\231\313\210\21\203\7\314d\342\251\316%\343\323\343A.\275\5\334jY\277\347*E\255\250L9\344\231\260\240\222\6\330X\255\14\257\347 \321\212\226\0\273\320\12\34w\253\361\240{3\241\327\177\223\241\211p\266{B\255y84?J\350\305nl^\31\21l\234\352[r\233\307\216\331\211N;F\3441\210\232\314'\335(g\3Q\10eV\260\304\12\351\23`\236\352d\217'\375\301\361\325wQO\21%\250\21<\274\201\261!I\27\344\27\2673\303\7E*\356[\32\313\232\16"\277\330o\227\254a\215f\370'2L\177\311\332\317\231\272\363\231\206\276\30\345\321\17U", ) \216ZE\177\333\265\357\24\234\34\26f\334\274\373\254\361\202\24\276cVb\247h\341\326\343\2607\366yD^}\236\1\343\25\201\257\247\250\350\231\31\234\376\224\352\334i\273\20\344\362\356\16\214+\231\313\210\21\203\7\314d\342\251\316%\343\323\343A.\275\5\334jY\277\347*E\255\250L9\344\231\260\240\222\6\330X\255\14\257\347 \321\212\226\0\273\320\12\34w\253\361\240{3\241\327\177\223\241\211p\266{B\255y84?J\350\305nl^\31\21l\234\352[r\233\307\216\331\211N;F\3441\210\232\314'\335(g\3Q\10eV\260\304\12\351\23`\236\352d\217'\375\301\361\325wQO\21%\250\21<\274\201\261!I\27\344\27\2673\303\7E*\356[\32\313\232\16 ... {status=0x0, info=256}, "X\35\214\223\6\375\360\200K\26\336\11&\15\346"\216ZE\177\333\265\357\24\234\34\26f\334\274\373\254\361\202\24\276cVb\247h\341\326\343\2607\366yD^}\236\1\343\25\201\257\247\250\350\231\31\234\376\224\352\334i\273\20\344\362\356\16\214+\231\313\210\21\203\7\314d\342\251\316%\343\323\343A.\275\5\334jY\277\347*E\255\250L9\344\231\260\240\222\6\330X\255\14\257\347 \321\212\226\0\273\320\12\34w\253\361\240{3\241\327\177\223\241\211p\266{B\255y84?J\350\305nl^\31\21l\234\352[r\233\307\216\331\211N;F\3441\210\232\314'\335(g\3Q\10eV\260\304\12\351\23`\236\352d\217'\375\301\361\325wQO\21%\250\21<\274\201\261!I\27\344\27\2673\303\7E*\356[\32\313\232\16"\277\330o\227\254a\215f\370'2L\177\311\332\317\231\272\363\231\206\276\30\345\321\17U", ) , ) == 0x0
 03083   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03082   588   NtTestAlert  ... ) == 0x0
 03084  1024   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 03083   896   NtAllocateVirtualMemory  ... 134283264, 1048576, ) == 0x0
 03085   588   NtContinue  (134282544, 1, ...
 03084  1024   NtCreateEvent  ... 1076, ) == 0x0
 03086   896   NtAllocateVirtualMemory  (-1, 135323648, 0, 8192, 4096, 4, ...
 03087   588   NtRegisterThreadTerminatePort  (24, ...
 03088  1024   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12643844, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12643844, 188, ...
 03086   896   NtAllocateVirtualMemory  ... 135323648, 8192, ) == 0x0
 03087   588   NtRegisterThreadTerminatePort  ... ) == 0x0
 03088  1024   NtConnectPort  ... 1080, 0x0, 0x0, 0x0, 188, ) == 0x0
 03089  1708   NtQueryValueKey  (360,  (360, "Mapping", Partial, 152, ... , Partial, 152, ...
 03090   896   NtProtectVirtualMemory  (-1, (0x810e000), 4096, 260, ...
 03091   588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03089  1708   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 03090   896   NtProtectVirtualMemory  ... (0x810e000), 4096, 4, ) == 0x0
 03091   588   NtDuplicateObject  ... 1084, ) == 0x0
 03092  1708   NtClose  (360, ...
 03093   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03094   588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03092  1708   NtClose  ... ) == 0x0
 03093   896   NtCreateThread  ... 360, {1252, 1328}, ) == 0x0
 03094   588   NtWaitForSingleObject  ... ) == 0x102
 03095  1708   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ...
 03096   896   NtQueryInformationThread  (360, Basic, 28, ...
 03097   588   NtWaitForSingleObject  (136, 0, 0x0, ...
 03095  1708   NtAllocateVirtualMemory  ... 1425408, 4096, ) == 0x0
 03096   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff43000,Pid=1252,Tid=1328,}, 0x0, ) == 0x0
 03098  1024   NtRequestWaitReplyPort  (1080, {200, 224, new_msg, 0, 1424008, 12, 2, 1310721}  (1080, {200, 224, new_msg, 0, 1424008, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\270\270\25\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\311\360I\267m\357\277\2438\272\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\20\272\25\0!~\14\256x\1\24\00\272\25\0h\1\24\0\0\0\0\0\0\0\0\00\272\25\0P\0\0\08\272\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\300\0\372\31\221|\30\364\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 03099  1708   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 1088, ) }, ... 1088, ) == 0x0
 03100  1708   NtQueryValueKey  (1088,  (1088, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (1088, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 03101  1708   NtQueryValueKey  (1088,  (1088, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (1088, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 03098  1024   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 1024, 82066, 0}  ... {200, 224, reply, 0, 1252, 1024, 82066, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\311\360I\267m\357\277\2438\272\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\20\272\25\0!~\14\256x\1\24\00\272\25\0h\1\24\0\0\0\0\0\0\0\0\00\272\25\0P\0\0\08\272\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\300\0\372\31\221|\30\364\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 03102   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82034, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\344\4\0\00\5\0\0" ...  ...
 03103  1024   NtRequestWaitReplyPort  (1080, {64, 88, new_msg, 0, 0, 0, 0, 0}  (1080, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 03102   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82071, 0}  ... {28, 56, reply, 0, 1252, 896, 82071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\344\4\0\00\5\0\0" )  ) == 0x0
 03104   896   NtResumeThread  (360, ... 1, ) == 0x0
 03105   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03103  1024   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 1252, 1024, 82072, 0}  ... {52, 76, reply, 0, 1252, 1024, 82072, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\30\302\13\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 03106  1708   NtQueryValueKey  (1088,  (1088, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ...
 03107  1328   NtTestAlert  (...
 03105   896   NtAllocateVirtualMemory  ... 135331840, 1048576, ) == 0x0
 03106  1708   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03107  1328   NtTestAlert  ... ) == 0x0
 03108   896   NtAllocateVirtualMemory  (-1, 136372224, 0, 8192, 4096, 4, ...
 03109  1708   NtQueryValueKey  (1088,  (1088, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 03110  1328   NtContinue  (135331120, 1, ...
 03108   896   NtAllocateVirtualMemory  ... 136372224, 8192, ) == 0x0
 03109  1708   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 03111  1328   NtRegisterThreadTerminatePort  (24, ...
 03112  1024   NtClose  (1076, ...
 03113  1708   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11596844, ... }, 11596844, ...
 03111  1328   NtRegisterThreadTerminatePort  ... ) == 0x0
 03112  1024   NtClose  ... ) == 0x0
 03113  1708   NtQueryAttributesFile  ... ) == 0x0
 03114   896   NtProtectVirtualMemory  (-1, (0x820e000), 4096, 260, ...
 03115  1024   NtClose  (1080, ...
 03116  1328   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03114   896   NtProtectVirtualMemory  ... (0x820e000), 4096, 4, ) == 0x0
 03115  1024   NtClose  ... ) == 0x0
 03116  1328   NtDuplicateObject  ... 1080, ) == 0x0
 03117   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03118  1024   NtWaitForSingleObject  (88, 0, 0x0, ...
 03119  1328   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03117   896   NtCreateThread  ... 1076, {1252, 1484}, ) == 0x0
 03119  1328   NtWaitForSingleObject  ... ) == 0x102
 03120   896   NtQueryInformationThread  (1076, Basic, 28, ...
 03121  1328   NtWaitForSingleObject  (136, 0, 0x0, ...
 03120   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff42000,Pid=1252,Tid=1484,}, 0x0, ) == 0x0
 03122  1708   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 1092, {status=0x0, info=1}, ) }, 5, 96, ... 1092, {status=0x0, info=1}, ) == 0x0
 03123  1708   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 1092, ... 1096, ) == 0x0
 03124  1708   NtClose  (1092, ... ) == 0x0
 03125  1708   NtMapViewOfSection  (1096, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x360000), 0x0, 20480, ) == 0x0
 03126  1708   NtClose  (1096, ... ) == 0x0
 03127   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82071, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\4\0\0\344\4\0\0\314\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\4\0\0\344\4\0\0\314\5\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82077, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\4\0\0\344\4\0\0\314\5\0\0" ... {28, 56, reply, 0, 1252, 896, 82077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\4\0\0\344\4\0\0\314\5\0\0" )  ) == 0x0
 03128   896   NtResumeThread  (1076, ... 1, ) == 0x0
 03129   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03130  1484   NtWaitForSingleObject  (88, 0, 0x0, ...
 03129   896   NtAllocateVirtualMemory  ... 136380416, 1048576, ) == 0x0
 03131   896   NtAllocateVirtualMemory  (-1, 137420800, 0, 8192, 4096, 4, ... 137420800, 8192, ) == 0x0
 03132   896   NtProtectVirtualMemory  (-1, (0x830e000), 4096, 260, ... (0x830e000), 4096, 4, ) == 0x0
 03133   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03134  1708   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 03135  1708   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11597152, ... ) }, 11597152, ... ) == 0x0
 03136  1708   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 1096, {status=0x0, info=1}, ) }, 5, 96, ... 1096, {status=0x0, info=1}, ) == 0x0
 03137  1708   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 1096, ... 1092, ) == 0x0
 03138  1708   NtQuerySection  (1092, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03139  1708   NtClose  (1096, ... ) == 0x0
 03133   896   NtCreateThread  ... 1096, {1252, 1104}, ) == 0x0
 03140   896   NtQueryInformationThread  (1096, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff41000,Pid=1252,Tid=1104,}, 0x0, ) == 0x0
 03141   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82077, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\344\4\0\0P\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\344\4\0\0P\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82082, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\344\4\0\0P\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\344\4\0\0P\4\0\0" )  ) == 0x0
 03142   896   NtResumeThread  (1096, ... 1, ) == 0x0
 03143   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 137428992, 1048576, ) == 0x0
 03144   896   NtAllocateVirtualMemory  (-1, 138469376, 0, 8192, 4096, 4, ... 138469376, 8192, ) == 0x0
 03145  1708   NtMapViewOfSection  (1092, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 03146  1104   NtWaitForSingleObject  (88, 0, 0x0, ...
 03145  1708   NtMapViewOfSection  ... (0x71a90000), 0x0, 32768, ) == 0x0
 03147  1708   NtClose  (1092, ... ) == 0x0
 03148  1708   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0
 03149  1708   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0
 03150  1708   NtFlushInstructionCache  (-1, 1906905088, 128, ... ) == 0x0
 03151   896   NtProtectVirtualMemory  (-1, (0x840e000), 4096, 260, ... (0x840e000), 4096, 4, ) == 0x0
 03152   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1092, {1252, 1268}, ) == 0x0
 03153   896   NtQueryInformationThread  (1092, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff40000,Pid=1252,Tid=1268,}, 0x0, ) == 0x0
 03154   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82082, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\4\0\0\344\4\0\0\364\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\4\0\0\344\4\0\0\364\4\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82083, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\4\0\0\344\4\0\0\364\4\0\0" ... {28, 56, reply, 0, 1252, 896, 82083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\4\0\0\344\4\0\0\364\4\0\0" )  ) == 0x0
 03155   896   NtResumeThread  (1092, ... 1, ) == 0x0
 03156   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03157  1708   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ...
 03158  1268   NtWaitForSingleObject  (88, 0, 0x0, ...
 03157  1708   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03159  1708   NtSetEventBoostPriority  (88, ...
 03118  1024   NtWaitForSingleObject  ... ) == 0x0
 03160  1024   NtSetEventBoostPriority  (88, ...
 03130  1484   NtWaitForSingleObject  ... ) == 0x0
 03161  1484   NtSetEventBoostPriority  (88, ...
 03146  1104   NtWaitForSingleObject  ... ) == 0x0
 03162  1104   NtSetEventBoostPriority  (88, ...
 03158  1268   NtWaitForSingleObject  ... ) == 0x0
 03163  1268   NtTestAlert  (... ) == 0x0
 03162  1104   NtSetEventBoostPriority  ... ) == 0x0
 03161  1484   NtSetEventBoostPriority  ... ) == 0x0
 03160  1024   NtSetEventBoostPriority  ... ) == 0x0
 03159  1708   NtSetEventBoostPriority  ... ) == 0x0
 03156   896   NtAllocateVirtualMemory  ... 138477568, 1048576, ) == 0x0
 03164  1268   NtContinue  (138476848, 1, ...
 03165  1104   NtTestAlert  (...
 03166  1484   NtTestAlert  (...
 03167  1024   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 03168   896   NtAllocateVirtualMemory  (-1, 139517952, 0, 8192, 4096, 4, ...
 03169  1268   NtRegisterThreadTerminatePort  (24, ...
 03165  1104   NtTestAlert  ... ) == 0x0
 03166  1484   NtTestAlert  ... ) == 0x0
 03167  1024   NtCreateKey  ... 1100, 2, ) == 0x0
 03168   896   NtAllocateVirtualMemory  ... 139517952, 8192, ) == 0x0
 03169  1268   NtRegisterThreadTerminatePort  ... ) == 0x0
 03170  1104   NtContinue  (137428272, 1, ...
 03171  1484   NtContinue  (136379696, 1, ...
 03172  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 03173   896   NtProtectVirtualMemory  (-1, (0x850e000), 4096, 260, ...
 03174  1268   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03175  1104   NtRegisterThreadTerminatePort  (24, ...
 03176  1484   NtRegisterThreadTerminatePort  (24, ...
 03172  1024   NtOpenKey  ... 1104, ) == 0x0
 03173   896   NtProtectVirtualMemory  ... (0x850e000), 4096, 4, ) == 0x0
 03174  1268   NtDuplicateObject  ... 1108, ) == 0x0
 03175  1104   NtRegisterThreadTerminatePort  ... ) == 0x0
 03176  1484   NtRegisterThreadTerminatePort  ... ) == 0x0
 03177  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 03178   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03179  1268   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03180  1104   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03181  1484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03177  1024   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03182  1708   NtClose  (1088, ...
 03178   896   NtCreateThread  ... 1112, {1252, 1664}, ) == 0x0
 03179  1268   NtWaitForSingleObject  ... ) == 0x102
 03180  1104   NtDuplicateObject  ... 1116, ) == 0x0
 03181  1484   NtDuplicateObject  ... 1120, ) == 0x0
 03182  1708   NtClose  ... ) == 0x0
 03183   896   NtQueryInformationThread  (1112, Basic, 28, ...
 03184  1268   NtWaitForSingleObject  (136, 0, 0x0, ...
 03185  1104   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03186  1484   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03187  1708   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11599488, 67, ... }, 0x0, 0, 3, 3, 0, 11599488, 67, ...
 03183   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff3f000,Pid=1252,Tid=1664,}, 0x0, ) == 0x0
 03185  1104   NtWaitForSingleObject  ... ) == 0x102
 03186  1484   NtWaitForSingleObject  ... ) == 0x102
 03187  1708   NtCreateFile  ... 1088, {status=0x0, info=0}, ) == 0x0
 03188   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82083, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\4\0\0\344\4\0\0\200\6\0\0" ...  ...
 03189  1104   NtWaitForSingleObject  (136, 0, 0x0, ...
 03190  1484   NtWaitForSingleObject  (136, 0, 0x0, ...
 03191  1708   NtDeviceIoControlFile  (1088, 108, 0x0, 0x0, 0x1207b,  (1088, 108, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 03188   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82130, 0}  ... {28, 56, reply, 0, 1252, 896, 82130, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\4\0\0\344\4\0\0\200\6\0\0" )  ) == 0x0
 03191  1708   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\200=\242\201", ) , ) == 0x0
 03192  1024   NtQueryValueKey  (1100,  (1100, "Hostname", Partial, 144, ... , Partial, 144, ...
 03193   896   NtResumeThread  (1112, ...
 03192  1024   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 03193   896   NtResumeThread  ... 1, ) == 0x0
 03194  1024   NtQueryValueKey  (1100,  (1100, "Hostname", Partial, 144, ... , Partial, 144, ...
 03195   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03194  1024   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 03195   896   NtAllocateVirtualMemory  ... 139526144, 1048576, ) == 0x0
 03196  1024   NtClose  (1100, ...
 03197   896   NtAllocateVirtualMemory  (-1, 140566528, 0, 8192, 4096, 4, ...
 03196  1024   NtClose  ... ) == 0x0
 03197   896   NtAllocateVirtualMemory  ... 140566528, 8192, ) == 0x0
 03198  1708   NtDeviceIoControlFile  (1088, 108, 0x0, 0x0, 0x1207b,  (1088, 108, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\200=\242\201", 16, 16, ... , 16, 16, ...
 03199  1664   NtTestAlert  (...
 03200  1024   NtClose  (1104, ...
 03198  1708   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\200=\242\201", ) , ) == 0x0
 03199  1664   NtTestAlert  ... ) == 0x0
 03200  1024   NtClose  ... ) == 0x0
 03201  1708   NtDeviceIoControlFile  (1088, 108, 0x0, 0x0, 0x12047,  (1088, 108, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 03202  1664   NtContinue  (139525424, 1, ...
 03203  1024   NtDeviceIoControlFile  (356, 0, 0x0, 0x0, 0x390008,  (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214|\273\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 03204  1664   NtRegisterThreadTerminatePort  (24, ...
 03205  1024   NtQuerySystemInformation  (TimeOfDay, 48, ...
 03204  1664   NtRegisterThreadTerminatePort  ... ) == 0x0
 03205  1024   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 03201  1708   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 03206   896   NtProtectVirtualMemory  (-1, (0x860e000), 4096, 260, ...
 03207  1024   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 03208  1708   NtWaitForSingleObject  (56, 0, {0, 0}, ...
 03206   896   NtProtectVirtualMemory  ... (0x860e000), 4096, 4, ) == 0x0
 03209  1664   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03208  1708   NtWaitForSingleObject  ... ) == 0x102
 03210   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03209  1664   NtDuplicateObject  ... 1104, ) == 0x0
 03211  1708   NtDeviceIoControlFile  (1088, 108, 0x0, 0x0, 0x12003,  (1088, 108, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 03210   896   NtCreateThread  ... 1100, {1252, 2056}, ) == 0x0
 03212  1664   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03213   896   NtQueryInformationThread  (1100, Basic, 28, ...
 03212  1664   NtWaitForSingleObject  ... ) == 0x102
 03213   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff3e000,Pid=1252,Tid=2056,}, 0x0, ) == 0x0
 03214  1664   NtWaitForSingleObject  (136, 0, 0x0, ...
 03207  1024   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 03211  1708   NtDeviceIoControlFile  ... {status=0x0, info=1124},  ... {status=0x0, info=1124}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 03215   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82130, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82130, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\4\0\0\344\4\0\0\10\10\0\0" ...  ...
 03216  1024   NtQuerySystemInformation  (Performance, 312, ...
 03217  1708   NtDeviceIoControlFile  (1088, 108, 0x0, 0x0, 0x12047,  (1088, 108, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 03215   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82141, 0}  ... {28, 56, reply, 0, 1252, 896, 82141, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\4\0\0\344\4\0\0\10\10\0\0" )  ) == 0x0
 03216  1024   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 03217  1708   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 03218   896   NtResumeThread  (1100, ...
 03219  1024   NtQuerySystemInformation  (Exception, 16, ...
 03220  1708   NtDeviceIoControlFile  (1088, 108, 0x0, 0x0, 0x12037,  (1088, 108, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 03218   896   NtResumeThread  ... 1, ) == 0x0
 03219  1024   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 03220  1708   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 03221   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03222  1024   NtQuerySystemInformation  (Lookaside, 32, ...
 03223  1708   NtDeviceIoControlFile  (1088, 108, 0x0, 0x0, 0x1200b,  (1088, 108, 0x0, 0x0, 0x1200b, "\0\376\260\0\5\0\0\0\0\314\24\0", 12, 0, ... , 12, 0, ...
 03224  2056   NtTestAlert  (...
 03221   896   NtAllocateVirtualMemory  ... 140574720, 1048576, ) == 0x0
 03222  1024   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 03224  2056   NtTestAlert  ... ) == 0x0
 03225   896   NtAllocateVirtualMemory  (-1, 141615104, 0, 8192, 4096, 4, ...
 03226  1024   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 03227  2056   NtContinue  (140574000, 1, ...
 03225   896   NtAllocateVirtualMemory  ... 141615104, 8192, ) == 0x0
 03226  1024   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 03228  2056   NtRegisterThreadTerminatePort  (24, ...
 03229   896   NtProtectVirtualMemory  (-1, (0x870e000), 4096, 260, ...
 03230  1024   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 03228  2056   NtRegisterThreadTerminatePort  ... ) == 0x0
 03229   896   NtProtectVirtualMemory  ... (0x870e000), 4096, 4, ) == 0x0
 03230  1024   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 03223  1708   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 03231   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03232  1024   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 03233  1708   NtDeviceIoControlFile  (1088, 108, 0x0, 0x0, 0x12047,  (1088, 108, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\260\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 03234  2056   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03231   896   NtCreateThread  ... 1128, {1252, 2072}, ) == 0x0
 03233  1708   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 03234  2056   NtDuplicateObject  ... 1132, ) == 0x0
 03235   896   NtQueryInformationThread  (1128, Basic, 28, ...
 03236  1708   NtDeviceIoControlFile  (1088, 108, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ...
 03237  2056   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03235   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff3d000,Pid=1252,Tid=2072,}, 0x0, ) == 0x0
 03236  1708   NtDeviceIoControlFile  ... {status=0x0, info=26},  ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 03237  2056   NtWaitForSingleObject  ... ) == 0x102
 03238   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82141, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82141, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\4\0\0\344\4\0\0\30\10\0\0" ...  ...
 03239  1708   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 03240  2056   NtWaitForSingleObject  (136, 0, 0x0, ...
 03238   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82152, 0}  ... {28, 56, reply, 0, 1252, 896, 82152, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\4\0\0\344\4\0\0\30\10\0\0" )  ) == 0x0
 03232  1024   NtCreateKey  ... -2147481484, 2, ) == 0x0
 03239  1708   NtCreateEvent  ... 1136, ) == 0x0
 03241  1024   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\20\220\23\32I\260\31Bs\1JV\\177\246\135W\271\330g\331\343(p\235\333\245Q5\236L\347\307\204\323\236lu\277\217G\314)\371\374\275\250G\242\211X\352\247\215\363\342\332\356\4\236J\373\335\222\5-\331\231\341\262\370\367\247\330y=D6n", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "\20\220\23\32I\260\31Bs\1JV\\177\246\135W\271\330g\331\343(p\235\333\245Q5\236L\347\307\204\323\236lu\277\217G\314)\371\374\275\250G\242\211X\352\247\215\363\342\332\356\4\236J\373\335\222\5-\331\231\341\262\370\367\247\330y=D6n", 80, ... , 80, ...
 03242  1708   NtWaitForSingleObject  (1136, 0, 0x0, ...
 03241  1024   NtSetValueKey  ... ) == 0x0
 03243  1024   NtClose  (-2147481484, ... ) == 0x0
 03203  1024   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "{\322\253\225\260\37\366\206k@\261scNyK\352[d\360\21\211\361\335\341UC\344\225\271w\232\304N\211\30\357\216\202\305\360X}\32q6(A\367\302\352P\14\200\12\366E\3\334\26\233BR\331G\223#yz\266\311\317\237\321\311^\202\321y6\232e\344\215\301\356Be\314\254\364J\333\273\204#\342\367\30,4\254w<\312\323\252\3135\330-]\202B\244\303D\23\4\343I#\4Y\316\266\265'r\15\202\376L\3145\32\6\377\33\354;(\374\16\35\234\177'\301\252\335\5\240\317j@\340JJ\317R;x\36\246\323,\224{\343S;\202_<\374@\314\260\340\333\346\243\361\323\353\0\264\7\253\341\334\2425\301\201\231\246\371\22\350\2\7\344@S\0\20(\257\235EF\5\253\300[k\252\222P\346\254QTv\234?\353\0^\234\32%\336\353", ) EF\5\253\300[k\252\222P\346\254QTv\234?\353\0^\234\32%\336\353", ) == 0x0
 03244  1024   NtDeviceIoControlFile  (356, 0, 0x0, 0x0, 0x390008,  (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 03245  1024   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 03246  1024   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 03247  1024   NtQuerySystemInformation  (Performance, 312, ...
 03248   896   NtResumeThread  (1128, ... 1, ) == 0x0
 03249   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 141623296, 1048576, ) == 0x0
 03250   896   NtAllocateVirtualMemory  (-1, 142663680, 0, 8192, 4096, 4, ... 142663680, 8192, ) == 0x0
 03251   896   NtProtectVirtualMemory  (-1, (0x880e000), 4096, 260, ... (0x880e000), 4096, 4, ) == 0x0
 03252   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1140, {1252, 2088}, ) == 0x0
 03253   896   NtQueryInformationThread  (1140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3c000,Pid=1252,Tid=2088,}, 0x0, ) == 0x0
 03247  1024   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 03254  2072   NtTestAlert  (...
 03255  1024   NtQuerySystemInformation  (Exception, 16, ...
 03254  2072   NtTestAlert  ... ) == 0x0
 03255  1024   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 03256  2072   NtContinue  (141622576, 1, ...
 03257  1024   NtQuerySystemInformation  (Lookaside, 32, ...
 03258  2072   NtRegisterThreadTerminatePort  (24, ...
 03257  1024   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 03258  2072   NtRegisterThreadTerminatePort  ... ) == 0x0
 03259  1024   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 03260   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82152, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82152, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\4\0\0\344\4\0\0(\10\0\0" ...  ...
 03261  2072   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03260   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82177, 0}  ... {28, 56, reply, 0, 1252, 896, 82177, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\4\0\0\344\4\0\0(\10\0\0" )  ) == 0x0
 03261  2072   NtDuplicateObject  ... 1144, ) == 0x0
 03262   896   NtResumeThread  (1140, ...
 03263  2072   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03262   896   NtResumeThread  ... 1, ) == 0x0
 03263  2072   NtWaitForSingleObject  ... ) == 0x102
 03264   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03265  2072   NtWaitForSingleObject  (136, 0, 0x0, ...
 03259  1024   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 03266  2088   NtTestAlert  (...
 03264   896   NtAllocateVirtualMemory  ... 142671872, 1048576, ) == 0x0
 03267  1024   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 03266  2088   NtTestAlert  ... ) == 0x0
 03268   896   NtAllocateVirtualMemory  (-1, 143712256, 0, 8192, 4096, 4, ...
 03267  1024   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 03269  2088   NtContinue  (142671152, 1, ...
 03268   896   NtAllocateVirtualMemory  ... 143712256, 8192, ) == 0x0
 03270  1024   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 03271  2088   NtRegisterThreadTerminatePort  (24, ...
 03272   896   NtProtectVirtualMemory  (-1, (0x890e000), 4096, 260, ...
 03270  1024   NtCreateKey  ... -2147481484, 2, ) == 0x0
 03271  2088   NtRegisterThreadTerminatePort  ... ) == 0x0
 03272   896   NtProtectVirtualMemory  ... (0x890e000), 4096, 4, ) == 0x0
 03273  1024   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\220?\254\253\353\335-^\321\241C\355\236\256\243w\332\244#f,\222\377\331\15\215'h\240\237\362\333\25+m1\315\270P\303\346o\302\234y\354\0C\212\317e\321\331\313E\32\213\343\333\327s'\15\\255?\17\331y\213\316\223\351^\247\32\237?\246\263", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "\220?\254\253\353\335-^\321\241C\355\236\256\243w\332\244#f,\222\377\331\15\215'h\240\237\362\333\25+m1\315\270P\303\346o\302\234y\354\0C\212\317e\321\331\313E\32\213\343\333\327s'\15\\255?\17\331y\213\316\223\351^\247\32\237?\246\263", 80, ... , 80, ...
 03274   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03275  2088   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ...
 03273  1024   NtSetValueKey  ... ) == 0x0
 03275  2088   NtAllocateVirtualMemory  ... 1429504, 4096, ) == 0x0
 03276  1024   NtClose  (-2147481484, ...
 03277  2088   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03276  1024   NtClose  ... ) == 0x0
 03277  2088   NtDuplicateObject  ... 1148, ) == 0x0
 03244  1024   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\306\334\351]\217\207\25\340\243Z9\275\33\216\3634\307\263\305\265\241(\361\353\226\361\362\211M\2\347\211\215E\265\260L\333\301\5\370\3\262\224\23\223%c\177\313\306\23\203\24\300\376\37\312\15\202\274,\21\214O\212'\3302S\361\343\264\302\210'\231\217EU\337\361d\305\202\215\315\267\241M\350O\276A\245J\234\10\236\346\253I\252\332\267\272\343\230+\333\242\34\252\247\343jV\204\201E\206:\270\304\316\262\353q\371\256G\224#\346B5\364\274,\304\330Io<\246Y\370\317\277\267y\223\223W;/\222\357\314F\3\211\22\244!'\246\352\375\243\177\307\5g\12\3727\207e\320/\241\30\335\214l\31\260\257^X\253\330\354\223,K\223E\4\214\345\261;\214\12\215\276\26\35\207$\3343\357A\17\317\230\334\363\317\311q\366$J&\310P\216\3171}\217\347X\12\366\202\312\272\200S\303\241=8\24U7\216\256Zy\326", ) , ) == 0x0
 03278  2088   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03279  1024   NtDeviceIoControlFile  (356, 0, 0x0, 0x0, 0x390008,  (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \330\267\323\3311\366 (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 03280  1024   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 03281  1024   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 03282  1024   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 03283  1024   NtQuerySystemInformation  (Exception, 16, ...
 03274   896   NtCreateThread  ... 1152, {1252, 2100}, ) == 0x0
 03278  2088   NtWaitForSingleObject  ... ) == 0x102
 03284   896   NtQueryInformationThread  (1152, Basic, 28, ...
 03285  2088   NtWaitForSingleObject  (136, 0, 0x0, ...
 03284   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff3b000,Pid=1252,Tid=2100,}, 0x0, ) == 0x0
 03286   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82177, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82177, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\4\0\0\344\4\0\04\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82178, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\4\0\0\344\4\0\04\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82178, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82177, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\4\0\0\344\4\0\04\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82178, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\4\0\0\344\4\0\04\10\0\0" )  ) == 0x0
 03287   896   NtResumeThread  (1152, ... 1, ) == 0x0
 03288   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 143720448, 1048576, ) == 0x0
 03289   896   NtAllocateVirtualMemory  (-1, 144760832, 0, 8192, 4096, 4, ... 144760832, 8192, ) == 0x0
 03283  1024   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 03290  2100   NtTestAlert  (...
 03291  1024   NtQuerySystemInformation  (Lookaside, 32, ...
 03290  2100   NtTestAlert  ... ) == 0x0
 03291  1024   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 03292  2100   NtContinue  (143719728, 1, ...
 03293  1024   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 03294  2100   NtRegisterThreadTerminatePort  (24, ...
 03293  1024   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 03294  2100   NtRegisterThreadTerminatePort  ... ) == 0x0
 03295  1024   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 03296   896   NtProtectVirtualMemory  (-1, (0x8a0e000), 4096, 260, ...
 03297  2100   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03296   896   NtProtectVirtualMemory  ... (0x8a0e000), 4096, 4, ) == 0x0
 03297  2100   NtDuplicateObject  ... 1156, ) == 0x0
 03298   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03299  2100   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03298   896   NtCreateThread  ... 1160, {1252, 2104}, ) == 0x0
 03299  2100   NtWaitForSingleObject  ... ) == 0x102
 03300   896   NtQueryInformationThread  (1160, Basic, 28, ...
 03301  2100   NtWaitForSingleObject  (136, 0, 0x0, ...
 03300   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff3a000,Pid=1252,Tid=2104,}, 0x0, ) == 0x0
 03295  1024   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 03302  1024   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481484, 2, ) }, 0, 0x0, 0, ... -2147481484, 2, ) == 0x0
 03303  1024   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\371]\325C\205I("\14\307\204`\240\235]M\320v7{\30\355\230\263\366Q\306L\177o\367E\363u1!\314\255\224\256w\3z@\33b\323\4o\262\362-\22F\335\337i\312U*\236g\243\260N\344\303\34,&\252\377\305\342\255P\17\T\372", 80, ... ) , 0, 3,  (-2147481484, "Seed", 0, 3, "\371]\325C\205I("\14\307\204`\240\235]M\320v7{\30\355\230\263\366Q\306L\177o\367E\363u1!\314\255\224\256w\3z@\33b\323\4o\262\362-\22F\335\337i\312U*\236g\243\260N\344\303\34,&\252\377\305\342\255P\17\T\372", 80, ... ) \14\307\204`\240\235]M\320v7{\30\355\230\263\366Q\306L\177o\367E\363u1!\314\255\224\256w\3z@\33b\323\4o\262\362-\22F\335\337i\312U*\236g\243\260N\344\303\34,&\252\377\305\342\255P\17\T\372", 80, ... ) == 0x0
 03304  1024   NtClose  (-2147481484, ... ) == 0x0
 03279  1024   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\333$\252\256\347\235Z\306\208B\344.\7k\2625\206\351^w\227\15CY\256.M\310\211\10j\360l\236 \307S\247\4\235\32\32\243M\21E$\225\366\362\337\202m\211\272?\251\207\24\312E\25\377Z\177\24 c\231\314"\311_\252\7:<>fMz~S\13\345\320\36~\373cOW\346e\7\352A*\323\20T\240K\334\1\274i\274\17~\246.\241\265\201\32.\251Dq'\264\341n\311\231\374V\31B\335,\304Tt\201\17\240\322\11\3307C\37v\275\237\240E\2417N\331uL\264\350\374\205V~\300z\261\370B\253\247f\335Y\247\243\499R\37B\16OE\337p\272\377\326\315\314\263\203\3\215\300S\33\366O\327\367\25\1-g\35\372\241\3303\353\335u\357\324\210;U\324\177,S\352\37\3475\211c\245N\217\242`\300O;\261\232\3$\314\17%sL\331?\242\3353!F\235\2301|", ) \311_\252\7:<>fMz~S\13\345\320\36~\373cOW\346e\7\352A*\323\20T\240K\334\1\274i\274\17~\246.\241\265\201\32.\251Dq'\264\341n\311\231\374V\31B\335,\304Tt\201\17\240\322\11\3307C\37v\275\237\240E\2417N\331uL\264\350\374\205V~\300z\261\370B\253\247f\335Y\247\243\499R\37B\16OE\337p\272\377\326\315\314\263\203\3\215\300S\33\366O\327\367\25\1-g\35\372\241\3303\353\335u\357\324\210;U\324\177,S\352\37\3475\211c\245N\217\242`\300O;\261\232\3$\314\17%sL\331?\242\3353!F\235\2301|", ) == 0x0
 03305  1024   NtDeviceIoControlFile  (356, 0, 0x0, 0x0, 0x390008,  (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \330\267\323\3311\366 (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 03306  1024   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 03307  1024   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 03308   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82178, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82178, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\4\0\0\344\4\0\08\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82182, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\4\0\0\344\4\0\08\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82182, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82178, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\4\0\0\344\4\0\08\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82182, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\4\0\0\344\4\0\08\10\0\0" )  ) == 0x0
 03309   896   NtResumeThread  (1160, ... 1, ) == 0x0
 03310   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 144769024, 1048576, ) == 0x0
 03311   896   NtAllocateVirtualMemory  (-1, 145809408, 0, 8192, 4096, 4, ... 145809408, 8192, ) == 0x0
 03312   896   NtProtectVirtualMemory  (-1, (0x8b0e000), 4096, 260, ... (0x8b0e000), 4096, 4, ) == 0x0
 03313   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03307  1024   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 03314  2104   NtTestAlert  (...
 03315  1024   NtQuerySystemInformation  (Performance, 312, ...
 03314  2104   NtTestAlert  ... ) == 0x0
 03315  1024   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 03316  2104   NtContinue  (144768304, 1, ...
 03317  1024   NtQuerySystemInformation  (Exception, 16, ...
 03318  2104   NtRegisterThreadTerminatePort  (24, ...
 03317  1024   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 03318  2104   NtRegisterThreadTerminatePort  ... ) == 0x0
 03319  1024   NtQuerySystemInformation  (Lookaside, 32, ...
 03313   896   NtCreateThread  ... 1164, {1252, 2108}, ) == 0x0
 03320  2104   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03321   896   NtQueryInformationThread  (1164, Basic, 28, ...
 03320  2104   NtDuplicateObject  ... 1168, ) == 0x0
 03321   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff39000,Pid=1252,Tid=2108,}, 0x0, ) == 0x0
 03322  2104   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03323   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82182, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82182, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\4\0\0\344\4\0\0<\10\0\0" ...  ...
 03322  2104   NtWaitForSingleObject  ... ) == 0x102
 03323   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82185, 0}  ... {28, 56, reply, 0, 1252, 896, 82185, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\4\0\0\344\4\0\0<\10\0\0" )  ) == 0x0
 03324  2104   NtWaitForSingleObject  (136, 0, 0x0, ...
 03319  1024   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 03325   896   NtResumeThread  (1164, ...
 03326  1024   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 03325   896   NtResumeThread  ... 1, ) == 0x0
 03326  1024   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 03327   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03328  1024   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 03327   896   NtAllocateVirtualMemory  ... 145817600, 1048576, ) == 0x0
 03328  1024   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 03329   896   NtAllocateVirtualMemory  (-1, 146857984, 0, 8192, 4096, 4, ...
 03330  1024   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 03329   896   NtAllocateVirtualMemory  ... 146857984, 8192, ) == 0x0
 03331  2108   NtTestAlert  (...
 03330  1024   NtCreateKey  ... -2147481484, 2, ) == 0x0
 03331  2108   NtTestAlert  ... ) == 0x0
 03332  1024   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\344\256\334\3771\16.\216D*\276\362\34\234d\74cC~\274\327p.h\311\0sL\214g\210\25\237\26l+\202\333rh\36E]\216\277" \245\375\31\177@i8\35\177\31\326\364\276\277\313;\35\271\274\303\177Db2\237\363a\353\214yk", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "\344\256\334\3771\16.\216D*\276\362\34\234d\74cC~\274\327p.h\311\0sL\214g\210\25\237\26l+\202\333rh\36E]\216\277" \245\375\31\177@i8\35\177\31\326\364\276\277\313;\35\271\274\303\177Db2\237\363a\353\214yk", 80, ...  \245\375\31\177@i8\35\177\31\326\364\276\277\313;\35\271\274\303\177Db2\237\363a\353\214yk", 80, ...
 03333  2108   NtContinue  (145816880, 1, ...
 03332  1024   NtSetValueKey  ... ) == 0x0
 03334  2108   NtRegisterThreadTerminatePort  (24, ...
 03335  1024   NtClose  (-2147481484, ...
 03334  2108   NtRegisterThreadTerminatePort  ... ) == 0x0
 03335  1024   NtClose  ... ) == 0x0
 03336   896   NtProtectVirtualMemory  (-1, (0x8c0e000), 4096, 260, ...
 03305  1024   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\261.\334Y\230\26e\202\373_\212\17\356\366g^1\335\335M\16+\212\366\10VY\357\374\257\262K\274\11\10\306p\341\310/\353:\306H$I\374\7\304i\216\357l\M\214\366z\32K\220,\2635\367\251\177\7\271\314\270z\211\216E,W\16\23\14\335\4?\7\363;\377\324\371\24217\250`+\222\2379\255\260\1)\261\33\222|0{\356\323\377$15\210\5\233\227q\231X\363\201\\254\200~\365\352\365\243\366\202=\222\364\244,\333\336nI\224\215"\361\341\247o\210\342\360\356\371\222r\206\372\3250!x\6X\372\337\230\240s\371M\265\15\246\252\255\10\332\212\217\262\365X\340+~\33\10\376\34\313k\232\374\4)\207\216&\2163;\31\26+\321\365\215\4\33O\244:c\325S\265n\307\1\210\2674\377\307\364j $h{\307\264\314mO\3447]5\332\321\237\340\247g-\20\224\0\332X\365\334\36\230", ) \361\341\247o\210\342\360\356\371\222r\206\372\3250!x\6X\372\337\230\240s\371M\265\15\246\252\255\10\332\212\217\262\365X\340+~\33\10\376\34\313k\232\374\4)\207\216&\2163;\31\26+\321\365\215\4\33O\244:c\325S\265n\307\1\210\2674\377\307\364j $h{\307\264\314mO\3447]5\332\321\237\340\247g-\20\224\0\332X\365\334\36\230", ) == 0x0
 03336   896   NtProtectVirtualMemory  ... (0x8c0e000), 4096, 4, ) == 0x0
 03337  2108   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03338   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03337  2108   NtDuplicateObject  ... 1172, ) == 0x0
 03338   896   NtCreateThread  ... 1176, {1252, 2124}, ) == 0x0
 03339  2108   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03340   896   NtQueryInformationThread  (1176, Basic, 28, ...
 03339  2108   NtWaitForSingleObject  ... ) == 0x102
 03340   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff38000,Pid=1252,Tid=2124,}, 0x0, ) == 0x0
 03341  2108   NtWaitForSingleObject  (136, 0, 0x0, ...
 03342  1024   NtDeviceIoControlFile  (356, 0, 0x0, 0x0, 0x390008,  (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \330\267\323\3311\366 (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \330\267\323\3311\366 (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 03343   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82185, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82185, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\4\0\0\344\4\0\0L\10\0\0" ...  ...
 03344  1024   NtQuerySystemInformation  (TimeOfDay, 48, ...
 03343   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82186, 0}  ... {28, 56, reply, 0, 1252, 896, 82186, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\4\0\0\344\4\0\0L\10\0\0" )  ) == 0x0
 03344  1024   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 03345   896   NtResumeThread  (1176, ...
 03346  1024   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 03345   896   NtResumeThread  ... 1, ) == 0x0
 03346  1024   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 03347   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03348  1024   NtQuerySystemInformation  (Performance, 312, ...
 03349  2124   NtTestAlert  (...
 03347   896   NtAllocateVirtualMemory  ... 146866176, 1048576, ) == 0x0
 03349  2124   NtTestAlert  ... ) == 0x0
 03350   896   NtAllocateVirtualMemory  (-1, 147906560, 0, 8192, 4096, 4, ...
 03351  2124   NtContinue  (146865456, 1, ...
 03350   896   NtAllocateVirtualMemory  ... 147906560, 8192, ) == 0x0
 03352  2124   NtRegisterThreadTerminatePort  (24, ...
 03353   896   NtProtectVirtualMemory  (-1, (0x8d0e000), 4096, 260, ...
 03352  2124   NtRegisterThreadTerminatePort  ... ) == 0x0
 03353   896   NtProtectVirtualMemory  ... (0x8d0e000), 4096, 4, ) == 0x0
 03348  1024   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 03354   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03355  1024   NtQuerySystemInformation  (Exception, 16, ...
 03356  2124   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03355  1024   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 03356  2124   NtDuplicateObject  ... 1180, ) == 0x0
 03357  1024   NtQuerySystemInformation  (Lookaside, 32, ...
 03358  2124   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03357  1024   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 03358  2124   NtWaitForSingleObject  ... ) == 0x102
 03359  1024   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 03360  2124   NtWaitForSingleObject  (136, 0, 0x0, ...
 03354   896   NtCreateThread  ... 1184, {1252, 2136}, ) == 0x0
 03359  1024   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 03361   896   NtQueryInformationThread  (1184, Basic, 28, ...
 03362  1024   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 03361   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff37000,Pid=1252,Tid=2136,}, 0x0, ) == 0x0
 03362  1024   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 03363  1024   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481484, 2, ) }, 0, 0x0, 0, ... -2147481484, 2, ) == 0x0
 03364  1024   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "sdU\354\2645\336>\342\332\273\220\300+\16\343\177\3079\216\312\364]\376\37\11#\345\23\236^\376\344\5U\255\225U\355\256Nj\356\365\35\227\343h\304\333'\213\271\345\310\250\344\272\276\343\302\367\353n\323\372\300\305\352]\253\357\221\265\356\272\316Jc\4", 80, ... ) , 0, 3,  (-2147481484, "Seed", 0, 3, "sdU\354\2645\336>\342\332\273\220\300+\16\343\177\3079\216\312\364]\376\37\11#\345\23\236^\376\344\5U\255\225U\355\256Nj\356\365\35\227\343h\304\333'\213\271\345\310\250\344\272\276\343\302\367\353n\323\372\300\305\352]\253\357\221\265\356\272\316Jc\4", 80, ... ) , 80, ... ) == 0x0
 03365  1024   NtClose  (-2147481484, ... ) == 0x0
 03342  1024   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\304zBP\304B\317\235\13\245\17\244{\300\246V\220]\177\31314\273l5\267t_\136\16\273\367\11\31\317\17(/\261\252\2400\7\260\340r \215\262}\244\17_\202\272\2468\307\344$7K\217Z\241\206>\235\303\320\245$\327\350\263\3\255\274\337n\217\27\344\241>Q\265\372\30\344\243\346H@\3718\356:A1\32\367\365D<\355\2656\325\226i\347\313\204Q\307f5%W\333l\311\355\355+_\323\215\246\177\3\314\354\231\307\204\356\356Y\353\223\352OW\270\333\11'Y\304y\24\364\13E~BI\343\367jAWV\27e\336\207'\227\202\321\326\3138v]\373r\363\264\210,^\264\242\325\274\2445P\327\344\300\4\37&\252F\227\332D\15\62n\10W'=\261\334g\305\320$=\341\20\366i\21\330\24\356\234>w\355\242D\267\276\243\365xMr3u]@\233\251\21\215(\343\345~\3102n\314", ) , ) == 0x0
 03366  1024   NtDeviceIoControlFile  (356, 0, 0x0, 0x0, 0x390008,  (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \330\267\323\3311\366 (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \330\267\323\3311\366 (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 03367  1024   NtQuerySystemInformation  (TimeOfDay, 48, ...
 03368   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82186, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82186, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\4\0\0\344\4\0\0X\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82187, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\4\0\0\344\4\0\0X\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82187, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82186, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\4\0\0\344\4\0\0X\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82187, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\4\0\0\344\4\0\0X\10\0\0" )  ) == 0x0
 03369   896   NtResumeThread  (1184, ... 1, ) == 0x0
 03370   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 147914752, 1048576, ) == 0x0
 03371   896   NtAllocateVirtualMemory  (-1, 148955136, 0, 8192, 4096, 4, ... 148955136, 8192, ) == 0x0
 03372   896   NtProtectVirtualMemory  (-1, (0x8e0e000), 4096, 260, ... (0x8e0e000), 4096, 4, ) == 0x0
 03373   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03367  1024   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 03374  2136   NtTestAlert  (...
 03375  1024   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 03374  2136   NtTestAlert  ... ) == 0x0
 03375  1024   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 03376  2136   NtContinue  (147914032, 1, ...
 03377  1024   NtQuerySystemInformation  (Performance, 312, ...
 03378  2136   NtRegisterThreadTerminatePort  (24, ...
 03377  1024   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 03378  2136   NtRegisterThreadTerminatePort  ... ) == 0x0
 03379  1024   NtQuerySystemInformation  (Exception, 16, ...
 03373   896   NtCreateThread  ... 1188, {1252, 2144}, ) == 0x0
 03380  2136   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03381   896   NtQueryInformationThread  (1188, Basic, 28, ...
 03380  2136   NtDuplicateObject  ... 1192, ) == 0x0
 03381   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff36000,Pid=1252,Tid=2144,}, 0x0, ) == 0x0
 03382  2136   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03383   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82187, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82187, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\4\0\0\344\4\0\0`\10\0\0" ...  ...
 03382  2136   NtWaitForSingleObject  ... ) == 0x102
 03383   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82188, 0}  ... {28, 56, reply, 0, 1252, 896, 82188, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\4\0\0\344\4\0\0`\10\0\0" )  ) == 0x0
 03384  2136   NtWaitForSingleObject  (136, 0, 0x0, ...
 03379  1024   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 03385   896   NtResumeThread  (1188, ...
 03386  1024   NtQuerySystemInformation  (Lookaside, 32, ...
 03385   896   NtResumeThread  ... 1, ) == 0x0
 03386  1024   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 03387   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03388  1024   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 03387   896   NtAllocateVirtualMemory  ... 148963328, 1048576, ) == 0x0
 03388  1024   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 03389   896   NtAllocateVirtualMemory  (-1, 150003712, 0, 8192, 4096, 4, ...
 03390  1024   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 03389   896   NtAllocateVirtualMemory  ... 150003712, 8192, ) == 0x0
 03391  2144   NtTestAlert  (...
 03390  1024   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 03391  2144   NtTestAlert  ... ) == 0x0
 03392  1024   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 03393  2144   NtContinue  (148962608, 1, ...
 03392  1024   NtCreateKey  ... -2147481484, 2, ) == 0x0
 03394  2144   NtRegisterThreadTerminatePort  (24, ...
 03395  1024   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "&\267\203\300r\13\7\245K\317\265\321$\207\260\234T\305\365\3213f\264\344\217\372\16\237\1u\37ge\200\32"-\2354\236a\357\364\321\16\303\32u>\323L\345f\331\25S\31tx\213b\200, 3,  (-2147481484, "Seed", 0, 3, "&\267\203\300r\13\7\245K\317\265\321$\207\260\234T\305\365\3213f\264\344\217\372\16\237\1u\37ge\200\32"-\2354\236a\357\364\321\16\303\32u>\323L\345f\331\25S\31tx\213b\202354\236a\357\364\321\16\303\32u>\323L\345f\331\25S\31tx\213b\20345%\231\332\227q/\243\17#@]\316\237a", 80, ...
 03394  2144   NtRegisterThreadTerminatePort  ... ) == 0x0
 03395  1024   NtSetValueKey  ... ) == 0x0
 03396   896   NtProtectVirtualMemory  (-1, (0x8f0e000), 4096, 260, ...
 03397  1024   NtClose  (-2147481484, ...
 03396   896   NtProtectVirtualMemory  ... (0x8f0e000), 4096, 4, ) == 0x0
 03398  2144   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03399   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03398  2144   NtDuplicateObject  ... 1196, ) == 0x0
 03399   896   NtCreateThread  ... 1200, {1252, 2160}, ) == 0x0
 03400  2144   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03401   896   NtQueryInformationThread  (1200, Basic, 28, ...
 03400  2144   NtWaitForSingleObject  ... ) == 0x102
 03401   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff35000,Pid=1252,Tid=2160,}, 0x0, ) == 0x0
 03402  2144   NtWaitForSingleObject  (136, 0, 0x0, ...
 03397  1024   NtClose  ... ) == 0x0
 03403   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82188, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82188, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\4\0\0\344\4\0\0p\10\0\0" ...  ...
 03366  1024   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\253'\204\310o/t\205;\10kYv\336\260;\245}\303\f\243\377\373X\375\23\215\363\334=\326\223\223\3\251m\366J\10\331\256h\373\225\303\343\340\2064\177\372\327\12tC\1\231\213\377\260\256}\330W\312\272\340^Y9\30\315B\320\213\235\341r\272\10\331\313\276\301\qe`\25\210\244z\313\310\12T\311\243\244 g\10\14\275a\250.|\33S\272\34\\312\255&\255dC\31T\7\215.\343`\20\334&\347\310\303}[\340-\265#\364s\201%\254\216\201\264\322d\371\300\375S\37'i\275\301\36\347Zn8C\375\237r%\3566\374\266K\356\201-\260\230Tq\347\327\250Q\202\371~Q\276Q\177\364\262\234\341\255`\26\12\3761\256!\271\27\240\353h#h\3272Is,]\324\364S\3021\252\241Y\255\227\32\276@\273\20>\243\7\211\177\354\21/\310^\242,\0\313k\213\21\377\373\264\203!\335H", ) , ) == 0x0
 03403   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82203, 0}  ... {28, 56, reply, 0, 1252, 896, 82203, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\4\0\0\344\4\0\0p\10\0\0" )  ) == 0x0
 03404  1024   NtDeviceIoControlFile  (356, 0, 0x0, 0x0, 0x390008,  (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \330\267\323\3311\366 (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \330\267\323\3311\366 (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \330\267\323\3311\366 (356, 0, 0x0, 0x0, 0x390008, "\366\304\226\211\243\254MY\230\177\347k\257\214\255\2741\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\323\3311\366"\330\267\2\336\373\367ns\6/\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 03405   896   NtResumeThread  (1200, ...
 03406  1024   NtQuerySystemInformation  (TimeOfDay, 48, ...
 03405   896   NtResumeThread  ... 1, ) == 0x0
 03406  1024   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 03407   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03408  1024   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 03409  2160   NtTestAlert  (...
 03407   896   NtAllocateVirtualMemory  ... 150011904, 1048576, ) == 0x0
 03409  2160   NtTestAlert  ... ) == 0x0
 03410   896   NtAllocateVirtualMemory  (-1, 151052288, 0, 8192, 4096, 4, ...
 03411  2160   NtContinue  (150011184, 1, ...
 03410   896   NtAllocateVirtualMemory  ... 151052288, 8192, ) == 0x0
 03412  2160   NtRegisterThreadTerminatePort  (24, ...
 03413   896   NtProtectVirtualMemory  (-1, (0x900e000), 4096, 260, ...
 03412  2160   NtRegisterThreadTerminatePort  ... ) == 0x0
 03413   896   NtProtectVirtualMemory  ... (0x900e000), 4096, 4, ) == 0x0
 03408  1024   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 03414   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03415  1024   NtQuerySystemInformation  (Performance, 312, ...
 03416  2160   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03415  1024   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 03416  2160   NtDuplicateObject  ... 1204, ) == 0x0
 03417  1024   NtQuerySystemInformation  (Exception, 16, ...
 03418  2160   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03417  1024   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 03418  2160   NtWaitForSingleObject  ... ) == 0x102
 03419  1024   NtQuerySystemInformation  (Lookaside, 32, ...
 03420  2160   NtWaitForSingleObject  (136, 0, 0x0, ...
 03414   896   NtCreateThread  ... 1208, {1252, 2172}, ) == 0x0
 03419  1024   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 03421   896   NtQueryInformationThread  (1208, Basic, 28, ...
 03422  1024   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 03421   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff34000,Pid=1252,Tid=2172,}, 0x0, ) == 0x0
 03422  1024   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 03423   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82203, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82203, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\4\0\0\344\4\0\0|\10\0\0" ...  ...
 03424  1024   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 03423   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82207, 0}  ... {28, 56, reply, 0, 1252, 896, 82207, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\4\0\0\344\4\0\0|\10\0\0" )  ) == 0x0
 03424  1024   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 03425  1024   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481484, 2, ) }, 0, 0x0, 0, ... -2147481484, 2, ) == 0x0
 03426  1024   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "4$\202\341\363\234\310\374\354;:OY\326*\266>V_%/S-\201OX)\270\300\324j\354/\13\223\354\251\306\364\3071+]\2102\252\220*\223\336\357\373\364\2i\317\267\336Ya\320\352, 80, ... ) , 0, 3,  (-2147481484, "Seed", 0, 3, "4$\202\341\363\234\310\374\354;:OY\326*\266>V_%/S-\201OX)\270\300\324j\354/\13\223\354\251\306\364\3071+]\2102\252\220*\223\336\357\373\364\2i\317\267\336Ya\320\352, 80, ... ) , 80, ... ) == 0x0
 03427  1024   NtClose  (-2147481484, ... ) == 0x0
 03404  1024   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\227x\211\314;\376\213\2438%\221^\216P_\305\324\360\201x)\360;\15\265\343\205\261\343\326\31\34,\15\366\202\371y\376)o\253"\311\321+\202DX\35\224_\251\276\317\273\321\4zD\367\252>eL\6j\216\351\217.@\233\310\27\274e\274\236\305\263\2656\334\317AqD\324G\6Ha\214\354\212s4\221\350%M\234Kg"\277\34[\2\230}O\2675\250\12\323\246A\365;\35\361o\234s\2267\302!<\221|{~\267\271\6\257\276\27Z\247B\17lGb@\234Lq\333\262\326-d\35\363\2\177\221K\207me\206bg\264.\241\323\303\25\253Dg\32\302\253\1\2656\341(W<\22\276x\324j)jM\201&\350\37\33\34a\11\7\326\226;\366S\340\363\251("\27\6\274RhC\17x\330\273\224\264\36\330\37\256\357U%\35\306>m\221-\350\317\3605{\36\245\216;j\241\310\366\354", ) \311\321+\202DX\35\224_\251\276\317\273\321\4zD\367\252>eL\6j\216\351\217.@\233\310\27\274e\274\236\305\263\2656\334\317AqD\324G\6Ha\214\354\212s4\221\350%M\234Kg ... {status=0x0, info=256}, "\227x\211\314;\376\213\2438%\221^\216P_\305\324\360\201x)\360;\15\265\343\205\261\343\326\31\34,\15\366\202\371y\376)o\253"\311\321+\202DX\35\224_\251\276\317\273\321\4zD\367\252>eL\6j\216\351\217.@\233\310\27\274e\274\236\305\263\2656\334\317AqD\324G\6Ha\214\354\212s4\221\350%M\234Kg"\277\34[\2\230}O\2675\250\12\323\246A\365;\35\361o\234s\2267\302!<\221|{~\267\271\6\257\276\27Z\247B\17lGb@\234Lq\333\262\326-d\35\363\2\177\221K\207me\206bg\264.\241\323\303\25\253Dg\32\302\253\1\2656\341(W<\22\276x\324j)jM\201&\350\37\33\34a\11\7\326\226;\366S\340\363\251("\27\6\274RhC\17x\330\273\224\264\36\330\37\256\357U%\35\306>m\221-\350\317\3605{\36\245\216;j\241\310\366\354", ) \27\6\274RhC\17x\330\273\224\264\36\330\37\256\357U%\35\306>m\221-\350\317\3605{\36\245\216;j\241\310\366\354", ) == 0x0
 03428   896   NtResumeThread  (1208, ... 1, ) == 0x0
 03429   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 151060480, 1048576, ) == 0x0
 03430   896   NtAllocateVirtualMemory  (-1, 152100864, 0, 8192, 4096, 4, ... 152100864, 8192, ) == 0x0
 03431   896   NtProtectVirtualMemory  (-1, (0x910e000), 4096, 260, ... (0x910e000), 4096, 4, ) == 0x0
 03432   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1212, {1252, 2180}, ) == 0x0
 03433   896   NtQueryInformationThread  (1212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff33000,Pid=1252,Tid=2180,}, 0x0, ) == 0x0
 03434  1024   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 03435  2172   NtTestAlert  (...
 03434  1024   NtCreateEvent  ... 1216, ) == 0x0
 03435  2172   NtTestAlert  ... ) == 0x0
 03436  1024   NtSetEventBoostPriority  (1136, ...
 03437  2172   NtContinue  (151059760, 1, ...
 03242  1708   NtWaitForSingleObject  ... ) == 0x0
 03436  1024   NtSetEventBoostPriority  ... ) == 0x0
 03438  1708   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ...
 03439  2172   NtRegisterThreadTerminatePort  (24, ...
 03438  1708   NtAllocateVirtualMemory  ... 1433600, 4096, ) == 0x0
 03440  1024   NtWaitForSingleObject  (160, 0, 0x0, ...
 03439  2172   NtRegisterThreadTerminatePort  ... ) == 0x0
 03441   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82207, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82207, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\4\0\0\344\4\0\0\204\10\0\0" ...  ...
 03442  1708   NtSetEventBoostPriority  (160, ...
 03441   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82208, 0}  ... {28, 56, reply, 0, 1252, 896, 82208, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\4\0\0\344\4\0\0\204\10\0\0" )  ) == 0x0
 03440  1024   NtWaitForSingleObject  ... ) == 0x0
 03442  1708   NtSetEventBoostPriority  ... ) == 0x0
 03443  1024   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12643692, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12643692, 188, ...
 03444   896   NtResumeThread  (1212, ...
 03445  1708   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ...
 03444   896   NtResumeThread  ... 1, ) == 0x0
 03445  1708   NtAllocateVirtualMemory  ... 1437696, 4096, ) == 0x0
 03446   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03447  1708   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 03448  2172   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03449  2180   NtTestAlert  (...
 03443  1024   NtConnectPort  ... 1220, 0x0, 0x0, 0x0, 188, ) == 0x0
 03447  1708   NtCreateEvent  ... 1224, ) == 0x0
 03448  2172   NtDuplicateObject  ... 1228, ) == 0x0
 03449  2180   NtTestAlert  ... ) == 0x0
 03450  1024   NtRequestWaitReplyPort  (1220, {200, 224, new_msg, 0, 1424008, 12, 2, 1310721}  (1220, {200, 224, new_msg, 0, 1424008, 12, 2, 1310721} "\0\4\24\0\274\0\0\0\324G\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\330\303\346?~\217?z`\347\25\0d\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0(\335\25\0\302G\270\236X\4\24\0X\347\25\0h\1\24\0\0\0\0\0\0\0\0\0X\347\25\0P\0\0\0`\347\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\300\0\372\31\221|\200\363\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 03446   896   NtAllocateVirtualMemory  ... 152109056, 1048576, ) == 0x0
 03451  2172   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03452  2180   NtContinue  (152108336, 1, ...
 03453   896   NtAllocateVirtualMemory  (-1, 153149440, 0, 8192, 4096, 4, ...
 03451  2172   NtWaitForSingleObject  ... ) == 0x102
 03450  1024   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 1024, 82210, 0}  ... {200, 224, reply, 0, 1252, 1024, 82210, 0} "\7\4\24\0\274\0\0\0\324G\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\330\303\346?~\217?z`\347\25\0d\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0(\335\25\0\302G\270\236X\4\24\0X\347\25\0h\1\24\0\0\0\0\0\0\0\0\0X\347\25\0P\0\0\0`\347\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\300\0\372\31\221|\200\363\300\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 03454  2180   NtRegisterThreadTerminatePort  (24, ...
 03453   896   NtAllocateVirtualMemory  ... 153149440, 8192, ) == 0x0
 03455  2172   NtWaitForSingleObject  (136, 0, 0x0, ...
 03456  1024   NtRequestWaitReplyPort  (1220, {44, 68, new_msg, 0, 1252, 1024, 82072, 0}  (1220, {44, 68, new_msg, 0, 1252, 1024, 82072, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ...  ...
 03454  2180   NtRegisterThreadTerminatePort  ... ) == 0x0
 03457   896   NtProtectVirtualMemory  (-1, (0x920e000), 4096, 260, ...
 03458  1708   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11596408, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11596408, 188, ...
 03457   896   NtProtectVirtualMemory  ... (0x920e000), 4096, 4, ) == 0x0
 03459   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03458  1708   NtConnectPort  ... 1232, 0x0, 0x0, 0x0, 188, ) == 0x0
 03460  2180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03456  1024   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 1024, 82211, 0}  ... {40, 64, reply, 0, 1252, 1024, 82211, 0} "\2\356Q\200\4\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\320\1\0\0X-\12\0" )  ) == 0x0
 03461  1708   NtRequestWaitReplyPort  (1232, {200, 224, new_msg, 0, 2883626, 1364720, 12, 2}  (1232, {200, 224, new_msg, 0, 2883626, 1364720, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0PE\24\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\23\3\347~\313Y\3667@\366\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\30\366\25\0O\311\247\350x\1\24\08\366\25\0h\1\24\0\0\0\0\0\0\0\0\08\366\25\0P\0\0\0@\366\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\260\0\372\31\221|\214\370\260\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...  ...
 03460  2180   NtDuplicateObject  ... 1236, ) == 0x0
 03462  1024   NtRequestWaitReplyPort  (1220, {64, 88, new_msg, 56, 1375312, 12644204, 12644304, 0}  (1220, {64, 88, new_msg, 56, 1375312, 12644204, 12644304, 0} "\10\357\300\0@\0\24\0\346\277\347w\320\357\300\0l\357\300\0\20\0\0\0\250.\362v\304\374\24\0\1\0\0\0\360\366\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\210\363\24\0" ...  ...
 03463  2180   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03461  1708   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 1708, 82215, 0}  ... {200, 224, reply, 0, 1252, 1708, 82215, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0PE\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\23\3\347~\313Y\3667@\366\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\30\366\25\0O\311\247\350x\1\24\08\366\25\0h\1\24\0\0\0\0\0\0\0\0\08\366\25\0P\0\0\0@\366\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\260\0\372\31\221|\214\370\260\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 03463  2180   NtWaitForSingleObject  ... ) == 0x102
 03462  1024   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 1024, 82216, 0}  ... {64, 88, reply, 56, 1252, 1024, 82216, 0} "\10\357\300\0@\0\24\0\346\277\347w\320\357\300\0l\357\300\0\20\0\0\0\250.\362v\304\374\24\0\1\0\0\0\360\366\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\210\363\24\0" )  ) == 0x0
 03459   896   NtCreateThread  ... 1240, {1252, 2192}, ) == 0x0
 03464  2180   NtWaitForSingleObject  (136, 0, 0x0, ...
 03465  1024   NtClose  (1216, ...
 03466   896   NtQueryInformationThread  (1240, Basic, 28, ...
 03467  1708   NtRequestWaitReplyPort  (1232, {44, 68, new_msg, 56, 0, 0, 0, 0}  (1232, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\10\375\25\0\322\0\0\0" ...  ...
 03465  1024   NtClose  ... ) == 0x0
 03466   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff32000,Pid=1252,Tid=2192,}, 0x0, ) == 0x0
 03467  1708   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 1708, 82217, 0}  ... {40, 64, reply, 0, 1252, 1708, 82217, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\323\1\0\0\350\370\14\0" )  ) == 0x0
 03468   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82208, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82208, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\4\0\0\344\4\0\0\220\10\0\0" ...  ...
 03469  1708   NtRequestWaitReplyPort  (1232, {64, 88, new_msg, 56, 1310720, 11596276, 1441024, 0}  (1232, {64, 88, new_msg, 56, 1310720, 11596276, 1441024, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\350\375\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 03468   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82219, 0}  ... {28, 56, reply, 0, 1252, 896, 82219, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\4\0\0\344\4\0\0\220\10\0\0" )  ) == 0x0
 03469  1708   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 1708, 82220, 0}  ... {64, 88, reply, 56, 1252, 1708, 82220, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\350\375\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 03470  1024   NtClose  (1220, ...
 03471   896   NtResumeThread  (1240, ...
 03470  1024   NtClose  ... ) == 0x0
 03471   896   NtResumeThread  ... 1, ) == 0x0
 03472  1024   NtCreateKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 03473   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03472  1024   NtCreateKey  ... 1220, 2, ) == 0x0
 03473   896   NtAllocateVirtualMemory  ... 153157632, 1048576, ) == 0x0
 03474  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 03475   896   NtAllocateVirtualMemory  (-1, 154198016, 0, 8192, 4096, 4, ...
 03474  1024   NtOpenKey  ... 1216, ) == 0x0
 03475   896   NtAllocateVirtualMemory  ... 154198016, 8192, ) == 0x0
 03476  1708   NtAllocateVirtualMemory  (-1, 1441792, 0, 4096, 4096, 4, ...
 03477  2192   NtTestAlert  (...
 03478  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 03476  1708   NtAllocateVirtualMemory  ... 1441792, 4096, ) == 0x0
 03477  2192   NtTestAlert  ... ) == 0x0
 03478  1024   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03479  1708   NtRequestWaitReplyPort  (1232, {44, 68, new_msg, 56, 1252, 1708, 82217, 0}  (1232, {44, 68, new_msg, 56, 1252, 1708, 82217, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\10\375\25\0\322\0\0\0" ...  ...
 03480  2192   NtContinue  (153156912, 1, ...
 03481  1024   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ...
 03482  2192   NtRegisterThreadTerminatePort  (24, ...
 03481  1024   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03479  1708   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 1708, 82224, 0}  ... {40, 64, reply, 0, 1252, 1708, 82224, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" )  ) == 0x0
 03482  2192   NtRegisterThreadTerminatePort  ... ) == 0x0
 03483  1024   NtQueryValueKey  (1220,  (1220, "Domain", Partial, 144, ... , Partial, 144, ...
 03484  1708   NtRequestWaitReplyPort  (1232, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0}  (1232, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\310\11\26\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 03485   896   NtProtectVirtualMemory  (-1, (0x930e000), 4096, 260, ...
 03483  1024   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03486  2192   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03485   896   NtProtectVirtualMemory  ... (0x930e000), 4096, 4, ) == 0x0
 03484  1708   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 1708, 82225, 0}  ... {64, 88, reply, 56, 1252, 1708, 82225, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0\310\11\26\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 03486  2192   NtDuplicateObject  ... 1244, ) == 0x0
 03487   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03488  1708   NtRequestWaitReplyPort  (1232, {44, 68, new_msg, 56, 1252, 1708, 82224, 0}  (1232, {44, 68, new_msg, 56, 1252, 1708, 82224, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\10\375\25\0\322\0\0\0" ...  ...
 03489  2192   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03487   896   NtCreateThread  ... 1248, {1252, 2208}, ) == 0x0
 03489  2192   NtWaitForSingleObject  ... ) == 0x102
 03490   896   NtQueryInformationThread  (1248, Basic, 28, ...
 03488  1708   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 1252, 1708, 82226, 0}  ... {40, 64, reply, 0, 1252, 1708, 82226, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" )  ) == 0x0
 03491  2192   NtWaitForSingleObject  (136, 0, 0x0, ...
 03490   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff31000,Pid=1252,Tid=2208,}, 0x0, ) == 0x0
 03492  1708   NtRequestWaitReplyPort  (1232, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0}  (1232, {64, 88, new_msg, 56, 1310720, 11596276, 11597020, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0p\14\26\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 03493  1024   NtQueryValueKey  (1220,  (1220, "Domain", Partial, 144, ... , Partial, 144, ...
 03494   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82219, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82219, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\4\0\0\344\4\0\0\240\10\0\0" ...  ...
 03493  1024   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03494   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82227, 0}  ... {28, 56, reply, 0, 1252, 896, 82227, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\4\0\0\344\4\0\0\240\10\0\0" )  ) == 0x0
 03495  1024   NtClose  (1220, ...
 03496   896   NtResumeThread  (1248, ...
 03495  1024   NtClose  ... ) == 0x0
 03496   896   NtResumeThread  ... 1, ) == 0x0
 03497  1024   NtClose  (1216, ...
 03498   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03497  1024   NtClose  ... ) == 0x0
 03492  1708   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 1252, 1708, 82228, 0}  ... {64, 88, reply, 56, 1252, 1708, 82228, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\260\0\351\201\347w\214\370\260\0\30\356\220|p\5\221|\1\0\0\0p\14\26\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 03499  2208   NtTestAlert  (...
 03498   896   NtAllocateVirtualMemory  ... 154206208, 1048576, ) == 0x0
 03500  1708   NtClose  (1224, ...
 03499  2208   NtTestAlert  ... ) == 0x0
 03501   896   NtAllocateVirtualMemory  (-1, 155246592, 0, 8192, 4096, 4, ...
 03500  1708   NtClose  ... ) == 0x0
 03502  2208   NtContinue  (154205488, 1, ...
 03501   896   NtAllocateVirtualMemory  ... 155246592, 8192, ) == 0x0
 03503  1708   NtClose  (1232, ...
 03504  2208   NtRegisterThreadTerminatePort  (24, ...
 03505   896   NtProtectVirtualMemory  (-1, (0x940e000), 4096, 260, ...
 03503  1708   NtClose  ... ) == 0x0
 03504  2208   NtRegisterThreadTerminatePort  ... ) == 0x0
 03505   896   NtProtectVirtualMemory  ... (0x940e000), 4096, 4, ) == 0x0
 03506  1024   NtOpenKey  (0x1, {24, 36, 0x40, 0, 0,  (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 03507  1708   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 03508   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03506  1024   NtOpenKey  ... 1232, ) == 0x0
 03507  1708   NtCreateEvent  ... 1224, ) == 0x0
 03509  2208   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03510  1024   NtQueryValueKey  (1232,  (1232, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 03511  1708   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ...
 03509  2208   NtDuplicateObject  ... 1216, ) == 0x0
 03510  1024   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03511  1708   NtOpenKey  ... 1220, ) == 0x0
 03512  2208   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03513  1024   NtClose  (1232, ...
 03514  1708   NtOpenKey  (0x20019, {24, 1220, 0x40, 0, 0,  (0x20019, {24, 1220, 0x40, 0, 0, "ActiveComputerName"}, ... }, ...
 03512  2208   NtWaitForSingleObject  ... ) == 0x102
 03513  1024   NtClose  ... ) == 0x0
 03514  1708   NtOpenKey  ... 1232, ) == 0x0
 03515  2208   NtWaitForSingleObject  (136, 0, 0x0, ...
 03508   896   NtCreateThread  ... 1252, {1252, 2220}, ) == 0x0
 03516  1024   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12643280, ... }, 12643280, ...
 03517  1708   NtQueryValueKey  (1232,  (1232, "ComputerName", Full, 108, ... , Full, 108, ...
 03518   896   NtQueryInformationThread  (1252, Basic, 28, ...
 03516  1024   NtQueryAttributesFile  ... ) == 0x0
 03517  1708   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 03518   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff30000,Pid=1252,Tid=2220,}, 0x0, ) == 0x0
 03519  1024   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 03520  1708   NtClose  (1232, ...
 03521   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82227, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82227, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\4\0\0\344\4\0\0\254\10\0\0" ...  ...
 03519  1024   NtOpenFile  ... 1256, {status=0x0, info=1}, ) == 0x0
 03520  1708   NtClose  ... ) == 0x0
 03521   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82230, 0}  ... {28, 56, reply, 0, 1252, 896, 82230, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\4\0\0\344\4\0\0\254\10\0\0" )  ) == 0x0
 03522  1024   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 1256, ...
 03523  1708   NtClose  (1220, ...
 03522  1024   NtCreateSection  ... 1232, ) == 0x0
 03523  1708   NtClose  ... ) == 0x0
 03524   896   NtResumeThread  (1252, ...
 03525  1024   NtClose  (1256, ...
 03524   896   NtResumeThread  ... 1, ) == 0x0
 03525  1024   NtClose  ... ) == 0x0
 03526   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03527  1024   NtMapViewOfSection  (1232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 03526   896   NtAllocateVirtualMemory  ... 155254784, 1048576, ) == 0x0
 03527  1024   NtMapViewOfSection  ... (0x360000), 0x0, 20480, ) == 0x0
 03528   896   NtAllocateVirtualMemory  (-1, 156295168, 0, 8192, 4096, 4, ...
 03529  1024   NtClose  (1232, ...
 03528   896   NtAllocateVirtualMemory  ... 156295168, 8192, ) == 0x0
 03529  1024   NtClose  ... ) == 0x0
 03530  1708   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ...
 03531  2220   NtWaitForSingleObject  (88, 0, 0x0, ...
 03532   896   NtProtectVirtualMemory  (-1, (0x950e000), 4096, 260, ...
 03530  1708   NtCreateIoCompletion  ... 1232, ) == 0x0
 03532   896   NtProtectVirtualMemory  ... (0x950e000), 4096, 4, ) == 0x0
 03533  1708   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ...
 03534   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03533  1708   NtCreateIoCompletion  ... 1256, ) == 0x0
 03534   896   NtCreateThread  ... 1220, {1252, 2236}, ) == 0x0
 03535  1708   NtDuplicateObject  (-1, 1232, -1, 0x0, 0, 2, ...
 03536   896   NtQueryInformationThread  (1220, Basic, 28, ...
 03535  1708   NtDuplicateObject  ... 1260, ) == 0x0
 03536   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff2f000,Pid=1252,Tid=2236,}, 0x0, ) == 0x0
 03537  1024   NtUnmapViewOfSection  (-1, 0x360000, ...
 03538  1708   NtOpenThreadToken  (-2, 0xc, 1, ...
 03537  1024   NtUnmapViewOfSection  ... ) == 0x0
 03538  1708   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 03539  1024   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12643588, ... }, 12643588, ...
 03540  1708   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 1264, ) == 0x0
 03541  1708   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03542  1708   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03543  1708   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11595968,  (0xc0100080, {24, 0, 0x40, 0, 11595968, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 1268, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 1268, {status=0x0, info=1}, ) == 0x0
 03544  1708   NtSetInformationFile  (1268, 11596024, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03545   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82230, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82230, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\4\0\0\344\4\0\0\274\10\0\0" ...  ...
 03539  1024   NtQueryAttributesFile  ... ) == 0x0
 03545   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82231, 0}  ... {28, 56, reply, 0, 1252, 896, 82231, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\4\0\0\344\4\0\0\274\10\0\0" )  ) == 0x0
 03546  1024   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 03547   896   NtResumeThread  (1220, ...
 03546  1024   NtOpenFile  ... 1272, {status=0x0, info=1}, ) == 0x0
 03547   896   NtResumeThread  ... 1, ) == 0x0
 03548  1024   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 1272, ...
 03549   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03548  1024   NtCreateSection  ... 1276, ) == 0x0
 03550  1708   NtSetInformationFile  (1268, 11596012, 8, Completion, ...
 03551  2236   NtWaitForSingleObject  (88, 0, 0x0, ...
 03552  1024   NtQuerySection  (1276, Image, 48, ...
 03550  1708   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 03549   896   NtAllocateVirtualMemory  ... 156303360, 1048576, ) == 0x0
 03553  1708   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 03554   896   NtAllocateVirtualMemory  (-1, 157343744, 0, 8192, 4096, 4, ...
 03553  1708   NtSetInformationThread  ... ) == 0x0
 03554   896   NtAllocateVirtualMemory  ... 157343744, 8192, ) == 0x0
 03555  1708   NtWriteFile  (1268, 261, 0, 0,  (1268, 261, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 03556   896   NtProtectVirtualMemory  (-1, (0x960e000), 4096, 260, ...
 03555  1708   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 03556   896   NtProtectVirtualMemory  ... (0x960e000), 4096, 4, ) == 0x0
 03552  1024   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03557   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03558  1024   NtClose  (1272, ...
 03559  1708   NtReadFile  (1268, 261, 0, 0, 1024, {0, 0}, 0, ...
 03558  1024   NtClose  ... ) == 0x0
 03559  1708   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20|+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03560  1024   NtMapViewOfSection  (1276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 03561  1708   NtFsControlFile  (1268, 261, 0x0, 0x0, 0x11c017,  (1268, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\260\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ...
 03560  1024   NtMapViewOfSection  ... (0x76fb0000), 0x0, 32768, ) == 0x0
 03561  1708   NtFsControlFile  ... {status=0x103, info=68},  ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20|+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03562  1024   NtClose  (1276, ...
 03563  1708   NtFsControlFile  (1268, 261, 0x0, 0x0, 0x11c017,  (1268, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231\1\0\0\0\1\0\0\0&\0(\0\0\17\26\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ...
 03557   896   NtCreateThread  ... 1272, {1252, 2244}, ) == 0x0
 03563  1708   NtFsControlFile  ... {status=0x103, info=48},  ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231\0\0\0\0", ) , ) == 0x103
 03564   896   NtQueryInformationThread  (1272, Basic, 28, ...
 03562  1024   NtClose  ... ) == 0x0
 03564   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff2e000,Pid=1252,Tid=2244,}, 0x0, ) == 0x0
 03565  1024   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 03566   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82231, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82231, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\4\0\0\344\4\0\0\304\10\0\0" ...  ...
 03565  1024   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 03566   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82232, 0}  ... {28, 56, reply, 0, 1252, 896, 82232, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\4\0\0\344\4\0\0\304\10\0\0" )  ) == 0x0
 03567  1024   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 03568  1708   NtFsControlFile  (1268, 261, 0x0, 0x0, 0x11c017,  (1268, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231", 44, 1024, ... , 44, 1024, ...
 03567  1024   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 03568  1708   NtFsControlFile  ... {status=0x103, info=156},  ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0@\1\26\0\1\0\0\0L\1\26\0 \0\0\0\1\0\0\0\30\0\32\0X\1\26\0t\1\26\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\250\1\26\0\1\0\0\0\5\0\15\0\270\1\26\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 03569  1024   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 03570  1708   NtClose  (1264, ...
 03571   896   NtResumeThread  (1272, ...
 03570  1708   NtClose  ... ) == 0x0
 03571   896   NtResumeThread  ... 1, ) == 0x0
 03572  1708   NtClose  (1268, ...
 03573   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03572  1708   NtClose  ... ) == 0x0
 03573   896   NtAllocateVirtualMemory  ... 157351936, 1048576, ) == 0x0
 03569  1024   NtFlushInstructionCache  ... ) == 0x0
 03574  2244   NtWaitForSingleObject  (88, 0, 0x0, ...
 03575   896   NtAllocateVirtualMemory  (-1, 158392320, 0, 8192, 4096, 4, ...
 03576  1024   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 03575   896   NtAllocateVirtualMemory  ... 158392320, 8192, ) == 0x0
 03576  1024   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 03577  1708   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1424008, 0x0, 11597892, 188, ... , {12, 2, 1, 1}, 0x0, 1424008, 0x0, 11597892, 188, ...
 03578  1024   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 03577  1708   NtSecureConnectPort  ... 1268, 0x0, 0x0, 0x0, 188, ) == 0x0
 03578  1024   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 03579  1708   NtOpenThreadToken  (-2, 0xc, 1, ...
 03580  1024   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 03579  1708   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 03581   896   NtProtectVirtualMemory  (-1, (0x970e000), 4096, 260, ...
 03582  1708   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 03581   896   NtProtectVirtualMemory  ... (0x970e000), 4096, 4, ) == 0x0
 03580  1024   NtFlushInstructionCache  ... ) == 0x0
 03583   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03584  1024   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ...
 03583   896   NtCreateThread  ... 1264, {1252, 2256}, ) == 0x0
 03584  1024   NtOpenSection  ... 1276, ) == 0x0
 03585   896   NtQueryInformationThread  (1264, Basic, 28, ...
 03586  1024   NtMapViewOfSection  (1276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 03585   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff2d000,Pid=1252,Tid=2256,}, 0x0, ) == 0x0
 03586  1024   NtMapViewOfSection  ... (0x76f60000), 0x0, 180224, ) == 0x0
 03582  1708   NtSetInformationThread  ... ) == 0x0
 03587  1024   NtClose  (1276, ...
 03588  1708   NtRequestWaitReplyPort  (1268, {200, 224, new_msg, 0, 1364720, 12, 2, 1310977}  (1268, {200, 224, new_msg, 0, 1364720, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\334\0\355`a\360\21;Z\236\205\2\34\337\254k\12\0\0\0\300\233\34"`jco\0\0\0\0\320\372\25\0\371\215\237\306f\4\331\337(\0\0\0\257\264\0D\0\0\24\0\240\366\260\07\363K\206\0\0\0\0@\366\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... `jco\0\0\0\0\320\372\25\0\371\215\237\306f\4\331\337(\0\0\0\257\264\0D\0\0\24\0\240\366\260\07\363K\206\0\0\0\0@\366\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...
 03589   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82232, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82232, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\4\0\0\344\4\0\0\320\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82235, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\4\0\0\344\4\0\0\320\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82235, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82232, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\4\0\0\344\4\0\0\320\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82235, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\4\0\0\344\4\0\0\320\10\0\0" )  ) == 0x0
 03590   896   NtResumeThread  (1264, ... 1, ) == 0x0
 03591   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03588  1708   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 1252, 1708, 82234, 0}  ... {200, 224, reply, 0, 1252, 1708, 82234, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\334\0\355`a\360\21;Z\236\205\2\34\337\254k\12\0\0\0\300\233\34"`jco\0\0\0\0\320\372\25\0\371\215\237\306f\4\331\337(\0\0\0\257\264\0D\0\0\24\0\240\366\260\07\363K\206\0\0\0\0@\366\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) `jco\0\0\0\0\320\372\25\0\371\215\237\306f\4\331\337(\0\0\0\257\264\0D\0\0\24\0\240\366\260\07\363K\206\0\0\0\0@\366\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\260\0\372\31\221|X\376\260\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) == 0x0
 03587  1024   NtClose  ... ) == 0x0
 03592  2256   NtWaitForSingleObject  (88, 0, 0x0, ...
 03593  1708   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 03594  1024   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ...
 03593  1708   NtSetInformationThread  ... ) == 0x0
 03594  1024   NtProtectVirtualMemory  ... (0x76f61000), 4096, 32, ) == 0x0
 03591   896   NtAllocateVirtualMemory  ... 158400512, 1048576, ) == 0x0
 03595  1024   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ...
 03596   896   NtAllocateVirtualMemory  (-1, 159440896, 0, 8192, 4096, 4, ...
 03595  1024   NtProtectVirtualMemory  ... (0x76f61000), 4096, 4, ) == 0x0
 03596   896   NtAllocateVirtualMemory  ... 159440896, 8192, ) == 0x0
 03597  1024   NtFlushInstructionCache  (-1, 1995837440, 228, ...
 03598   896   NtProtectVirtualMemory  (-1, (0x980e000), 4096, 260, ...
 03599  1708   NtRequestWaitReplyPort  (1268, {56, 80, new_msg, 0, 44, 3, 20, 0}  (1268, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0C\213\241L\276\303\213\220\2204\7\231\1\0\0\0\0\0\0\0&\0(\0@\4\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 03598   896   NtProtectVirtualMemory  ... (0x980e000), 4096, 4, ) == 0x0
 03600   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03597  1024   NtFlushInstructionCache  ... ) == 0x0
 03601  1024   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 03602  1024   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 03603  1024   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 03604  1024   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 03605  1024   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 03606  1024   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 03600   896   NtCreateThread  ... 1276, {1252, 2260}, ) == 0x0
 03607   896   NtQueryInformationThread  (1276, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2c000,Pid=1252,Tid=2260,}, 0x0, ) == 0x0
 03608   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82235, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82235, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\4\0\0\344\4\0\0\324\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82237, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\4\0\0\344\4\0\0\324\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82237, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82235, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\4\0\0\344\4\0\0\324\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82237, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\4\0\0\344\4\0\0\324\10\0\0" )  ) == 0x0
 03609   896   NtResumeThread  (1276, ... 1, ) == 0x0
 03610   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 159449088, 1048576, ) == 0x0
 03611   896   NtAllocateVirtualMemory  (-1, 160489472, 0, 8192, 4096, 4, ... 160489472, 8192, ) == 0x0
 03606  1024   NtFlushInstructionCache  ... ) == 0x0
 03612  2260   NtWaitForSingleObject  (88, 0, 0x0, ...
 03613  1024   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03614  1024   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 1280, ) == 0x0
 03615  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 1284, ) }, ... 1284, ) == 0x0
 03616  1024   NtQueryValueKey  (1284,  (1284, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (1284, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03617  1024   NtClose  (1284, ... ) == 0x0
 03618  1024   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... }, ...
 03619   896   NtProtectVirtualMemory  (-1, (0x990e000), 4096, 260, ... (0x990e000), 4096, 4, ) == 0x0
 03620   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1284, {1252, 2264}, ) == 0x0
 03621   896   NtQueryInformationThread  (1284, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2b000,Pid=1252,Tid=2264,}, 0x0, ) == 0x0
 03622   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82237, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82237, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\5\0\0\344\4\0\0\330\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82238, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\5\0\0\344\4\0\0\330\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82238, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82237, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\5\0\0\344\4\0\0\330\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82238, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\5\0\0\344\4\0\0\330\10\0\0" )  ) == 0x0
 03623   896   NtResumeThread  (1284, ... 1, ) == 0x0
 03624   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03618  1024   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03625  2264   NtWaitForSingleObject  (88, 0, 0x0, ...
 03626  1024   NtAllocateVirtualMemory  (-1, 3641344, 0, 4096, 4096, 4, ... 3641344, 4096, ) == 0x0
 03627  1024   NtQueryPerformanceCounter  (... {-1443426505, 16}, {3579545, 0}, ) == 0x0
 03628  1024   NtSetEventBoostPriority  (88, ...
 03531  2220   NtWaitForSingleObject  ... ) == 0x0
 03629  2220   NtSetEventBoostPriority  (88, ...
 03551  2236   NtWaitForSingleObject  ... ) == 0x0
 03630  2236   NtSetEventBoostPriority  (88, ...
 03574  2244   NtWaitForSingleObject  ... ) == 0x0
 03631  2244   NtSetEventBoostPriority  (88, ...
 03592  2256   NtWaitForSingleObject  ... ) == 0x0
 03632  2256   NtSetEventBoostPriority  (88, ...
 03612  2260   NtWaitForSingleObject  ... ) == 0x0
 03633  2260   NtSetEventBoostPriority  (88, ...
 03625  2264   NtWaitForSingleObject  ... ) == 0x0
 03634  2264   NtTestAlert  (... ) == 0x0
 03633  2260   NtSetEventBoostPriority  ... ) == 0x0
 03632  2256   NtSetEventBoostPriority  ... ) == 0x0
 03631  2244   NtSetEventBoostPriority  ... ) == 0x0
 03630  2236   NtSetEventBoostPriority  ... ) == 0x0
 03629  2220   NtSetEventBoostPriority  ... ) == 0x0
 03628  1024   NtSetEventBoostPriority  ... ) == 0x0
 03624   896   NtAllocateVirtualMemory  ... 160497664, 1048576, ) == 0x0
 03635  2264   NtContinue  (160496944, 1, ...
 03636  2260   NtTestAlert  (...
 03637  2256   NtTestAlert  (...
 03638  2244   NtTestAlert  (...
 03639  2236   NtTestAlert  (...
 03640  1024   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12643280, ... }, 12643280, ...
 03641   896   NtAllocateVirtualMemory  (-1, 161538048, 0, 8192, 4096, 4, ...
 03642  2264   NtRegisterThreadTerminatePort  (24, ...
 03636  2260   NtTestAlert  ... ) == 0x0
 03637  2256   NtTestAlert  ... ) == 0x0
 03638  2244   NtTestAlert  ... ) == 0x0
 03639  2236   NtTestAlert  ... ) == 0x0
 03640  1024   NtQueryAttributesFile  ... ) == 0x0
 03641   896   NtAllocateVirtualMemory  ... 161538048, 8192, ) == 0x0
 03642  2264   NtRegisterThreadTerminatePort  ... ) == 0x0
 03643  2260   NtContinue  (159448368, 1, ...
 03644  2256   NtContinue  (158399792, 1, ...
 03645  2244   NtContinue  (157351216, 1, ...
 03646  2236   NtContinue  (156302640, 1, ...
 03647  1024   NtQuerySystemInformation  (Basic, 44, ...
 03648   896   NtProtectVirtualMemory  (-1, (0x9a0e000), 4096, 260, ...
 03649  2264   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03650  2260   NtRegisterThreadTerminatePort  (24, ...
 03651  2256   NtRegisterThreadTerminatePort  (24, ...
 03652  2244   NtRegisterThreadTerminatePort  (24, ...
 03653  2236   NtRegisterThreadTerminatePort  (24, ...
 03647  1024   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 03648   896   NtProtectVirtualMemory  ... (0x9a0e000), 4096, 4, ) == 0x0
 03649  2264   NtDuplicateObject  ... 1288, ) == 0x0
 03650  2260   NtRegisterThreadTerminatePort  ... ) == 0x0
 03651  2256   NtRegisterThreadTerminatePort  ... ) == 0x0
 03652  2244   NtRegisterThreadTerminatePort  ... ) == 0x0
 03653  2236   NtRegisterThreadTerminatePort  ... ) == 0x0
 03654  1024   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ...
 03655   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03656  2264   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03657  2260   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03658  2256   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03659  2244   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03660  2236   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03661  2220   NtTestAlert  (...
 03654  1024   NtAllocateVirtualMemory  ... 3538944, 65536, ) == 0x0
 03655   896   NtCreateThread  ... 1292, {1252, 2272}, ) == 0x0
 03656  2264   NtWaitForSingleObject  ... ) == 0x102
 03657  2260   NtDuplicateObject  ... 1296, ) == 0x0
 03658  2256   NtDuplicateObject  ... 1300, ) == 0x0
 03659  2244   NtDuplicateObject  ... 1304, ) == 0x0
 03661  2220   NtTestAlert  ... ) == 0x0
 03662  1024   NtAllocateVirtualMemory  (-1, 3538944, 0, 4096, 4096, 4, ...
 03663   896   NtQueryInformationThread  (1292, Basic, 28, ...
 03664  2264   NtWaitForSingleObject  (136, 0, 0x0, ...
 03665  2260   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03666  2256   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03667  2244   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03668  2220   NtContinue  (155254064, 1, ...
 03662  1024   NtAllocateVirtualMemory  ... 3538944, 4096, ) == 0x0
 03663   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff2a000,Pid=1252,Tid=2272,}, 0x0, ) == 0x0
 03665  2260   NtWaitForSingleObject  ... ) == 0x102
 03666  2256   NtWaitForSingleObject  ... ) == 0x102
 03667  2244   NtWaitForSingleObject  ... ) == 0x102
 03669  2220   NtRegisterThreadTerminatePort  (24, ...
 03670  1024   NtAllocateVirtualMemory  (-1, 3543040, 0, 8192, 4096, 4, ...
 03671   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82238, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82238, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\5\0\0\344\4\0\0\340\10\0\0" ...  ...
 03672  2260   NtWaitForSingleObject  (136, 0, 0x0, ...
 03673  2256   NtWaitForSingleObject  (136, 0, 0x0, ...
 03674  2244   NtWaitForSingleObject  (136, 0, 0x0, ...
 03669  2220   NtRegisterThreadTerminatePort  ... ) == 0x0
 03670  1024   NtAllocateVirtualMemory  ... 3543040, 8192, ) == 0x0
 03671   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82239, 0}  ... {28, 56, reply, 0, 1252, 896, 82239, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\5\0\0\344\4\0\0\340\10\0\0" )  ) == 0x0
 03675  2220   NtAllocateVirtualMemory  (-1, 1445888, 0, 4096, 4096, 4, ...
 03676  1024   NtWaitForSingleObject  (160, 0, 0x0, ...
 03660  2236   NtDuplicateObject  ... 1308, ) == 0x0
 03677   896   NtResumeThread  (1292, ...
 03675  2220   NtAllocateVirtualMemory  ... 1445888, 4096, ) == 0x0
 03678  2236   NtWaitForSingleObject  (160, 0, 0x0, ...
 03677   896   NtResumeThread  ... 1, ) == 0x0
 03679  2220   NtSetEventBoostPriority  (160, ...
 03680   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03678  2236   NtWaitForSingleObject  ... ) == 0x0
 03679  2220   NtSetEventBoostPriority  ... ) == 0x0
 03681  2236   NtSetEventBoostPriority  (160, ...
 03680   896   NtAllocateVirtualMemory  ... 161546240, 1048576, ) == 0x0
 03681  2236   NtSetEventBoostPriority  ... ) == 0x0
 03682  2220   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03683   896   NtAllocateVirtualMemory  (-1, 162586624, 0, 8192, 4096, 4, ...
 03676  1024   NtWaitForSingleObject  ... ) == 0x0
 03684  2272   NtWaitForSingleObject  (160, 0, 0x0, ...
 03682  2220   NtDuplicateObject  ... 1312, ) == 0x0
 03683   896   NtAllocateVirtualMemory  ... 162586624, 8192, ) == 0x0
 03685  1024   NtSetEventBoostPriority  (160, ...
 03686  2220   NtWaitForSingleObject  (160, 0, 0x0, ...
 03687  2236   NtWaitForSingleObject  (160, 0, 0x0, ...
 03684  2272   NtWaitForSingleObject  ... ) == 0x0
 03685  1024   NtSetEventBoostPriority  ... ) == 0x0
 03688   896   NtProtectVirtualMemory  (-1, (0x9b0e000), 4096, 260, ...
 03689  2272   NtSetEventBoostPriority  (160, ...
 03690  1024   NtWaitForSingleObject  (160, 0, 0x0, ...
 03687  2236   NtWaitForSingleObject  ... ) == 0x0
 03689  2272   NtSetEventBoostPriority  ... ) == 0x0
 03688   896   NtProtectVirtualMemory  ... (0x9b0e000), 4096, 4, ) == 0x0
 03691  2236   NtSetEventBoostPriority  (160, ...
 03690  1024   NtWaitForSingleObject  ... ) == 0x0
 03692  1024   NtSetEventBoostPriority  (160, ...
 03686  2220   NtWaitForSingleObject  ... ) == 0x0
 03693  2220   NtWaitForSingleObject  (200, 0, 0x0, ...
 03692  1024   NtSetEventBoostPriority  ... ) == 0x0
 03691  2236   NtSetEventBoostPriority  ... ) == 0x0
 03694   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03695  2272   NtTestAlert  (...
 03696  2236   NtWaitForSingleObject  (200, 0, 0x0, ...
 03694   896   NtCreateThread  ... 1316, {1252, 2284}, ) == 0x0
 03695  2272   NtTestAlert  ... ) == 0x0
 03697  1024   NtSetEventBoostPriority  (200, ...
 03698   896   NtQueryInformationThread  (1316, Basic, 28, ...
 03699  2272   NtContinue  (161545520, 1, ...
 03693  2220   NtWaitForSingleObject  ... ) == 0x0
 03697  1024   NtSetEventBoostPriority  ... ) == 0x0
 03698   896   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff29000,Pid=1252,Tid=2284,}, 0x0, ) == 0x0
 03700  2220   NtSetEventBoostPriority  (200, ...
 03701  2272   NtRegisterThreadTerminatePort  (24, ...
 03702  1024   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 12643280, ... }, 12643280, ...
 03696  2236   NtWaitForSingleObject  ... ) == 0x0
 03701  2272   NtRegisterThreadTerminatePort  ... ) == 0x0
 03702  1024   NtQueryAttributesFile  ... ) == 0x0
 03703  2236   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03704  2272   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03705  1024   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... }, 5, 96, ...
 03703  2236   NtWaitForSingleObject  ... ) == 0x102
 03700  2220   NtSetEventBoostPriority  ... ) == 0x0
 03706   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82239, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82239, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\5\0\0\344\4\0\0\354\10\0\0" ...  ...
 03705  1024   NtOpenFile  ... 1320, {status=0x0, info=1}, ) == 0x0
 03707  2236   NtWaitForSingleObject  (136, 0, 0x0, ...
 03704  2272   NtDuplicateObject  ... 1324, ) == 0x0
 03706   896   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 1252, 896, 82240, 0}  ... {28, 56, reply, 0, 1252, 896, 82240, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\5\0\0\344\4\0\0\354\10\0\0" )  ) == 0x0
 03708  2220   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03709  1024   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 1320, ...
 03710  2272   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03711   896   NtResumeThread  (1316, ...
 03708  2220   NtWaitForSingleObject  ... ) == 0x102
 03709  1024   NtCreateSection  ... 1328, ) == 0x0
 03710  2272   NtWaitForSingleObject  ... ) == 0x102
 03711   896   NtResumeThread  ... 1, ) == 0x0
 03712  2220   NtWaitForSingleObject  (136, 0, 0x0, ...
 03713  1024   NtClose  (1320, ...
 03714  2272   NtWaitForSingleObject  (136, 0, 0x0, ...
 03715   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03713  1024   NtClose  ... ) == 0x0
 03716  2284   NtWaitForSingleObject  (88, 0, 0x0, ...
 03717  1024   NtMapViewOfSection  (1328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 110592, ) == 0x0
 03718  1024   NtClose  (1328, ... ) == 0x0
 03719  1024   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 03720  1024   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 12643588, ... ) }, 12643588, ... ) == 0x0
 03715   896   NtAllocateVirtualMemory  ... 162594816, 1048576, ) == 0x0
 03721   896   NtAllocateVirtualMemory  (-1, 163635200, 0, 8192, 4096, 4, ... 163635200, 8192, ) == 0x0
 03722   896   NtProtectVirtualMemory  (-1, (0x9c0e000), 4096, 260, ... (0x9c0e000), 4096, 4, ) == 0x0
 03723   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1328, {1252, 2292}, ) == 0x0
 03724   896   NtQueryInformationThread  (1328, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff28000,Pid=1252,Tid=2292,}, 0x0, ) == 0x0
 03725   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82240, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82240, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\5\0\0\344\4\0\0\364\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82241, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\5\0\0\344\4\0\0\364\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82241, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82240, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\5\0\0\344\4\0\0\364\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82241, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\5\0\0\344\4\0\0\364\10\0\0" )  ) == 0x0
 03726  1024   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 1320, {status=0x0, info=1}, ) }, 5, 96, ... 1320, {status=0x0, info=1}, ) == 0x0
 03727  1024   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 1320, ... 1332, ) == 0x0
 03728  1024   NtQuerySection  (1332, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03729  1024   NtClose  (1320, ... ) == 0x0
 03730  1024   NtMapViewOfSection  (1332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0
 03731  1024   NtClose  (1332, ... ) == 0x0
 03732   896   NtResumeThread  (1328, ... 1, ) == 0x0
 03733   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 163643392, 1048576, ) == 0x0
 03734   896   NtAllocateVirtualMemory  (-1, 164683776, 0, 8192, 4096, 4, ... 164683776, 8192, ) == 0x0
 03735   896   NtProtectVirtualMemory  (-1, (0x9d0e000), 4096, 260, ... (0x9d0e000), 4096, 4, ) == 0x0
 03736   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1332, {1252, 2296}, ) == 0x0
 03737   896   NtQueryInformationThread  (1332, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff27000,Pid=1252,Tid=2296,}, 0x0, ) == 0x0
 03738  1024   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ...
 03739  2292   NtWaitForSingleObject  (88, 0, 0x0, ...
 03738  1024   NtProtectVirtualMemory  ... (0x751d1000), 4096, 32, ) == 0x0
 03740  1024   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 03741  1024   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 03742  1024   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 03743  1024   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0
 03744  1024   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 03745   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82241, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82241, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\5\0\0\344\4\0\0\370\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82242, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\5\0\0\344\4\0\0\370\10\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82242, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82241, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\5\0\0\344\4\0\0\370\10\0\0" ... {28, 56, reply, 0, 1252, 896, 82242, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\5\0\0\344\4\0\0\370\10\0\0" )  ) == 0x0
 03746   896   NtResumeThread  (1332, ... 1, ) == 0x0
 03747   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 164691968, 1048576, ) == 0x0
 03748   896   NtAllocateVirtualMemory  (-1, 165732352, 0, 8192, 4096, 4, ... 165732352, 8192, ) == 0x0
 03749   896   NtProtectVirtualMemory  (-1, (0x9e0e000), 4096, 260, ... (0x9e0e000), 4096, 4, ) == 0x0
 03750   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03751  1024   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... }, ...
 03752  2296   NtWaitForSingleObject  (88, 0, 0x0, ...
 03751  1024   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03753  1024   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 12642764, ... }, 12642764, ...
 03750   896   NtCreateThread  ... 1320, {1252, 2304}, ) == 0x0
 03754   896   NtQueryInformationThread  (1320, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff26000,Pid=1252,Tid=2304,}, 0x0, ) == 0x0
 03755   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82242, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82242, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\5\0\0\344\4\0\0\0\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82243, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\5\0\0\344\4\0\0\0\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82243, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82242, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\5\0\0\344\4\0\0\0\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82243, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\5\0\0\344\4\0\0\0\11\0\0" )  ) == 0x0
 03756   896   NtResumeThread  (1320, ... 1, ) == 0x0
 03757   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 165740544, 1048576, ) == 0x0
 03758   896   NtAllocateVirtualMemory  (-1, 166780928, 0, 8192, 4096, 4, ... 166780928, 8192, ) == 0x0
 03759  2304   NtWaitForSingleObject  (88, 0, 0x0, ...
 03760   896   NtProtectVirtualMemory  (-1, (0x9f0e000), 4096, 260, ... (0x9f0e000), 4096, 4, ) == 0x0
 03761   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1336, {1252, 2308}, ) == 0x0
 03762   896   NtQueryInformationThread  (1336, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff25000,Pid=1252,Tid=2308,}, 0x0, ) == 0x0
 03763   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82243, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82243, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\5\0\0\344\4\0\0\4\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82244, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\5\0\0\344\4\0\0\4\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82244, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82243, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\5\0\0\344\4\0\0\4\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82244, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\5\0\0\344\4\0\0\4\11\0\0" )  ) == 0x0
 03764   896   NtResumeThread  (1336, ... 1, ) == 0x0
 03765   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03753  1024   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03766  2308   NtWaitForSingleObject  (88, 0, 0x0, ...
 03767  1024   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 12642764, ... ) }, 12642764, ... ) == 0x0
 03768  1024   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 1340, {status=0x0, info=1}, ) }, 5, 96, ... 1340, {status=0x0, info=1}, ) == 0x0
 03769  1024   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 1340, ... 1344, ) == 0x0
 03770  1024   NtQuerySection  (1344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03771  1024   NtClose  (1340, ... ) == 0x0
 03772  1024   NtMapViewOfSection  (1344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 03765   896   NtAllocateVirtualMemory  ... 166789120, 1048576, ) == 0x0
 03773   896   NtAllocateVirtualMemory  (-1, 167829504, 0, 8192, 4096, 4, ... 167829504, 8192, ) == 0x0
 03774   896   NtProtectVirtualMemory  (-1, (0xa00e000), 4096, 260, ... (0xa00e000), 4096, 4, ) == 0x0
 03775   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1340, {1252, 2316}, ) == 0x0
 03776   896   NtQueryInformationThread  (1340, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff24000,Pid=1252,Tid=2316,}, 0x0, ) == 0x0
 03777   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82244, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82244, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\5\0\0\344\4\0\0\14\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82245, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\5\0\0\344\4\0\0\14\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82245, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82244, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\5\0\0\344\4\0\0\14\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82245, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\5\0\0\344\4\0\0\14\11\0\0" )  ) == 0x0
 03772  1024   NtMapViewOfSection  ... (0x77920000), 0x0, 995328, ) == 0x0
 03778  1024   NtClose  (1344, ... ) == 0x0
 03779  1024   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 03780  1024   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 03781  1024   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 03782  1024   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 03783  1024   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ...
 03784   896   NtResumeThread  (1340, ... 1, ) == 0x0
 03785   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 167837696, 1048576, ) == 0x0
 03786   896   NtAllocateVirtualMemory  (-1, 168878080, 0, 8192, 4096, 4, ... 168878080, 8192, ) == 0x0
 03787   896   NtProtectVirtualMemory  (-1, (0xa10e000), 4096, 260, ... (0xa10e000), 4096, 4, ) == 0x0
 03788   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1344, {1252, 2320}, ) == 0x0
 03789   896   NtQueryInformationThread  (1344, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff23000,Pid=1252,Tid=2320,}, 0x0, ) == 0x0
 03783  1024   NtProtectVirtualMemory  ... (0x77921000), 4096, 4, ) == 0x0
 03790  2316   NtWaitForSingleObject  (88, 0, 0x0, ...
 03791  1024   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 03792  1024   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 03793  1024   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 03794  1024   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 03795  1024   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 03796  1024   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ...
 03797   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82245, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82245, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\5\0\0\344\4\0\0\20\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82246, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\5\0\0\344\4\0\0\20\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82246, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82245, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\5\0\0\344\4\0\0\20\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82246, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\5\0\0\344\4\0\0\20\11\0\0" )  ) == 0x0
 03798   896   NtResumeThread  (1344, ... 1, ) == 0x0
 03799   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 168886272, 1048576, ) == 0x0
 03800   896   NtAllocateVirtualMemory  (-1, 169926656, 0, 8192, 4096, 4, ... 169926656, 8192, ) == 0x0
 03801   896   NtProtectVirtualMemory  (-1, (0xa20e000), 4096, 260, ... (0xa20e000), 4096, 4, ) == 0x0
 03802   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03796  1024   NtProtectVirtualMemory  ... (0x77921000), 4096, 4, ) == 0x0
 03803  2320   NtWaitForSingleObject  (88, 0, 0x0, ...
 03804  1024   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 03805  1024   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 03806  1024   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 03807  1024   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 03808  1024   NtProtectVirtualMemory  (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0
 03809  1024   NtProtectVirtualMemory  (-1, (0x751d1000), 4096, 32, ...
 03802   896   NtCreateThread  ... 1348, {1252, 2328}, ) == 0x0
 03810   896   NtQueryInformationThread  (1348, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff22000,Pid=1252,Tid=2328,}, 0x0, ) == 0x0
 03811   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82246, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82246, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\5\0\0\344\4\0\0\30\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82247, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\5\0\0\344\4\0\0\30\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82247, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82246, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\5\0\0\344\4\0\0\30\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82247, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\5\0\0\344\4\0\0\30\11\0\0" )  ) == 0x0
 03812   896   NtResumeThread  (1348, ... 1, ) == 0x0
 03813   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 169934848, 1048576, ) == 0x0
 03814   896   NtAllocateVirtualMemory  (-1, 170975232, 0, 8192, 4096, 4, ... 170975232, 8192, ) == 0x0
 03809  1024   NtProtectVirtualMemory  ... (0x751d1000), 4096, 4, ) == 0x0
 03815  2328   NtWaitForSingleObject  (88, 0, 0x0, ...
 03816  1024   NtFlushInstructionCache  (-1, 1964838912, 224, ... ) == 0x0
 03817  1024   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03818  1024   NtAllocateVirtualMemory  (-1, 12632064, 0, 4096, 4096, 260, ... 12632064, 4096, ) == 0x0
 03819  1024   NtQueryDefaultLocale  (1, 12643484, ... ) == 0x0
 03820  1024   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 03821  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\Setup"}, ... }, ...
 03822   896   NtProtectVirtualMemory  (-1, (0xa30e000), 4096, 260, ... (0xa30e000), 4096, 4, ) == 0x0
 03823   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1352, {1252, 2336}, ) == 0x0
 03824   896   NtQueryInformationThread  (1352, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff21000,Pid=1252,Tid=2336,}, 0x0, ) == 0x0
 03825   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82247, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82247, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\5\0\0\344\4\0\0 \11\0\0" ... {28, 56, reply, 0, 1252, 896, 82248, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\5\0\0\344\4\0\0 \11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82248, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82247, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\5\0\0\344\4\0\0 \11\0\0" ... {28, 56, reply, 0, 1252, 896, 82248, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\5\0\0\344\4\0\0 \11\0\0" )  ) == 0x0
 03826   896   NtResumeThread  (1352, ... 1, ) == 0x0
 03827   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03821  1024   NtOpenKey  ... 1356, ) == 0x0
 03828  2336   NtWaitForSingleObject  (88, 0, 0x0, ...
 03829  1024   NtQueryValueKey  (1356,  (1356, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (1356, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03830  1024   NtClose  (1356, ... ) == 0x0
 03831  1024   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 1356, ) == 0x0
 03832  1024   NtCallbackReturn  (0, 0, 0, ...
 03833  1024   NtUserGetProcessWindowStation  (... ) == 0x28
 03834  1024   NtUserGetObjectInformation  (40, 1, 12643080, 12, 12643092, ... ) == 0x1
 03827   896   NtAllocateVirtualMemory  ... 170983424, 1048576, ) == 0x0
 03835   896   NtAllocateVirtualMemory  (-1, 172023808, 0, 8192, 4096, 4, ... 172023808, 8192, ) == 0x0
 03836   896   NtProtectVirtualMemory  (-1, (0xa40e000), 4096, 260, ... (0xa40e000), 4096, 4, ) == 0x0
 03837   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1360, {1252, 2340}, ) == 0x0
 03838   896   NtQueryInformationThread  (1360, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff20000,Pid=1252,Tid=2340,}, 0x0, ) == 0x0
 03839   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82248, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82248, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\5\0\0\344\4\0\0$\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82249, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\5\0\0\344\4\0\0$\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82249, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82248, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\5\0\0\344\4\0\0$\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82249, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\5\0\0\344\4\0\0$\11\0\0" )  ) == 0x0
 03840  1024   NtOpenKey  (0xf003f, {24, 36, 0x40, 0, 0,  (0xf003f, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03841  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "System\WPA\PnP"}, ... 1364, ) }, ... 1364, ) == 0x0
 03842  1024   NtQueryValueKey  (1364,  (1364, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (1364, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 03843  1024   NtClose  (1364, ... ) == 0x0
 03844  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... 1364, ) }, ... 1364, ) == 0x0
 03845  1024   NtQueryValueKey  (1364,  (1364, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (1364, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 03846   896   NtResumeThread  (1360, ... 1, ) == 0x0
 03847   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 172032000, 1048576, ) == 0x0
 03848   896   NtAllocateVirtualMemory  (-1, 173072384, 0, 8192, 4096, 4, ... 173072384, 8192, ) == 0x0
 03849   896   NtProtectVirtualMemory  (-1, (0xa50e000), 4096, 260, ... (0xa50e000), 4096, 4, ) == 0x0
 03850   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1368, {1252, 2348}, ) == 0x0
 03851   896   NtQueryInformationThread  (1368, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1f000,Pid=1252,Tid=2348,}, 0x0, ) == 0x0
 03852  1024   NtQueryValueKey  (1364,  (1364, "OsLoaderPath", Partial, 144, ... , Partial, 144, ...
 03853  2340   NtWaitForSingleObject  (88, 0, 0x0, ...
 03852  1024   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 03854  1024   NtClose  (1364, ... ) == 0x0
 03855  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... 1364, ) }, ... 1364, ) == 0x0
 03856  1024   NtQueryValueKey  (1364,  (1364, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (1364, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 03857  1024   NtQueryValueKey  (1364,  (1364, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (1364, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 03858  1024   NtClose  (1364, ... ) == 0x0
 03859   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82249, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82249, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\5\0\0\344\4\0\0,\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82250, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\5\0\0\344\4\0\0,\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82250, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82249, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\5\0\0\344\4\0\0,\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82250, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\5\0\0\344\4\0\0,\11\0\0" )  ) == 0x0
 03860   896   NtResumeThread  (1368, ... 1, ) == 0x0
 03861   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 173080576, 1048576, ) == 0x0
 03862   896   NtAllocateVirtualMemory  (-1, 174120960, 0, 8192, 4096, 4, ... 174120960, 8192, ) == 0x0
 03863   896   NtProtectVirtualMemory  (-1, (0xa60e000), 4096, 260, ... (0xa60e000), 4096, 4, ) == 0x0
 03864   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03865  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ...
 03866  2348   NtWaitForSingleObject  (88, 0, 0x0, ...
 03865  1024   NtOpenKey  ... 1364, ) == 0x0
 03867  1024   NtQueryValueKey  (1364,  (1364, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (1364, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 03868  1024   NtQueryValueKey  (1364,  (1364, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (1364, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 03869  1024   NtClose  (1364, ... ) == 0x0
 03870  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 1364, ) }, ... 1364, ) == 0x0
 03871  1024   NtQueryValueKey  (1364,  (1364, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (1364, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 03864   896   NtCreateThread  ... 1372, {1252, 2352}, ) == 0x0
 03872   896   NtQueryInformationThread  (1372, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1e000,Pid=1252,Tid=2352,}, 0x0, ) == 0x0
 03873   896   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1252, 896, 82250, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82250, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\5\0\0\344\4\0\00\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82251, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\5\0\0\344\4\0\00\11\0\0" )  ... {28, 56, reply, 0, 1252, 896, 82251, 0}  (24, {28, 56, new_msg, 0, 1252, 896, 82250, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\5\0\0\344\4\0\00\11\0\0" ... {28, 56, reply, 0, 1252, 896, 82251, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\5\0\0\344\4\0\00\11\0\0" )  ) == 0x0
 03874   896   NtResumeThread  (1372, ... 1, ) == 0x0
 03875   896   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 174129152, 1048576, ) == 0x0
 03876   896   NtAllocateVirtualMemory  (-1, 175169536, 0, 8192, 4096, 4, ... 175169536, 8192, ) == 0x0
 03877  1024   NtQueryValueKey  (1364,  (1364, "ServicePackSourcePath", Partial, 144, ... , Partial, 144, ...
 03878  2352   NtWaitForSingleObject  (88, 0, 0x0, ...
 03877  1024   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 03879  1024   NtClose  (1364, ... ) == 0x0
 03880  1024   NtOpenKey  (0x20019, {24, 36, 0x40, 0, 0,  (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 1364, ) }, ... 1364, ) == 0x0
 03881  1024   NtQueryValueKey  (1364,  (1364, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (1364, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 03882  1024   NtQueryValueKey  (1364,  (1364, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (1364, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 03883  1024   NtClose  (1364, ... ) == 0x0
 03884   896   NtProtectVirtualMemory  (-1, (0xa70e000), 4096, 260, ... (0xa70e000), 4096, 4, ) == 0x0
 03885   896   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1364, {1252, 2356}, ) == 0x0