Summary (one entry per syscall name, value = number of calls in the trace below; entries are listed in ascending call count across the four columns):

NtGdiCreateBitmap(>) 1 NtOpenProcessToken(>) 2 NtQueryInformationFile(>) 7 NtQueryAttributesFile(>) 37
NtGdiInit(>) 1 NtQueryDefaultUILanguage(>) 2 NtQueryInformationToken(>) 7 NtFlushInstructionCache(>) 53
NtGdiQueryFontAssocInfo(>) 1 NtQueryPerformanceCounter(>) 2 NtQueryVirtualMemory(>) 7 NtCreateEvent(>) 101
NtGdiSelectBitmap(>) 1 NtReadFile(>) 2 NtConnectPort(>) 8 NtContinue(>) 103
NtOpenKeyedEvent(>) 1 NtSetInformationObject(>) 2 NtQueryInformationProcess(>) 8 NtQuerySystemInformation(>) 123
NtOpenSymbolicLinkObject(>) 1 NtUserGetObjectInformation(>) 2 NtUnmapViewOfSection(>) 8 NtOpenKey(>) 136
NtQueryInstallUILanguage(>) 1 NtFreeVirtualMemory(>) 3 NtSetInformationFile(>) 9 NtResumeThread(>) 147
NtQueryObject(>) 1 NtGdiCreateCompatibleDC(>) 3 NtSetInformationThread(>) 9 NtCreateThread(>) 148
NtQuerySymbolicLinkObject(>) 1 NtOpenProcessTokenEx(>) 3 NtUserFindExistingCursorIcon(>) 9 NtQueryInformationThread(>) 151
NtQuerySystemTime(>) 1 NtOpenThreadTokenEx(>) 3 NtOpenThreadToken(>) 10 NtRequestWaitReplyPort(>) 191
NtRaiseException(>) 1 NtQueryDefaultLocale(>) 3 NtQuerySection(>) 13 NtTestAlert(>) 198
NtSetInformationProcess(>) 1 NtSecureConnectPort(>) 3 NtUserRegisterClassExWOW(>) 14 NtRegisterThreadTerminatePort(>) 200
NtUserCallNoParam(>) 1 NtCreateIoCompletion(>) 4 NtSetValueKey(>) 16 NtDuplicateObject(>) 207
NtUserGetProcessWindowStation(>) 1 NtQueryVolumeInformationFile(>) 4 NtCreateSection(>) 20 NtClose(>) 223
NtUserGetThreadDesktop(>) 1 NtWriteFile(>) 4 NtOpenSection(>) 22 NtQueryValueKey(>) 255
NtCallbackReturn(>) 2 NtCreateMutant(>) 5 NtOpenFile(>) 23 NtProtectVirtualMemory(>) 270
NtGdiCreateSolidBrush(>) 2 NtGdiGetStockObject(>) 5 NtCreateKey(>) 24 NtAllocateVirtualMemory(>) 394
NtNotifyChangeKey(>) 2 NtCreateFile(>) 7 NtDeviceIoControlFile(>) 36 NtSetEventBoostPriority(>) 697
NtOpenDirectoryObject(>) 2 NtFsControlFile(>) 7 NtMapViewOfSection(>) 37 NtWaitForSingleObject(>) 990

Trace (one record per syscall, in call order: sequence number, an id column that is 1736 on every record — presumably the calling thread or process id, then the syscall name, its arguments with output values after "...", and the returned NTSTATUS after "=="):

00001 1736 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00003 1736 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00004 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00005 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00006 1736 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00007 1736 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00008 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00009 1736 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00010 1736 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00011 1736 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00012 1736 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 
12, ) == 0x0 00013 1736 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00014 1736 NtClose (12, ... ) == 0x0 00015 1736 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00016 1736 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00017 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00020 1736 NtClose (16, ... ) == 0x0 00021 1736 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00022 1736 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00023 1736 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00024 1736 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00025 1736 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00026 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00027 1736 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00028 1736 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 
24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0 00029 1736 NtClose (16, ... ) == 0x0 00030 1736 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00031 1736 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00032 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00033 1736 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00034 1736 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00035 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75469, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ) ) == 0x0 00036 1736 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00037 1736 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 
1232896, 4096, ) == 0x0 00038 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00039 1736 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00040 1736 NtClose (16, ... ) == 0x0 00041 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0 00042 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00043 1736 NtClose (16, ... ) == 0x0 00044 1736 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00045 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00046 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0 00047 1736 NtClose (16, ... ) == 0x0 00048 1736 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00049 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00050 1736 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00051 1736 NtClose (16, ... ) == 0x0 00052 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00053 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00054 1736 NtClose (16, ... ) == 0x0 00055 1736 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00056 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00057 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00058 1736 NtAllocateVirtualMemory (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0 00059 1736 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ) ... {24, 52, reply, 0, 1636, 1736, 75470, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ) ) == 0x0 00060 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75471, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ) ) == 0x0 00061 1736 NtProtectVirtualMemory (-1, (0x409000), 94224, 4, ... (0x409000), 98304, 128, ) == 0x0 00062 1736 NtProtectVirtualMemory (-1, (0x409000), 98304, 128, ... 
(0x409000), 98304, 4, ) == 0x0 00063 1736 NtFlushInstructionCache (-1, 4231168, 94224, ... ) == 0x0 00064 1736 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00065 1736 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00066 1736 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00067 1736 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00068 1736 NtClose (16, ... ) == 0x0 00069 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00070 1736 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00071 1736 NtClose (16, ... ) == 0x0 00072 1736 NtTestAlert (... ) == 0x0 00073 1736 NtContinue (1244464, 1, ... 00074 1736 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x419010,}, 4, ... ) == 0x0 00075 1736 NtQueryVirtualMemory (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 00076 1736 NtContinue (1244400, 0, ... 00077 1736 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0 00078 1736 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0 00079 1736 NtQueryValueKey (16, (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00080 1736 NtClose (16, ... ) == 0x0 00081 1736 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00082 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00083 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00084 1736 NtClose (16, ... ) == 0x0 00085 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00086 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00087 1736 NtClose (16, ... ) == 0x0 00088 1736 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00089 1736 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00090 1736 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00091 1736 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00092 1736 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00093 1736 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00094 1736 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00095 1736 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00096 1736 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00097 1736 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00098 1736 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00099 1736 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00100 1736 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00101 1736 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00102 1736 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00103 1736 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... 
(0x7e411000), 4096, 32, ) == 0x0 00104 1736 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00105 1736 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00106 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00109 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75472, 0} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6$\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ) ) == 0x0 00110 1736 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00111 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... 
) == 0x0 00112 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00113 1736 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0 00114 1736 NtClose (16, ... ) == 0x0 00115 1736 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x430000), 0x0, 110592, ) == 0x0 00116 1736 NtClose (28, ... ) == 0x0 00117 1736 NtUnmapViewOfSection (-1, 0x430000, ... ) == 0x0 00118 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0 00119 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00120 1736 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0 00121 1736 NtClose (28, ... ) == 0x0 00122 1736 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x430000), 0x0, 110592, ) == 0x0 00123 1736 NtClose (16, ... ) == 0x0 00124 1736 NtUnmapViewOfSection (-1, 0x430000, ... ) == 0x0 00125 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00126 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00127 1736 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0 00128 1736 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00129 1736 NtOpenProcessToken (-1, 0x8, ... 32, ) == 0x0 00130 1736 NtQueryInformationToken (32, User, 136, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00131 1736 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00132 1736 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0 00133 1736 NtQueryValueKey (36, (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00134 1736 NtClose (36, ... ) == 0x0 00135 1736 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00136 1736 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 36, ) == 0x0 00137 1736 NtQueryInformationToken (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00138 1736 NtClose (36, ... ) == 0x0 00139 1736 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00140 1736 NtClose (32, ... ) == 0x0 00141 1736 NtClose (16, ... ) == 0x0 00142 1736 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00143 1736 NtClose (28, ... ) == 0x0 00144 1736 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00145 1736 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00146 1736 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00147 1736 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00148 1736 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00149 1736 NtFlushInstructionCache (-1, 1983451136, 696, ... 
) == 0x0 00150 1736 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00151 1736 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00152 1736 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00153 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00154 1736 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00155 1736 NtClose (28, ... ) == 0x0 00156 1736 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00157 1736 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00158 1736 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00159 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00160 1736 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00161 1736 NtClose (28, ... ) == 0x0 00162 1736 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00163 1736 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00164 1736 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00165 1736 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00166 1736 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00167 1736 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00168 1736 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00169 1736 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00170 1736 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00171 1736 NtFlushInstructionCache (-1, 2011631616, 868, ... 
) == 0x0 00172 1736 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00173 1736 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00174 1736 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00175 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 1736 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00177 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00178 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00179 1736 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00180 1736 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00181 1736 NtClose (28, ... ) == 0x0 00182 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00183 1736 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 1736 NtClose (28, ... 
) == 0x0 00185 1736 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00186 1736 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00187 1736 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00188 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00190 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0 00191 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00192 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0 00194 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00195 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0 00196 1736 NtQueryValueKey (16, (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 1736 NtClose (16, ... ) == 0x0 00198 1736 NtMapViewOfSection (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x430000), 0x0, 1060864, ) == 0x0 00199 1736 NtClose (-2147482576, ... ) == 0x0 00200 1736 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0 00201 1736 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00202 1736 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482576, ) == 0x0 00203 1736 NtQueryInformationToken (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00204 1736 NtQueryInformationToken (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00205 1736 NtClose (-2147482576, ... ) == 0x0 00206 1736 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 5505024, 4096, ) == 0x0 00207 1736 NtFreeVirtualMemory (-1, (0x540000), 4096, 32768, ... (0x540000), 4096, ) == 0x0 00208 1736 NtDuplicateObject (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0 00209 1736 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00210 1736 NtQueryValueKey (-2147482576, (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00211 1736 NtClose (-2147482576, ... ) == 0x0 00212 1736 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0 00213 1736 NtQueryValueKey (-2147482576, (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00214 1736 NtClose (-2147482576, ... ) == 0x0 00215 1736 NtQueryDefaultLocale (0, -139347636, ... ) == 0x0 00216 1736 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00217 1736 NtUserCallNoParam (24, ... ) == 0x0 00218 1736 NtGdiCreateCompatibleDC (0, ... 00219 1736 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5505024, 4096, ) == 0x0 00218 1736 NtGdiCreateCompatibleDC ... ) == 0xf2010663 00220 1736 NtGdiGetStockObject (0, ... ) == 0x1900010 00221 1736 NtGdiGetStockObject (4, ... ) == 0x1900011 00222 1736 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7 00223 1736 NtGdiCreateSolidBrush (0, 0, ... 00224 1736 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0 00223 1736 NtGdiCreateSolidBrush ... ) == 0x4210057d 00225 1736 NtGdiGetStockObject (13, ... ) == 0x18a0021 00226 1736 NtGdiCreateCompatibleDC (0, ... ) == 0x69010363 00227 1736 NtGdiSelectBitmap (1761674083, -50002441, ... ) == 0x185000f 00228 1736 NtUserGetThreadDesktop (1736, 0, ... ) == 0x24 00229 1736 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0 00230 1736 NtQueryValueKey (44, (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00231 1736 NtClose (44, ... ) == 0x0 00232 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00233 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8169c017 00234 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00235 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8169c01c 00236 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... 
) == 0x10011 00237 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8169c01e 00238 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00239 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81698002 00240 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10013 00241 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8169c018 00242 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00243 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8169c01a 00244 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00245 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8169c01d 00246 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00247 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8169c026 00248 1736 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00249 1736 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8169c019 00250 1736 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8169c020 00251 1736 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8169c022 00252 1736 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8169c023 00253 1736 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8169c024 00254 1736 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8169c025 00255 1736 NtCallbackReturn (0, 0, 0, ... 00256 1736 NtGdiInit (... ) == 0x1 00257 1736 NtGdiGetStockObject (18, ... ) == 0x290001c 00258 1736 NtGdiGetStockObject (19, ... 
) == 0x1b00019 00259 1736 NtAllocateVirtualMemory (-1, 0, 0, 26112, 4096, 64, ... 8781824, 28672, ) == 0x0 00260 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00261 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00262 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0 00263 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0 00264 1736 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0 00265 1736 NtQuerySection (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00266 1736 NtClose (44, ... ) == 0x0 00267 1736 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0 00268 1736 NtClose (48, ... ) == 0x0 00269 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0 00270 1736 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0 00271 1736 NtClose (48, ... ) == 0x0 00272 1736 NtProtectVirtualMemory (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00273 1736 NtProtectVirtualMemory (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00274 1736 NtFlushInstructionCache (-1, 2009141248, 632, ... ) == 0x0 00275 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00276 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00277 1736 NtFlushInstructionCache (-1, 1907036160, 468, ... 
) == 0x0 00278 1736 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00279 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00280 1736 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0 00281 1736 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0 00282 1736 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0 00283 1736 NtQuerySection (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00284 1736 NtClose (48, ... ) == 0x0 00285 1736 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00286 1736 NtClose (44, ... ) == 0x0 00287 1736 NtProtectVirtualMemory (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00288 1736 NtProtectVirtualMemory (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00289 1736 NtFlushInstructionCache (-1, 1906970624, 352, ... ) == 0x0 00290 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00291 1736 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00292 1736 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00293 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00294 1736 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00295 1736 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8847360, 65536, ) == 0x0 00296 1736 NtAllocateVirtualMemory (-1, 8847360, 0, 4096, 4096, 4, ... 8847360, 4096, ) == 0x0 00297 1736 NtAllocateVirtualMemory (-1, 8851456, 0, 8192, 4096, 4, ... 8851456, 8192, ) == 0x0 00298 1736 NtAllocateVirtualMemory (-1, 8859648, 0, 4096, 4096, 4, ... 8859648, 4096, ) == 0x0 00299 1736 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0 00300 1736 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x880000), 0x0, 12288, ) == 0x0 00301 1736 NtClose (44, ... ) == 0x0 00302 1736 NtAllocateVirtualMemory (-1, 8863744, 0, 4096, 4096, 4, ... 8863744, 4096, ) == 0x0 00303 1736 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00304 1736 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00305 1736 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00306 1736 NtQueryVirtualMemory (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0 00307 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00308 1736 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00309 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00310 1736 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00311 1736 NtFreeVirtualMemory (-1, (0x860000), 0, 32768, ... (0x860000), 28672, ) == 0x0 00312 1736 NtFreeVirtualMemory (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0 00313 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00314 1736 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00315 1736 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00316 1736 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 00317 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 8978432, 1048576, ) == 0x0 00318 1736 NtAllocateVirtualMemory (-1, 8978432, 0, 32768, 4096, 4, ... 8978432, 32768, ) == 0x0 00319 1736 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0 00320 1736 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 48, ) }, 0, ... 
48, ) == 0x0 00321 1736 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0 00322 1736 NtQueryValueKey (52, (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00323 1736 NtQueryValueKey (52, (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00324 1736 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0 00325 1736 NtOpenKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Protocol_Catalog9"}, ... 60, ) }, ... 60, ) == 0x0 00326 1736 NtQueryValueKey (60, (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00327 1736 NtNotifyChangeKey (60, 56, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00328 1736 NtQueryValueKey (60, (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00329 1736 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00330 1736 NtQueryValueKey (60, (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Next_Catalog_Entry_ID", Partial, 144, ... 
TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 00331 1736 NtQueryValueKey (60, (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 00332 1736 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Catalog_Entries"}, ... 64, ) }, ... 64, ) == 0x0 00333 1736 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00334 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000001"}, ... 68, ) }, ... 68, ) == 0x0 00335 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00336 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00337 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 
900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00338 1736 NtClose (68, ... ) == 0x0 00339 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000002"}, ... 68, ) }, ... 68, ) == 0x0 00340 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00341 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00342 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 
900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00343 1736 NtClose (68, ... ) == 0x0 00344 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000003"}, ... 68, ) }, ... 68, ) == 0x0 00345 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00346 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00347 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00348 1736 NtClose (68, ... ) == 0x0 00349 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000004"}, ... 68, ) }, ... 
68, ) == 0x0 00350 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00351 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00352 1736 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00353 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00354 1736 NtClose (68, ... ) == 0x0 00355 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000005"}, ... 68, ) }, ... 68, ) == 0x0 00356 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00357 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00358 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00359 1736 NtClose (68, ... ) == 0x0 00360 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000006"}, ... 68, ) }, ... 
68, ) == 0x0 00361 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00362 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00363 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 
\0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00364 1736 NtClose (68, ... ) == 0x0 00365 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000007"}, ... 68, ) }, ... 68, ) == 0x0 00366 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00367 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00368 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 
(68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00369 1736 NtClose (68, ... ) == 0x0 00370 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000008"}, ... 68, ) }, ... 68, ) == 0x0 00371 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00372 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00373 1736 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00374 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00375 1736 NtClose (68, ... ) == 0x0 00376 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000009"}, ... 68, ) }, ... 68, ) == 0x0 00377 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00378 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00379 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 
00380 1736 NtClose (68, ... ) == 0x0 00381 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000010"}, ... 68, ) }, ... 68, ) == 0x0 00382 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00383 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00384 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00385 1736 NtClose (68, ... ) == 0x0 00386 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000011"}, ... 68, ) }, ... 68, ) == 0x0 00387 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00388 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00389 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, 
) }, 900, ) == 0x0 00390 1736 NtClose (68, ... ) == 0x0 00391 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000012"}, ... 68, ) }, ... 68, ) == 0x0 00392 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00393 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00394 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00395 1736 NtClose (68, ... ) == 0x0 00396 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000013"}, ... 68, ) }, ... 68, ) == 0x0 00397 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00398 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00399 1736 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00400 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00401 1736 NtClose (68, ... ) == 0x0 00402 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000014"}, ... 68, ) }, ... 68, ) == 0x0 00403 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00404 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00405 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 
900, ) == 0x0 00406 1736 NtClose (68, ... ) == 0x0 00407 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000015"}, ... 68, ) }, ... 68, ) == 0x0 00408 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00409 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00410 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00411 1736 NtClose (68, ... ) == 0x0 00412 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000016"}, ... 68, ) }, ... 68, ) == 0x0 00413 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00414 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00415 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, 
) }, 900, ) == 0x0 00416 1736 NtClose (68, ... ) == 0x0 00417 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000017"}, ... 68, ) }, ... 68, ) == 0x0 00418 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00419 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00420 1736 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00421 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00422 1736 NtClose (68, ... ) == 0x0 00423 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000018"}, ... 68, ) }, ... 68, ) == 0x0 00424 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00425 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00426 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, 
) }, 900, ) == 0x0 00427 1736 NtClose (68, ... ) == 0x0 00428 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000019"}, ... 68, ) }, ... 68, ) == 0x0 00429 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00430 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00431 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00432 1736 NtClose (68, ... ) == 0x0 00433 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000020"}, ... 68, ) }, ... 68, ) == 0x0 00434 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00435 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00436 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
}, 900, ) == 0x0 00437 1736 NtClose (68, ... ) == 0x0 00438 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000021"}, ... 68, ) }, ... 68, ) == 0x0 00439 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00440 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00441 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0d\6\0\0\310\6\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00442 1736 NtClose (68, ... ) == 0x0 00443 1736 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000022"}, ... 68, ) }, ... 68, ) == 0x0 00444 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00445 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00446 1736 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00447 1736 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0d\6\0\0\310\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0d\6\0\0\310\6\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0d\6\0\0\310\6\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0d\6\0\0\310\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 00448 1736 NtClose (68, ... ) == 0x0 00449 1736 NtClose (64, ... ) == 0x0 00450 1736 NtWaitForSingleObject (56, 0, {0, 0}, ... ) == 0x102 00451 1736 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0 00452 1736 NtOpenKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 68, ) }, ... 68, ) == 0x0 00453 1736 NtQueryValueKey (68, (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00454 1736 NtNotifyChangeKey (68, 64, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00455 1736 NtQueryValueKey (68, (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00456 1736 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00457 1736 NtQueryValueKey (68, (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00458 1736 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0 00459 1736 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0 00460 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00461 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00462 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00463 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00464 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00465 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00466 1736 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00467 1736 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00468 1736 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00469 1736 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00470 1736 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00471 1736 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00472 1736 NtClose (76, ... ) == 0x0 00473 1736 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0 00474 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00475 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00476 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00477 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00478 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00479 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00480 1736 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00481 1736 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00482 1736 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00483 1736 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00484 1736 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00485 1736 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00486 1736 NtClose (76, ... ) == 0x0 00487 1736 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0 00488 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00489 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00490 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00491 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00492 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00493 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00494 1736 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00495 1736 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00496 1736 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00497 1736 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00498 1736 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00499 1736 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00500 1736 NtClose (76, ... ) == 0x0 00501 1736 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0 00502 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00503 1736 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00504 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00505 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00506 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00507 1736 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00508 1736 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 00509 1736 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00510 1736 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 00511 1736 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00512 1736 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00513 1736 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00514 1736 NtClose (76, ... ) == 0x0 00515 1736 NtClose (72, ... ) == 0x0 00516 1736 NtWaitForSingleObject (64, 0, {0, 0}, ... ) == 0x102 00517 1736 NtClose (52, ... ) == 0x0 00518 1736 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00519 1736 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00520 1736 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0 00521 1736 NtQueryValueKey (52, (52, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00522 1736 NtClose (52, ... ) == 0x0 00523 1736 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 
1355776, 4096, ) == 0x0 00524 1736 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 52, ) == 0x0 00525 1736 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241648, (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0 00526 1736 NtQueryInformationFile (72, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00527 1736 NtQueryInformationFile (72, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00528 1736 NtQueryInformationFile (72, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00529 1736 NtAllocateVirtualMemory (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0 00530 1736 NtQueryInformationFile (72, 1355896, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 00531 1736 NtQueryInformationFile (72, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00532 1736 NtQueryInformationFile (72, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 00533 1736 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240416, (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 00534 1736 NtClose (-2147482576, ... ) == 0x0 00533 1736 NtCreateFile ... 76, {status=0x0, info=2}, ) == 0x0 00535 1736 NtQueryVolumeInformationFile (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00536 1736 NtQueryInformationFile (76, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00537 1736 NtQueryVolumeInformationFile (72, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00538 1736 NtQueryVolumeInformationFile (72, 1239912, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00539 1736 NtSetInformationFile (76, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00540 1736 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0 00541 1736 NtMapViewOfSection (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... 
(0x990000), {0, 0}, 90112, ) == 0x0 00542 1736 NtClose (80, ... ) == 0x0 00543 1736 NtWriteFile (76, 0, 0, 0, (76, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0\20\220\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \0\0\0\0\0\0\20\220\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 00544 1736 NtWriteFile (76, 0, 0, 0, (76, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 24592, 0x0, 0, ... {status=0x0, info=24592}, ) , 24592, 0x0, 0, ... {status=0x0, info=24592}, ) == 0x0 00545 1736 NtUnmapViewOfSection (-1, 0x990000, ... ) == 0x0 00546 1736 NtSetInformationFile (76, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00547 1736 NtClose (72, ... ) == 0x0 00548 1736 NtClose (76, ... ) == 0x0 00549 1736 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 76, ) }, ... 76, ) == 0x0 00550 1736 NtSetValueKey (76, (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1, (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ... 00551 1736 NtSetInformationFile (-2147482448, -139348176, 8, EndOfFile, ... 
{status=0x0, info=0}, ) == 0x0 00552 1736 NtSetInformationFile (-2147482448, -139348268, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00553 1736 NtSetInformationFile (-2147482448, -139348576, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00550 1736 NtSetValueKey ... ) == 0x0 00554 1736 NtClose (76, ... ) == 0x0 00555 1736 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0 00556 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 10027008, 1048576, ) == 0x0 00557 1736 NtAllocateVirtualMemory (-1, 11067392, 0, 8192, 4096, 4, ... 11067392, 8192, ) == 0x0 00558 1736 NtProtectVirtualMemory (-1, (0xa8e000), 4096, 260, ... (0xa8e000), 4096, 4, ) == 0x0 00559 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 72, {1636, 220}, ) == 0x0 00560 1736 NtQueryInformationThread (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1636,Tid=220,}, 0x0, ) == 0x0 00561 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0\334\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75479, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0\334\0\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75479, 0} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0\334\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75479, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0d\6\0\0\334\0\0\0" ) ) == 0x0 00562 1736 NtResumeThread (72, ... 1, ) == 0x0 00563 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11075584, 1048576, ) == 0x0 00564 1736 NtAllocateVirtualMemory (-1, 12115968, 0, 8192, 4096, 4, ... 12115968, 8192, ) == 0x0 00565 220 NtTestAlert (... ) == 0x0 00566 220 NtContinue (11074864, 1, ... 00567 220 NtRegisterThreadTerminatePort (24, ... 
) == 0x0 00568 220 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0 00569 220 NtWaitForSingleObject (56, 0, {0, 0}, ... ) == 0x102 00570 220 NtAllocateVirtualMemory (-1, 11063296, 0, 4096, 4096, 260, ... 00571 1736 NtProtectVirtualMemory (-1, (0xb8e000), 4096, 260, ... (0xb8e000), 4096, 4, ) == 0x0 00572 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 84, {1636, 1356}, ) == 0x0 00573 1736 NtQueryInformationThread (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1636,Tid=1356,}, 0x0, ) == 0x0 00574 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75479, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75479, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0L\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75480, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75479, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0d\6\0\0L\5\0\0" ) ) == 0x0 00575 1736 NtResumeThread (84, ... 1, ) == 0x0 00576 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00570 220 NtAllocateVirtualMemory ... 11063296, 4096, ) == 0x0 00577 1356 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00578 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11071988, ... }, 11071988, ... 00577 1356 NtCreateEvent ... 88, ) == 0x0 00578 220 NtQueryAttributesFile ... ) == 0x0 00579 1356 NtWaitForSingleObject (88, 0, 0x0, ... 00580 220 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0 00581 220 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 92, ... 96, ) == 0x0 00582 220 NtClose (92, ... ) == 0x0 00583 220 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 
(0xb90000), 0x0, 245760, ) == 0x0 00584 220 NtClose (96, ... 00576 1736 NtAllocateVirtualMemory ... 12386304, 1048576, ) == 0x0 00585 1736 NtAllocateVirtualMemory (-1, 13426688, 0, 8192, 4096, 4, ... 13426688, 8192, ) == 0x0 00586 1736 NtProtectVirtualMemory (-1, (0xcce000), 4096, 260, ... (0xcce000), 4096, 4, ) == 0x0 00587 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 92, {1636, 868}, ) == 0x0 00588 1736 NtQueryInformationThread (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1636,Tid=868,}, 0x0, ) == 0x0 00589 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75480, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0d\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75481, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0d\6\0\0d\3\0\0" ) ) == 0x0 00584 220 NtClose ... ) == 0x0 00590 1736 NtResumeThread (92, ... 1, ) == 0x0 00591 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13434880, 1048576, ) == 0x0 00592 1736 NtAllocateVirtualMemory (-1, 14475264, 0, 8192, 4096, 4, ... 14475264, 8192, ) == 0x0 00593 868 NtWaitForSingleObject (88, 0, 0x0, ... 00594 1736 NtProtectVirtualMemory (-1, (0xdce000), 4096, 260, ... (0xdce000), 4096, 4, ) == 0x0 00595 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00596 220 NtUnmapViewOfSection (-1, 0xb90000, ... ) == 0x0 00597 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11072296, ... ) }, 11072296, ... ) == 0x0 00598 220 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 
96, {status=0x0, info=1}, ) == 0x0 00599 220 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00600 220 NtQuerySection (100, Image, 48, ... 00595 1736 NtCreateThread ... 104, {1636, 808}, ) == 0x0 00601 1736 NtQueryInformationThread (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1636,Tid=808,}, 0x0, ) == 0x0 00602 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75481, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0(\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75482, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0d\6\0\0(\3\0\0" ) ) == 0x0 00603 1736 NtResumeThread (104, ... 1, ) == 0x0 00604 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00600 220 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 00605 808 NtWaitForSingleObject (88, 0, 0x0, ... 00606 220 NtClose (96, ... ) == 0x0 00607 220 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0 00608 220 NtClose (100, ... ) == 0x0 00609 220 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00610 220 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 00604 1736 NtAllocateVirtualMemory ... 14483456, 1048576, ) == 0x0 00611 1736 NtAllocateVirtualMemory (-1, 15523840, 0, 8192, 4096, 4, ... 15523840, 8192, ) == 0x0 00612 1736 NtProtectVirtualMemory (-1, (0xece000), 4096, 260, ... (0xece000), 4096, 4, ) == 0x0 00613 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 100, {1636, 2020}, ) == 0x0 00614 1736 NtQueryInformationThread (100, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1636,Tid=2020,}, 0x0, ) == 0x0 00615 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75482, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\344\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75483, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0d\6\0\0\344\7\0\0" ) ) == 0x0 00610 220 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 00616 220 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00617 220 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00618 220 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 00619 220 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00620 220 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00621 220 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 00622 1736 NtResumeThread (100, ... 1, ) == 0x0 00623 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15532032, 1048576, ) == 0x0 00624 1736 NtAllocateVirtualMemory (-1, 16572416, 0, 8192, 4096, 4, ... 16572416, 8192, ) == 0x0 00625 1736 NtProtectVirtualMemory (-1, (0xfce000), 4096, 260, ... (0xfce000), 4096, 4, ) == 0x0 00626 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 96, {1636, 896}, ) == 0x0 00627 1736 NtQueryInformationThread (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1636,Tid=896,}, 0x0, ) == 0x0 00621 220 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 00628 2020 NtWaitForSingleObject (88, 0, 0x0, ... 00629 220 NtFlushInstructionCache (-1, 1906642944, 1060, ... 
) == 0x0 00630 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75483, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\200\3\0\0" ... ... 00631 220 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00632 220 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00633 220 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00634 220 NtSetEventBoostPriority (88, ... 00630 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75484, 0} ... {28, 56, reply, 0, 1636, 1736, 75484, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0d\6\0\0\200\3\0\0" ) ) == 0x0 00635 1736 NtResumeThread (96, ... 1, ) == 0x0 00636 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 16580608, 1048576, ) == 0x0 00637 1736 NtAllocateVirtualMemory (-1, 17620992, 0, 8192, 4096, 4, ... 17620992, 8192, ) == 0x0 00638 1736 NtProtectVirtualMemory (-1, (0x10ce000), 4096, 260, ... (0x10ce000), 4096, 4, ) == 0x0 00639 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00579 1356 NtWaitForSingleObject ... ) == 0x0 00634 220 NtSetEventBoostPriority ... ) == 0x0 00640 896 NtWaitForSingleObject (88, 0, 0x0, ... 00641 1356 NtSetEventBoostPriority (88, ... 00642 220 NtWaitForSingleObject (88, 0, 0x0, ... 00593 868 NtWaitForSingleObject ... ) == 0x0 00641 1356 NtSetEventBoostPriority ... ) == 0x0 00643 868 NtSetEventBoostPriority (88, ... 00639 1736 NtCreateThread ... 108, {1636, 1252}, ) == 0x0 00605 808 NtWaitForSingleObject ... 
) == 0x0 00643 868 NtSetEventBoostPriority ... ) == 0x0 00644 808 NtSetEventBoostPriority (88, ... 00645 1736 NtQueryInformationThread (108, Basic, 28, ... 00646 1356 NtTestAlert (... 00628 2020 NtWaitForSingleObject ... ) == 0x0 00644 808 NtSetEventBoostPriority ... ) == 0x0 00645 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1636,Tid=1252,}, 0x0, ) == 0x0 00647 2020 NtSetEventBoostPriority (88, ... 00646 1356 NtTestAlert ... ) == 0x0 00648 868 NtTestAlert (... 00640 896 NtWaitForSingleObject ... ) == 0x0 00647 2020 NtSetEventBoostPriority ... ) == 0x0 00649 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75484, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75484, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\344\4\0\0" ... ... 00650 1356 NtContinue (12123440, 1, ... 00651 896 NtSetEventBoostPriority (88, ... 00648 868 NtTestAlert ... ) == 0x0 00652 808 NtTestAlert (... 00649 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75485, 0} ... {28, 56, reply, 0, 1636, 1736, 75485, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0d\6\0\0\344\4\0\0" ) ) == 0x0 00642 220 NtWaitForSingleObject ... ) == 0x0 00651 896 NtSetEventBoostPriority ... ) == 0x0 00653 1356 NtRegisterThreadTerminatePort (24, ... 00654 868 NtContinue (13434160, 1, ... 00652 808 NtTestAlert ... ) == 0x0 00655 2020 NtTestAlert (... 00656 220 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00657 1736 NtResumeThread (108, ... 00653 1356 NtRegisterThreadTerminatePort ... ) == 0x0 00658 868 NtRegisterThreadTerminatePort (24, ... 00659 808 NtContinue (14482736, 1, ... 00656 220 NtCreateEvent ... 112, ) == 0x0 00655 2020 NtTestAlert ... ) == 0x0 00657 1736 NtResumeThread ... 1, ) == 0x0 00660 1356 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00658 868 NtRegisterThreadTerminatePort ... ) == 0x0 00661 808 NtRegisterThreadTerminatePort (24, ... 00662 896 NtTestAlert (... 00663 1252 NtTestAlert (... 00664 2020 NtContinue (15531312, 1, ... 
00665 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00666 220 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ... 00667 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00661 808 NtRegisterThreadTerminatePort ... ) == 0x0 00662 896 NtTestAlert ... ) == 0x0 00663 1252 NtTestAlert ... ) == 0x0 00668 2020 NtRegisterThreadTerminatePort (24, ... 00665 1736 NtAllocateVirtualMemory ... 17629184, 1048576, ) == 0x0 00666 220 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00660 1356 NtDuplicateObject ... 116, ) == 0x0 00669 808 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00670 896 NtContinue (16579888, 1, ... 00671 1252 NtContinue (17628464, 1, ... 00668 2020 NtRegisterThreadTerminatePort ... ) == 0x0 00672 1736 NtAllocateVirtualMemory (-1, 18669568, 0, 8192, 4096, 4, ... 00673 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11071908, ... }, 11071908, ... 00674 1356 NtWaitForSingleObject (64, 0, {0, 0}, ... 00667 868 NtDuplicateObject ... 120, ) == 0x0 00675 896 NtRegisterThreadTerminatePort (24, ... 00676 1252 NtRegisterThreadTerminatePort (24, ... 00677 2020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00672 1736 NtAllocateVirtualMemory ... 18669568, 8192, ) == 0x0 00674 1356 NtWaitForSingleObject ... ) == 0x102 00678 868 NtWaitForSingleObject (64, 0, {0, 0}, ... 00675 896 NtRegisterThreadTerminatePort ... ) == 0x0 00676 1252 NtRegisterThreadTerminatePort ... ) == 0x0 00669 808 NtDuplicateObject ... 124, ) == 0x0 00677 2020 NtDuplicateObject ... 128, ) == 0x0 00679 1356 NtAllocateVirtualMemory (-1, 12111872, 0, 4096, 4096, 260, ... 00678 868 NtWaitForSingleObject ... ) == 0x102 00680 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00681 1736 NtProtectVirtualMemory (-1, (0x11ce000), 4096, 260, ... 00682 808 NtWaitForSingleObject (64, 0, {0, 0}, ... 00683 2020 NtWaitForSingleObject (64, 0, {0, 0}, ... 00679 1356 NtAllocateVirtualMemory ... 
12111872, 4096, ) == 0x0 00684 868 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00685 1252 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00681 1736 NtProtectVirtualMemory ... (0x11ce000), 4096, 4, ) == 0x0 00682 808 NtWaitForSingleObject ... ) == 0x102 00683 2020 NtWaitForSingleObject ... ) == 0x102 00680 896 NtDuplicateObject ... 132, ) == 0x0 00684 868 NtCreateEvent ... 136, ) == 0x0 00685 1252 NtDuplicateObject ... 140, ) == 0x0 00686 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00687 808 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00688 2020 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00689 896 NtWaitForSingleObject (64, 0, {0, 0}, ... 00690 1356 NtWaitForSingleObject (88, 0, 0x0, ... 00691 1252 NtWaitForSingleObject (64, 0, {0, 0}, ... 00686 1736 NtCreateThread ... 144, {1636, 2016}, ) == 0x0 00687 808 NtCreateEvent ... 148, ) == 0x0 00688 2020 NtCreateEvent ... 152, ) == 0x0 00689 896 NtWaitForSingleObject ... ) == 0x102 00691 1252 NtWaitForSingleObject ... ) == 0x102 00692 1736 NtQueryInformationThread (144, Basic, 28, ... 00693 868 NtWaitForSingleObject (136, 0, 0x0, ... 00694 808 NtClose (148, ... 00695 896 NtWaitForSingleObject (136, 0, 0x0, ... 00696 1252 NtWaitForSingleObject (136, 0, 0x0, ... 00692 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1636,Tid=2016,}, 0x0, ) == 0x0 00694 808 NtClose ... ) == 0x0 00697 2020 NtClose (152, ... 00698 808 NtWaitForSingleObject (136, 0, 0x0, ... 00697 2020 NtClose ... ) == 0x0 00699 2020 NtWaitForSingleObject (136, 0, 0x0, ... 00700 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75485, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75485, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\340\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75486, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\340\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75486, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75485, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\340\7\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75486, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0d\6\0\0\340\7\0\0" ) ) == 0x0 00701 1736 NtResumeThread (144, ... 1, ) == 0x0 00702 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00703 2016 NtWaitForSingleObject (88, 0, 0x0, ... 00702 1736 NtAllocateVirtualMemory ... 18677760, 1048576, ) == 0x0 00704 1736 NtAllocateVirtualMemory (-1, 19718144, 0, 8192, 4096, 4, ... 19718144, 8192, ) == 0x0 00705 1736 NtProtectVirtualMemory (-1, (0x12ce000), 4096, 260, ... (0x12ce000), 4096, 4, ) == 0x0 00706 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 152, {1636, 2012}, ) == 0x0 00707 1736 NtQueryInformationThread (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1636,Tid=2012,}, 0x0, ) == 0x0 00708 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75486, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75486, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\334\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75487, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75486, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0d\6\0\0\334\7\0\0" ) ) == 0x0 00709 1736 NtResumeThread (152, ... 1, ) == 0x0 00710 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 19726336, 1048576, ) == 0x0 00711 1736 NtAllocateVirtualMemory (-1, 20766720, 0, 8192, 4096, 4, ... 20766720, 8192, ) == 0x0 00712 2012 NtWaitForSingleObject (88, 0, 0x0, ... 00713 1736 NtProtectVirtualMemory (-1, (0x13ce000), 4096, 260, ... (0x13ce000), 4096, 4, ) == 0x0 00714 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 148, {1636, 1028}, ) == 0x0 00715 1736 NtQueryInformationThread (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1636,Tid=1028,}, 0x0, ) == 0x0 00673 220 NtQueryAttributesFile ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00716 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11071908, ... ) }, 11071908, ... ) == 0x0 00717 220 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0 00718 220 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 156, ... 160, ) == 0x0 00719 220 NtQuerySection (160, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00720 220 NtClose (156, ... ) == 0x0 00721 220 NtMapViewOfSection (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 00722 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75487, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75488, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0d\6\0\0\4\4\0\0" ) ) == 0x0 00723 1736 NtResumeThread (148, ... 1, ) == 0x0 00724 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 20774912, 1048576, ) == 0x0 00725 1736 NtAllocateVirtualMemory (-1, 21815296, 0, 8192, 4096, 4, ... 21815296, 8192, ) == 0x0 00726 1736 NtProtectVirtualMemory (-1, (0x14ce000), 4096, 260, ... (0x14ce000), 4096, 4, ) == 0x0 00727 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00721 220 NtMapViewOfSection ... (0x662b0000), 0x0, 360448, ) == 0x0 00728 1028 NtWaitForSingleObject (88, 0, 0x0, ... 00729 220 NtClose (160, ... ) == 0x0 00730 220 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00731 220 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 
(0x662b1000), 4096, 4, ) == 0x0 00732 220 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00733 220 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00734 220 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 00727 1736 NtCreateThread ... 160, {1636, 384}, ) == 0x0 00735 1736 NtQueryInformationThread (160, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1636,Tid=384,}, 0x0, ) == 0x0 00736 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75488, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0d\6\0\0\200\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75489, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0d\6\0\0\200\1\0\0" ) ) == 0x0 00737 1736 NtResumeThread (160, ... 1, ) == 0x0 00738 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 21823488, 1048576, ) == 0x0 00739 1736 NtAllocateVirtualMemory (-1, 22863872, 0, 8192, 4096, 4, ... 22863872, 8192, ) == 0x0 00734 220 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 00740 384 NtWaitForSingleObject (88, 0, 0x0, ... 00741 220 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00742 220 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00743 220 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00744 220 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00745 220 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... 00746 1736 NtProtectVirtualMemory (-1, (0x15ce000), 4096, 260, ... (0x15ce000), 4096, 4, ) == 0x0 00747 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
156, {1636, 1180}, ) == 0x0 00748 1736 NtQueryInformationThread (156, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1636,Tid=1180,}, 0x0, ) == 0x0 00749 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75489, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\234\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75490, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0d\6\0\0\234\4\0\0" ) ) == 0x0 00750 1736 NtResumeThread (156, ... 1, ) == 0x0 00745 220 NtProtectVirtualMemory ... (0x662b1000), 4096, 32, ) == 0x0 00751 1180 NtWaitForSingleObject (88, 0, 0x0, ... 00752 220 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00753 220 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00754 220 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00755 220 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00756 220 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00757 220 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... }, ... 00758 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 22872064, 1048576, ) == 0x0 00759 1736 NtAllocateVirtualMemory (-1, 23912448, 0, 8192, 4096, 4, ... 23912448, 8192, ) == 0x0 00760 1736 NtProtectVirtualMemory (-1, (0x16ce000), 4096, 260, ... (0x16ce000), 4096, 4, ) == 0x0 00761 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 164, {1636, 420}, ) == 0x0 00762 1736 NtQueryInformationThread (164, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1636,Tid=420,}, 0x0, ) == 0x0 00763 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0d\6\0\0\244\1\0\0" ... ... 00757 220 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00764 220 NtSetEventBoostPriority (88, ... 00690 1356 NtWaitForSingleObject ... ) == 0x0 00765 1356 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12118992, ... ) }, 12118992, ... ) == 0x0 00766 1356 NtSetEventBoostPriority (88, ... 00703 2016 NtWaitForSingleObject ... ) == 0x0 00767 2016 NtSetEventBoostPriority (88, ... 00712 2012 NtWaitForSingleObject ... ) == 0x0 00768 2012 NtSetEventBoostPriority (88, ... 00728 1028 NtWaitForSingleObject ... ) == 0x0 00769 1028 NtSetEventBoostPriority (88, ... 00740 384 NtWaitForSingleObject ... ) == 0x0 00770 384 NtSetEventBoostPriority (88, ... 00751 1180 NtWaitForSingleObject ... ) == 0x0 00771 1180 NtTestAlert (... ) == 0x0 00770 384 NtSetEventBoostPriority ... ) == 0x0 00769 1028 NtSetEventBoostPriority ... ) == 0x0 00768 2012 NtSetEventBoostPriority ... ) == 0x0 00767 2016 NtSetEventBoostPriority ... ) == 0x0 00766 1356 NtSetEventBoostPriority ... ) == 0x0 00764 220 NtSetEventBoostPriority ... ) == 0x0 00763 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75491, 0} ... {28, 56, reply, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0d\6\0\0\244\1\0\0" ) ) == 0x0 00772 1180 NtContinue (22871344, 1, ... 00773 384 NtTestAlert (... 00774 1028 NtTestAlert (... 00775 2012 NtTestAlert (... 00776 1356 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00777 220 NtQuerySystemInformation (Basic, 44, ... 00778 1736 NtResumeThread (164, ... 00779 1180 NtRegisterThreadTerminatePort (24, ... 00773 384 NtTestAlert ... ) == 0x0 00774 1028 NtTestAlert ... ) == 0x0 00775 2012 NtTestAlert ... ) == 0x0 00776 1356 NtCreateEvent ... 
168, ) == 0x0 00777 220 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00778 1736 NtResumeThread ... 1, ) == 0x0 00779 1180 NtRegisterThreadTerminatePort ... ) == 0x0 00780 384 NtContinue (21822768, 1, ... 00781 1028 NtContinue (20774192, 1, ... 00782 2012 NtContinue (19725616, 1, ... 00783 1356 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ... 00784 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 00785 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00786 1180 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00787 384 NtRegisterThreadTerminatePort (24, ... 00788 1028 NtRegisterThreadTerminatePort (24, ... 00789 2012 NtRegisterThreadTerminatePort (24, ... 00783 1356 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00790 2016 NtTestAlert (... 00791 420 NtWaitForSingleObject (88, 0, 0x0, ... 00785 1736 NtAllocateVirtualMemory ... 23920640, 1048576, ) == 0x0 00786 1180 NtDuplicateObject ... 172, ) == 0x0 00787 384 NtRegisterThreadTerminatePort ... ) == 0x0 00788 1028 NtRegisterThreadTerminatePort ... ) == 0x0 00789 2012 NtRegisterThreadTerminatePort ... ) == 0x0 00792 1356 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 12119096, ... }, 12119096, ... 00790 2016 NtTestAlert ... ) == 0x0 00793 1736 NtAllocateVirtualMemory (-1, 24961024, 0, 8192, 4096, 4, ... 00794 1180 NtWaitForSingleObject (64, 0, {0, 0}, ... 00795 384 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00796 1028 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00797 2012 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00784 220 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00798 2016 NtContinue (18677040, 1, ... 00793 1736 NtAllocateVirtualMemory ... 24961024, 8192, ) == 0x0 00794 1180 NtWaitForSingleObject ... ) == 0x102 00795 384 NtDuplicateObject ... 176, ) == 0x0 00796 1028 NtDuplicateObject ... 180, ) == 0x0 00799 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 00800 2016 NtRegisterThreadTerminatePort (24, ... 00801 1736 NtProtectVirtualMemory (-1, (0x17ce000), 4096, 260, ... 00802 1180 NtWaitForSingleObject (136, 0, 0x0, ... 00803 384 NtWaitForSingleObject (64, 0, {0, 0}, ... 00804 1028 NtWaitForSingleObject (64, 0, {0, 0}, ... 00799 220 NtOpenKey ... 184, ) == 0x0 00800 2016 NtRegisterThreadTerminatePort ... ) == 0x0 00801 1736 NtProtectVirtualMemory ... (0x17ce000), 4096, 4, ) == 0x0 00803 384 NtWaitForSingleObject ... ) == 0x102 00804 1028 NtWaitForSingleObject ... ) == 0x102 00805 220 NtQueryValueKey (184, (184, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 00806 2016 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00807 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00808 384 NtWaitForSingleObject (136, 0, 0x0, ... 00809 1028 NtWaitForSingleObject (136, 0, 0x0, ... 00805 220 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00797 2012 NtDuplicateObject ... 188, ) == 0x0 00807 1736 NtCreateThread ... 192, {1636, 596}, ) == 0x0 00810 220 NtClose (184, ... 00811 2012 NtWaitForSingleObject (64, 0, {0, 0}, ... 00812 1736 NtQueryInformationThread (192, Basic, 28, ... 00806 2016 NtDuplicateObject ... 196, ) == 0x0 00811 2012 NtWaitForSingleObject ... ) == 0x102 00810 220 NtClose ... ) == 0x0 00813 2016 NtWaitForSingleObject (64, 0, {0, 0}, ... 00814 2012 NtWaitForSingleObject (136, 0, 0x0, ... 00815 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ... 
00813 2016 NtWaitForSingleObject ... ) == 0x102 00815 220 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00816 2016 NtWaitForSingleObject (136, 0, 0x0, ... 00817 220 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 184, ) == 0x0 00818 220 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 200, ) == 0x0 00819 220 NtQuerySystemTime (... {2058317878, 29929432}, ) == 0x0 00820 220 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0 00821 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ... 00812 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1636,Tid=596,}, 0x0, ) == 0x0 00822 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0d\6\0\0T\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0d\6\0\0T\2\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75492, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0d\6\0\0T\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0d\6\0\0T\2\0\0" ) ) == 0x0 00823 1736 NtResumeThread (192, ... 1, ) == 0x0 00824 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24969216, 1048576, ) == 0x0 00825 1736 NtAllocateVirtualMemory (-1, 26009600, 0, 8192, 4096, 4, ... 26009600, 8192, ) == 0x0 00826 1736 NtProtectVirtualMemory (-1, (0x18ce000), 4096, 260, ... (0x18ce000), 4096, 4, ) == 0x0 00821 220 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00827 596 NtWaitForSingleObject (88, 0, 0x0, ... 00828 220 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00829 220 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00830 220 NtQueryInformationProcess (-1, VmCounters, 44, ... 
{process info, class 3, size 44}, 0x0, ) == 0x0 00831 220 NtWaitForSingleObject (88, 0, 0x0, ... 00832 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 208, {1636, 376}, ) == 0x0 00833 1736 NtQueryInformationThread (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1636,Tid=376,}, 0x0, ) == 0x0 00834 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0x\1\0\0" ... ... 00792 1356 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00835 1356 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 12119096, ... ) }, 12119096, ... ) == 0x0 00834 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75493, 0} ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0d\6\0\0x\1\0\0" ) ) == 0x0 00836 1736 NtResumeThread (208, ... 1, ) == 0x0 00837 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 26017792, 1048576, ) == 0x0 00838 1736 NtAllocateVirtualMemory (-1, 27058176, 0, 8192, 4096, 4, ... 27058176, 8192, ) == 0x0 00839 1736 NtProtectVirtualMemory (-1, (0x19ce000), 4096, 260, ... (0x19ce000), 4096, 4, ) == 0x0 00840 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {1636, 1168}, ) == 0x0 00841 1736 NtQueryInformationThread (212, Basic, 28, ... 00842 1356 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ... 00843 376 NtWaitForSingleObject (88, 0, 0x0, ... 00842 1356 NtOpenFile ... 216, {status=0x0, info=1}, ) == 0x0 00844 1356 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 216, ... 220, ) == 0x0 00845 1356 NtQuerySection (220, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00846 1356 NtClose (216, ... ) == 0x0 00847 1356 NtMapViewOfSection (220, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x76f20000), 0x0, 159744, ) == 0x0 00848 1356 NtClose (220, ... ) == 0x0 00841 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1636,Tid=1168,}, 0x0, ) == 0x0 00849 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0\220\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75494, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0d\6\0\0\220\4\0\0" ) ) == 0x0 00850 1736 NtResumeThread (212, ... 1, ) == 0x0 00851 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 27066368, 1048576, ) == 0x0 00852 1736 NtAllocateVirtualMemory (-1, 28106752, 0, 8192, 4096, 4, ... 28106752, 8192, ) == 0x0 00853 1736 NtProtectVirtualMemory (-1, (0x1ace000), 4096, 260, ... (0x1ace000), 4096, 4, ) == 0x0 00854 1356 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 00855 1168 NtWaitForSingleObject (88, 0, 0x0, ... 00854 1356 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 00856 1356 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00857 1356 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00858 1356 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00859 1356 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00860 1356 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00861 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {1636, 120}, ) == 0x0 00862 1736 NtQueryInformationThread (220, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1636,Tid=120,}, 0x0, ) == 0x0 00863 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0x\0\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75495, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0d\6\0\0x\0\0\0" ) ) == 0x0 00864 1736 NtResumeThread (220, ... 1, ) == 0x0 00865 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 28114944, 1048576, ) == 0x0 00866 1736 NtAllocateVirtualMemory (-1, 29155328, 0, 8192, 4096, 4, ... 00867 1356 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 00868 120 NtWaitForSingleObject (88, 0, 0x0, ... 00867 1356 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 00869 1356 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00870 1356 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00871 1356 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00872 1356 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00873 1356 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00866 1736 NtAllocateVirtualMemory ... 29155328, 8192, ) == 0x0 00874 1736 NtProtectVirtualMemory (-1, (0x1bce000), 4096, 260, ... (0x1bce000), 4096, 4, ) == 0x0 00875 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1636, 928}, ) == 0x0 00876 1736 NtQueryInformationThread (216, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1636,Tid=928,}, 0x0, ) == 0x0 00877 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75496, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0d\6\0\0\240\3\0\0" ) ) == 0x0 00878 1736 NtResumeThread (216, ... 1, ) == 0x0 00879 1356 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 00880 928 NtWaitForSingleObject (88, 0, 0x0, ... 00879 1356 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 00881 1356 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00882 1356 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00883 1356 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00884 1356 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00885 1356 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00886 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 29163520, 1048576, ) == 0x0 00887 1736 NtAllocateVirtualMemory (-1, 30203904, 0, 8192, 4096, 4, ... 30203904, 8192, ) == 0x0 00888 1736 NtProtectVirtualMemory (-1, (0x1cce000), 4096, 260, ... (0x1cce000), 4096, 4, ) == 0x0 00889 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {1636, 1732}, ) == 0x0 00890 1736 NtQueryInformationThread (224, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1636,Tid=1732,}, 0x0, ) == 0x0 00891 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0\304\6\0\0" ... ... 00892 1356 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00893 1356 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 228, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 228, 2, ) , 0, ... 228, 2, ) == 0x0 00894 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 232, ) }, ... 232, ) == 0x0 00891 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75497, 0} ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0d\6\0\0\304\6\0\0" ) ) == 0x0 00895 1736 NtResumeThread (224, ... 1, ) == 0x0 00896 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 30212096, 1048576, ) == 0x0 00897 1736 NtAllocateVirtualMemory (-1, 31252480, 0, 8192, 4096, 4, ... 31252480, 8192, ) == 0x0 00898 1736 NtProtectVirtualMemory (-1, (0x1dce000), 4096, 260, ... (0x1dce000), 4096, 4, ) == 0x0 00899 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1636, 428}, ) == 0x0 00900 1736 NtQueryInformationThread (236, Basic, 28, ... 00901 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 00902 1732 NtWaitForSingleObject (88, 0, 0x0, ... 00901 1356 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00903 1356 NtQueryValueKey (232, (232, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00904 1356 NtQueryValueKey (228, (228, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00905 1356 NtQueryValueKey (232, (232, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00906 1356 NtQueryValueKey (228, (228, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00907 1356 NtQueryValueKey (232, (232, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00900 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1636,Tid=428,}, 0x0, ) == 0x0 00908 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\254\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75498, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0d\6\0\0\254\1\0\0" ) ) == 0x0 00909 1736 NtResumeThread (236, ... 1, ) == 0x0 00910 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 31260672, 1048576, ) == 0x0 00911 1736 NtAllocateVirtualMemory (-1, 32301056, 0, 8192, 4096, 4, ... 32301056, 8192, ) == 0x0 00912 1736 NtProtectVirtualMemory (-1, (0x1ece000), 4096, 260, ... (0x1ece000), 4096, 4, ) == 0x0 00913 1356 NtQueryValueKey (228, (228, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ... 
00914 428 NtWaitForSingleObject (88, 0, 0x0, ... 00913 1356 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00915 1356 NtQueryValueKey (232, (232, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00916 1356 NtQueryValueKey (228, (228, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00917 1356 NtQueryValueKey (232, (232, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00918 1356 NtQueryValueKey (232, (232, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00919 1356 NtQueryValueKey (232, (232, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00920 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 240, {1636, 748}, ) == 0x0 00921 1736 NtQueryInformationThread (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1636,Tid=748,}, 0x0, ) == 0x0 00922 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\354\2\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75499, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0d\6\0\0\354\2\0\0" ) ) == 0x0 00923 1736 NtResumeThread (240, ... 1, ) == 0x0 00924 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 32309248, 1048576, ) == 0x0 00925 1736 NtAllocateVirtualMemory (-1, 33349632, 0, 8192, 4096, 4, ... 00926 1356 NtQueryValueKey (232, (232, "FilterClusterIp", Partial, 144, ... , Partial, 144, ... 00927 748 NtWaitForSingleObject (88, 0, 0x0, ... 00926 1356 NtQueryValueKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00928 1356 NtQueryValueKey (232, (232, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00929 1356 NtQueryValueKey (232, (232, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00930 1356 NtQueryValueKey (232, (232, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00931 1356 NtQueryValueKey (232, (232, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00932 1356 NtQueryValueKey (232, (232, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00925 1736 NtAllocateVirtualMemory ... 33349632, 8192, ) == 0x0 00933 1736 NtProtectVirtualMemory (-1, (0x1fce000), 4096, 260, ... (0x1fce000), 4096, 4, ) == 0x0 00934 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {1636, 1300}, ) == 0x0 00935 1736 NtQueryInformationThread (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1636,Tid=1300,}, 0x0, ) == 0x0 00936 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\24\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75500, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0d\6\0\0\24\5\0\0" ) ) == 0x0 00937 1736 NtResumeThread (244, ... 1, ) == 0x0 00938 1356 NtQueryValueKey (228, (228, "DisableDynamicUpdate", Partial, 144, ... , Partial, 144, ... 00939 1300 NtWaitForSingleObject (88, 0, 0x0, ... 00938 1356 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 1356 NtQueryValueKey (232, (232, "RegisterPrimaryName", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00941 1356 NtQueryValueKey (232, (232, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00942 1356 NtQueryValueKey (228, (228, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00943 1356 NtQueryValueKey (232, (232, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00944 1356 NtQueryValueKey (228, (228, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00945 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 33357824, 1048576, ) == 0x0 00946 1736 NtAllocateVirtualMemory (-1, 34398208, 0, 8192, 4096, 4, ... 34398208, 8192, ) == 0x0 00947 1736 NtProtectVirtualMemory (-1, (0x20ce000), 4096, 260, ... (0x20ce000), 4096, 4, ) == 0x0 00948 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1636, 1096}, ) == 0x0 00949 1736 NtQueryInformationThread (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1636,Tid=1096,}, 0x0, ) == 0x0 00950 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0H\4\0\0" ... ... 00951 1356 NtQueryValueKey (232, (232, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00952 1356 NtQueryValueKey (228, (228, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00953 1356 NtQueryValueKey (232, (232, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00950 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75501, 0} ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0d\6\0\0H\4\0\0" ) ) == 0x0 00954 1736 NtResumeThread (248, ... 
1, ) == 0x0 00955 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 34406400, 1048576, ) == 0x0 00956 1736 NtAllocateVirtualMemory (-1, 35446784, 0, 8192, 4096, 4, ... 35446784, 8192, ) == 0x0 00957 1736 NtProtectVirtualMemory (-1, (0x21ce000), 4096, 260, ... (0x21ce000), 4096, 4, ) == 0x0 00958 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 252, {1636, 252}, ) == 0x0 00959 1736 NtQueryInformationThread (252, Basic, 28, ... 00960 1356 NtQueryValueKey (228, (228, "DefaultRegistrationTTL", Partial, 144, ... , Partial, 144, ... 00961 1096 NtWaitForSingleObject (88, 0, 0x0, ... 00960 1356 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00962 1356 NtQueryValueKey (232, (232, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00963 1356 NtQueryValueKey (228, (228, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00964 1356 NtQueryValueKey (232, (232, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00965 1356 NtQueryValueKey (228, (228, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00966 1356 NtQueryValueKey (232, (232, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00959 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1636,Tid=252,}, 0x0, ) == 0x0 00967 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\374\0\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75502, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\374\0\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0d\6\0\0\374\0\0\0" ) ) == 0x0 00968 1736 NtResumeThread (252, ... 1, ) == 0x0 00969 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 35454976, 1048576, ) == 0x0 00970 1736 NtAllocateVirtualMemory (-1, 36495360, 0, 8192, 4096, 4, ... 36495360, 8192, ) == 0x0 00971 1736 NtProtectVirtualMemory (-1, (0x22ce000), 4096, 260, ... (0x22ce000), 4096, 4, ) == 0x0 00972 1356 NtQueryValueKey (228, (228, "UpdateSecurityLevel", Partial, 144, ... , Partial, 144, ... 00973 252 NtWaitForSingleObject (88, 0, 0x0, ... 00972 1356 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00974 1356 NtQueryValueKey (232, (232, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00975 1356 NtQueryValueKey (232, (232, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00976 1356 NtQueryValueKey (232, (232, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00977 1356 NtQueryValueKey (232, (232, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00978 1356 NtQueryValueKey (232, (232, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00979 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 256, {1636, 500}, ) == 0x0 00980 1736 NtQueryInformationThread (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1636,Tid=500,}, 0x0, ) == 0x0 00981 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0\364\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0\364\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75503, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0\364\1\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0d\6\0\0\364\1\0\0" ) ) == 0x0 00982 1736 NtResumeThread (256, ... 1, ) == 0x0 00983 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 36503552, 1048576, ) == 0x0 00984 1736 NtAllocateVirtualMemory (-1, 37543936, 0, 8192, 4096, 4, ... 00985 1356 NtQueryValueKey (232, (232, "MaxNegativeCacheTtl", Partial, 144, ... , Partial, 144, ... 00986 500 NtWaitForSingleObject (88, 0, 0x0, ... 00985 1356 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00987 1356 NtQueryValueKey (232, (232, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00988 1356 NtQueryValueKey (232, (232, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00989 1356 NtQueryValueKey (232, (232, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00990 1356 NtQueryValueKey (232, (232, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00991 1356 NtQueryValueKey (232, (232, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00984 1736 NtAllocateVirtualMemory ... 37543936, 8192, ) == 0x0 00992 1736 NtProtectVirtualMemory (-1, (0x23ce000), 4096, 260, ... (0x23ce000), 4096, 4, ) == 0x0 00993 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 260, {1636, 1132}, ) == 0x0 00994 1736 NtQueryInformationThread (260, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1636,Tid=1132,}, 0x0, ) == 0x0 00995 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0d\6\0\0l\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0d\6\0\0l\4\0\0" ) ... 
{28, 56, reply, 0, 1636, 1736, 75504, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0d\6\0\0l\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0d\6\0\0l\4\0\0" ) ) == 0x0 00996 1736 NtResumeThread (260, ... 1, ) == 0x0 00997 1356 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... }, ... 00998 1132 NtWaitForSingleObject (88, 0, 0x0, ... 00997 1356 NtOpenKey ... 264, ) == 0x0 00999 1356 NtQueryValueKey (264, (264, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (264, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01000 1356 NtClose (264, ... ) == 0x0 01001 1356 NtClose (228, ... ) == 0x0 01002 1356 NtClose (232, ... ) == 0x0 01003 1356 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 232, ) }, ... 232, ) == 0x0 01004 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 37552128, 1048576, ) == 0x0 01005 1736 NtAllocateVirtualMemory (-1, 38592512, 0, 8192, 4096, 4, ... 38592512, 8192, ) == 0x0 01006 1736 NtProtectVirtualMemory (-1, (0x24ce000), 4096, 260, ... (0x24ce000), 4096, 4, ) == 0x0 01007 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1636, 1024}, ) == 0x0 01008 1736 NtQueryInformationThread (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1636,Tid=1024,}, 0x0, ) == 0x0 01009 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\0\4\0\0" ... ... 01010 1356 NtQueryValueKey (232, (232, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01011 1356 NtQueryValueKey (232, (232, "DnsQuickQueryTimeouts", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01012 1356 NtQueryValueKey (232, (232, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01009 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75505, 0} ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0d\6\0\0\0\4\0\0" ) ) == 0x0 01013 1736 NtResumeThread (228, ... 1, ) == 0x0 01014 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 38600704, 1048576, ) == 0x0 01015 1736 NtAllocateVirtualMemory (-1, 39641088, 0, 8192, 4096, 4, ... 39641088, 8192, ) == 0x0 01016 1736 NtProtectVirtualMemory (-1, (0x25ce000), 4096, 260, ... (0x25ce000), 4096, 4, ) == 0x0 01017 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 264, {1636, 948}, ) == 0x0 01018 1736 NtQueryInformationThread (264, Basic, 28, ... 01019 1356 NtClose (232, ... 01020 1024 NtWaitForSingleObject (88, 0, 0x0, ... 01019 1356 NtClose ... ) == 0x0 01021 1356 NtSetEventBoostPriority (88, ... 00791 420 NtWaitForSingleObject ... ) == 0x0 01022 420 NtSetEventBoostPriority (88, ... 00827 596 NtWaitForSingleObject ... ) == 0x0 01023 596 NtSetEventBoostPriority (88, ... 00831 220 NtWaitForSingleObject ... ) == 0x0 01024 220 NtSetEventBoostPriority (88, ... 00843 376 NtWaitForSingleObject ... ) == 0x0 01025 376 NtSetEventBoostPriority (88, ... 00855 1168 NtWaitForSingleObject ... ) == 0x0 01026 1168 NtSetEventBoostPriority (88, ... 00868 120 NtWaitForSingleObject ... ) == 0x0 01027 120 NtSetEventBoostPriority (88, ... 00880 928 NtWaitForSingleObject ... ) == 0x0 01028 928 NtSetEventBoostPriority (88, ... 00902 1732 NtWaitForSingleObject ... ) == 0x0 01029 1732 NtSetEventBoostPriority (88, ... 00914 428 NtWaitForSingleObject ... ) == 0x0 01030 428 NtSetEventBoostPriority (88, ... 00927 748 NtWaitForSingleObject ... ) == 0x0 01031 748 NtSetEventBoostPriority (88, ... 00939 1300 NtWaitForSingleObject ... 
) == 0x0 01032 1300 NtSetEventBoostPriority (88, ... 00961 1096 NtWaitForSingleObject ... ) == 0x0 01033 1096 NtSetEventBoostPriority (88, ... 00973 252 NtWaitForSingleObject ... ) == 0x0 01034 252 NtSetEventBoostPriority (88, ... 00986 500 NtWaitForSingleObject ... ) == 0x0 01035 500 NtAllocateVirtualMemory (-1, 8867840, 0, 4096, 4096, 4, ... 8867840, 4096, ) == 0x0 01034 252 NtSetEventBoostPriority ... ) == 0x0 01033 1096 NtSetEventBoostPriority ... ) == 0x0 01032 1300 NtSetEventBoostPriority ... ) == 0x0 01031 748 NtSetEventBoostPriority ... ) == 0x0 01030 428 NtSetEventBoostPriority ... ) == 0x0 01029 1732 NtSetEventBoostPriority ... ) == 0x0 01028 928 NtSetEventBoostPriority ... ) == 0x0 01027 120 NtSetEventBoostPriority ... ) == 0x0 01026 1168 NtSetEventBoostPriority ... ) == 0x0 01025 376 NtSetEventBoostPriority ... ) == 0x0 01023 596 NtSetEventBoostPriority ... ) == 0x0 01022 420 NtSetEventBoostPriority ... ) == 0x0 01021 1356 NtSetEventBoostPriority ... ) == 0x0 01024 220 NtSetEventBoostPriority ... ) == 0x0 01018 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1636,Tid=948,}, 0x0, ) == 0x0 01036 500 NtSetEventBoostPriority (88, ... 01037 252 NtTestAlert (... 01038 1096 NtTestAlert (... 01039 1300 NtTestAlert (... 01040 748 NtTestAlert (... 01041 428 NtTestAlert (... 01042 1732 NtTestAlert (... 01043 928 NtTestAlert (... 01044 120 NtTestAlert (... 01045 1168 NtTestAlert (... 01046 376 NtTestAlert (... 01047 596 NtTestAlert (... 01048 1356 NtWaitForSingleObject (88, 0, 0x0, ... 01049 420 NtTestAlert (... 01050 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0d\6\0\0\264\3\0\0" ... ... 00998 1132 NtWaitForSingleObject ... ) == 0x0 01036 500 NtSetEventBoostPriority ... ) == 0x0 01037 252 NtTestAlert ... ) == 0x0 01038 1096 NtTestAlert ... ) == 0x0 01039 1300 NtTestAlert ... ) == 0x0 01040 748 NtTestAlert ... 
) == 0x0 01041 428 NtTestAlert ... ) == 0x0 01042 1732 NtTestAlert ... ) == 0x0 01043 928 NtTestAlert ... ) == 0x0 01044 120 NtTestAlert ... ) == 0x0 01045 1168 NtTestAlert ... ) == 0x0 01046 376 NtTestAlert ... ) == 0x0 01047 596 NtTestAlert ... ) == 0x0 01049 420 NtTestAlert ... ) == 0x0 01051 1132 NtSetEventBoostPriority (88, ... 01050 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75506, 0} ... {28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\1\0\0d\6\0\0\264\3\0\0" ) ) == 0x0 01052 500 NtTestAlert (... 01053 252 NtContinue (35454256, 1, ... 01054 1096 NtContinue (34405680, 1, ... 01055 1300 NtContinue (33357104, 1, ... 01056 748 NtContinue (32308528, 1, ... 01057 428 NtContinue (31259952, 1, ... 01058 1732 NtContinue (30211376, 1, ... 01059 928 NtContinue (29162800, 1, ... 01060 120 NtContinue (28114224, 1, ... 01061 1168 NtContinue (27065648, 1, ... 01062 376 NtContinue (26017072, 1, ... 01063 596 NtContinue (24968496, 1, ... 01020 1024 NtWaitForSingleObject ... ) == 0x0 01051 1132 NtSetEventBoostPriority ... ) == 0x0 01064 420 NtContinue (23919920, 1, ... 01065 1736 NtResumeThread (264, ... 01052 500 NtTestAlert ... ) == 0x0 01066 252 NtRegisterThreadTerminatePort (24, ... 01067 1096 NtRegisterThreadTerminatePort (24, ... 01068 1300 NtRegisterThreadTerminatePort (24, ... 01069 748 NtRegisterThreadTerminatePort (24, ... 01070 428 NtRegisterThreadTerminatePort (24, ... 01071 1732 NtRegisterThreadTerminatePort (24, ... 01072 928 NtRegisterThreadTerminatePort (24, ... 01073 120 NtRegisterThreadTerminatePort (24, ... 01074 1168 NtRegisterThreadTerminatePort (24, ... 01075 376 NtRegisterThreadTerminatePort (24, ... 01076 1024 NtSetEventBoostPriority (88, ... 01077 596 NtRegisterThreadTerminatePort (24, ... 01078 220 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01079 420 NtRegisterThreadTerminatePort (24, ... 01065 1736 NtResumeThread ... 1, ) == 0x0 01080 500 NtContinue (36502832, 1, ... 
01066 252 NtRegisterThreadTerminatePort ... ) == 0x0 01067 1096 NtRegisterThreadTerminatePort ... ) == 0x0 01068 1300 NtRegisterThreadTerminatePort ... ) == 0x0 01069 748 NtRegisterThreadTerminatePort ... ) == 0x0 01070 428 NtRegisterThreadTerminatePort ... ) == 0x0 01071 1732 NtRegisterThreadTerminatePort ... ) == 0x0 01072 928 NtRegisterThreadTerminatePort ... ) == 0x0 01073 120 NtRegisterThreadTerminatePort ... ) == 0x0 01074 1168 NtRegisterThreadTerminatePort ... ) == 0x0 01048 1356 NtWaitForSingleObject ... ) == 0x0 01076 1024 NtSetEventBoostPriority ... ) == 0x0 01075 376 NtRegisterThreadTerminatePort ... ) == 0x0 01077 596 NtRegisterThreadTerminatePort ... ) == 0x0 01078 220 NtCreateEvent ... 232, ) == 0x0 01079 420 NtRegisterThreadTerminatePort ... ) == 0x0 01081 1132 NtTestAlert (... 01082 948 NtWaitForSingleObject (88, 0, 0x0, ... 01083 500 NtRegisterThreadTerminatePort (24, ... 01084 252 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01085 1096 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01086 1300 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01087 748 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01088 428 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01089 1732 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01090 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01091 120 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01092 1356 NtSetEventBoostPriority (88, ... 01093 1168 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01094 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01095 376 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01096 596 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 01097 220 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01098 420 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01081 1132 NtTestAlert ... ) == 0x0 01099 1024 NtTestAlert (... 01083 500 NtRegisterThreadTerminatePort ... ) == 0x0 01084 252 NtDuplicateObject ... 268, ) == 0x0 01085 1096 NtDuplicateObject ... 272, ) == 0x0 01086 1300 NtDuplicateObject ... 
276, ) == 0x0 01087 748 NtDuplicateObject ... 280, ) == 0x0 01088 428 NtDuplicateObject ... 284, ) == 0x0 01089 1732 NtDuplicateObject ... 288, ) == 0x0 01090 928 NtDuplicateObject ... 292, ) == 0x0 01082 948 NtWaitForSingleObject ... ) == 0x0 01092 1356 NtSetEventBoostPriority ... ) == 0x0 01091 120 NtDuplicateObject ... 296, ) == 0x0 01094 1736 NtAllocateVirtualMemory ... 39649280, 1048576, ) == 0x0 01093 1168 NtDuplicateObject ... 300, ) == 0x0 01095 376 NtDuplicateObject ... 304, ) == 0x0 01097 220 NtDuplicateObject ... 308, ) == 0x0 01096 596 NtAllocateVirtualMemory ... 1368064, 4096, ) == 0x0 01100 1132 NtContinue (37551408, 1, ... 01099 1024 NtTestAlert ... ) == 0x0 01101 500 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01102 252 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01103 1096 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01104 1300 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01105 748 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01106 428 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01107 1732 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01108 948 NtTestAlert (... 01109 928 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01098 420 NtCreateEvent ... 312, ) == 0x0 01110 120 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01111 1736 NtAllocateVirtualMemory (-1, 40689664, 0, 8192, 4096, 4, ... 01112 1168 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01113 376 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01114 220 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01115 596 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01116 1132 NtRegisterThreadTerminatePort (24, ... 01117 1024 NtContinue (38599984, 1, ... 01101 500 NtCreateEvent ... 316, ) == 0x0 01102 252 NtCreateEvent ... 320, ) == 0x0 01103 1096 NtCreateEvent ... 324, ) == 0x0 01104 1300 NtCreateEvent ... 328, ) == 0x0 01105 748 NtCreateEvent ... 332, ) == 0x0 01106 428 NtCreateEvent ... 336, ) == 0x0 01108 948 NtTestAlert ... ) == 0x0 01107 1732 NtCreateEvent ... 340, ) == 0x0 01109 928 NtCreateEvent ... 344, ) == 0x0 01118 420 NtWaitForSingleObject (312, 0, 0x0, ... 
01110 120 NtCreateEvent ... 348, ) == 0x0 01111 1736 NtAllocateVirtualMemory ... 40689664, 8192, ) == 0x0 01112 1168 NtCreateEvent ... 352, ) == 0x0 01113 376 NtCreateEvent ... 356, ) == 0x0 01114 220 NtCreateEvent ... 360, ) == 0x0 01115 596 NtCreateEvent ... 364, ) == 0x0 01116 1132 NtRegisterThreadTerminatePort ... ) == 0x0 01119 1024 NtRegisterThreadTerminatePort (24, ... 01120 500 NtClose (316, ... 01121 252 NtClose (320, ... 01122 1096 NtClose (324, ... 01123 1300 NtClose (328, ... 01124 748 NtClose (332, ... 01125 428 NtClose (336, ... 01126 1356 NtWaitForSingleObject (312, 0, 0x0, ... 01127 1732 NtClose (340, ... 01128 928 NtClose (344, ... 01129 120 NtClose (348, ... 01130 1736 NtProtectVirtualMemory (-1, (0x26ce000), 4096, 260, ... 01131 1168 NtClose (352, ... 01132 376 NtClose (356, ... 01133 948 NtContinue (39648560, 1, ... 01134 596 NtClose (364, ... 01135 1132 NtWaitForSingleObject (312, 0, 0x0, ... 01119 1024 NtRegisterThreadTerminatePort ... ) == 0x0 01120 500 NtClose ... ) == 0x0 01121 252 NtClose ... ) == 0x0 01122 1096 NtClose ... ) == 0x0 01123 1300 NtClose ... ) == 0x0 01124 748 NtClose ... ) == 0x0 01125 428 NtClose ... ) == 0x0 01127 1732 NtClose ... ) == 0x0 01128 928 NtClose ... ) == 0x0 01129 120 NtClose ... ) == 0x0 01130 1736 NtProtectVirtualMemory ... (0x26ce000), 4096, 4, ) == 0x0 01131 1168 NtClose ... ) == 0x0 01132 376 NtClose ... ) == 0x0 01136 948 NtRegisterThreadTerminatePort (24, ... 01134 596 NtClose ... ) == 0x0 01137 220 NtClose (360, ... 01138 1024 NtWaitForSingleObject (312, 0, 0x0, ... 01139 500 NtWaitForSingleObject (312, 0, 0x0, ... 01140 252 NtWaitForSingleObject (312, 0, 0x0, ... 01141 1096 NtWaitForSingleObject (312, 0, 0x0, ... 01142 1300 NtWaitForSingleObject (312, 0, 0x0, ... 01143 748 NtWaitForSingleObject (312, 0, 0x0, ... 01144 428 NtWaitForSingleObject (312, 0, 0x0, ... 01145 1732 NtWaitForSingleObject (312, 0, 0x0, ... 01146 928 NtWaitForSingleObject (312, 0, 0x0, ... 
01147 120 NtWaitForSingleObject (312, 0, 0x0, ... 01148 1168 NtWaitForSingleObject (312, 0, 0x0, ... 01149 376 NtWaitForSingleObject (312, 0, 0x0, ... 01136 948 NtRegisterThreadTerminatePort ... ) == 0x0 01150 596 NtSetEventBoostPriority (312, ... 01137 220 NtClose ... ) == 0x0 01151 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01152 948 NtWaitForSingleObject (312, 0, 0x0, ... 01153 220 NtWaitForSingleObject (312, 0, 0x0, ... 01151 1736 NtCreateThread ... 360, {1636, 1064}, ) == 0x0 01154 1736 NtQueryInformationThread (360, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1636,Tid=1064,}, 0x0, ) == 0x0 01155 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0d\6\0\0(\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0d\6\0\0(\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75507, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0d\6\0\0(\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0d\6\0\0(\4\0\0" ) ) == 0x0 01156 1736 NtResumeThread (360, ... 1, ) == 0x0 01118 420 NtWaitForSingleObject ... ) == 0x0 01150 596 NtSetEventBoostPriority ... ) == 0x0 01157 1064 NtTestAlert (... 01158 420 NtSetEventBoostPriority (312, ... 01159 596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01157 1064 NtTestAlert ... ) == 0x0 01126 1356 NtWaitForSingleObject ... ) == 0x0 01158 420 NtSetEventBoostPriority ... ) == 0x0 01159 596 NtDuplicateObject ... 364, ) == 0x0 01160 1356 NtSetEventBoostPriority (312, ... 01161 1064 NtContinue (40697136, 1, ... 01162 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01135 1132 NtWaitForSingleObject ... ) == 0x0 01160 1356 NtSetEventBoostPriority ... ) == 0x0 01163 596 NtWaitForSingleObject (312, 0, 0x0, ... 01164 1064 NtRegisterThreadTerminatePort (24, ... 
01165 1132 NtSetEventBoostPriority (312, ... 01162 1736 NtAllocateVirtualMemory ... 40697856, 1048576, ) == 0x0 01166 1356 NtWaitForSingleObject (312, 0, 0x0, ... 01138 1024 NtWaitForSingleObject ... ) == 0x0 01164 1064 NtRegisterThreadTerminatePort ... ) == 0x0 01167 1736 NtAllocateVirtualMemory (-1, 41738240, 0, 8192, 4096, 4, ... 01165 1132 NtSetEventBoostPriority ... ) == 0x0 01168 420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01169 1024 NtSetEventBoostPriority (312, ... 01167 1736 NtAllocateVirtualMemory ... 41738240, 8192, ) == 0x0 01170 1132 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01168 420 NtDuplicateObject ... 356, ) == 0x0 01139 500 NtWaitForSingleObject ... ) == 0x0 01171 1736 NtProtectVirtualMemory (-1, (0x27ce000), 4096, 260, ... 01170 1132 NtDuplicateObject ... 352, ) == 0x0 01172 420 NtWaitForSingleObject (312, 0, 0x0, ... 01173 500 NtSetEventBoostPriority (312, ... 01171 1736 NtProtectVirtualMemory ... (0x27ce000), 4096, 4, ) == 0x0 01169 1024 NtSetEventBoostPriority ... ) == 0x0 01174 1064 NtWaitForSingleObject (312, 0, 0x0, ... 01140 252 NtWaitForSingleObject ... ) == 0x0 01173 500 NtSetEventBoostPriority ... ) == 0x0 01175 1132 NtWaitForSingleObject (312, 0, 0x0, ... 01176 1024 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01177 252 NtSetEventBoostPriority (312, ... 01178 500 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01176 1024 NtDuplicateObject ... 348, ) == 0x0 01141 1096 NtWaitForSingleObject ... ) == 0x0 01178 500 NtDuplicateObject ... 344, ) == 0x0 01177 252 NtSetEventBoostPriority ... ) == 0x0 01179 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01180 1096 NtSetEventBoostPriority (312, ... 01181 1024 NtWaitForSingleObject (312, 0, 0x0, ... 01182 252 NtWaitForSingleObject (312, 0, 0x0, ... 01179 1736 NtCreateThread ... 340, {1636, 1384}, ) == 0x0 01142 1300 NtWaitForSingleObject ... ) == 0x0 01183 1736 NtQueryInformationThread (340, Basic, 28, ... 01184 1300 NtSetEventBoostPriority (312, ... 
01183 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1636,Tid=1384,}, 0x0, ) == 0x0 01143 748 NtWaitForSingleObject ... ) == 0x0 01185 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0d\6\0\0h\5\0\0" ... ... 01186 748 NtSetEventBoostPriority (312, ... 01144 428 NtWaitForSingleObject ... ) == 0x0 01187 428 NtSetEventBoostPriority (312, ... 01145 1732 NtWaitForSingleObject ... ) == 0x0 01188 1732 NtSetEventBoostPriority (312, ... 01146 928 NtWaitForSingleObject ... ) == 0x0 01189 928 NtSetEventBoostPriority (312, ... 01147 120 NtWaitForSingleObject ... ) == 0x0 01190 120 NtSetEventBoostPriority (312, ... 01148 1168 NtWaitForSingleObject ... ) == 0x0 01191 1168 NtSetEventBoostPriority (312, ... 01149 376 NtWaitForSingleObject ... ) == 0x0 01192 376 NtSetEventBoostPriority (312, ... 01152 948 NtWaitForSingleObject ... ) == 0x0 01193 948 NtSetEventBoostPriority (312, ... 01153 220 NtWaitForSingleObject ... ) == 0x0 01194 220 NtSetEventBoostPriority (312, ... 01163 596 NtWaitForSingleObject ... ) == 0x0 01195 596 NtSetEventBoostPriority (312, ... 01166 1356 NtWaitForSingleObject ... ) == 0x0 01196 1356 NtSetEventBoostPriority (312, ... 01172 420 NtWaitForSingleObject ... ) == 0x0 01197 420 NtSetEventBoostPriority (312, ... 01174 1064 NtWaitForSingleObject ... ) == 0x0 01198 1064 NtSetEventBoostPriority (312, ... 01175 1132 NtWaitForSingleObject ... ) == 0x0 01199 1132 NtSetEventBoostPriority (312, ... 01181 1024 NtWaitForSingleObject ... ) == 0x0 01200 1024 NtSetEventBoostPriority (312, ... 01182 252 NtWaitForSingleObject ... ) == 0x0 01201 252 NtWaitForSingleObject (64, 0, {0, 0}, ... 01200 1024 NtSetEventBoostPriority ... ) == 0x0 01202 1024 NtWaitForSingleObject (64, 0, {0, 0}, ... 01199 1132 NtSetEventBoostPriority ... ) == 0x0 01198 1064 NtSetEventBoostPriority ... ) == 0x0 01197 420 NtSetEventBoostPriority ... 
) == 0x0 01195 596 NtSetEventBoostPriority ... ) == 0x0 01194 220 NtSetEventBoostPriority ... ) == 0x0 01193 948 NtSetEventBoostPriority ... ) == 0x0 01196 1356 NtSetEventBoostPriority ... ) == 0x0 01192 376 NtSetEventBoostPriority ... ) == 0x0 01191 1168 NtSetEventBoostPriority ... ) == 0x0 01190 120 NtSetEventBoostPriority ... ) == 0x0 01189 928 NtSetEventBoostPriority ... ) == 0x0 01188 1732 NtSetEventBoostPriority ... ) == 0x0 01187 428 NtSetEventBoostPriority ... ) == 0x0 01186 748 NtSetEventBoostPriority ... ) == 0x0 01184 1300 NtSetEventBoostPriority ... ) == 0x0 01180 1096 NtSetEventBoostPriority ... ) == 0x0 01203 500 NtWaitForSingleObject (64, 0, {0, 0}, ... 01185 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75508, 0} ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\1\0\0d\6\0\0h\5\0\0" ) ) == 0x0 01201 252 NtWaitForSingleObject ... ) == 0x102 01204 1132 NtWaitForSingleObject (64, 0, {0, 0}, ... 01205 1064 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01202 1024 NtWaitForSingleObject ... ) == 0x102 01206 420 NtWaitForSingleObject (64, 0, {0, 0}, ... 01207 596 NtWaitForSingleObject (64, 0, {0, 0}, ... 01208 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ... 01209 1356 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01210 376 NtWaitForSingleObject (64, 0, {0, 0}, ... 01211 1168 NtWaitForSingleObject (64, 0, {0, 0}, ... 01212 120 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 01213 928 NtWaitForSingleObject (312, 0, 0x0, ... 01214 1732 NtWaitForSingleObject (312, 0, 0x0, ... 01215 428 NtWaitForSingleObject (312, 0, 0x0, ... 01216 748 NtWaitForSingleObject (312, 0, 0x0, ... 01217 1300 NtWaitForSingleObject (312, 0, 0x0, ... 01218 1096 NtWaitForSingleObject (312, 0, 0x0, ... 01203 500 NtWaitForSingleObject ... ) == 0x102 01219 1736 NtResumeThread (340, ... 01220 252 NtWaitForSingleObject (136, 0, 0x0, ... 
01221 948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01204 1132 NtWaitForSingleObject ... ) == 0x102 01222 1024 NtWaitForSingleObject (312, 0, 0x0, ... 01206 420 NtWaitForSingleObject ... ) == 0x102 01207 596 NtWaitForSingleObject ... ) == 0x102 01208 220 NtOpenKey ... 336, ) == 0x0 01209 1356 NtCreateEvent ... 332, ) == 0x0 01212 120 NtAllocateVirtualMemory ... 1372160, 4096, ) == 0x0 01223 500 NtWaitForSingleObject (312, 0, 0x0, ... 01219 1736 NtResumeThread ... 1, ) == 0x0 01221 948 NtDuplicateObject ... 328, ) == 0x0 01224 1132 NtWaitForSingleObject (312, 0, 0x0, ... 01225 420 NtWaitForSingleObject (312, 0, 0x0, ... 01226 596 NtWaitForSingleObject (312, 0, 0x0, ... 01227 220 NtQueryValueKey (336, (336, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ... 01205 1064 NtDuplicateObject ... 324, ) == 0x0 01210 376 NtWaitForSingleObject ... ) == 0x102 01211 1168 NtWaitForSingleObject ... ) == 0x102 01228 1384 NtTestAlert (... 01229 1356 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01230 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01231 948 NtWaitForSingleObject (312, 0, 0x0, ... 01227 220 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01232 1064 NtWaitForSingleObject (312, 0, 0x0, ... 01233 376 NtWaitForSingleObject (312, 0, 0x0, ... 01234 1168 NtWaitForSingleObject (312, 0, 0x0, ... 01228 1384 NtTestAlert ... ) == 0x0 01229 1356 NtDuplicateObject ... 320, ) == 0x0 01230 1736 NtAllocateVirtualMemory ... 41746432, 1048576, ) == 0x0 01235 220 NtClose (336, ... 01236 1384 NtContinue (41745712, 1, ... 01237 1356 NtWaitForSingleObject (312, 0, 0x0, ... 01238 1736 NtAllocateVirtualMemory (-1, 42786816, 0, 8192, 4096, 4, ... 01235 220 NtClose ... ) == 0x0 01239 1384 NtRegisterThreadTerminatePort (24, ... 01240 120 NtSetEventBoostPriority (312, ... 01238 1736 NtAllocateVirtualMemory ... 42786816, 8192, ) == 0x0 01239 1384 NtRegisterThreadTerminatePort ... ) == 0x0 01213 928 NtWaitForSingleObject ... 
) == 0x0 01240 120 NtSetEventBoostPriority ... ) == 0x0 01241 1736 NtProtectVirtualMemory (-1, (0x28ce000), 4096, 260, ... 01242 220 NtWaitForSingleObject (312, 0, 0x0, ... 01243 928 NtSetEventBoostPriority (312, ... 01244 120 NtWaitForSingleObject (312, 0, 0x0, ... 01241 1736 NtProtectVirtualMemory ... (0x28ce000), 4096, 4, ) == 0x0 01214 1732 NtWaitForSingleObject ... ) == 0x0 01243 928 NtSetEventBoostPriority ... ) == 0x0 01245 1732 NtSetEventBoostPriority (312, ... 01246 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01247 1384 NtWaitForSingleObject (312, 0, 0x0, ... 01215 428 NtWaitForSingleObject ... ) == 0x0 01245 1732 NtSetEventBoostPriority ... ) == 0x0 01246 1736 NtCreateThread ... 336, {1636, 188}, ) == 0x0 01248 428 NtSetEventBoostPriority (312, ... 01249 928 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01216 748 NtWaitForSingleObject ... ) == 0x0 01248 428 NtSetEventBoostPriority ... ) == 0x0 01250 1736 NtQueryInformationThread (336, Basic, 28, ... 01251 748 NtSetEventBoostPriority (312, ... 01249 928 NtCreateEvent ... 316, ) == 0x0 01252 1732 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01253 428 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01217 1300 NtWaitForSingleObject ... ) == 0x0 01251 748 NtSetEventBoostPriority ... ) == 0x0 01254 928 NtWaitForSingleObject (316, 0, 0x0, ... 01252 1732 NtCreateEvent ... 368, ) == 0x0 01255 1300 NtSetEventBoostPriority (312, ... 01253 428 NtCreateEvent ... 372, ) == 0x0 01250 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1636,Tid=188,}, 0x0, ) == 0x0 01218 1096 NtWaitForSingleObject ... ) == 0x0 01255 1300 NtSetEventBoostPriority ... ) == 0x0 01256 1732 NtClose (368, ... 01257 428 NtClose (372, ... 01258 1096 NtSetEventBoostPriority (312, ... 01259 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0d\6\0\0\274\0\0\0" ... ... 
01260 748 NtWaitForSingleObject (316, 0, 0x0, ... 01256 1732 NtClose ... ) == 0x0 01222 1024 NtWaitForSingleObject ... ) == 0x0 01258 1096 NtSetEventBoostPriority ... ) == 0x0 01257 428 NtClose ... ) == 0x0 01259 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75509, 0} ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0d\6\0\0\274\0\0\0" ) ) == 0x0 01261 1024 NtSetEventBoostPriority (312, ... 01262 1732 NtWaitForSingleObject (316, 0, 0x0, ... 01263 1300 NtWaitForSingleObject (316, 0, 0x0, ... 01264 428 NtWaitForSingleObject (316, 0, 0x0, ... 01223 500 NtWaitForSingleObject ... ) == 0x0 01261 1024 NtSetEventBoostPriority ... ) == 0x0 01265 1736 NtResumeThread (336, ... 01266 500 NtSetEventBoostPriority (312, ... 01267 1096 NtWaitForSingleObject (316, 0, 0x0, ... 01224 1132 NtWaitForSingleObject ... ) == 0x0 01266 500 NtSetEventBoostPriority ... ) == 0x0 01265 1736 NtResumeThread ... 1, ) == 0x0 01268 1132 NtSetEventBoostPriority (312, ... 01269 1024 NtWaitForSingleObject (136, 0, 0x0, ... 01270 188 NtTestAlert (... 01271 500 NtWaitForSingleObject (136, 0, 0x0, ... 01225 420 NtWaitForSingleObject ... ) == 0x0 01268 1132 NtSetEventBoostPriority ... ) == 0x0 01270 188 NtTestAlert ... ) == 0x0 01272 420 NtSetEventBoostPriority (312, ... 01273 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01226 596 NtWaitForSingleObject ... ) == 0x0 01272 420 NtSetEventBoostPriority ... ) == 0x0 01274 188 NtContinue (42794288, 1, ... 01275 596 NtSetEventBoostPriority (312, ... 01273 1736 NtAllocateVirtualMemory ... 42795008, 1048576, ) == 0x0 01276 1132 NtWaitForSingleObject (136, 0, 0x0, ... 01231 948 NtWaitForSingleObject ... ) == 0x0 01275 596 NtSetEventBoostPriority ... ) == 0x0 01277 188 NtRegisterThreadTerminatePort (24, ... 01278 1736 NtAllocateVirtualMemory (-1, 43835392, 0, 8192, 4096, 4, ... 01279 948 NtSetEventBoostPriority (312, ... 01280 420 NtWaitForSingleObject (136, 0, 0x0, ... 
01277 188 NtRegisterThreadTerminatePort ... ) == 0x0 01232 1064 NtWaitForSingleObject ... ) == 0x0 01279 948 NtSetEventBoostPriority ... ) == 0x0 01278 1736 NtAllocateVirtualMemory ... 43835392, 8192, ) == 0x0 01281 596 NtWaitForSingleObject (136, 0, 0x0, ... 01282 1064 NtSetEventBoostPriority (312, ... 01283 188 NtWaitForSingleObject (312, 0, 0x0, ... 01284 1736 NtProtectVirtualMemory (-1, (0x29ce000), 4096, 260, ... 01233 376 NtWaitForSingleObject ... ) == 0x0 01282 1064 NtSetEventBoostPriority ... ) == 0x0 01285 376 NtSetEventBoostPriority (312, ... 01284 1736 NtProtectVirtualMemory ... (0x29ce000), 4096, 4, ) == 0x0 01286 948 NtWaitForSingleObject (312, 0, 0x0, ... 01234 1168 NtWaitForSingleObject ... ) == 0x0 01285 376 NtSetEventBoostPriority ... ) == 0x0 01287 1064 NtWaitForSingleObject (312, 0, 0x0, ... 01288 1168 NtSetEventBoostPriority (312, ... 01289 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01237 1356 NtWaitForSingleObject ... ) == 0x0 01288 1168 NtSetEventBoostPriority ... ) == 0x0 01290 1356 NtSetEventBoostPriority (312, ... 01289 1736 NtCreateThread ... 372, {1636, 1600}, ) == 0x0 01291 376 NtWaitForSingleObject (136, 0, 0x0, ... 01242 220 NtWaitForSingleObject ... ) == 0x0 01290 1356 NtSetEventBoostPriority ... ) == 0x0 01292 1736 NtQueryInformationThread (372, Basic, 28, ... 01293 220 NtSetEventBoostPriority (312, ... 01294 1168 NtWaitForSingleObject (136, 0, 0x0, ... 01244 120 NtWaitForSingleObject ... ) == 0x0 01293 220 NtSetEventBoostPriority ... ) == 0x0 01292 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1636,Tid=1600,}, 0x0, ) == 0x0 01295 120 NtSetEventBoostPriority (312, ... 01296 220 NtOpenThreadToken (-2, 0xc, 1, ... 01247 1384 NtWaitForSingleObject ... ) == 0x0 01295 120 NtSetEventBoostPriority ... 
) == 0x0 01297 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0d\6\0\0@\6\0\0" ... ... 01298 1356 NtWaitForSingleObject (312, 0, 0x0, ... 01299 1384 NtSetEventBoostPriority (312, ... 01296 220 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01283 188 NtWaitForSingleObject ... ) == 0x0 01299 1384 NtSetEventBoostPriority ... ) == 0x0 01300 188 NtSetEventBoostPriority (312, ... 01301 220 NtOpenThreadToken (-2, 0x20008, 1, ... 01286 948 NtWaitForSingleObject ... ) == 0x0 01300 188 NtSetEventBoostPriority ... ) == 0x0 01302 1384 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01303 948 NtSetEventBoostPriority (312, ... 01301 220 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01304 188 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01305 120 NtSetEventBoostPriority (316, ... 01297 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75510, 0} ... {28, 56, reply, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\1\0\0d\6\0\0@\6\0\0" ) ) == 0x0 01287 1064 NtWaitForSingleObject ... ) == 0x0 01303 948 NtSetEventBoostPriority ... ) == 0x0 01306 220 NtWaitForSingleObject (312, 0, 0x0, ... 01302 1384 NtDuplicateObject ... 368, ) == 0x0 01254 928 NtWaitForSingleObject ... ) == 0x0 01305 120 NtSetEventBoostPriority ... ) == 0x0 01307 1064 NtSetEventBoostPriority (312, ... 01308 1736 NtResumeThread (372, ... 01309 948 NtWaitForSingleObject (312, 0, 0x0, ... 01310 928 NtWaitForSingleObject (312, 0, 0x0, ... 01311 1384 NtWaitForSingleObject (312, 0, 0x0, ... 01298 1356 NtWaitForSingleObject ... ) == 0x0 01307 1064 NtSetEventBoostPriority ... ) == 0x0 01312 120 NtWaitForSingleObject (64, 0, {0, 0}, ... 01308 1736 NtResumeThread ... 1, ) == 0x0 01304 188 NtDuplicateObject ... 376, ) == 0x0 01313 1356 NtSetEventBoostPriority (312, ... 01314 1064 NtWaitForSingleObject (312, 0, 0x0, ... 01312 120 NtWaitForSingleObject ... 
) == 0x102 01315 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01306 220 NtWaitForSingleObject ... ) == 0x0 01313 1356 NtSetEventBoostPriority ... ) == 0x0 01316 188 NtWaitForSingleObject (312, 0, 0x0, ... 01317 1600 NtTestAlert (... 01318 120 NtWaitForSingleObject (312, 0, 0x0, ... 01319 220 NtSetEventBoostPriority (312, ... 01315 1736 NtAllocateVirtualMemory ... 43843584, 1048576, ) == 0x0 01320 1356 NtWaitForSingleObject (312, 0, 0x0, ... 01317 1600 NtTestAlert ... ) == 0x0 01310 928 NtWaitForSingleObject ... ) == 0x0 01319 220 NtSetEventBoostPriority ... ) == 0x0 01321 1736 NtAllocateVirtualMemory (-1, 44883968, 0, 8192, 4096, 4, ... 01322 928 NtSetEventBoostPriority (312, ... 01323 1600 NtContinue (43842864, 1, ... 01324 220 NtWaitForSingleObject (316, 0, 0x0, ... 01311 1384 NtWaitForSingleObject ... ) == 0x0 01322 928 NtSetEventBoostPriority ... ) == 0x0 01325 1600 NtRegisterThreadTerminatePort (24, ... 01326 1384 NtSetEventBoostPriority (312, ... 01321 1736 NtAllocateVirtualMemory ... 44883968, 8192, ) == 0x0 01309 948 NtWaitForSingleObject ... ) == 0x0 01326 1384 NtSetEventBoostPriority ... ) == 0x0 01325 1600 NtRegisterThreadTerminatePort ... ) == 0x0 01327 948 NtSetEventBoostPriority (312, ... 01328 1736 NtProtectVirtualMemory (-1, (0x2ace000), 4096, 260, ... 01329 928 NtSetEventBoostPriority (316, ... 01330 1384 NtWaitForSingleObject (312, 0, 0x0, ... 01316 188 NtWaitForSingleObject ... ) == 0x0 01328 1736 NtProtectVirtualMemory ... (0x2ace000), 4096, 4, ) == 0x0 01260 748 NtWaitForSingleObject ... ) == 0x0 01329 928 NtSetEventBoostPriority ... ) == 0x0 01331 188 NtSetEventBoostPriority (312, ... 01332 748 NtWaitForSingleObject (312, 0, 0x0, ... 01333 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01334 928 NtWaitForSingleObject (64, 0, {0, 0}, ... 01314 1064 NtWaitForSingleObject ... ) == 0x0 01331 188 NtSetEventBoostPriority ... ) == 0x0 01333 1736 NtCreateThread ... 
380, {1636, 1372}, ) == 0x0 01335 1064 NtSetEventBoostPriority (312, ... 01334 928 NtWaitForSingleObject ... ) == 0x102 01327 948 NtSetEventBoostPriority ... ) == 0x0 01336 1600 NtWaitForSingleObject (312, 0, 0x0, ... 01318 120 NtWaitForSingleObject ... ) == 0x0 01337 1736 NtQueryInformationThread (380, Basic, 28, ... 01338 928 NtWaitForSingleObject (136, 0, 0x0, ... 01339 948 NtWaitForSingleObject (316, 0, 0x0, ... 01340 120 NtSetEventBoostPriority (312, ... 01335 1064 NtSetEventBoostPriority ... ) == 0x0 01341 188 NtWaitForSingleObject (312, 0, 0x0, ... 01337 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1636,Tid=1372,}, 0x0, ) == 0x0 01320 1356 NtWaitForSingleObject ... ) == 0x0 01342 1064 NtWaitForSingleObject (316, 0, 0x0, ... 01343 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0d\6\0\0\\5\0\0" ... ... 01344 1356 NtSetEventBoostPriority (312, ... 01343 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75511, 0} ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\1\0\0d\6\0\0\\5\0\0" ) ) == 0x0 01330 1384 NtWaitForSingleObject ... ) == 0x0 01345 1736 NtResumeThread (380, ... 01346 1384 NtSetEventBoostPriority (312, ... 01345 1736 NtResumeThread ... 1, ) == 0x0 01332 748 NtWaitForSingleObject ... ) == 0x0 01346 1384 NtSetEventBoostPriority ... ) == 0x0 01344 1356 NtSetEventBoostPriority ... ) == 0x0 01340 120 NtSetEventBoostPriority ... ) == 0x0 01347 1372 NtTestAlert (... 01348 748 NtSetEventBoostPriority (312, ... 01349 1384 NtWaitForSingleObject (316, 0, 0x0, ... 01350 1356 NtWaitForSingleObject (316, 0, 0x0, ... 01351 120 NtWaitForSingleObject (136, 0, 0x0, ... 01336 1600 NtWaitForSingleObject ... ) == 0x0 01348 748 NtSetEventBoostPriority ... ) == 0x0 01347 1372 NtTestAlert ... ) == 0x0 01352 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
01353 1600 NtSetEventBoostPriority (312, ... 01354 1372 NtContinue (44891440, 1, ... 01341 188 NtWaitForSingleObject ... ) == 0x0 01353 1600 NtSetEventBoostPriority ... ) == 0x0 01352 1736 NtAllocateVirtualMemory ... 44892160, 1048576, ) == 0x0 01355 188 NtWaitForSingleObject (316, 0, 0x0, ... 01356 1372 NtRegisterThreadTerminatePort (24, ... 01357 1600 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01358 1736 NtAllocateVirtualMemory (-1, 45932544, 0, 8192, 4096, 4, ... 01356 1372 NtRegisterThreadTerminatePort ... ) == 0x0 01359 748 NtSetEventBoostPriority (316, ... 01358 1736 NtAllocateVirtualMemory ... 45932544, 8192, ) == 0x0 01357 1600 NtDuplicateObject ... 384, ) == 0x0 01262 1732 NtWaitForSingleObject ... ) == 0x0 01359 748 NtSetEventBoostPriority ... ) == 0x0 01360 1736 NtProtectVirtualMemory (-1, (0x2bce000), 4096, 260, ... 01361 1732 NtSetEventBoostPriority (316, ... 01362 1600 NtWaitForSingleObject (316, 0, 0x0, ... 01363 748 NtWaitForSingleObject (64, 0, {0, 0}, ... 01263 1300 NtWaitForSingleObject ... ) == 0x0 01361 1732 NtSetEventBoostPriority ... ) == 0x0 01360 1736 NtProtectVirtualMemory ... (0x2bce000), 4096, 4, ) == 0x0 01364 1300 NtSetEventBoostPriority (316, ... 01363 748 NtWaitForSingleObject ... ) == 0x102 01365 1372 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01366 1732 NtWaitForSingleObject (64, 0, {0, 0}, ... 01264 428 NtWaitForSingleObject ... ) == 0x0 01364 1300 NtSetEventBoostPriority ... ) == 0x0 01367 748 NtWaitForSingleObject (136, 0, 0x0, ... 01365 1372 NtDuplicateObject ... 388, ) == 0x0 01368 428 NtSetEventBoostPriority (316, ... 01366 1732 NtWaitForSingleObject ... ) == 0x102 01369 1300 NtWaitForSingleObject (64, 0, {0, 0}, ... 01370 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01267 1096 NtWaitForSingleObject ... ) == 0x0 01368 428 NtSetEventBoostPriority ... ) == 0x0 01371 1372 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 01372 1732 NtWaitForSingleObject (136, 0, 0x0, ... 
01373 1096 NtWaitForSingleObject (312, 0, 0x0, ... 01370 1736 NtCreateThread ... 392, {1636, 2040}, ) == 0x0 01369 1300 NtWaitForSingleObject ... ) == 0x102 01371 1372 NtAllocateVirtualMemory ... 1376256, 4096, ) == 0x0 01374 1736 NtQueryInformationThread (392, Basic, 28, ... 01375 1300 NtWaitForSingleObject (312, 0, 0x0, ... 01376 1372 NtSetEventBoostPriority (312, ... 01374 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1636,Tid=2040,}, 0x0, ) == 0x0 01373 1096 NtWaitForSingleObject ... ) == 0x0 01376 1372 NtSetEventBoostPriority ... ) == 0x0 01377 1096 NtSetEventBoostPriority (312, ... 01378 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0d\6\0\0\370\7\0\0" ... ... 01379 428 NtWaitForSingleObject (64, 0, {0, 0}, ... 01375 1300 NtWaitForSingleObject ... ) == 0x0 01377 1096 NtSetEventBoostPriority ... ) == 0x0 01380 1300 NtWaitForSingleObject (136, 0, 0x0, ... 01379 428 NtWaitForSingleObject ... ) == 0x102 01381 1372 NtWaitForSingleObject (316, 0, 0x0, ... 01378 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75512, 0} ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0d\6\0\0\370\7\0\0" ) ) == 0x0 01382 428 NtWaitForSingleObject (136, 0, 0x0, ... 01383 1736 NtResumeThread (392, ... 1, ) == 0x0 01384 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 45940736, 1048576, ) == 0x0 01385 1736 NtAllocateVirtualMemory (-1, 46981120, 0, 8192, 4096, 4, ... 46981120, 8192, ) == 0x0 01386 1736 NtProtectVirtualMemory (-1, (0x2cce000), 4096, 260, ... (0x2cce000), 4096, 4, ) == 0x0 01387 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 396, {1636, 216}, ) == 0x0 01388 1736 NtQueryInformationThread (396, Basic, 28, ... 01389 1096 NtSetEventBoostPriority (316, ... 01390 2040 NtTestAlert (... 01324 220 NtWaitForSingleObject ... 
) == 0x0 01389 1096 NtSetEventBoostPriority ... ) == 0x0 01391 220 NtSetEventBoostPriority (316, ... 01390 2040 NtTestAlert ... ) == 0x0 01339 948 NtWaitForSingleObject ... ) == 0x0 01391 220 NtSetEventBoostPriority ... ) == 0x0 01392 1096 NtWaitForSingleObject (64, 0, {0, 0}, ... 01393 948 NtSetEventBoostPriority (316, ... 01394 2040 NtContinue (45940016, 1, ... 01395 220 NtWaitForSingleObject (316, 0, 0x0, ... 01342 1064 NtWaitForSingleObject ... ) == 0x0 01393 948 NtSetEventBoostPriority ... ) == 0x0 01392 1096 NtWaitForSingleObject ... ) == 0x102 01396 2040 NtRegisterThreadTerminatePort (24, ... 01388 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1636,Tid=216,}, 0x0, ) == 0x0 01397 1064 NtSetEventBoostPriority (316, ... 01398 1096 NtWaitForSingleObject (136, 0, 0x0, ... 01396 2040 NtRegisterThreadTerminatePort ... ) == 0x0 01350 1356 NtWaitForSingleObject ... ) == 0x0 01397 1064 NtSetEventBoostPriority ... ) == 0x0 01399 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0d\6\0\0\330\0\0\0" ... ... 01400 948 NtWaitForSingleObject (64, 0, {0, 0}, ... 01401 1356 NtSetEventBoostPriority (316, ... 01402 2040 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01399 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75513, 0} ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0d\6\0\0\330\0\0\0" ) ) == 0x0 01349 1384 NtWaitForSingleObject ... ) == 0x0 01401 1356 NtSetEventBoostPriority ... ) == 0x0 01400 948 NtWaitForSingleObject ... ) == 0x102 01402 2040 NtDuplicateObject ... 400, ) == 0x0 01403 1384 NtSetEventBoostPriority (316, ... 01404 1736 NtResumeThread (396, ... 01405 1064 NtWaitForSingleObject (64, 0, {0, 0}, ... 01406 948 NtWaitForSingleObject (136, 0, 0x0, ... 01355 188 NtWaitForSingleObject ... ) == 0x0 01407 2040 NtWaitForSingleObject (316, 0, 0x0, ... 
01404 1736 NtResumeThread ... 1, ) == 0x0 01405 1064 NtWaitForSingleObject ... ) == 0x102 01408 188 NtSetEventBoostPriority (316, ... 01403 1384 NtSetEventBoostPriority ... ) == 0x0 01409 1356 NtWaitForSingleObject (316, 0, 0x0, ... 01410 216 NtTestAlert (... 01362 1600 NtWaitForSingleObject ... ) == 0x0 01408 188 NtSetEventBoostPriority ... ) == 0x0 01411 1064 NtWaitForSingleObject (136, 0, 0x0, ... 01412 1384 NtWaitForSingleObject (64, 0, {0, 0}, ... 01413 1600 NtSetEventBoostPriority (316, ... 01410 216 NtTestAlert ... ) == 0x0 01414 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01381 1372 NtWaitForSingleObject ... ) == 0x0 01413 1600 NtSetEventBoostPriority ... ) == 0x0 01415 216 NtContinue (46988592, 1, ... 01416 1372 NtSetEventBoostPriority (316, ... 01414 1736 NtAllocateVirtualMemory ... 46989312, 1048576, ) == 0x0 01417 188 NtWaitForSingleObject (64, 0, {0, 0}, ... 01412 1384 NtWaitForSingleObject ... ) == 0x102 01395 220 NtWaitForSingleObject ... ) == 0x0 01416 1372 NtSetEventBoostPriority ... ) == 0x0 01418 216 NtRegisterThreadTerminatePort (24, ... 01419 1736 NtAllocateVirtualMemory (-1, 48029696, 0, 8192, 4096, 4, ... 01417 188 NtWaitForSingleObject ... ) == 0x102 01420 220 NtSetEventBoostPriority (316, ... 01421 1384 NtWaitForSingleObject (136, 0, 0x0, ... 01422 1372 NtWaitForSingleObject (64, 0, {0, 0}, ... 01418 216 NtRegisterThreadTerminatePort ... ) == 0x0 01419 1736 NtAllocateVirtualMemory ... 48029696, 8192, ) == 0x0 01407 2040 NtWaitForSingleObject ... ) == 0x0 01423 188 NtWaitForSingleObject (136, 0, 0x0, ... 01420 220 NtSetEventBoostPriority ... ) == 0x0 01424 1600 NtWaitForSingleObject (64, 0, {0, 0}, ... 01422 1372 NtWaitForSingleObject ... ) == 0x102 01425 1736 NtProtectVirtualMemory (-1, (0x2dce000), 4096, 260, ... 01426 2040 NtSetEventBoostPriority (316, ... 01427 220 NtWaitForSingleObject (316, 0, 0x0, ... 01424 1600 NtWaitForSingleObject ... ) == 0x102 01428 1372 NtWaitForSingleObject (136, 0, 0x0, ... 
01425 1736 NtProtectVirtualMemory ... (0x2dce000), 4096, 4, ) == 0x0 01409 1356 NtWaitForSingleObject ... ) == 0x0 01426 2040 NtSetEventBoostPriority ... ) == 0x0 01429 1600 NtWaitForSingleObject (136, 0, 0x0, ... 01430 216 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01431 1356 NtSetEventBoostPriority (316, ... 01432 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01427 220 NtWaitForSingleObject ... ) == 0x0 01431 1356 NtSetEventBoostPriority ... ) == 0x0 01430 216 NtDuplicateObject ... 404, ) == 0x0 01433 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11071600, ... }, 11071600, ... 01432 1736 NtCreateThread ... 408, {1636, 152}, ) == 0x0 01434 1356 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 01433 220 NtQueryAttributesFile ... ) == 0x0 01435 216 NtWaitForSingleObject (312, 0, 0x0, ... 01436 1736 NtQueryInformationThread (408, Basic, 28, ... 01437 2040 NtWaitForSingleObject (64, 0, {0, 0}, ... 01434 1356 NtAllocateVirtualMemory ... 1380352, 4096, ) == 0x0 01436 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1636,Tid=152,}, 0x0, ) == 0x0 01437 2040 NtWaitForSingleObject ... ) == 0x102 01438 1356 NtSetEventBoostPriority (312, ... 01439 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\230\0\0\0" ... ... 01440 2040 NtWaitForSingleObject (312, 0, 0x0, ... 01435 216 NtWaitForSingleObject ... ) == 0x0 01438 1356 NtSetEventBoostPriority ... ) == 0x0 01441 216 NtSetEventBoostPriority (312, ... 01440 2040 NtWaitForSingleObject ... ) == 0x0 01442 2040 NtWaitForSingleObject (136, 0, 0x0, ... 01441 216 NtSetEventBoostPriority ... ) == 0x0 01443 1356 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ... 
01444 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 01439 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75514, 0} ... {28, 56, reply, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0d\6\0\0\230\0\0\0" ) ) == 0x0 01443 1356 NtOpenFile ... 412, {status=0x0, info=0}, ) == 0x0 01444 220 NtOpenKey ... 416, ) == 0x0 01445 1736 NtResumeThread (408, ... 01446 1356 NtDeviceIoControlFile (412, 0, 0x0, 0x0, 0x390008, (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345?\374\256\212\232t\33\345<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01447 220 NtQueryValueKey (416, (416, "Transports", Partial, 144, ... , Partial, 144, ... 01445 1736 NtResumeThread ... 1, ) == 0x0 01448 216 NtWaitForSingleObject (64, 0, {0, 0}, ... 01447 220 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01449 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01448 216 NtWaitForSingleObject ... ) == 0x102 01450 220 NtQueryValueKey (416, (416, "Transports", Partial, 144, ... , Partial, 144, ... 01449 1736 NtAllocateVirtualMemory ... 48037888, 1048576, ) == 0x0 01451 216 NtWaitForSingleObject (136, 0, 0x0, ... 01450 220 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... 
TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01452 1736 NtAllocateVirtualMemory (-1, 49078272, 0, 8192, 4096, 4, ... 01453 1356 NtQuerySystemInformation (TimeOfDay, 48, ... 01454 152 NtTestAlert (... 01455 220 NtClose (416, ... 01453 1356 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01454 152 NtTestAlert ... ) == 0x0 01455 220 NtClose ... ) == 0x0 01456 1356 NtQuerySystemInformation (ProcessorTimes, 48, ... 01457 152 NtContinue (48037168, 1, ... 01458 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01456 1356 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01459 152 NtRegisterThreadTerminatePort (24, ... 01458 220 NtOpenKey ... 416, ) == 0x0 01460 1356 NtQuerySystemInformation (Performance, 312, ... 01459 152 NtRegisterThreadTerminatePort ... ) == 0x0 01461 220 NtQueryValueKey (416, (416, "Mapping", Partial, 144, ... , Partial, 144, ... 01460 1356 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01452 1736 NtAllocateVirtualMemory ... 49078272, 8192, ) == 0x0 01461 220 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01462 152 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01463 1736 NtProtectVirtualMemory (-1, (0x2ece000), 4096, 260, ... 01464 1356 NtQuerySystemInformation (Exception, 16, ... 01462 152 NtDuplicateObject ... 420, ) == 0x0 01463 1736 NtProtectVirtualMemory ... (0x2ece000), 4096, 4, ) == 0x0 01464 1356 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01465 152 NtWaitForSingleObject (64, 0, {0, 0}, ... 01466 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01467 1356 NtQuerySystemInformation (Lookaside, 32, ... 01465 152 NtWaitForSingleObject ... ) == 0x102 01466 1736 NtCreateThread ... 424, {1636, 900}, ) == 0x0 01467 1356 NtQuerySystemInformation ... 
{system info, class 45, size 32}, 32, ) == 0x0 01468 152 NtWaitForSingleObject (136, 0, 0x0, ... 01469 1736 NtQueryInformationThread (424, Basic, 28, ... 01470 1356 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01471 220 NtQueryValueKey (416, (416, "Mapping", Partial, 144, ... , Partial, 144, ... 01470 1356 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01471 220 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01469 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1636,Tid=900,}, 0x0, ) == 0x0 01472 220 NtQueryValueKey (416, (416, "Mapping", Partial, 152, ... , Partial, 152, ... 01473 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0d\6\0\0\204\3\0\0" ... ... 01472 220 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01473 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75515, 0} ... {28, 56, reply, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0d\6\0\0\204\3\0\0" ) ) == 0x0 01474 220 NtClose (416, ... 01475 1736 NtResumeThread (424, ... 01474 220 NtClose ... ) == 0x0 01475 1736 NtResumeThread ... 1, ) == 0x0 01476 1356 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01477 220 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01478 900 NtTestAlert (... 01476 1356 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01477 220 NtOpenKey ... 416, ) == 0x0 01478 900 NtTestAlert ... 
) == 0x0 01479 1356 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01480 220 NtQueryValueKey (416, (416, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 01481 900 NtContinue (49085744, 1, ... 01482 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01480 220 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01483 900 NtRegisterThreadTerminatePort (24, ... 01482 1736 NtAllocateVirtualMemory ... 49086464, 1048576, ) == 0x0 01484 220 NtQueryValueKey (416, (416, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 01483 900 NtRegisterThreadTerminatePort ... ) == 0x0 01485 1736 NtAllocateVirtualMemory (-1, 50126848, 0, 8192, 4096, 4, ... 01484 220 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01479 1356 NtCreateKey ... -2147482576, 2, ) == 0x0 01485 1736 NtAllocateVirtualMemory ... 50126848, 8192, ) == 0x0 01486 900 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01487 1356 NtSetValueKey (-2147482576, (-2147482576, "Seed", 0, 3, "\277P\2116;\222\327\252,\35{\27N\205GN\337\34\4vG\346I\303o\10\317\257\242\254ws\11-B\356\336Yn\255N1\12'\315\22\23\271\216\15Uc\324\377_>\242\312\2738P\330g\216\274\232X\345\253\312\360\341mp{vO\234\312\256", 80, ... , 0, 3, (-2147482576, "Seed", 0, 3, "\277P\2116;\222\327\252,\35{\27N\205GN\337\34\4vG\346I\303o\10\317\257\242\254ws\11-B\356\336Yn\255N1\12'\315\22\23\271\216\15Uc\324\377_>\242\312\2738P\330g\216\274\232X\345\253\312\360\341mp{vO\234\312\256", 80, ... , 80, ... 01488 1736 NtProtectVirtualMemory (-1, (0x2fce000), 4096, 260, ... 01486 900 NtDuplicateObject ... 428, ) == 0x0 01487 1356 NtSetValueKey ... ) == 0x0 01488 1736 NtProtectVirtualMemory ... (0x2fce000), 4096, 4, ) == 0x0 01489 900 NtWaitForSingleObject (64, 0, {0, 0}, ... 01490 1356 NtClose (-2147482576, ... 
01491 220 NtQueryValueKey (416, (416, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 01489 900 NtWaitForSingleObject ... ) == 0x102 01490 1356 NtClose ... ) == 0x0 01491 220 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01492 900 NtWaitForSingleObject (136, 0, 0x0, ... 01446 1356 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\204d\325S\231JN\262\252\253\324\12\224eo\360\205\255\311rd\3760\300\11\262p\275\216\221\236\377W~\352\33\270\302\22Em\212\27\32\326\264?bG\235\223\235\363\306\262\236\230.|\272@\221\216\334\1\320\205\245\212\306\2567\20\246T\232r\371L"s\200c\26\37\275\37ol4\27\247\7`_\304\272\341l89\305\335-\350>\315\202\4\376MS\336\230\1i\15Y\275\357D-s\323@Dy7\211&E\177\214u%>\242b\23R~\332F\356\3461\231\3566\321\261fy\200\263\213xN\312:U<\230\335/\374z\365\264f0\331\324\251$\203@t\235\212\232\305\265\340\223YW\31\34\333*l\12.\300\225\330\211\356\201\03\323\4*W\16\240\233\34\14^s\211\36m\37\243\17\20\222\375\336\200P\236W\372\273\215\236\230g\303\345\257\0\26,\206\205\366\361o(B\10\202\2620J\205\241\277\306", ) s\200c\26\37\275\37ol4\27\247\7`_\304\272\341l89\305\335-\350>\315\202\4\376MS\336\230\1i\15Y\275\357D-s\323@Dy7\211&E\177\214u%>\242b\23R~\332F\356\3461\231\3566\321\261fy\200\263\213xN\312:U<\230\335/\374z\365\264f0\331\324\251$\203@t\235\212\232\305\265\340\223YW\31\34\333*l\12.\300\225\330\211\356\201\03\323\4*W\16\240\233\34\14^s\211\36m\37\243\17\20\222\375\336\200P\236W\372\273\215\236\230g\303\345\257\0\26,\206\205\366\361o(B\10\202\2620J\205\241\277\306", ) == 0x0 01493 220 NtQueryValueKey (416, (416, "HelperDllName", Partial, 144, ... , Partial, 144, ... 01494 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01493 220 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01494 1736 NtCreateThread ... 432, {1636, 1388}, ) == 0x0 01495 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072556, ... }, 11072556, ... 01496 1736 NtQueryInformationThread (432, Basic, 28, ... 01495 220 NtQueryAttributesFile ... ) == 0x0 01496 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1636,Tid=1388,}, 0x0, ) == 0x0 01497 1356 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01498 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0l\5\0\0" ... ... 01497 1356 NtCreateEvent ... 436, ) == 0x0 01499 1356 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0 01500 1356 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12119556, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12119556, 188, ... 01501 220 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 440, {status=0x0, info=1}, ) }, 5, 96, ... 440, {status=0x0, info=1}, ) == 0x0 01502 220 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 440, ... 444, ) == 0x0 01503 220 NtClose (440, ... ) == 0x0 01498 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75516, 0} ... {28, 56, reply, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0d\6\0\0l\5\0\0" ) ) == 0x0 01500 1356 NtConnectPort ... 440, 0x0, 0x0, 0x0, 188, ) == 0x0 01504 1736 NtResumeThread (432, ... 
01505 1356 NtRequestWaitReplyPort (440, {200, 224, new_msg, 0, 1384456, 12, 2, 1310721} (440, {200, 224, new_msg, 0, 1384456, 12, 2, 1310721} "\0\1\24\0\274\0\0\0\4>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\320\1\24\0\4\0\0\0\1\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\231\226\200qX?:\241\200\37\25\0\\1\24\0\12\0\0\0\0\0\0\0\0\10\0\0(\0\0\0\210\37\25\0\316\234\354'\370\1\24\0\250\37\25\0\\1\24\0\0\0\0\0\0\0\0\0\250\37\25\0X\0\0\0\260\37\25\0\360\6\221|\320\1\24\0P\0\0\0\346\31\0\20\0\0\24\0\204\354\270\0\372\31\221|\30\364\270\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 01504 1736 NtResumeThread ... 1, ) == 0x0 01506 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 50135040, 1048576, ) == 0x0 01507 1736 NtAllocateVirtualMemory (-1, 51175424, 0, 8192, 4096, 4, ... 01505 1356 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 1356, 75518, 0} ... {200, 224, reply, 0, 1636, 1356, 75518, 0} "\7\1\24\0\274\0\0\0\4>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\1\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\231\226\200qX?:\241\200\37\25\0\\1\24\0\12\0\0\0\0\0\0\0\0\10\0\0(\0\0\0\210\37\25\0\316\234\354'\370\1\24\0\250\37\25\0\\1\24\0\0\0\0\0\0\0\0\0\250\37\25\0X\0\0\0\260\37\25\0\360\6\221|\320\1\24\0P\0\0\0\346\31\0\20\0\0\24\0\204\354\270\0\372\31\221|\30\364\270\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01508 220 NtMapViewOfSection (444, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01509 1388 NtWaitForSingleObject (88, 0, 0x0, ... 01510 1356 NtRequestWaitReplyPort (440, {64, 88, new_msg, 0, 0, 0, 0, 0} (440, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01508 220 NtMapViewOfSection ... (0x860000), 0x0, 20480, ) == 0x0 01511 220 NtClose (444, ... 
) == 0x0 01512 220 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 01513 220 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11072864, ... ) }, 11072864, ... ) == 0x0 01514 220 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 444, {status=0x0, info=1}, ) }, 5, 96, ... 444, {status=0x0, info=1}, ) == 0x0 01507 1736 NtAllocateVirtualMemory ... 51175424, 8192, ) == 0x0 01515 1736 NtProtectVirtualMemory (-1, (0x30ce000), 4096, 260, ... (0x30ce000), 4096, 4, ) == 0x0 01516 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 448, {1636, 1708}, ) == 0x0 01517 1736 NtQueryInformationThread (448, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1636,Tid=1708,}, 0x0, ) == 0x0 01518 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0\254\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0\254\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75520, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0\254\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0d\6\0\0\254\6\0\0" ) ) == 0x0 01519 1736 NtResumeThread (448, ... 1, ) == 0x0 01520 220 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 444, ... 01521 1708 NtWaitForSingleObject (88, 0, 0x0, ... 01520 220 NtCreateSection ... 452, ) == 0x0 01522 220 NtQuerySection (452, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01523 220 NtClose (444, ... ) == 0x0 01524 220 NtMapViewOfSection (452, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 01525 220 NtClose (452, ... ) == 0x0 01526 220 NtProtectVirtualMemory (-1, (0x71a91000), 128, 4, ... 
(0x71a91000), 4096, 32, ) == 0x0 01527 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 51183616, 1048576, ) == 0x0 01528 1736 NtAllocateVirtualMemory (-1, 52224000, 0, 8192, 4096, 4, ... 52224000, 8192, ) == 0x0 01529 1736 NtProtectVirtualMemory (-1, (0x31ce000), 4096, 260, ... (0x31ce000), 4096, 4, ) == 0x0 01530 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 452, {1636, 1324}, ) == 0x0 01531 1736 NtQueryInformationThread (452, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1636,Tid=1324,}, 0x0, ) == 0x0 01532 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0d\6\0\0,\5\0\0" ... ... 01533 220 NtProtectVirtualMemory (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0 01534 220 NtFlushInstructionCache (-1, 1906905088, 128, ... ) == 0x0 01532 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75521, 0} ... {28, 56, reply, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0d\6\0\0,\5\0\0" ) ) == 0x0 01535 1736 NtResumeThread (452, ... 1, ) == 0x0 01536 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 52232192, 1048576, ) == 0x0 01537 1736 NtAllocateVirtualMemory (-1, 53272576, 0, 8192, 4096, 4, ... 53272576, 8192, ) == 0x0 01538 1736 NtProtectVirtualMemory (-1, (0x32ce000), 4096, 260, ... (0x32ce000), 4096, 4, ) == 0x0 01539 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 444, {1636, 1884}, ) == 0x0 01540 1736 NtQueryInformationThread (444, Basic, 28, ... 01541 220 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ... 01510 1356 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1636, 1356, 75519, 0} ... 
{52, 76, reply, 0, 1636, 1356, 75519, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\270+\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 01542 1324 NtWaitForSingleObject (88, 0, 0x0, ... 01541 220 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01543 1356 NtClose (436, ... 01544 220 NtSetEventBoostPriority (88, ... 01543 1356 NtClose ... ) == 0x0 01509 1388 NtWaitForSingleObject ... ) == 0x0 01544 220 NtSetEventBoostPriority ... ) == 0x0 01545 1388 NtSetEventBoostPriority (88, ... 01546 1356 NtClose (440, ... 01540 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1636,Tid=1884,}, 0x0, ) == 0x0 01521 1708 NtWaitForSingleObject ... ) == 0x0 01545 1388 NtSetEventBoostPriority ... ) == 0x0 01546 1356 NtClose ... ) == 0x0 01547 1708 NtSetEventBoostPriority (88, ... 01548 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0d\6\0\0\\7\0\0" ... ... 01549 220 NtClose (416, ... 01542 1324 NtWaitForSingleObject ... ) == 0x0 01547 1708 NtSetEventBoostPriority ... ) == 0x0 01550 1356 NtWaitForSingleObject (88, 0, 0x0, ... 01548 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75523, 0} ... {28, 56, reply, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0d\6\0\0\\7\0\0" ) ) == 0x0 01551 1324 NtSetEventBoostPriority (88, ... 01549 220 NtClose ... ) == 0x0 01552 1388 NtTestAlert (... 01553 1708 NtTestAlert (... 01551 1324 NtSetEventBoostPriority ... ) == 0x0 01554 1736 NtResumeThread (444, ... 01555 220 NtWaitForSingleObject (88, 0, 0x0, ... 01552 1388 NtTestAlert ... ) == 0x0 01553 1708 NtTestAlert ... ) == 0x0 01550 1356 NtWaitForSingleObject ... ) == 0x0 01554 1736 NtResumeThread ... 1, ) == 0x0 01556 1388 NtContinue (50134320, 1, ... 01557 1708 NtContinue (51182896, 1, ... 01558 1356 NtSetEventBoostPriority (88, ... 01559 1324 NtTestAlert (... 
01560 1884 NtWaitForSingleObject (88, 0, 0x0, ... 01561 1388 NtRegisterThreadTerminatePort (24, ... 01562 1708 NtRegisterThreadTerminatePort (24, ... 01555 220 NtWaitForSingleObject ... ) == 0x0 01558 1356 NtSetEventBoostPriority ... ) == 0x0 01559 1324 NtTestAlert ... ) == 0x0 01561 1388 NtRegisterThreadTerminatePort ... ) == 0x0 01563 220 NtSetEventBoostPriority (88, ... 01562 1708 NtRegisterThreadTerminatePort ... ) == 0x0 01564 1356 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01565 1324 NtContinue (52231472, 1, ... 01560 1884 NtWaitForSingleObject ... ) == 0x0 01563 220 NtSetEventBoostPriority ... ) == 0x0 01566 1388 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01567 1708 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01564 1356 NtCreateKey ... 416, 2, ) == 0x0 01568 1884 NtTestAlert (... 01569 1324 NtRegisterThreadTerminatePort (24, ... 01570 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01571 220 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11075200, 67, ... }, 0x0, 0, 3, 3, 0, 11075200, 67, ... 01566 1388 NtDuplicateObject ... 440, ) == 0x0 01567 1708 NtDuplicateObject ... 436, ) == 0x0 01568 1884 NtTestAlert ... ) == 0x0 01569 1324 NtRegisterThreadTerminatePort ... ) == 0x0 01570 1736 NtAllocateVirtualMemory ... 53280768, 1048576, ) == 0x0 01571 220 NtCreateFile ... 456, {status=0x0, info=0}, ) == 0x0 01572 1388 NtWaitForSingleObject (64, 0, {0, 0}, ... 01573 1708 NtWaitForSingleObject (64, 0, {0, 0}, ... 01574 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01575 1324 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
01576 1736 NtAllocateVirtualMemory (-1, 54321152, 0, 8192, 4096, 4, ... 01577 220 NtDeviceIoControlFile (456, 112, 0x0, 0x0, 0x1207b, (456, 112, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ... 01572 1388 NtWaitForSingleObject ... ) == 0x102 01573 1708 NtWaitForSingleObject ... ) == 0x102 01574 1356 NtOpenKey ... 460, ) == 0x0 01578 1884 NtContinue (53280048, 1, ... 01576 1736 NtAllocateVirtualMemory ... 54321152, 8192, ) == 0x0 01577 220 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0 01579 1388 NtWaitForSingleObject (136, 0, 0x0, ... 01580 1708 NtWaitForSingleObject (136, 0, 0x0, ... 01581 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01582 1884 NtRegisterThreadTerminatePort (24, ... 01583 1736 NtProtectVirtualMemory (-1, (0x33ce000), 4096, 260, ... 01584 220 NtDeviceIoControlFile (456, 112, 0x0, 0x0, 0x1207b, (456, 112, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", 16, 16, ... , 16, 16, ... 01581 1356 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01582 1884 NtRegisterThreadTerminatePort ... ) == 0x0 01583 1736 NtProtectVirtualMemory ... (0x33ce000), 4096, 4, ) == 0x0 01584 220 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\300\332\243\201", ) , ) == 0x0 01585 1356 NtQueryValueKey (416, (416, "Hostname", Partial, 144, ... , Partial, 144, ... 01586 1884 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01575 1324 NtDuplicateObject ... 464, ) == 0x0 01587 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01585 1356 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 01586 1884 NtDuplicateObject ... 468, ) == 0x0 01588 1324 NtWaitForSingleObject (64, 0, {0, 0}, ... 
01587 1736 NtCreateThread ... 472, {1636, 248}, ) == 0x0 01589 220 NtDeviceIoControlFile (456, 112, 0x0, 0x0, 0x12047, (456, 112, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 01590 1884 NtWaitForSingleObject (64, 0, {0, 0}, ... 01588 1324 NtWaitForSingleObject ... ) == 0x102 01591 1736 NtQueryInformationThread (472, Basic, 28, ... 01589 220 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 01592 1356 NtQueryValueKey (416, (416, "Hostname", Partial, 144, ... , Partial, 144, ... 01593 1324 NtWaitForSingleObject (136, 0, 0x0, ... 01591 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1636,Tid=248,}, 0x0, ) == 0x0 01594 220 NtWaitForSingleObject (56, 0, {0, 0}, ... 01592 1356 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 01595 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0\370\0\0\0" ... ... 01594 220 NtWaitForSingleObject ... ) == 0x102 01596 1356 NtClose (416, ... 01597 220 NtDeviceIoControlFile (456, 112, 0x0, 0x0, 0x12003, (456, 112, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 01596 1356 NtClose ... ) == 0x0 01590 1884 NtWaitForSingleObject ... ) == 0x102 01595 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75524, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0d\6\0\0\370\0\0\0" ) ) == 0x0 01598 1356 NtClose (460, ... 01599 1884 NtWaitForSingleObject (136, 0, 0x0, ... 01600 1736 NtResumeThread (472, ... 01598 1356 NtClose ... ) == 0x0 01600 1736 NtResumeThread ... 1, ) == 0x0 01597 220 NtDeviceIoControlFile ... {status=0x0, info=460}, ... {status=0x0, info=460}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01601 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01602 220 NtDeviceIoControlFile (456, 112, 0x0, 0x0, 0x12047, (456, 112, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01601 1736 NtAllocateVirtualMemory ... 54329344, 1048576, ) == 0x0 01602 220 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01603 1736 NtAllocateVirtualMemory (-1, 55369728, 0, 8192, 4096, 4, ... 01604 220 NtDeviceIoControlFile (456, 112, 0x0, 0x0, 0x12037, (456, 112, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 
01605 1356 NtDeviceIoControlFile (412, 0, 0x0, 0x0, 0x390008, (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32pL\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01606 248 NtTestAlert (... 01607 1356 NtQuerySystemInformation (TimeOfDay, 48, ... 01606 248 NtTestAlert ... ) == 0x0 01607 1356 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01608 248 NtContinue (54328624, 1, ... 01609 1356 NtQuerySystemInformation (ProcessorTimes, 48, ... 01610 248 NtRegisterThreadTerminatePort (24, ... 01609 1356 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01610 248 NtRegisterThreadTerminatePort ... ) == 0x0 01611 1356 NtQuerySystemInformation (Performance, 312, ... 01603 1736 NtAllocateVirtualMemory ... 55369728, 8192, ) == 0x0 01604 220 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 01612 248 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01613 1736 NtProtectVirtualMemory (-1, (0x34ce000), 4096, 260, ... 01614 220 NtDeviceIoControlFile (456, 112, 0x0, 0x0, 0x1200b, (456, 112, 0x0, 0x0, 0x1200b, "\0\376\250\0\5\0\0\0\0\256\24\0", 12, 0, ... , 12, 0, ... 01612 248 NtDuplicateObject ... 416, ) == 0x0 01613 1736 NtProtectVirtualMemory ... (0x34ce000), 4096, 4, ) == 0x0 01614 220 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01615 248 NtWaitForSingleObject (64, 0, {0, 0}, ... 01616 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
01617 220 NtDeviceIoControlFile (456, 112, 0x0, 0x0, 0x12047, (456, 112, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\250\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01615 248 NtWaitForSingleObject ... ) == 0x102 01616 1736 NtCreateThread ... 476, {1636, 1652}, ) == 0x0 01617 220 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01618 248 NtWaitForSingleObject (136, 0, 0x0, ... 01619 1736 NtQueryInformationThread (476, Basic, 28, ... 01620 220 NtDeviceIoControlFile (456, 112, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... 01611 1356 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01619 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1636,Tid=1652,}, 0x0, ) == 0x0 01621 1356 NtQuerySystemInformation (Exception, 16, ... 01622 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0t\6\0\0" ... ... 01621 1356 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01622 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75525, 0} ... {28, 56, reply, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0d\6\0\0t\6\0\0" ) ) == 0x0 01623 1356 NtQuerySystemInformation (Lookaside, 32, ... 01624 1736 NtResumeThread (476, ... 01623 1356 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01624 1736 NtResumeThread ... 
1, ) == 0x0 01625 1356 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01620 220 NtDeviceIoControlFile ... {status=0x0, info=26}, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01626 1652 NtTestAlert (... 01627 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01628 220 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01626 1652 NtTestAlert ... ) == 0x0 01627 1736 NtAllocateVirtualMemory ... 55377920, 1048576, ) == 0x0 01628 220 NtCreateEvent ... 480, ) == 0x0 01629 1652 NtContinue (55377200, 1, ... 01630 1736 NtAllocateVirtualMemory (-1, 56418304, 0, 8192, 4096, 4, ... 01631 220 NtWaitForSingleObject (480, 0, 0x0, ... 01632 1652 NtRegisterThreadTerminatePort (24, ... 01630 1736 NtAllocateVirtualMemory ... 56418304, 8192, ) == 0x0 01632 1652 NtRegisterThreadTerminatePort ... ) == 0x0 01633 1736 NtProtectVirtualMemory (-1, (0x35ce000), 4096, 260, ... 01625 1356 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01633 1736 NtProtectVirtualMemory ... (0x35ce000), 4096, 4, ) == 0x0 01634 1356 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01635 1652 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01634 1356 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01635 1652 NtDuplicateObject ... 484, ) == 0x0 01636 1356 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01637 1652 NtWaitForSingleObject (64, 0, {0, 0}, ... 01636 1356 NtCreateKey ... -2147482564, 2, ) == 0x0 01637 1652 NtWaitForSingleObject ... ) == 0x102 01638 1356 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\305\203\235Tc\215\230\373\200\253\1\341`f:\371\245<5%\331\2404\362I;\313Z\346\270[\230'U\262[A{\244\330U\274Q\301v\30H#\316y\306K/A\206\226\346\234\2614\272aU\202\302\365V\264\321\352ZH\234O\316%\352Z,\332", 80, ... 
, 0, 3, (-2147482564, "Seed", 0, 3, "\305\203\235Tc\215\230\373\200\253\1\341`f:\371\245<5%\331\2404\362I;\313Z\346\270[\230'U\262[A{\244\330U\274Q\301v\30H#\316y\306K/A\206\226\346\234\2614\272aU\202\302\365V\264\321\352ZH\234O\316%\352Z,\332", 80, ... , 80, ... 01639 1652 NtWaitForSingleObject (136, 0, 0x0, ... 01640 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01638 1356 NtSetValueKey ... ) == 0x0 01640 1736 NtCreateThread ... 488, {1636, 588}, ) == 0x0 01641 1356 NtClose (-2147482564, ... 01642 1736 NtQueryInformationThread (488, Basic, 28, ... 01641 1356 NtClose ... ) == 0x0 01642 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1636,Tid=588,}, 0x0, ) == 0x0 01605 1356 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "gR%\352E\5\353>\371q\3\2658\350\246y\15\377\336\15p\345)q\0\273\365\362u\21{\254g\2145\20\336Ef\366!\346\1\270r\326P\211\22\34\13\3216^t\204a\3-V\13b\33l\330\332l\350\230\343/\345R\241\15\253\224\205,\235\3132Q\361[3_\341\265\333!\246\345\27\10\372QUZ7t\361o\306Y+\252\33l\224\342+Y~\353F_^\350\307\377($J&\243\234C^\2543\0/\230j\274\214\226\266^*\316\341\352]\342\346T4\224\326\C\236\330w[\354\223!\367\306\273p1vr\374/\0\264"\11Y\360\261j\21\10I\15]e\14\253\306\246\376\364\275I\30(\350K\230CD\22(\376d\356r\274\236\366\340\225V]\272R\33\16\353\351\256<,\273\340\361X@\256\10>[G\34\360\21\332\254g*Y\231`\353\216a"M\271\12\234\202\17\353\327R\36Y\224", ) \11Y\360\261j\21\10I\15]e\14\253\306\246\376\364\275I\30(\350K\230CD\22(\376d\356r\274\236\366\340\225V]\272R\33\16\353\351\256<,\273\340\361X@\256\10>[G\34\360\21\332\254g*Y\231`\353\216a ... 
{status=0x0, info=256}, "gR%\352E\5\353>\371q\3\2658\350\246y\15\377\336\15p\345)q\0\273\365\362u\21{\254g\2145\20\336Ef\366!\346\1\270r\326P\211\22\34\13\3216^t\204a\3-V\13b\33l\330\332l\350\230\343/\345R\241\15\253\224\205,\235\3132Q\361[3_\341\265\333!\246\345\27\10\372QUZ7t\361o\306Y+\252\33l\224\342+Y~\353F_^\350\307\377($J&\243\234C^\2543\0/\230j\274\214\226\266^*\316\341\352]\342\346T4\224\326\C\236\330w[\354\223!\367\306\273p1vr\374/\0\264"\11Y\360\261j\21\10I\15]e\14\253\306\246\376\364\275I\30(\350K\230CD\22(\376d\356r\274\236\366\340\225V]\272R\33\16\353\351\256<,\273\340\361X@\256\10>[G\34\360\21\332\254g*Y\231`\353\216a"M\271\12\234\202\17\353\327R\36Y\224", ) , ) == 0x0 01643 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75525, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0L\2\0\0" ... ... 01644 1356 NtDeviceIoControlFile (412, 0, 0x0, 0x0, 0x390008, (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 01645 1356 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01646 1356 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01647 1356 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01648 1356 NtQuerySystemInformation (Exception, 16, ... 01643 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75526, 0} ... {28, 56, reply, 0, 1636, 1736, 75526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0d\6\0\0L\2\0\0" ) ) == 0x0 01649 1736 NtResumeThread (488, ... 1, ) == 0x0 01650 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 56426496, 1048576, ) == 0x0 01651 1736 NtAllocateVirtualMemory (-1, 57466880, 0, 8192, 4096, 4, ... 57466880, 8192, ) == 0x0 01652 1736 NtProtectVirtualMemory (-1, (0x36ce000), 4096, 260, ... (0x36ce000), 4096, 4, ) == 0x0 01653 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 492, {1636, 440}, ) == 0x0 01654 1736 NtQueryInformationThread (492, Basic, 28, ... 01648 1356 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01655 588 NtTestAlert (... 01656 1356 NtQuerySystemInformation (Lookaside, 32, ... 01655 588 NtTestAlert ... ) == 0x0 01656 1356 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01657 588 NtContinue (56425776, 1, ... 01658 1356 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
01659 588 NtRegisterThreadTerminatePort (24, ... 01658 1356 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01659 588 NtRegisterThreadTerminatePort ... ) == 0x0 01660 1356 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01654 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1636,Tid=440,}, 0x0, ) == 0x0 01661 588 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01662 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75526, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0d\6\0\0\270\1\0\0" ... ... 01661 588 NtDuplicateObject ... 496, ) == 0x0 01662 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75527, 0} ... {28, 56, reply, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\1\0\0d\6\0\0\270\1\0\0" ) ) == 0x0 01663 588 NtWaitForSingleObject (64, 0, {0, 0}, ... 01664 1736 NtResumeThread (492, ... 01663 588 NtWaitForSingleObject ... ) == 0x102 01664 1736 NtResumeThread ... 1, ) == 0x0 01665 588 NtWaitForSingleObject (136, 0, 0x0, ... 01660 1356 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01666 440 NtTestAlert (... 01667 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01668 1356 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01666 440 NtTestAlert ... ) == 0x0 01667 1736 NtAllocateVirtualMemory ... 57475072, 1048576, ) == 0x0 01668 1356 NtCreateKey ... -2147482564, 2, ) == 0x0 01669 440 NtContinue (57474352, 1, ... 01670 1736 NtAllocateVirtualMemory (-1, 58515456, 0, 8192, 4096, 4, ... 01671 1356 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "u\271[\313\340\232\12\325\206.P\22/\357\267"m\3\252\26\207W)^y\17]#\237#!+F\376\264Qq\233\362\355c\244\251\246\341\17\215p\257X\333D\263B7\30\225+\243\306fb\3033\177z\264\2543M\331^7\257\300\344\205\250\331\15", 80, ... 
, 0, 3, (-2147482564, "Seed", 0, 3, "u\271[\313\340\232\12\325\206.P\22/\357\267"m\3\252\26\207W)^y\17]#\237#!+F\376\264Qq\233\362\355c\244\251\246\341\17\215p\257X\333D\263B7\30\225+\243\306fb\3033\177z\264\2543M\331^7\257\300\344\205\250\331\15", 80, ... m\3\252\26\207W)^y\17]#\237#!+F\376\264Qq\233\362\355c\244\251\246\341\17\215p\257X\333D\263B7\30\225+\243\306fb\3033\177z\264\2543M\331^7\257\300\344\205\250\331\15", 80, ... 01672 440 NtRegisterThreadTerminatePort (24, ... 01670 1736 NtAllocateVirtualMemory ... 58515456, 8192, ) == 0x0 01671 1356 NtSetValueKey ... ) == 0x0 01672 440 NtRegisterThreadTerminatePort ... ) == 0x0 01673 1736 NtProtectVirtualMemory (-1, (0x37ce000), 4096, 260, ... 01674 1356 NtClose (-2147482564, ... 01673 1736 NtProtectVirtualMemory ... (0x37ce000), 4096, 4, ) == 0x0 01675 440 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01674 1356 NtClose ... ) == 0x0 01675 440 NtDuplicateObject ... 500, ) == 0x0 01644 1356 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\367k\371\305\3=\277g\375\315\226\377&~\240\366\265\315\3\356Wp)\266\221\231hR.\233\353Djw\27\257j\343\32\273_eP\224\223;\247\7\374>I\366\230\253\21?\203\2037lh\31\3030o\366m5\1t\232\233~\200\363\271\204:~\24!\344\374\312\4\321@\325F|\17\302\5\327F\17\200\3_q\365\340q\266\350\341\316\321g\17\325}\26\37\331\26\321\353\217\216\221u\376\264\340\242O\370\340 \201\313\10?\374\326\225\355\267\232\374\221\212\300\343Zd\267\351\2434\21\222\213\345\12\240 \33\235\20\10#u6\3407\223\177\312\324\217\347\311\240\357M5\313\27\230|\227P\247Dv\211\214#\256\305\324\231\25\341\234&\7\227\10rE\3026\310\266-\260\2258\377\236\267Q\372\1\13\253\2362\24\353\372U\335\254\364\37LV\322\301\204/k9Z\307AO\377\6\5\220\231\342>f*$e\341", ) , ) == 0x0 01676 440 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 
01677 1356 NtDeviceIoControlFile (412, 0, 0x0, 0x0, 0x390008, (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 1\344\353M\337U (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01676 440 NtAllocateVirtualMemory ... 1388544, 4096, ) == 0x0 01678 1356 NtQuerySystemInformation (TimeOfDay, 48, ... 01679 440 NtWaitForSingleObject (64, 0, {0, 0}, ... 01678 1356 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01680 1356 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01681 1356 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01682 1356 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01683 1356 NtQuerySystemInformation (Lookaside, 32, ... 01684 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
01679 440 NtWaitForSingleObject ... ) == 0x102 01684 1736 NtCreateThread ... 504, {1636, 1296}, ) == 0x0 01685 440 NtWaitForSingleObject (136, 0, 0x0, ... 01686 1736 NtQueryInformationThread (504, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1636,Tid=1296,}, 0x0, ) == 0x0 01687 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0d\6\0\0\20\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0d\6\0\0\20\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75528, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0d\6\0\0\20\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0d\6\0\0\20\5\0\0" ) ) == 0x0 01688 1736 NtResumeThread (504, ... 1, ) == 0x0 01689 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 58523648, 1048576, ) == 0x0 01690 1736 NtAllocateVirtualMemory (-1, 59564032, 0, 8192, 4096, 4, ... 01683 1356 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01691 1296 NtTestAlert (... 01692 1356 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01691 1296 NtTestAlert ... ) == 0x0 01692 1356 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01693 1296 NtContinue (58522928, 1, ... 01694 1356 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01695 1296 NtRegisterThreadTerminatePort (24, ... 01694 1356 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01695 1296 NtRegisterThreadTerminatePort ... ) == 0x0 01696 1356 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01690 1736 NtAllocateVirtualMemory ... 59564032, 8192, ) == 0x0 01697 1296 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
01698 1736 NtProtectVirtualMemory (-1, (0x38ce000), 4096, 260, ... 01697 1296 NtDuplicateObject ... 508, ) == 0x0 01698 1736 NtProtectVirtualMemory ... (0x38ce000), 4096, 4, ) == 0x0 01699 1296 NtWaitForSingleObject (64, 0, {0, 0}, ... 01700 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01699 1296 NtWaitForSingleObject ... ) == 0x102 01700 1736 NtCreateThread ... 512, {1636, 1620}, ) == 0x0 01701 1296 NtWaitForSingleObject (136, 0, 0x0, ... 01702 1736 NtQueryInformationThread (512, Basic, 28, ... 01696 1356 NtCreateKey ... -2147482564, 2, ) == 0x0 01703 1356 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "x\2149\365kF\347R*G\2\206\364-\15\232W\312\202Ie\244\306\212\3760\3z\373c\361\2228U\231`\323\303\224)\315m\264\327\321\177\262J\4,s\254\22\303\357\0a\31\2334[\37\230\274\313\374%\206\16\26j\202.\243\6\373\372\177!h", 80, ... ) , 0, 3, (-2147482564, "Seed", 0, 3, "x\2149\365kF\347R*G\2\206\364-\15\232W\312\202Ie\244\306\212\3760\3z\373c\361\2228U\231`\323\303\224)\315m\264\327\321\177\262J\4,s\254\22\303\357\0a\31\2334[\37\230\274\313\374%\206\16\26j\202.\243\6\373\372\177!h", 80, ... ) , 80, ... ) == 0x0 01704 1356 NtClose (-2147482564, ... ) == 0x0 01677 1356 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\207\22yPd\374\242\21\10z\3728\4\36\304\22s\336\220\3\14<\347\23\256O\20r\14\336\353z\2314An\205F\304?X\376(l~\240\257\245\307_\355\305h\320\274\23\276D\372\277\360+\216>\35.\277<\217\227\245&{\206D7\256\3^\204(X\0\13]\330\363\315\226\351VZ\353-\366\26u\274\356s>\13\303\264\264\275$\251\277l\\32K\10\2106\264H\27\262\256)*\246\230\230\14@\366\253n\222N\275\237\136R\327\361\332\241\3159\360tm\257$\374z%\213\365\252\212\231\11\307\314Mt\254\257\306\244\35\320\13\362\344|\274Y\237\312\300d\353\210m\241~\37\250\213\217.\23\362\377\242\317J\213\234\231334\254j\325R\275n\270\2d\342\331s\224-\27\202\210\357\373\224\373\30\31d\244\202\273V\242\367^ \346B\276F_\3C\0E\353\221\27\323\0Vp\341\340\247\33=\310", ) , ) == 0x0 01705 1356 NtDeviceIoControlFile (412, 0, 0x0, 0x0, 0x390008, (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
1\344\353M\337U (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 01706 1356 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01707 1356 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01708 1356 NtQuerySystemInformation (Performance, 312, ... 01702 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1636,Tid=1620,}, 0x0, ) == 0x0 01709 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75528, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0d\6\0\0T\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0d\6\0\0T\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75529, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0d\6\0\0T\6\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0d\6\0\0T\6\0\0" ) ) == 0x0 01710 1736 NtResumeThread (512, ... 1, ) == 0x0 01711 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 59572224, 1048576, ) == 0x0 01712 1736 NtAllocateVirtualMemory (-1, 60612608, 0, 8192, 4096, 4, ... 60612608, 8192, ) == 0x0 01713 1736 NtProtectVirtualMemory (-1, (0x39ce000), 4096, 260, ... (0x39ce000), 4096, 4, ) == 0x0 01708 1356 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01714 1620 NtTestAlert (... 01715 1356 NtQuerySystemInformation (Exception, 16, ... 01714 1620 NtTestAlert ... ) == 0x0 01715 1356 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01716 1620 NtContinue (59571504, 1, ... 01717 1356 NtQuerySystemInformation (Lookaside, 32, ... 01718 1620 NtRegisterThreadTerminatePort (24, ... 01717 1356 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01718 1620 NtRegisterThreadTerminatePort ... ) == 0x0 01719 1356 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01720 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01721 1620 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01720 1736 NtCreateThread ... 516, {1636, 1588}, ) == 0x0 01721 1620 NtDuplicateObject ... 520, ) == 0x0 01722 1736 NtQueryInformationThread (516, Basic, 28, ... 01723 1620 NtWaitForSingleObject (64, 0, {0, 0}, ... 01722 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1636,Tid=1588,}, 0x0, ) == 0x0 01723 1620 NtWaitForSingleObject ... ) == 0x102 01724 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75529, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0d\6\0\04\6\0\0" ... ... 01725 1620 NtWaitForSingleObject (136, 0, 0x0, ... 01724 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75530, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\2\0\0d\6\0\04\6\0\0" ) ) == 0x0 01719 1356 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01726 1736 NtResumeThread (516, ... 01727 1356 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01726 1736 NtResumeThread ... 1, ) == 0x0 01727 1356 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01728 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01729 1356 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01728 1736 NtAllocateVirtualMemory ... 60620800, 1048576, ) == 0x0 01729 1356 NtCreateKey ... -2147482564, 2, ) == 0x0 01730 1736 NtAllocateVirtualMemory (-1, 61661184, 0, 8192, 4096, 4, ... 01731 1356 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\25\12\235\34\376\37e\213\3175V-\204\324'\17O\273\277\2415\206\310\262\302f, 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "\25\12\235\34\376\37e\213\3175V-\204\324'\17O\273\277\2415\206\310\262\302f, 80, ... , 80, ... 01732 1588 NtTestAlert (... 01730 1736 NtAllocateVirtualMemory ... 61661184, 8192, ) == 0x0 01732 1588 NtTestAlert ... ) == 0x0 01733 1736 NtProtectVirtualMemory (-1, (0x3ace000), 4096, 260, ... 01734 1588 NtContinue (60620080, 1, ... 01733 1736 NtProtectVirtualMemory ... (0x3ace000), 4096, 4, ) == 0x0 01735 1588 NtRegisterThreadTerminatePort (24, ... 01736 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01735 1588 NtRegisterThreadTerminatePort ... ) == 0x0 01736 1736 NtCreateThread ... 524, {1636, 2044}, ) == 0x0 01731 1356 NtSetValueKey ... ) == 0x0 01737 1736 NtQueryInformationThread (524, Basic, 28, ... 01738 1356 NtClose (-2147482564, ... 01739 1588 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01738 1356 NtClose ... ) == 0x0 01739 1588 NtDuplicateObject ... 528, ) == 0x0 01705 1356 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\365\206\350\3GI\336\325L\322\341\13\342\316\275\22\20W\212HG`\17`c\275\3\373\15\251\345\277F"\376\346\345}p\372@I?U\360\210k\372\374(\260\17|g\300Qj\200\224\265\370\20p\5\275\15\36] \372\0\241\276\346\316\255;-\203 \244\25h\1770O\347t\373\2\333M\366\203.\300\364\351[c+ Q4O\37597|s\22\14\307\302&\2\335\227\311\317\3\236\204\32t\277VG\353y\1&Q\244%0\344\252\21n\373\343\342A\17X\306\355\220@\316\365T\12\315.\350\366y3e\263&\1\12\236\265\324T>\210\2507\207\\15\326\20I\203\215j\335d\244\343\216le\30\326|\3538\343?\32\375\243\263\37\211\330\311}\350\335\13i\257\335\320\233sy\237Z\11\346Q\5r\221\350\352E\202=\242\226\365\252\344\31\253\221\372?\260Z#|\356Z\335\10z&\362*\271\273\30\341\204", ) \376\346\345}p\372@I?U\360\210k\372\374(\260\17|g\300Qj\200\224\265\370\20p\5\275\15\36] \372\0\241\276\346\316\255;-\203 \244\25h\1770O\347t\373\2\333M\366\203.\300\364\351[c+ Q4O\37597|s\22\14\307\302&\2\335\227\311\317\3\236\204\32t\277VG\353y\1&Q\244%0\344\252\21n\373\343\342A\17X\306\355\220@\316\365T\12\315.\350\366y3e\263&\1\12\236\265\324T>\210\2507\207\\15\326\20I\203\215j\335d\244\343\216le\30\326|\3538\343?\32\375\243\263\37\211\330\311}\350\335\13i\257\335\320\233sy\237Z\11\346Q\5r\221\350\352E\202=\242\226\365\252\344\31\253\221\372?\260Z#|\356Z\335\10z&\362*\271\273\30\341\204", ) == 0x0 01740 1588 NtWaitForSingleObject (64, 0, {0, 0}, ... 
01741 1356 NtDeviceIoControlFile (412, 0, 0x0, 0x0, 0x390008, (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 1\344\353M\337U (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 1\344\353M\337U (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01740 1588 NtWaitForSingleObject ... 
) == 0x102 01742 1356 NtQuerySystemInformation (TimeOfDay, 48, ... 01743 1588 NtWaitForSingleObject (136, 0, 0x0, ... 01737 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1636,Tid=2044,}, 0x0, ) == 0x0 01742 1356 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01744 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75530, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0d\6\0\0\374\7\0\0" ... ... 01745 1356 NtQuerySystemInformation (ProcessorTimes, 48, ... 01744 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75531, 0} ... {28, 56, reply, 0, 1636, 1736, 75531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0d\6\0\0\374\7\0\0" ) ) == 0x0 01745 1356 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01746 1736 NtResumeThread (524, ... 01747 1356 NtQuerySystemInformation (Performance, 312, ... 01746 1736 NtResumeThread ... 1, ) == 0x0 01747 1356 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01748 2044 NtTestAlert (... 01749 1356 NtQuerySystemInformation (Exception, 16, ... 01748 2044 NtTestAlert ... ) == 0x0 01750 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01751 2044 NtContinue (61668656, 1, ... 01750 1736 NtAllocateVirtualMemory ... 61669376, 1048576, ) == 0x0 01752 2044 NtRegisterThreadTerminatePort (24, ... 01753 1736 NtAllocateVirtualMemory (-1, 62709760, 0, 8192, 4096, 4, ... 01752 2044 NtRegisterThreadTerminatePort ... ) == 0x0 01753 1736 NtAllocateVirtualMemory ... 62709760, 8192, ) == 0x0 01749 1356 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01754 1736 NtProtectVirtualMemory (-1, (0x3bce000), 4096, 260, ... 01755 1356 NtQuerySystemInformation (Lookaside, 32, ... 01754 1736 NtProtectVirtualMemory ... (0x3bce000), 4096, 4, ) == 0x0 01755 1356 NtQuerySystemInformation ... 
{system info, class 45, size 32}, 32, ) == 0x0 01756 2044 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01757 1356 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01756 2044 NtDuplicateObject ... 532, ) == 0x0 01757 1356 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01758 2044 NtWaitForSingleObject (64, 0, {0, 0}, ... 01759 1356 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01758 2044 NtWaitForSingleObject ... ) == 0x102 01760 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01761 2044 NtWaitForSingleObject (136, 0, 0x0, ... 01760 1736 NtCreateThread ... 536, {1636, 1308}, ) == 0x0 01759 1356 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01762 1736 NtQueryInformationThread (536, Basic, 28, ... 01763 1356 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01762 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1636,Tid=1308,}, 0x0, ) == 0x0 01763 1356 NtCreateKey ... -2147482564, 2, ) == 0x0 01764 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75531, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0d\6\0\0\34\5\0\0" ... ... 01765 1356 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\273\235\4\270\325\35794\260C\342\267\245\237<\266\31\203b`\240\204}\202$\216\311\303>S\373\204_K\336\200I\327\344\24c\346\251\343\242/\243<\304W`\371\254;9\24\242\270P-F\276\372\361\257\243\356\271\260Hv\261\316q\276<\254\320,\254", 80, ... ) , 0, 3, (-2147482564, "Seed", 0, 3, "\273\235\4\270\325\35794\260C\342\267\245\237<\266\31\203b`\240\204}\202$\216\311\303>S\373\204_K\336\200I\327\344\24c\346\251\343\242/\243<\304W`\371\254;9\24\242\270P-F\276\372\361\257\243\356\271\260Hv\261\316q\276<\254\320,\254", 80, ... ) , 80, ... ) == 0x0 01766 1356 NtClose (-2147482564, ... 
) == 0x0 01741 1356 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "kf]\373\21VK\3\375\20\272\273\332\325\247\346\366\212\25d\367gk\2741\210\27\243\345z\320c$\330Y\240|\357I\251\303\4#T\11\225R\236\354\2520\323\16F\231!F\332\17*\274p'M\362%%\266S\263}\363\375\22\304\203H\311u\324lX+\243P\215\306\201\261<\331\371\260\305?\6\241}\307\15\207V&\2026\3#z\37\314g@v\325P\371\340\17u%\261\304\212\30\260\211\200\273%\7\16\324B\3413\364\347\215E\357 PknN\220\315S\351u\262\17c\277\244\13zOD.\273\213-\34\301O\362\227-_HD\325\252L\370\17xV\312\201\205\30\16]\13\344>J\240\236\317\347\315\221\254h\310\256ch\263\242;V\351\301\247\365#\303\334\237~\361NZ\211P[\221p\246m\371\355\22\244\263dg\201\204\300\261\262\5\367:L\304~\340\177\305[(\202=/0\321\304\254\4", ) , ) == 0x0 01767 1356 NtDeviceIoControlFile (412, 0, 0x0, 0x0, 0x390008, (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
1\344\353M\337U (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 1\344\353M\337U (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 01768 1356 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01769 1356 NtQuerySystemInformation (ProcessorTimes, 48, ... 01764 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75532, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0d\6\0\0\34\5\0\0" ) ) == 0x0 01770 1736 NtResumeThread (536, ... 1, ) == 0x0 01771 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 62717952, 1048576, ) == 0x0 01772 1736 NtAllocateVirtualMemory (-1, 63758336, 0, 8192, 4096, 4, ... 63758336, 8192, ) == 0x0 01773 1736 NtProtectVirtualMemory (-1, (0x3cce000), 4096, 260, ... (0x3cce000), 4096, 4, ) == 0x0 01774 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 540, {1636, 1676}, ) == 0x0 01775 1736 NtQueryInformationThread (540, Basic, 28, ... 01769 1356 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01776 1308 NtTestAlert (... 01777 1356 NtQuerySystemInformation (Performance, 312, ... 01776 1308 NtTestAlert ... ) == 0x0 01777 1356 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01778 1308 NtContinue (62717232, 1, ... 01779 1356 NtQuerySystemInformation (Exception, 16, ... 01780 1308 NtRegisterThreadTerminatePort (24, ... 01779 1356 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01780 1308 NtRegisterThreadTerminatePort ... ) == 0x0 01781 1356 NtQuerySystemInformation (Lookaside, 32, ... 01775 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1636,Tid=1676,}, 0x0, ) == 0x0 01782 1308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01783 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75532, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\214\6\0\0" ... ... 01782 1308 NtDuplicateObject ... 544, ) == 0x0 01783 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75533, 0} ... {28, 56, reply, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0d\6\0\0\214\6\0\0" ) ) == 0x0 01784 1308 NtWaitForSingleObject (64, 0, {0, 0}, ... 01785 1736 NtResumeThread (540, ... 01784 1308 NtWaitForSingleObject ... 
) == 0x102 01785 1736 NtResumeThread ... 1, ) == 0x0 01786 1308 NtWaitForSingleObject (136, 0, 0x0, ... 01781 1356 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01787 1676 NtTestAlert (... 01788 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01789 1356 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01787 1676 NtTestAlert ... ) == 0x0 01788 1736 NtAllocateVirtualMemory ... 63766528, 1048576, ) == 0x0 01789 1356 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01790 1676 NtContinue (63765808, 1, ... 01791 1736 NtAllocateVirtualMemory (-1, 64806912, 0, 8192, 4096, 4, ... 01792 1356 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01793 1676 NtRegisterThreadTerminatePort (24, ... 01791 1736 NtAllocateVirtualMemory ... 64806912, 8192, ) == 0x0 01792 1356 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01793 1676 NtRegisterThreadTerminatePort ... ) == 0x0 01794 1736 NtProtectVirtualMemory (-1, (0x3dce000), 4096, 260, ... 01795 1356 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01794 1736 NtProtectVirtualMemory ... (0x3dce000), 4096, 4, ) == 0x0 01796 1676 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01795 1356 NtCreateKey ... -2147482564, 2, ) == 0x0 01796 1676 NtDuplicateObject ... 548, ) == 0x0 01797 1356 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\241l\31,\305\336\216q\271P\33\355`I7\261\335\344\7\33\21\300\7\332\245Y\253\263t\6\241\246r\273\21O\230\26\344^\347\267\17G\363\202\311\204\24\3545\260\231S\332\243\340\201cN\260Z\6\345\253,N[\32\217s\263\274\237\371FXV\11", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "\241l\31,\305\336\216q\271P\33\355`I7\261\335\344\7\33\21\300\7\332\245Y\253\263t\6\241\246r\273\21O\230\26\344^\347\267\17G\363\202\311\204\24\3545\260\231S\332\243\340\201cN\260Z\6\345\253,N[\32\217s\263\274\237\371FXV\11", 80, ... 
, 80, ... 01798 1676 NtWaitForSingleObject (64, 0, {0, 0}, ... 01797 1356 NtSetValueKey ... ) == 0x0 01798 1676 NtWaitForSingleObject ... ) == 0x102 01799 1356 NtClose (-2147482564, ... 01800 1676 NtWaitForSingleObject (136, 0, 0x0, ... 01799 1356 NtClose ... ) == 0x0 01801 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01767 1356 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "o<'\214$eQ\10s\360\33\256}J\317N\\4\332\3355\20\10\306\2\2012\32\243\335L_\201h\203s\220\274:g>%{\352\205\317\3510\301_Z\205\316\362I\331\265\5\217\271\5_\270\236|N\13[\252a\207L\2 rb:v\322Lu\211\264\373\12I*j\20\217\206X\367\227W\347\235\267n\10\370\320c\33 8v\372\3\227b\210\6\206\277Y\320V<\351~\337\376\26\217g=Vw\346\15\247\214\201\341\243\246\221\33\221imh\343\321\366\245'8.\363\335\266IGP\223\36\363l\15\307& g\230P\267\234\37\371\356]\252\316\306\204\347\202\211\264\202\267\220~[\241\305\275\274\267p^d}q\16tx-\345\374\341e=j7\315\215\263\7\210\12N\12\12\370\274\2114|\7\311\306\0Wc\332\204\264\306\344\327\211\69\333\340\21\177\310\7\207.\34\315H\201\374\202\373,\345, ) , ) == 0x0 01801 1736 NtCreateThread ... 552, {1636, 1376}, ) == 0x0 01802 1736 NtQueryInformationThread (552, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1636,Tid=1376,}, 0x0, ) == 0x0 01803 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0d\6\0\0`\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0d\6\0\0`\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75534, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0d\6\0\0`\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\2\0\0d\6\0\0`\5\0\0" ) ) == 0x0 01804 1736 NtResumeThread (552, ... 1, ) == 0x0 01805 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
64815104, 1048576, ) == 0x0 01806 1736 NtAllocateVirtualMemory (-1, 65855488, 0, 8192, 4096, 4, ... 01807 1356 NtDeviceIoControlFile (412, 0, 0x0, 0x0, 0x390008, (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 1\344\353M\337U (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
1\344\353M\337U (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 1\344\353M\337U (412, 0, 0x0, 0x0, 0x390008, "\33\306\250\177\366\11\345\317\355U\34\244q\32\200]U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353M\337U"1\344\353\275\316\256\264\17\341\352(\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01808 1376 NtTestAlert (... 01809 1356 NtQuerySystemInformation (TimeOfDay, 48, ... 01808 1376 NtTestAlert ... ) == 0x0 01809 1356 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01810 1376 NtContinue (64814384, 1, ... 01806 1736 NtAllocateVirtualMemory ... 65855488, 8192, ) == 0x0 01811 1376 NtRegisterThreadTerminatePort (24, ... 01812 1736 NtProtectVirtualMemory (-1, (0x3ece000), 4096, 260, ... 01811 1376 NtRegisterThreadTerminatePort ... ) == 0x0 01812 1736 NtProtectVirtualMemory ... (0x3ece000), 4096, 4, ) == 0x0 01813 1356 NtQuerySystemInformation (ProcessorTimes, 48, ... 01814 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01813 1356 NtQuerySystemInformation ... 
{system info, class 8, size 48}, 48, ) == 0x0 01814 1736 NtCreateThread ... 556, {1636, 1436}, ) == 0x0 01815 1356 NtQuerySystemInformation (Performance, 312, ... 01816 1736 NtQueryInformationThread (556, Basic, 28, ... 01815 1356 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01817 1376 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01818 1356 NtQuerySystemInformation (Exception, 16, ... 01817 1376 NtDuplicateObject ... 560, ) == 0x0 01818 1356 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01819 1376 NtWaitForSingleObject (64, 0, {0, 0}, ... 01816 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1636,Tid=1436,}, 0x0, ) == 0x0 01819 1376 NtWaitForSingleObject ... ) == 0x102 01820 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75534, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0d\6\0\0\234\5\0\0" ... ... 01821 1376 NtWaitForSingleObject (136, 0, 0x0, ... 01820 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75535, 0} ... {28, 56, reply, 0, 1636, 1736, 75535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0d\6\0\0\234\5\0\0" ) ) == 0x0 01822 1356 NtQuerySystemInformation (Lookaside, 32, ... 01823 1736 NtResumeThread (556, ... 01822 1356 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01823 1736 NtResumeThread ... 1, ) == 0x0 01824 1356 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01825 1436 NtAllocateVirtualMemory (-1, 8871936, 0, 4096, 4096, 4, ... 01824 1356 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01825 1436 NtAllocateVirtualMemory ... 8871936, 4096, ) == 0x0 01826 1356 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01827 1436 NtTestAlert (... 01826 1356 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01827 1436 NtTestAlert ... ) == 0x0 01828 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
01829 1436 NtContinue (65862960, 1, ... 01828 1736 NtAllocateVirtualMemory ... 65863680, 1048576, ) == 0x0 01830 1356 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01831 1736 NtAllocateVirtualMemory (-1, 66904064, 0, 8192, 4096, 4, ... 01830 1356 NtCreateKey ... -2147482564, 2, ) == 0x0 01831 1736 NtAllocateVirtualMemory ... 66904064, 8192, ) == 0x0 01832 1356 NtSetValueKey (-2147482564, (-2147482564, "Seed", 0, 3, "\274\224\304\254\26\347\206-*\246\363V\362\325\222)\352<}\201\222\306\262"\213(\375\233\262\277\363\26\33\335}p\243\305\264\376K\332\361\36\372\217\37\311\356i\0\35<\32\227 \334\261a\10\354\362\321\241\213\365\\26\7V\356\362\301M\311p]\223\252\360", 80, ... , 0, 3, (-2147482564, "Seed", 0, 3, "\274\224\304\254\26\347\206-*\246\363V\362\325\222)\352<}\201\222\306\262"\213(\375\233\262\277\363\26\33\335}p\243\305\264\376K\332\361\36\372\217\37\311\356i\0\35<\32\227 \334\261a\10\354\362\321\241\213\365\\26\7V\356\362\301M\311p]\223\252\360", 80, ... \213(\375\233\262\277\363\26\33\335}p\243\305\264\376K\332\361\36\372\217\37\311\356i\0\35<\32\227 \334\261a\10\354\362\321\241\213\365\\26\7V\356\362\301M\311p]\223\252\360", 80, ... 01833 1736 NtProtectVirtualMemory (-1, (0x3fce000), 4096, 260, ... 01832 1356 NtSetValueKey ... ) == 0x0 01833 1736 NtProtectVirtualMemory ... (0x3fce000), 4096, 4, ) == 0x0 01834 1356 NtClose (-2147482564, ... 01835 1436 NtRegisterThreadTerminatePort (24, ... 01834 1356 NtClose ... ) == 0x0 01835 1436 NtRegisterThreadTerminatePort ... ) == 0x0 01836 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01837 1436 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01836 1736 NtCreateThread ... 564, {1636, 724}, ) == 0x0 01837 1436 NtDuplicateObject ... 568, ) == 0x0 01838 1736 NtQueryInformationThread (564, Basic, 28, ... 01839 1436 NtWaitForSingleObject (64, 0, {0, 0}, ... 01838 1736 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1636,Tid=724,}, 0x0, ) == 0x0 01840 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75535, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0\324\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0\324\2\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75536, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0\324\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0d\6\0\0\324\2\0\0" ) ) == 0x0 01841 1736 NtResumeThread (564, ... 1, ) == 0x0 01842 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 66912256, 1048576, ) == 0x0 01843 1736 NtAllocateVirtualMemory (-1, 67952640, 0, 8192, 4096, 4, ... 01807 1356 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "V\324\226\e\270z\264\352\35\2\37*(\24\313[\362b;i\221\273@"+E\244\255YQ\277P\7\245\224\225\107\3634'5a\357\344|#\201\314\361V\216\260t\4\221_c\210\316\214\267\157\356 \341\1\343U|\306\252$\2140\231\326\336\0\341G?0[\320\362;\257\244\362\320\264f\11\217f\330\210|\;\275\202\205\26\217\14\317\2469\326\25>\220\33\13\351\200/b\345O\302\24H\200\303+?R\363\322\2\324\372Z)\321o\261\4\234%\252\243`\3347\14\224kB\205\2\250\36\34!;\227\252^\26O\356q;zU\264M\325\276\356y\16\266p\200 :\26"\262\3H=\273ks\241\237,5BqA\27\332\6\366\303\206\352\247v\236\377[Y`\310\14\252\235h\361\200\3777/|\334\7\271\335I\1\254\265?\313HN\221\277a\22/v\223B\357\375\27\215\320\342\364\246=\257h", ) +E\244\255YQ\277P\7\245\224\225\107\3634'5a\357\344|#\201\314\361V\216\260t\4\221_c\210\316\214\267\157\356 
\341\1\343U|\306\252$\2140\231\326\336\0\341G?0[\320\362;\257\244\362\320\264f\11\217f\330\210|\;\275\202\205\26\217\14\317\2469\326\25>\220\33\13\351\200/b\345O\302\24H\200\303+?R\363\322\2\324\372Z)\321o\261\4\234%\252\243`\3347\14\224kB\205\2\250\36\34!;\227\252^\26O\356q;zU\264M\325\276\356y\16\266p\200 :\26 ... {status=0x0, info=256}, "V\324\226\e\270z\264\352\35\2\37*(\24\313[\362b;i\221\273@"+E\244\255YQ\277P\7\245\224\225\107\3634'5a\357\344|#\201\314\361V\216\260t\4\221_c\210\316\214\267\157\356 \341\1\343U|\306\252$\2140\231\326\336\0\341G?0[\320\362;\257\244\362\320\264f\11\217f\330\210|\;\275\202\205\26\217\14\317\2469\326\25>\220\33\13\351\200/b\345O\302\24H\200\303+?R\363\322\2\324\372Z)\321o\261\4\234%\252\243`\3347\14\224kB\205\2\250\36\34!;\227\252^\26O\356q;zU\264M\325\276\356y\16\266p\200 :\26"\262\3H=\273ks\241\237,5BqA\27\332\6\366\303\206\352\247v\236\377[Y`\310\14\252\235h\361\200\3777/|\334\7\271\335I\1\254\265?\313HN\221\277a\22/v\223B\357\375\27\215\320\342\364\246=\257h", ) , ) == 0x0 01844 724 NtTestAlert (... 01839 1436 NtWaitForSingleObject ... ) == 0x102 01845 1356 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01844 724 NtTestAlert ... ) == 0x0 01846 1436 NtWaitForSingleObject (136, 0, 0x0, ... 01845 1356 NtCreateEvent ... 572, ) == 0x0 01847 724 NtContinue (66911536, 1, ... 01848 1356 NtSetEventBoostPriority (480, ... 01849 724 NtRegisterThreadTerminatePort (24, ... 01631 220 NtWaitForSingleObject ... ) == 0x0 01848 1356 NtSetEventBoostPriority ... ) == 0x0 01849 724 NtRegisterThreadTerminatePort ... ) == 0x0 01850 1356 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12119404, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12119404, 188, ... 01843 1736 NtAllocateVirtualMemory ... 67952640, 8192, ) == 0x0 01851 220 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 01852 724 NtWaitForSingleObject (312, 0, 0x0, ... 01853 1736 NtProtectVirtualMemory (-1, (0x40ce000), 4096, 260, ... 01851 220 NtAllocateVirtualMemory ... 
1392640, 4096, ) == 0x0 01853 1736 NtProtectVirtualMemory ... (0x40ce000), 4096, 4, ) == 0x0 01854 220 NtSetEventBoostPriority (312, ... 01855 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01852 724 NtWaitForSingleObject ... ) == 0x0 01854 220 NtSetEventBoostPriority ... ) == 0x0 01856 724 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01855 1736 NtCreateThread ... 576, {1636, 1276}, ) == 0x0 01856 724 NtDuplicateObject ... 580, ) == 0x0 01857 220 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 01850 1356 NtConnectPort ... 584, 0x0, 0x0, 0x0, 188, ) == 0x0 01858 724 NtWaitForSingleObject (312, 0, 0x0, ... 01857 220 NtAllocateVirtualMemory ... 1396736, 4096, ) == 0x0 01859 1356 NtRequestWaitReplyPort (584, {200, 224, new_msg, 0, 1384456, 12, 2, 1} (584, {200, 224, new_msg, 0, 1384456, 12, 2, 1} "\0\3\24\0\274\0\0\0$?\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\10\3\24\0\4\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0X\251:\330\336\334}KH>\25\0`\1\24\0\12\0\0\0\0\0\0\0\0\0\4\0(\0\0\0P>\25\0\234\241\207z0\3\24\0p>\25\0`\1\24\0\0\0\0\0\0\0\0\0p>\25\0P\0\0\0x>\25\0\360\6\221|\10\3\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\270\0\372\31\221|\200\363\270\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 01860 1736 NtQueryInformationThread (576, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1636,Tid=1276,}, 0x0, ) == 0x0 01861 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0d\6\0\0\374\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0d\6\0\0\374\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75539, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0d\6\0\0\374\4\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0d\6\0\0\374\4\0\0" ) ) == 0x0 01862 1736 NtResumeThread (576, ... 01859 1356 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 1356, 75538, 0} ... {200, 224, reply, 0, 1636, 1356, 75538, 0} "\7\3\24\0\274\0\0\0$?\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0X\251:\330\336\334}KH>\25\0`\1\24\0\12\0\0\0\0\0\0\0\0\0\4\0(\0\0\0P>\25\0\234\241\207z0\3\24\0p>\25\0`\1\24\0\0\0\0\0\0\0\0\0p>\25\0P\0\0\0x>\25\0\360\6\221|\10\3\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\270\0\372\31\221|\200\363\270\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01863 220 NtSetEventBoostPriority (312, ... 01864 1356 NtRequestWaitReplyPort (584, {44, 68, new_msg, 0, 1636, 1356, 75519, 0} (584, {44, 68, new_msg, 0, 1636, 1356, 75519, 0} "\1\0\0\0A\2\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... ... 01858 724 NtWaitForSingleObject ... ) == 0x0 01863 220 NtSetEventBoostPriority ... ) == 0x0 01862 1736 NtResumeThread ... 1, ) == 0x0 01865 724 NtWaitForSingleObject (64, 0, {0, 0}, ... 01866 220 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01865 724 NtWaitForSingleObject ... ) == 0x102 01867 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01868 724 NtWaitForSingleObject (136, 0, 0x0, ... 01866 220 NtCreateEvent ... 588, ) == 0x0 01867 1736 NtAllocateVirtualMemory ... 67960832, 1048576, ) == 0x0 01869 1276 NtTestAlert (... 01870 220 NtConnectPort ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11072120, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11072120, 188, ... 01871 1736 NtAllocateVirtualMemory (-1, 69001216, 0, 8192, 4096, 4, ... 01869 1276 NtTestAlert ... ) == 0x0 01871 1736 NtAllocateVirtualMemory ... 69001216, 8192, ) == 0x0 01872 1276 NtContinue (67960112, 1, ... 01873 1736 NtProtectVirtualMemory (-1, (0x41ce000), 4096, 260, ... 
01874 1276 NtRegisterThreadTerminatePort (24, ... 01864 1356 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1636, 1356, 75540, 0} ... {40, 64, reply, 0, 1636, 1356, 75540, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\1\0\0X-\12\0" ) ) == 0x0 01874 1276 NtRegisterThreadTerminatePort ... ) == 0x0 01875 1356 NtRequestWaitReplyPort (584, {64, 88, new_msg, 56, 1375104, 12119916, 12120016, 0} (584, {64, 88, new_msg, 56, 1375104, 12119916, 12120016, 0} "\10\357\270\0@\0\24\0\346\277\347w\320\357\270\0l\357\270\0\20\0\0\0\250.\362v\364\373\24\0\1\0\0\00Y\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0 \356\24\0" ... ... 01873 1736 NtProtectVirtualMemory ... (0x41ce000), 4096, 4, ) == 0x0 01870 220 NtConnectPort ... 592, 0x0, 0x0, 0x0, 188, ) == 0x0 01876 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01877 220 NtRequestWaitReplyPort (592, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2} (592, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\240<\24\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\304f\347\235\3009\274i\340X\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\270X\25\0\266\343\316\323x\1\24\0\330X\25\0h\1\24\0\0\0\0\0\0\0\0\0\330X\25\0P\0\0\0\340X\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\250\0\372\31\221|\214\370\250\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... ... 01875 1356 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1636, 1356, 75542, 0} ... {64, 88, reply, 56, 1636, 1356, 75542, 0} "\10\357\270\0@\0\24\0\346\277\347w\320\357\270\0l\357\270\0\20\0\0\0\250.\362v\364\373\24\0\1\0\0\00Y\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0 \356\24\0" ) ) == 0x0 01876 1736 NtCreateThread ... 596, {1636, 1368}, ) == 0x0 01878 1356 NtClose (572, ... 01879 1736 NtQueryInformationThread (596, Basic, 28, ... 01877 220 NtRequestWaitReplyPort ... 
{200, 224, reply, 0, 1636, 220, 75543, 0} ... {200, 224, reply, 0, 1636, 220, 75543, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240<\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0\304f\347\235\3009\274i\340X\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\270X\25\0\266\343\316\323x\1\24\0\330X\25\0h\1\24\0\0\0\0\0\0\0\0\0\330X\25\0P\0\0\0\340X\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\250\0\372\31\221|\214\370\250\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) ) == 0x0 01880 1276 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01879 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1636,Tid=1368,}, 0x0, ) == 0x0 01881 220 NtRequestWaitReplyPort (592, {44, 68, new_msg, 56, 0, 0, 0, 0} (592, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0`^\25\0\322\0\0\0" ... ... 01880 1276 NtDuplicateObject ... 600, ) == 0x0 01882 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0X\5\0\0" ... ... 01883 1276 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 01878 1356 NtClose ... ) == 0x0 01883 1276 NtAllocateVirtualMemory ... 1400832, 4096, ) == 0x0 01884 1356 NtClose (584, ... 01885 1276 NtWaitForSingleObject (64, 0, {0, 0}, ... 01884 1356 NtClose ... ) == 0x0 01886 1356 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 584, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 584, 2, ) , 0, ... 584, 2, ) == 0x0 01887 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 572, ) }, ... 
572, ) == 0x0 01888 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01889 1356 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01890 1356 NtQueryValueKey (584, (584, "Domain", Partial, 144, ... , Partial, 144, ... 01882 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75546, 0} ... {28, 56, reply, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0d\6\0\0X\5\0\0" ) ) == 0x0 01881 220 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1636, 220, 75544, 0} ... {40, 64, reply, 0, 1636, 220, 75544, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" ) ) == 0x0 01885 1276 NtWaitForSingleObject ... ) == 0x102 01891 1736 NtResumeThread (596, ... 01892 220 NtRequestWaitReplyPort (592, {64, 88, new_msg, 56, 1310720, 11071988, 1400408, 0} (592, {64, 88, new_msg, 56, 1310720, 11071988, 1400408, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\310`\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01893 1276 NtWaitForSingleObject (136, 0, 0x0, ... 01891 1736 NtResumeThread ... 1, ) == 0x0 01894 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 69009408, 1048576, ) == 0x0 01892 220 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1636, 220, 75547, 0} ... {64, 88, reply, 56, 1636, 220, 75547, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\310`\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01890 1356 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01895 1368 NtTestAlert (... 
01896 220 NtRequestWaitReplyPort (592, {44, 68, new_msg, 56, 1636, 220, 75544, 0} (592, {44, 68, new_msg, 56, 1636, 220, 75544, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0`^\25\0\322\0\0\0" ... ... 01897 1356 NtQueryValueKey (584, (584, "Domain", Partial, 144, ... , Partial, 144, ... 01895 1368 NtTestAlert ... ) == 0x0 01897 1356 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01898 1368 NtContinue (69008688, 1, ... 01899 1356 NtClose (584, ... 01900 1368 NtRegisterThreadTerminatePort (24, ... 01899 1356 NtClose ... ) == 0x0 01900 1368 NtRegisterThreadTerminatePort ... ) == 0x0 01901 1356 NtClose (572, ... 01902 1736 NtAllocateVirtualMemory (-1, 70049792, 0, 8192, 4096, 4, ... 01896 220 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1636, 220, 75548, 0} ... {40, 64, reply, 0, 1636, 220, 75548, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\351\1\0\0\350\232\14\0" ) ) == 0x0 01903 1368 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01902 1736 NtAllocateVirtualMemory ... 70049792, 8192, ) == 0x0 01904 220 NtRequestWaitReplyPort (592, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} (592, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\240l\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01903 1368 NtDuplicateObject ... 584, ) == 0x0 01905 1736 NtProtectVirtualMemory (-1, (0x42ce000), 4096, 260, ... 01906 1368 NtWaitForSingleObject (64, 0, {0, 0}, ... 01905 1736 NtProtectVirtualMemory ... (0x42ce000), 4096, 4, ) == 0x0 01904 220 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1636, 220, 75549, 0} ... 
{64, 88, reply, 56, 1636, 220, 75549, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\240l\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01906 1368 NtWaitForSingleObject ... ) == 0x102 01907 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01908 220 NtRequestWaitReplyPort (592, {44, 68, new_msg, 56, 1636, 220, 75548, 0} (592, {44, 68, new_msg, 56, 1636, 220, 75548, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0`^\25\0\322\0\0\0" ... ... 01909 1368 NtWaitForSingleObject (136, 0, 0x0, ... 01907 1736 NtCreateThread ... 604, {1636, 704}, ) == 0x0 01901 1356 NtClose ... ) == 0x0 01908 220 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1636, 220, 75550, 0} ... {40, 64, reply, 0, 1636, 220, 75550, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" ) ) == 0x0 01910 1356 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 01911 220 NtRequestWaitReplyPort (592, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} (592, {64, 88, new_msg, 56, 1310720, 11071988, 11072732, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\230J\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01910 1356 NtOpenKey ... 572, ) == 0x0 01912 1356 NtQueryValueKey (572, (572, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01913 1356 NtClose (572, ... 01911 220 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1636, 220, 75551, 0} ... {64, 88, reply, 56, 1636, 220, 75551, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\250\0\351\201\347w\214\370\250\0\30\356\220|p\5\221|\1\0\0\0\230J\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01914 1736 NtQueryInformationThread (604, Basic, 28, ... 
01915 220 NtClose (588, ... 01914 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1636,Tid=704,}, 0x0, ) == 0x0 01915 220 NtClose ... ) == 0x0 01916 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\300\2\0\0" ... ... 01913 1356 NtClose ... ) == 0x0 01916 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75552, 0} ... {28, 56, reply, 0, 1636, 1736, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0d\6\0\0\300\2\0\0" ) ) == 0x0 01917 1356 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12118992, ... }, 12118992, ... 01918 1736 NtResumeThread (604, ... 01917 1356 NtQueryAttributesFile ... ) == 0x0 01919 220 NtClose (592, ... 01920 1356 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 01919 220 NtClose ... ) == 0x0 01920 1356 NtOpenFile ... 592, {status=0x0, info=1}, ) == 0x0 01921 220 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01922 1356 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 592, ... 01921 220 NtCreateEvent ... 572, ) == 0x0 01918 1736 NtResumeThread ... 1, ) == 0x0 01923 220 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ... 01924 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01923 220 NtOpenKey ... 588, ) == 0x0 01924 1736 NtAllocateVirtualMemory ... 70057984, 1048576, ) == 0x0 01922 1356 NtCreateSection ... 608, ) == 0x0 01925 704 NtWaitForSingleObject (88, 0, 0x0, ... 01926 1736 NtAllocateVirtualMemory (-1, 71098368, 0, 8192, 4096, 4, ... 01927 1356 NtClose (592, ... 01926 1736 NtAllocateVirtualMemory ... 71098368, 8192, ) == 0x0 01927 1356 NtClose ... ) == 0x0 01928 1736 NtProtectVirtualMemory (-1, (0x43ce000), 4096, 260, ... 
01929 1356 NtMapViewOfSection (608, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01930 220 NtOpenKey (0x20019, {24, 588, 0x40, 0, 0, (0x20019, {24, 588, 0x40, 0, 0, "ActiveComputerName"}, ... }, ... 01929 1356 NtMapViewOfSection ... (0x860000), 0x0, 20480, ) == 0x0 01930 220 NtOpenKey ... 592, ) == 0x0 01931 1356 NtClose (608, ... 01932 220 NtQueryValueKey (592, (592, "ComputerName", Full, 108, ... , Full, 108, ... 01928 1736 NtProtectVirtualMemory ... (0x43ce000), 4096, 4, ) == 0x0 01932 220 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 01933 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01934 220 NtClose (592, ... 01933 1736 NtCreateThread ... 612, {1636, 1568}, ) == 0x0 01934 220 NtClose ... ) == 0x0 01935 1736 NtQueryInformationThread (612, Basic, 28, ... 01931 1356 NtClose ... ) == 0x0 01935 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1636,Tid=1568,}, 0x0, ) == 0x0 01936 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75552, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0 \6\0\0" ... ... 01937 1356 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 01938 1356 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12119300, ... ) }, 12119300, ... ) == 0x0 01939 1356 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 608, {status=0x0, info=1}, ) }, 5, 96, ... 608, {status=0x0, info=1}, ) == 0x0 01940 1356 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 608, ... 592, ) == 0x0 01941 1356 NtQuerySection (592, Image, 48, ... 01936 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75554, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0d\6\0\0 \6\0\0" ) ) == 0x0 01942 220 NtClose (588, ... 01943 1736 NtResumeThread (612, ... 01942 220 NtClose ... ) == 0x0 01943 1736 NtResumeThread ... 1, ) == 0x0 01944 220 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 01945 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01944 220 NtCreateIoCompletion ... 588, ) == 0x0 01945 1736 NtAllocateVirtualMemory ... 71106560, 1048576, ) == 0x0 01946 220 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 01941 1356 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01947 1568 NtWaitForSingleObject (88, 0, 0x0, ... 01946 220 NtCreateIoCompletion ... 616, ) == 0x0 01948 1356 NtClose (608, ... 01949 1736 NtAllocateVirtualMemory (-1, 72146944, 0, 8192, 4096, 4, ... 01948 1356 NtClose ... ) == 0x0 01949 1736 NtAllocateVirtualMemory ... 72146944, 8192, ) == 0x0 01950 1356 NtMapViewOfSection (592, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01951 1736 NtProtectVirtualMemory (-1, (0x44ce000), 4096, 260, ... 01950 1356 NtMapViewOfSection ... (0x76fb0000), 0x0, 32768, ) == 0x0 01951 1736 NtProtectVirtualMemory ... (0x44ce000), 4096, 4, ) == 0x0 01952 1356 NtClose (592, ... 01953 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01954 220 NtDuplicateObject (-1, 588, -1, 0x0, 0, 2, ... 01953 1736 NtCreateThread ... 608, {1636, 1104}, ) == 0x0 01954 220 NtDuplicateObject ... 620, ) == 0x0 01952 1356 NtClose ... ) == 0x0 01955 220 NtOpenThreadToken (-2, 0xc, 1, ... 01956 1356 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 01955 220 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01956 1356 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 01957 220 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01958 1356 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 01957 220 NtCreateEvent ... 592, ) == 0x0 01959 1736 NtQueryInformationThread (608, Basic, 28, ... 01958 1356 NtProtectVirtualMemory ... 
(0x76fb1000), 4096, 4, ) == 0x0 01959 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1636,Tid=1104,}, 0x0, ) == 0x0 01960 1356 NtFlushInstructionCache (-1, 1996165120, 232, ... 01961 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75554, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0P\4\0\0" ... ... 01960 1356 NtFlushInstructionCache ... ) == 0x0 01961 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75555, 0} ... {28, 56, reply, 0, 1636, 1736, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0d\6\0\0P\4\0\0" ) ) == 0x0 01962 1356 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 01963 1736 NtResumeThread (608, ... 01962 1356 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 01964 220 NtOpenThreadToken (-2, 0xc, 1, ... 01965 1356 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 01964 220 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01963 1736 NtResumeThread ... 1, ) == 0x0 01966 220 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01967 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01966 220 NtSetInformationThread ... ) == 0x0 01967 1736 NtAllocateVirtualMemory ... 72155136, 1048576, ) == 0x0 01968 220 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 11071680, (0xc0100080, {24, 0, 0x40, 0, 11071680, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ... 01969 1736 NtAllocateVirtualMemory (-1, 73195520, 0, 8192, 4096, 4, ... 01968 220 NtCreateFile ... 624, {status=0x0, info=1}, ) == 0x0 01969 1736 NtAllocateVirtualMemory ... 73195520, 8192, ) == 0x0 01970 1736 NtProtectVirtualMemory (-1, (0x45ce000), 4096, 260, ... (0x45ce000), 4096, 4, ) == 0x0 01971 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {1636, 784}, ) == 0x0 01972 220 NtSetInformationFile (624, 11071736, 8, Pipe, ... 01965 1356 NtProtectVirtualMemory ... 
(0x76fb1000), 4096, 4, ) == 0x0 01973 1104 NtWaitForSingleObject (88, 0, 0x0, ... 01972 220 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 01974 1356 NtFlushInstructionCache (-1, 1996165120, 232, ... 01975 220 NtSetInformationFile (624, 11071724, 8, Completion, ... 01974 1356 NtFlushInstructionCache ... ) == 0x0 01975 220 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 01976 1356 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ... 01977 220 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01976 1356 NtOpenSection ... 632, ) == 0x0 01977 220 NtSetInformationThread ... ) == 0x0 01978 1356 NtMapViewOfSection (632, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01979 1736 NtQueryInformationThread (628, Basic, 28, ... 01980 220 NtWriteFile (624, 233, 0, 0, (624, 233, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ... 01979 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1636,Tid=784,}, 0x0, ) == 0x0 01980 220 NtWriteFile ... {status=0x0, info=72}, ) == 0x0 01981 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75555, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0\20\3\0\0" ... ... 01982 220 NtReadFile (624, 233, 0, 0, 1024, {0, 0}, 0, ... 01981 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75556, 0} ... {28, 56, reply, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0d\6\0\0\20\3\0\0" ) ) == 0x0 01982 220 NtReadFile ... {status=0x0, info=68}, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01983 1736 NtResumeThread (628, ... 
01984 220 NtFsControlFile (624, 233, 0x0, 0x0, 0x11c017, (624, 233, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\250\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ... 01978 1356 NtMapViewOfSection ... (0x76f60000), 0x0, 180224, ) == 0x0 01984 220 NtFsControlFile ... {status=0x103, info=68}, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01985 1356 NtClose (632, ... 01983 1736 NtResumeThread ... 1, ) == 0x0 01985 1356 NtClose ... ) == 0x0 01986 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01987 1356 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... 01986 1736 NtAllocateVirtualMemory ... 73203712, 1048576, ) == 0x0 01987 1356 NtProtectVirtualMemory ... (0x76f61000), 4096, 32, ) == 0x0 01988 1736 NtAllocateVirtualMemory (-1, 74244096, 0, 8192, 4096, 4, ... 01989 1356 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... 01988 1736 NtAllocateVirtualMemory ... 74244096, 8192, ) == 0x0 01990 220 NtFsControlFile (624, 233, 0x0, 0x0, 0x11c017, (624, 233, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\1\0\0\0\1\0\0\0&\0(\0\330o\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ... 01991 784 NtWaitForSingleObject (88, 0, 0x0, ... 01992 1736 NtProtectVirtualMemory (-1, (0x46ce000), 4096, 260, ... 01990 220 NtFsControlFile ... {status=0x103, info=48}, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) , ) == 0x103 01989 1356 NtProtectVirtualMemory ... 
(0x76f61000), 4096, 4, ) == 0x0 01993 220 NtFsControlFile (624, 233, 0x0, 0x0, 0x11c017, (624, 233, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... , 44, 1024, ... 01994 1356 NtFlushInstructionCache (-1, 1995837440, 228, ... 01993 220 NtFsControlFile ... {status=0x103, info=156}, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0 L\25\0\1\0\0\0,L\25\0 \0\0\0\1\0\0\0\30\0\32\08L\25\0TL\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0xH\25\0\1\0\0\0\5\0\15\0\210H\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01994 1356 NtFlushInstructionCache ... ) == 0x0 01995 220 NtClose (592, ... 01996 1356 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... 01995 220 NtClose ... ) == 0x0 01996 1356 NtProtectVirtualMemory ... (0x76f61000), 4096, 32, ) == 0x0 01992 1736 NtProtectVirtualMemory ... (0x46ce000), 4096, 4, ) == 0x0 01997 1356 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... 01998 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01999 220 NtClose (624, ... 01998 1736 NtCreateThread ... 592, {1636, 1792}, ) == 0x0 01999 220 NtClose ... ) == 0x0 02000 1736 NtQueryInformationThread (592, Basic, 28, ... 02001 220 NtSecureConnectPort ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1384456, 0x0, 11073604, 188, ... , {12, 2, 1, 1}, 0x0, 1384456, 0x0, 11073604, 188, ... 02000 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1636,Tid=1792,}, 0x0, ) == 0x0 02002 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0\0\7\0\0" ... ... 02001 220 NtSecureConnectPort ... 624, 0x0, 0x0, 0x0, 188, ) == 0x0 01997 1356 NtProtectVirtualMemory ... 
(0x76f61000), 4096, 4, ) == 0x0 02003 220 NtOpenThreadToken (-2, 0xc, 1, ... 02004 1356 NtFlushInstructionCache (-1, 1995837440, 228, ... 02002 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75558, 0} ... {28, 56, reply, 0, 1636, 1736, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0d\6\0\0\0\7\0\0" ) ) == 0x0 02004 1356 NtFlushInstructionCache ... ) == 0x0 02005 1736 NtResumeThread (592, ... 02006 1356 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 02005 1736 NtResumeThread ... 1, ) == 0x0 02006 1356 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 02007 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02008 1356 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 02007 1736 NtAllocateVirtualMemory ... 74252288, 1048576, ) == 0x0 02003 220 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02009 1792 NtWaitForSingleObject (88, 0, 0x0, ... 02008 1356 NtProtectVirtualMemory ... (0x76fb1000), 4096, 4, ) == 0x0 02010 220 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02011 1356 NtFlushInstructionCache (-1, 1996165120, 232, ... 02010 220 NtSetInformationThread ... ) == 0x0 02011 1356 NtFlushInstructionCache ... ) == 0x0 02012 220 NtRequestWaitReplyPort (624, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} (624, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0;C\335\340\37\220K\363L\224Q%b\224\32S\12\0\0\0\212X\376\361Y\267Dz\0\0\0\0\310[\25\0fcu:6\262o\203(\0\0\0\360\315\0j\0\0\24\0\240\366\250\0\303.\214J\0\0\0\0\340X\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 
02013 1356 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02014 1356 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 632, ) == 0x0 02015 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 636, ) }, ... 636, ) == 0x0 02016 1356 NtQueryValueKey (636, (636, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (636, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02017 1356 NtClose (636, ... 02018 1736 NtAllocateVirtualMemory (-1, 75292672, 0, 8192, 4096, 4, ... 02012 220 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 220, 75559, 0} ... {200, 224, reply, 0, 1636, 220, 75559, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0;C\335\340\37\220K\363L\224Q%b\224\32S\12\0\0\0\212X\376\361Y\267Dz\0\0\0\0\310[\25\0fcu:6\262o\203(\0\0\0\360\315\0j\0\0\24\0\240\366\250\0\303.\214J\0\0\0\0\340X\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\250\0\372\31\221|X\376\250\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 02018 1736 NtAllocateVirtualMemory ... 75292672, 8192, ) == 0x0 02017 1356 NtClose ... ) == 0x0 02019 1736 NtProtectVirtualMemory (-1, (0x47ce000), 4096, 260, ... 02020 1356 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... }, ... 02019 1736 NtProtectVirtualMemory ... (0x47ce000), 4096, 4, ) == 0x0 02020 1356 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02021 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02022 1356 NtQueryPerformanceCounter (... 02021 1736 NtCreateThread ... 636, {1636, 192}, ) == 0x0 02023 220 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02022 1356 NtQueryPerformanceCounter ... {1105621651, 16}, {3579545, 0}, ) == 0x0 02023 220 NtSetInformationThread ... ) == 0x0 02024 1356 NtSetEventBoostPriority (88, ... 02025 220 NtRequestWaitReplyPort (624, {56, 80, new_msg, 0, 44, 3, 20, 0} (624, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0b\363\222I\243j\304#\242z\321\340\1\0\0\0\0\0\0\0&\0(\0\310\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ... ... 01925 704 NtWaitForSingleObject ... ) == 0x0 02024 1356 NtSetEventBoostPriority ... ) == 0x0 02026 704 NtSetEventBoostPriority (88, ... 01947 1568 NtWaitForSingleObject ... ) == 0x0 02027 1568 NtSetEventBoostPriority (88, ... 01973 1104 NtWaitForSingleObject ... ) == 0x0 02028 1104 NtSetEventBoostPriority (88, ... 01991 784 NtWaitForSingleObject ... ) == 0x0 02029 784 NtSetEventBoostPriority (88, ... 02009 1792 NtWaitForSingleObject ... ) == 0x0 02030 1792 NtTestAlert (... ) == 0x0 02029 784 NtSetEventBoostPriority ... ) == 0x0 02028 1104 NtSetEventBoostPriority ... ) == 0x0 02027 1568 NtSetEventBoostPriority ... ) == 0x0 02026 704 NtSetEventBoostPriority ... ) == 0x0 02031 1356 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12118992, ... }, 12118992, ... 02032 1736 NtQueryInformationThread (636, Basic, 28, ... 02033 1792 NtContinue (74251568, 1, ... 02034 784 NtTestAlert (... 02035 1104 NtTestAlert (... 02036 1568 NtTestAlert (... 02031 1356 NtQueryAttributesFile ... ) == 0x0 02032 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1636,Tid=192,}, 0x0, ) == 0x0 02037 1792 NtRegisterThreadTerminatePort (24, ... 02034 784 NtTestAlert ... ) == 0x0 02035 1104 NtTestAlert ... 
) == 0x0 02036 1568 NtTestAlert ... ) == 0x0 02038 1356 NtQuerySystemInformation (Basic, 44, ... 02039 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75558, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0\300\0\0\0" ... ... 02037 1792 NtRegisterThreadTerminatePort ... ) == 0x0 02040 784 NtContinue (73202992, 1, ... 02041 1104 NtContinue (72154416, 1, ... 02042 1568 NtContinue (71105840, 1, ... 02043 704 NtTestAlert (... 02039 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75561, 0} ... {28, 56, reply, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0d\6\0\0\300\0\0\0" ) ) == 0x0 02044 1792 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02045 784 NtRegisterThreadTerminatePort (24, ... 02046 1104 NtRegisterThreadTerminatePort (24, ... 02047 1568 NtRegisterThreadTerminatePort (24, ... 02043 704 NtTestAlert ... ) == 0x0 02048 1736 NtResumeThread (636, ... 02044 1792 NtDuplicateObject ... 640, ) == 0x0 02045 784 NtRegisterThreadTerminatePort ... ) == 0x0 02046 1104 NtRegisterThreadTerminatePort ... ) == 0x0 02047 1568 NtRegisterThreadTerminatePort ... ) == 0x0 02049 704 NtContinue (70057264, 1, ... 02038 1356 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02025 220 NtRequestWaitReplyPort ... {44, 68, reply, 0, 1636, 220, 75560, 0} ... {44, 68, reply, 0, 1636, 220, 75560, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02050 1792 NtWaitForSingleObject (64, 0, {0, 0}, ... 02051 784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02052 1104 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02053 1568 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02054 704 NtRegisterThreadTerminatePort (24, ... 02055 1356 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 02056 220 NtRaiseException (11074064, 11073324, 1, ... 02048 1736 NtResumeThread ... 1, ) == 0x0 02050 1792 NtWaitForSingleObject ... ) == 0x102 02057 192 NtTestAlert (... 02051 784 NtDuplicateObject ... 644, ) == 0x0 02052 1104 NtDuplicateObject ... 648, ) == 0x0 02054 704 NtRegisterThreadTerminatePort ... ) == 0x0 02055 1356 NtAllocateVirtualMemory ... 8781824, 65536, ) == 0x0 02053 1568 NtDuplicateObject ... 652, ) == 0x0 02058 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02059 1792 NtWaitForSingleObject (136, 0, 0x0, ... 02057 192 NtTestAlert ... ) == 0x0 02060 784 NtWaitForSingleObject (64, 0, {0, 0}, ... 02061 1104 NtWaitForSingleObject (64, 0, {0, 0}, ... 02062 704 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02063 220 NtQueryVirtualMemory (-1, 0x77e7a298, Basic, 28, ... 02064 1568 NtWaitForSingleObject (64, 0, {0, 0}, ... 02058 1736 NtAllocateVirtualMemory ... 75300864, 1048576, ) == 0x0 02065 192 NtContinue (75300144, 1, ... 02060 784 NtWaitForSingleObject ... ) == 0x102 02061 1104 NtWaitForSingleObject ... ) == 0x102 02066 1356 NtAllocateVirtualMemory (-1, 8781824, 0, 4096, 4096, 4, ... 02063 220 NtQueryVirtualMemory ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 02064 1568 NtWaitForSingleObject ... ) == 0x102 02067 1736 NtAllocateVirtualMemory (-1, 76341248, 0, 8192, 4096, 4, ... 02068 192 NtRegisterThreadTerminatePort (24, ... 02069 784 NtWaitForSingleObject (136, 0, 0x0, ... 02070 1104 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 02066 1356 NtAllocateVirtualMemory ... 8781824, 4096, ) == 0x0 02071 220 NtContinue (11072292, 0, ... 02072 1568 NtWaitForSingleObject (312, 0, 0x0, ... 02067 1736 NtAllocateVirtualMemory ... 
76341248, 8192, ) == 0x0 02068 192 NtRegisterThreadTerminatePort ... ) == 0x0 02070 1104 NtAllocateVirtualMemory ... 1404928, 4096, ) == 0x0 02073 1356 NtWaitForSingleObject (312, 0, 0x0, ... 02074 1736 NtProtectVirtualMemory (-1, (0x48ce000), 4096, 260, ... 02062 704 NtDuplicateObject ... 656, ) == 0x0 02075 192 NtWaitForSingleObject (312, 0, 0x0, ... 02076 1104 NtSetEventBoostPriority (312, ... 02077 704 NtWaitForSingleObject (312, 0, 0x0, ... 02072 1568 NtWaitForSingleObject ... ) == 0x0 02076 1104 NtSetEventBoostPriority ... ) == 0x0 02078 1568 NtSetEventBoostPriority (312, ... 02073 1356 NtWaitForSingleObject ... ) == 0x0 02079 1356 NtSetEventBoostPriority (312, ... 02075 192 NtWaitForSingleObject ... ) == 0x0 02080 192 NtSetEventBoostPriority (312, ... 02077 704 NtWaitForSingleObject ... ) == 0x0 02081 704 NtWaitForSingleObject (316, 0, 0x0, ... 02080 192 NtSetEventBoostPriority ... ) == 0x0 02082 192 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02079 1356 NtSetEventBoostPriority ... ) == 0x0 02078 1568 NtSetEventBoostPriority ... ) == 0x0 02083 1104 NtWaitForSingleObject (136, 0, 0x0, ... 02084 220 NtDeviceIoControlFile (456, 112, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... 02074 1736 NtProtectVirtualMemory ... (0x48ce000), 4096, 4, ) == 0x0 02082 192 NtDuplicateObject ... 660, ) == 0x0 02085 1356 NtSetEventBoostPriority (316, ... 02086 1568 NtWaitForSingleObject (136, 0, 0x0, ... 02087 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02088 192 NtWaitForSingleObject (316, 0, 0x0, ... 02081 704 NtWaitForSingleObject ... ) == 0x0 02085 1356 NtSetEventBoostPriority ... ) == 0x0 02087 1736 NtCreateThread ... 664, {1636, 1484}, ) == 0x0 02089 704 NtSetEventBoostPriority (316, ... 02090 1356 NtAllocateVirtualMemory (-1, 8785920, 0, 8192, 4096, 4, ... 02088 192 NtWaitForSingleObject ... ) == 0x0 02089 704 NtSetEventBoostPriority ... ) == 0x0 02091 1736 NtQueryInformationThread (664, Basic, 28, ... 02092 192 NtWaitForSingleObject (64, 0, {0, 0}, ... 
02090 1356 NtAllocateVirtualMemory ... 8785920, 8192, ) == 0x0 02084 220 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x103 02091 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1636,Tid=1484,}, 0x0, ) == 0x0 02093 1356 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 12118992, ... }, 12118992, ... 02094 220 NtWaitForSingleObject (112, 1, {-5000000, -1}, ... 02095 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0\314\5\0\0" ... ... 02093 1356 NtQueryAttributesFile ... ) == 0x0 02096 704 NtWaitForSingleObject (64, 0, {0, 0}, ... 02092 192 NtWaitForSingleObject ... ) == 0x102 02095 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75562, 0} ... {28, 56, reply, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0d\6\0\0\314\5\0\0" ) ) == 0x0 02096 704 NtWaitForSingleObject ... ) == 0x102 02097 192 NtWaitForSingleObject (136, 0, 0x0, ... 02098 1736 NtResumeThread (664, ... 02099 704 NtWaitForSingleObject (136, 0, 0x0, ... 02098 1736 NtResumeThread ... 1, ) == 0x0 02100 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 76349440, 1048576, ) == 0x0 02101 1736 NtAllocateVirtualMemory (-1, 77389824, 0, 8192, 4096, 4, ... 77389824, 8192, ) == 0x0 02102 1736 NtProtectVirtualMemory (-1, (0x49ce000), 4096, 260, ... (0x49ce000), 4096, 4, ) == 0x0 02103 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1636, 1120}, ) == 0x0 02104 1356 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... }, 5, 96, ... 02105 1484 NtWaitForSingleObject (88, 0, 0x0, ... 02104 1356 NtOpenFile ... 672, {status=0x0, info=1}, ) == 0x0 02106 1356 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 672, ... 676, ) == 0x0 02107 1356 NtClose (672, ... 
) == 0x0 02108 1356 NtMapViewOfSection (676, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb90000), 0x0, 110592, ) == 0x0 02109 1356 NtClose (676, ... ) == 0x0 02110 1736 NtQueryInformationThread (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1636,Tid=1120,}, 0x0, ) == 0x0 02111 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0`\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0`\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75563, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0`\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0d\6\0\0`\4\0\0" ) ) == 0x0 02112 1736 NtResumeThread (668, ... 1, ) == 0x0 02113 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 77398016, 1048576, ) == 0x0 02114 1736 NtAllocateVirtualMemory (-1, 78438400, 0, 8192, 4096, 4, ... 78438400, 8192, ) == 0x0 02115 1736 NtProtectVirtualMemory (-1, (0x4ace000), 4096, 260, ... 02116 1356 NtUnmapViewOfSection (-1, 0xb90000, ... 02117 1120 NtWaitForSingleObject (88, 0, 0x0, ... 02116 1356 NtUnmapViewOfSection ... ) == 0x0 02118 1356 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 12119300, ... ) }, 12119300, ... ) == 0x0 02119 1356 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 676, {status=0x0, info=1}, ) }, 5, 96, ... 676, {status=0x0, info=1}, ) == 0x0 02120 1356 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 676, ... 672, ) == 0x0 02121 1356 NtQuerySection (672, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02122 1356 NtClose (676, ... ) == 0x0 02115 1736 NtProtectVirtualMemory ... 
(0x4ace000), 4096, 4, ) == 0x0 02123 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1636, 520}, ) == 0x0 02124 1736 NtQueryInformationThread (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1636,Tid=520,}, 0x0, ) == 0x0 02125 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\10\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\10\2\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75564, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\10\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0d\6\0\0\10\2\0\0" ) ) == 0x0 02126 1736 NtResumeThread (676, ... 1, ) == 0x0 02127 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 78446592, 1048576, ) == 0x0 02128 1356 NtMapViewOfSection (672, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 02129 520 NtWaitForSingleObject (88, 0, 0x0, ... 02128 1356 NtMapViewOfSection ... (0x751d0000), 0x0, 122880, ) == 0x0 02130 1356 NtClose (672, ... ) == 0x0 02131 1356 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0 02132 1356 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0 02133 1356 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02134 1736 NtAllocateVirtualMemory (-1, 79486976, 0, 8192, 4096, 4, ... 79486976, 8192, ) == 0x0 02135 1736 NtProtectVirtualMemory (-1, (0x4bce000), 4096, 260, ... (0x4bce000), 4096, 4, ) == 0x0 02136 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1636, 1612}, ) == 0x0 02137 1736 NtQueryInformationThread (672, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1636,Tid=1612,}, 0x0, ) == 0x0 02138 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0L\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0L\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75565, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0L\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0d\6\0\0L\6\0\0" ) ) == 0x0 02139 1736 NtResumeThread (672, ... 02140 1356 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0 02141 1356 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0 02142 1356 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02143 1356 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02144 1356 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 12118476, ... }, 12118476, ... 02139 1736 NtResumeThread ... 1, ) == 0x0 02145 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 79495168, 1048576, ) == 0x0 02146 1736 NtAllocateVirtualMemory (-1, 80535552, 0, 8192, 4096, 4, ... 80535552, 8192, ) == 0x0 02147 1736 NtProtectVirtualMemory (-1, (0x4cce000), 4096, 260, ... 02148 1612 NtWaitForSingleObject (88, 0, 0x0, ... 02147 1736 NtProtectVirtualMemory ... (0x4cce000), 4096, 4, ) == 0x0 02149 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1636, 876}, ) == 0x0 02150 1736 NtQueryInformationThread (680, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1636,Tid=876,}, 0x0, ) == 0x0 02151 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0l\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75566, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0l\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0d\6\0\0l\3\0\0" ) ) == 0x0 02152 1736 NtResumeThread (680, ... 1, ) == 0x0 02153 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 80543744, 1048576, ) == 0x0 02154 876 NtWaitForSingleObject (88, 0, 0x0, ... 02155 1736 NtAllocateVirtualMemory (-1, 81584128, 0, 8192, 4096, 4, ... 81584128, 8192, ) == 0x0 02156 1736 NtProtectVirtualMemory (-1, (0x4dce000), 4096, 260, ... (0x4dce000), 4096, 4, ) == 0x0 02157 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1636, 1628}, ) == 0x0 02158 1736 NtQueryInformationThread (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1636,Tid=1628,}, 0x0, ) == 0x0 02159 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75567, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0d\6\0\0\\6\0\0" ) ) == 0x0 02160 1736 NtResumeThread (684, ... 1, ) == 0x0 02161 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
81592320, 1048576, ) == 0x0 02162 1736 NtAllocateVirtualMemory (-1, 82632704, 0, 8192, 4096, 4, ... 82632704, 8192, ) == 0x0 02163 1736 NtProtectVirtualMemory (-1, (0x4ece000), 4096, 260, ... 02164 1628 NtWaitForSingleObject (88, 0, 0x0, ... 02163 1736 NtProtectVirtualMemory ... (0x4ece000), 4096, 4, ) == 0x0 02165 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1636, 940}, ) == 0x0 02166 1736 NtQueryInformationThread (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1636,Tid=940,}, 0x0, ) == 0x0 02167 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0\254\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0\254\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75568, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0\254\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0d\6\0\0\254\3\0\0" ) ) == 0x0 02168 1736 NtResumeThread (688, ... 1, ) == 0x0 02169 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 82640896, 1048576, ) == 0x0 02170 940 NtWaitForSingleObject (88, 0, 0x0, ... 02171 1736 NtAllocateVirtualMemory (-1, 83681280, 0, 8192, 4096, 4, ... 83681280, 8192, ) == 0x0 02172 1736 NtProtectVirtualMemory (-1, (0x4fce000), 4096, 260, ... (0x4fce000), 4096, 4, ) == 0x0 02173 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1636, 1316}, ) == 0x0 02174 1736 NtQueryInformationThread (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1636,Tid=1316,}, 0x0, ) == 0x0 02175 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0$\5\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0$\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75569, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0$\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0d\6\0\0$\5\0\0" ) ) == 0x0 02176 1736 NtResumeThread (692, ... 1, ) == 0x0 02177 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 83689472, 1048576, ) == 0x0 02178 1736 NtAllocateVirtualMemory (-1, 84729856, 0, 8192, 4096, 4, ... 84729856, 8192, ) == 0x0 02179 1736 NtProtectVirtualMemory (-1, (0x50ce000), 4096, 260, ... 02180 1316 NtWaitForSingleObject (88, 0, 0x0, ... 02179 1736 NtProtectVirtualMemory ... (0x50ce000), 4096, 4, ) == 0x0 02181 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {1636, 1924}, ) == 0x0 02182 1736 NtQueryInformationThread (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1636,Tid=1924,}, 0x0, ) == 0x0 02183 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0\204\7\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75570, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0\204\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0d\6\0\0\204\7\0\0" ) ) == 0x0 02184 1736 NtResumeThread (696, ... 1, ) == 0x0 02185 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 84738048, 1048576, ) == 0x0 02186 1924 NtWaitForSingleObject (88, 0, 0x0, ... 02187 1736 NtAllocateVirtualMemory (-1, 85778432, 0, 8192, 4096, 4, ... 85778432, 8192, ) == 0x0 02188 1736 NtProtectVirtualMemory (-1, (0x51ce000), 4096, 260, ... 
(0x51ce000), 4096, 4, ) == 0x0 02189 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {1636, 644}, ) == 0x0 02190 1736 NtQueryInformationThread (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1636,Tid=644,}, 0x0, ) == 0x0 02191 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\204\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\204\2\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75571, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\204\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0d\6\0\0\204\2\0\0" ) ) == 0x0 02192 1736 NtResumeThread (700, ... 1, ) == 0x0 02193 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 85786624, 1048576, ) == 0x0 02194 1736 NtAllocateVirtualMemory (-1, 86827008, 0, 8192, 4096, 4, ... 86827008, 8192, ) == 0x0 02195 1736 NtProtectVirtualMemory (-1, (0x52ce000), 4096, 260, ... 02196 644 NtWaitForSingleObject (88, 0, 0x0, ... 02195 1736 NtProtectVirtualMemory ... (0x52ce000), 4096, 4, ) == 0x0 02197 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1636, 1288}, ) == 0x0 02198 1736 NtQueryInformationThread (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1636,Tid=1288,}, 0x0, ) == 0x0 02199 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\10\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\10\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75572, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\10\5\0\0" ... 
{28, 56, reply, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0d\6\0\0\10\5\0\0" ) ) == 0x0 02200 1736 NtResumeThread (704, ... 1, ) == 0x0 02201 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 86835200, 1048576, ) == 0x0 02202 1288 NtWaitForSingleObject (88, 0, 0x0, ... 02203 1736 NtAllocateVirtualMemory (-1, 87875584, 0, 8192, 4096, 4, ... 87875584, 8192, ) == 0x0 02204 1736 NtProtectVirtualMemory (-1, (0x53ce000), 4096, 260, ... (0x53ce000), 4096, 4, ) == 0x0 02205 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1636, 752}, ) == 0x0 02206 1736 NtQueryInformationThread (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1636,Tid=752,}, 0x0, ) == 0x0 02207 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\360\2\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75573, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\360\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0d\6\0\0\360\2\0\0" ) ) == 0x0 02208 1736 NtResumeThread (708, ... 1, ) == 0x0 02209 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 87883776, 1048576, ) == 0x0 02210 1736 NtAllocateVirtualMemory (-1, 88924160, 0, 8192, 4096, 4, ... 88924160, 8192, ) == 0x0 02211 1736 NtProtectVirtualMemory (-1, (0x54ce000), 4096, 260, ... 02144 1356 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02212 752 NtWaitForSingleObject (88, 0, 0x0, ... 02213 1356 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 12118476, ... ) }, 12118476, ... 
) == 0x0 02214 1356 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 712, {status=0x0, info=1}, ) }, 5, 96, ... 712, {status=0x0, info=1}, ) == 0x0 02215 1356 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 712, ... 716, ) == 0x0 02216 1356 NtQuerySection (716, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02217 1356 NtClose (712, ... ) == 0x0 02218 1356 NtMapViewOfSection (716, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 02211 1736 NtProtectVirtualMemory ... (0x54ce000), 4096, 4, ) == 0x0 02219 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1636, 624}, ) == 0x0 02220 1736 NtQueryInformationThread (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1636,Tid=624,}, 0x0, ) == 0x0 02221 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0p\2\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75574, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0p\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0d\6\0\0p\2\0\0" ) ) == 0x0 02222 1736 NtResumeThread (712, ... 1, ) == 0x0 02223 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 88932352, 1048576, ) == 0x0 02218 1356 NtMapViewOfSection ... (0x77920000), 0x0, 995328, ) == 0x0 02224 624 NtWaitForSingleObject (88, 0, 0x0, ... 02225 1356 NtClose (716, ... ) == 0x0 02226 1356 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02227 1356 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02228 1356 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02229 1356 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... 
(0x77921000), 4096, 32, ) == 0x0 02230 1356 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... 02231 1736 NtAllocateVirtualMemory (-1, 89972736, 0, 8192, 4096, 4, ... 89972736, 8192, ) == 0x0 02232 1736 NtProtectVirtualMemory (-1, (0x55ce000), 4096, 260, ... (0x55ce000), 4096, 4, ) == 0x0 02233 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1636, 380}, ) == 0x0 02234 1736 NtQueryInformationThread (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1636,Tid=380,}, 0x0, ) == 0x0 02235 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0|\1\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75575, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0|\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0d\6\0\0|\1\0\0" ) ) == 0x0 02236 1736 NtResumeThread (716, ... 02230 1356 NtProtectVirtualMemory ... (0x77921000), 4096, 4, ) == 0x0 02237 1356 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02238 1356 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02239 1356 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02240 1356 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02241 1356 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02242 1356 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... 02236 1736 NtResumeThread ... 1, ) == 0x0 02243 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 89980928, 1048576, ) == 0x0 02244 1736 NtAllocateVirtualMemory (-1, 91021312, 0, 8192, 4096, 4, ... 91021312, 8192, ) == 0x0 02245 1736 NtProtectVirtualMemory (-1, (0x56ce000), 4096, 260, ... 
(0x56ce000), 4096, 4, ) == 0x0 02246 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1636, 776}, ) == 0x0 02247 1736 NtQueryInformationThread (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1636,Tid=776,}, 0x0, ) == 0x0 02248 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\10\3\0\0" ... ... 02242 1356 NtProtectVirtualMemory ... (0x77921000), 4096, 4, ) == 0x0 02249 380 NtWaitForSingleObject (88, 0, 0x0, ... 02250 1356 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02251 1356 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02252 1356 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02253 1356 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02254 1356 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0 02255 1356 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... 02248 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75576, 0} ... {28, 56, reply, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0d\6\0\0\10\3\0\0" ) ) == 0x0 02256 1736 NtResumeThread (720, ... 1, ) == 0x0 02257 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 91029504, 1048576, ) == 0x0 02258 1736 NtAllocateVirtualMemory (-1, 92069888, 0, 8192, 4096, 4, ... 92069888, 8192, ) == 0x0 02259 1736 NtProtectVirtualMemory (-1, (0x57ce000), 4096, 260, ... (0x57ce000), 4096, 4, ) == 0x0 02260 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1636, 312}, ) == 0x0 02255 1356 NtProtectVirtualMemory ... (0x751d1000), 4096, 4, ) == 0x0 02261 776 NtWaitForSingleObject (88, 0, 0x0, ... 02262 1356 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02263 1736 NtQueryInformationThread (724, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1636,Tid=312,}, 0x0, ) == 0x0 02264 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\08\1\0\0" ... ... 02265 1356 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02266 1356 NtQueryDefaultUILanguage (2090319928, ... 02267 1356 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02268 1356 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482564, ) == 0x0 02264 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75577, 0} ... {28, 56, reply, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0d\6\0\08\1\0\0" ) ) == 0x0 02269 1736 NtResumeThread (724, ... 1, ) == 0x0 02270 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 92078080, 1048576, ) == 0x0 02271 1736 NtAllocateVirtualMemory (-1, 93118464, 0, 8192, 4096, 4, ... 93118464, 8192, ) == 0x0 02272 1736 NtProtectVirtualMemory (-1, (0x58ce000), 4096, 260, ... 02273 1356 NtQueryInformationToken (-2147482564, User, 80, ... 02274 312 NtWaitForSingleObject (88, 0, 0x0, ... 02273 1356 NtQueryInformationToken ... {token info, class 1, size 36}, 36, ) == 0x0 02275 1356 NtClose (-2147482564, ... ) == 0x0 02276 1356 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482564, ) }, ... -2147482564, ) == 0x0 02277 1356 NtOpenKey (0x80000000, {24, -2147482564, 0x240, 0, 0, (0x80000000, {24, -2147482564, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02278 1356 NtOpenKey (0x80000000, {24, -2147482564, 0x640, 0, 0, (0x80000000, {24, -2147482564, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481440, ) }, ... -2147481440, ) == 0x0 02279 1356 NtQueryValueKey (-2147481440, (-2147481440, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02272 1736 NtProtectVirtualMemory ... (0x58ce000), 4096, 4, ) == 0x0 02280 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {1636, 1124}, ) == 0x0 02281 1736 NtQueryInformationThread (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1636,Tid=1124,}, 0x0, ) == 0x0 02282 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0d\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0d\4\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75578, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0d\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0d\6\0\0d\4\0\0" ) ) == 0x0 02283 1736 NtResumeThread (728, ... 1, ) == 0x0 02284 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 93126656, 1048576, ) == 0x0 02285 1356 NtClose (-2147481440, ... 02286 1124 NtWaitForSingleObject (88, 0, 0x0, ... 02285 1356 NtClose ... ) == 0x0 02287 1356 NtClose (-2147482564, ... ) == 0x0 02266 1356 NtQueryDefaultUILanguage ... ) == 0x0 02288 1356 NtAllocateVirtualMemory (-1, 12107776, 0, 4096, 4096, 260, ... 12107776, 4096, ) == 0x0 02289 1356 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 02290 1356 NtQueryDefaultLocale (1, 12119196, ... ) == 0x0 02291 1356 NtQueryInformationProcess (-1, Wow64, 4, ... 02292 1736 NtAllocateVirtualMemory (-1, 94167040, 0, 8192, 4096, 4, ... 
94167040, 8192, ) == 0x0 02293 1736 NtProtectVirtualMemory (-1, (0x59ce000), 4096, 260, ... (0x59ce000), 4096, 4, ) == 0x0 02294 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {1636, 1404}, ) == 0x0 02295 1736 NtQueryInformationThread (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1636,Tid=1404,}, 0x0, ) == 0x0 02296 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0d\6\0\0|\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75579, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0d\6\0\0|\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0d\6\0\0|\5\0\0" ) ) == 0x0 02297 1736 NtResumeThread (732, ... 02291 1356 NtQueryInformationProcess ... {process info, class 26, size 4}, 0x0, ) == 0x0 02298 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 736, ) }, ... 736, ) == 0x0 02299 1356 NtQueryValueKey (736, (736, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (736, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02300 1356 NtClose (736, ... ) == 0x0 02301 1356 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 736, ) == 0x0 02302 1356 NtCallbackReturn (0, 0, 0, ... 02303 1356 NtUserGetProcessWindowStation (... ) == 0x20 02297 1736 NtResumeThread ... 1, ) == 0x0 02304 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 94175232, 1048576, ) == 0x0 02305 1736 NtAllocateVirtualMemory (-1, 95215616, 0, 8192, 4096, 4, ... 95215616, 8192, ) == 0x0 02306 1736 NtProtectVirtualMemory (-1, (0x5ace000), 4096, 260, ... 
(0x5ace000), 4096, 4, ) == 0x0 02307 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {1636, 476}, ) == 0x0 02308 1736 NtQueryInformationThread (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1636,Tid=476,}, 0x0, ) == 0x0 02309 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0d\6\0\0\334\1\0\0" ... ... 02310 1356 NtUserGetObjectInformation (32, 1, 12118792, 12, 12118804, ... 02311 1404 NtWaitForSingleObject (88, 0, 0x0, ... 02310 1356 NtUserGetObjectInformation ... ) == 0x1 02312 1356 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02313 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\WPA\PnP"}, ... 744, ) }, ... 744, ) == 0x0 02314 1356 NtQueryValueKey (744, (744, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (744, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0 02315 1356 NtClose (744, ... ) == 0x0 02316 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 744, ) }, ... 744, ) == 0x0 02309 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75580, 0} ... {28, 56, reply, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0d\6\0\0\334\1\0\0" ) ) == 0x0 02317 1736 NtResumeThread (740, ... 1, ) == 0x0 02318 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 95223808, 1048576, ) == 0x0 02319 1736 NtAllocateVirtualMemory (-1, 96264192, 0, 8192, 4096, 4, ... 96264192, 8192, ) == 0x0 02320 1736 NtProtectVirtualMemory (-1, (0x5bce000), 4096, 260, ... (0x5bce000), 4096, 4, ) == 0x0 02321 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
748, {1636, 1964}, ) == 0x0 02322 1356 NtQueryValueKey (744, (744, "OsLoaderPath", Partial, 144, ... , Partial, 144, ... 02323 476 NtWaitForSingleObject (88, 0, 0x0, ... 02322 1356 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02324 1356 NtQueryValueKey (744, (744, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (744, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02325 1356 NtClose (744, ... ) == 0x0 02326 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 744, ) }, ... 744, ) == 0x0 02327 1356 NtQueryValueKey (744, (744, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (744, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02328 1356 NtQueryValueKey (744, (744, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (744, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02329 1736 NtQueryInformationThread (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1636,Tid=1964,}, 0x0, ) == 0x0 02330 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0\254\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0\254\7\0\0" ) ... 
{28, 56, reply, 0, 1636, 1736, 75581, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0\254\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0d\6\0\0\254\7\0\0" ) ) == 0x0 02331 1736 NtResumeThread (748, ... 1, ) == 0x0 02332 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 96272384, 1048576, ) == 0x0 02333 1736 NtAllocateVirtualMemory (-1, 97312768, 0, 8192, 4096, 4, ... 97312768, 8192, ) == 0x0 02334 1736 NtProtectVirtualMemory (-1, (0x5cce000), 4096, 260, ... 02335 1356 NtClose (744, ... 02336 1964 NtWaitForSingleObject (88, 0, 0x0, ... 02335 1356 NtClose ... ) == 0x0 02337 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 744, ) }, ... 744, ) == 0x0 02338 1356 NtQueryValueKey (744, (744, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (744, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02339 1356 NtQueryValueKey (744, (744, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (744, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02340 1356 NtClose (744, ... ) == 0x0 02341 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 744, ) }, ... 744, ) == 0x0 02334 1736 NtProtectVirtualMemory ... (0x5cce000), 4096, 4, ) == 0x0 02342 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {1636, 740}, ) == 0x0 02343 1736 NtQueryInformationThread (752, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1636,Tid=740,}, 0x0, ) == 0x0 02344 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0d\6\0\0\344\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0d\6\0\0\344\2\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75582, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0d\6\0\0\344\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0d\6\0\0\344\2\0\0" ) ) == 0x0 02345 1736 NtResumeThread (752, ... 1, ) == 0x0 02346 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 97320960, 1048576, ) == 0x0 02347 1356 NtQueryValueKey (744, (744, "ServicePackSourcePath", Partial, 144, ... , Partial, 144, ... 02348 740 NtWaitForSingleObject (88, 0, 0x0, ... 02347 1356 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02349 1356 NtQueryValueKey (744, (744, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (744, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02350 1356 NtClose (744, ... ) == 0x0 02351 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 744, ) }, ... 744, ) == 0x0 02352 1356 NtQueryValueKey (744, (744, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (744, "ServicePackCachePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 02353 1356 NtQueryValueKey (744, (744, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (744, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 02354 1736 NtAllocateVirtualMemory (-1, 98361344, 0, 8192, 4096, 4, ... 98361344, 8192, ) == 0x0 02355 1736 NtProtectVirtualMemory (-1, (0x5dce000), 4096, 260, ... (0x5dce000), 4096, 4, ) == 0x0 02356 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {1636, 1624}, ) == 0x0 02357 1736 NtQueryInformationThread (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1636,Tid=1624,}, 0x0, ) == 0x0 02358 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0X\6\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75583, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0X\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0d\6\0\0X\6\0\0" ) ) == 0x0 02359 1736 NtResumeThread (756, ... 02360 1356 NtClose (744, ... ) == 0x0 02361 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 744, ) }, ... 
744, ) == 0x0 02362 1356 NtQueryValueKey (744, (744, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (744, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02363 1356 NtQueryValueKey (744, (744, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (744, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02364 1356 NtClose (744, ... ) == 0x0 02365 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 744, ) }, ... 744, ) == 0x0 02359 1736 NtResumeThread ... 1, ) == 0x0 02366 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 98369536, 1048576, ) == 0x0 02367 1736 NtAllocateVirtualMemory (-1, 99409920, 0, 8192, 4096, 4, ... 99409920, 8192, ) == 0x0 02368 1736 NtProtectVirtualMemory (-1, (0x5ece000), 4096, 260, ... (0x5ece000), 4096, 4, ) == 0x0 02369 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {1636, 1716}, ) == 0x0 02370 1736 NtQueryInformationThread (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1636,Tid=1716,}, 0x0, ) == 0x0 02371 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\264\6\0\0" ... ... 02372 1356 NtQueryValueKey (744, (744, "DevicePath", Partial, 144, ... , Partial, 144, ... 02373 1624 NtWaitForSingleObject (88, 0, 0x0, ... 02372 1356 NtQueryValueKey ... 
) == STATUS_BUFFER_OVERFLOW 02374 1356 NtQueryValueKey (744, (744, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (744, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0 02375 1356 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0 02376 1356 NtClose (744, ... ) == 0x0 02377 1356 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 744, ) == 0x0 02378 1356 NtCreateMutant (0x1f0001, 0x0, 0, ... 764, ) == 0x0 02371 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75584, 0} ... {28, 56, reply, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0d\6\0\0\264\6\0\0" ) ) == 0x0 02379 1736 NtResumeThread (760, ... 1, ) == 0x0 02380 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 99418112, 1048576, ) == 0x0 02381 1736 NtAllocateVirtualMemory (-1, 100458496, 0, 8192, 4096, 4, ... 
100458496, 8192, ) == 0x0 02382 1736 NtProtectVirtualMemory (-1, (0x5fce000), 4096, 260, ... (0x5fce000), 4096, 4, ) == 0x0 02383 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 768, {1636, 1440}, ) == 0x0 02384 1356 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02385 1716 NtWaitForSingleObject (88, 0, 0x0, ... 02384 1356 NtCreateEvent ... 772, ) == 0x0 02386 1356 NtCreateMutant (0x1f0001, 0x0, 0, ... 776, ) == 0x0 02387 1356 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 780, ) == 0x0 02388 1356 NtCreateMutant (0x1f0001, 0x0, 0, ... 784, ) == 0x0 02389 1356 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 788, ) }, ... 788, ) == 0x0 02390 1356 NtQueryValueKey (788, (788, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (788, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02391 1736 NtQueryInformationThread (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1636,Tid=1440,}, 0x0, ) == 0x0 02392 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0d\6\0\0\240\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0d\6\0\0\240\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75585, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0d\6\0\0\240\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0d\6\0\0\240\5\0\0" ) ) == 0x0 02393 1736 NtResumeThread (768, ... 1, ) == 0x0 02394 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 100466688, 1048576, ) == 0x0 02395 1736 NtAllocateVirtualMemory (-1, 101507072, 0, 8192, 4096, 4, ... 101507072, 8192, ) == 0x0 02396 1736 NtProtectVirtualMemory (-1, (0x60ce000), 4096, 260, ... 
02397 1356 NtQueryValueKey (788, (788, "LogLevel", Partial, 144, ... , Partial, 144, ... 02398 1440 NtWaitForSingleObject (88, 0, 0x0, ... 02397 1356 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02399 1356 NtQueryValueKey (788, (788, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02400 1356 NtOpenKey (0x1, {24, 788, 0x40, 0, 0, (0x1, {24, 788, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02401 1356 NtClose (788, ... ) == 0x0 02402 1356 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 12118708, ... ) }, 12118708, ... ) == 0x0 02403 1356 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 788, ) }, ... 788, ) == 0x0 02396 1736 NtProtectVirtualMemory ... (0x60ce000), 4096, 4, ) == 0x0 02404 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 792, {1636, 1516}, ) == 0x0 02405 1736 NtQueryInformationThread (792, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1636,Tid=1516,}, 0x0, ) == 0x0 02406 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0d\6\0\0\354\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0d\6\0\0\354\5\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75586, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0d\6\0\0\354\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0d\6\0\0\354\5\0\0" ) ) == 0x0 02407 1736 NtResumeThread (792, ... 1, ) == 0x0 02408 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 101515264, 1048576, ) == 0x0 02409 1356 NtQueryValueKey (788, (788, "ComputerName", Full, 128, ... , Full, 128, ... 
02410 1516 NtWaitForSingleObject (88, 0, 0x0, ... 02409 1356 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 02411 1356 NtClose (788, ... ) == 0x0 02412 1356 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 788, ) }, ... 788, ) == 0x0 02413 1356 NtQueryValueKey (788, (788, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (788, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (788, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0 02414 1356 NtClose (788, ... ) == 0x0 02415 1356 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02416 1736 NtAllocateVirtualMemory (-1, 102555648, 0, 8192, 4096, 4, ... 102555648, 8192, ) == 0x0 02417 1736 NtProtectVirtualMemory (-1, (0x61ce000), 4096, 260, ... (0x61ce000), 4096, 4, ) == 0x0 02418 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 788, {1636, 1664}, ) == 0x0 02419 1736 NtQueryInformationThread (788, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1636,Tid=1664,}, 0x0, ) == 0x0 02420 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0d\6\0\0\200\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0d\6\0\0\200\6\0\0" ) ... 
{28, 56, reply, 0, 1636, 1736, 75587, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0d\6\0\0\200\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0d\6\0\0\200\6\0\0" ) ) == 0x0 02421 1736 NtResumeThread (788, ... 02422 1356 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 796, ) }, ... 796, ) == 0x0 02423 1356 NtQueryValueKey (796, (796, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (796, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (796, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 02424 1356 NtClose (796, ... ) == 0x0 02425 1356 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02426 1356 NtSetEventBoostPriority (88, ... 02105 1484 NtWaitForSingleObject ... ) == 0x0 02427 1484 NtSetEventBoostPriority (88, ... 02117 1120 NtWaitForSingleObject ... ) == 0x0 02428 1120 NtSetEventBoostPriority (88, ... 02129 520 NtWaitForSingleObject ... ) == 0x0 02429 520 NtSetEventBoostPriority (88, ... 02148 1612 NtWaitForSingleObject ... ) == 0x0 02430 1612 NtSetEventBoostPriority (88, ... 02154 876 NtWaitForSingleObject ... ) == 0x0 02431 876 NtSetEventBoostPriority (88, ... 02164 1628 NtWaitForSingleObject ... ) == 0x0 02432 1628 NtSetEventBoostPriority (88, ... 02170 940 NtWaitForSingleObject ... ) == 0x0 02433 940 NtSetEventBoostPriority (88, ... 02180 1316 NtWaitForSingleObject ... ) == 0x0 02434 1316 NtSetEventBoostPriority (88, ... 02186 1924 NtWaitForSingleObject ... ) == 0x0 02435 1924 NtSetEventBoostPriority (88, ... 
02196 644 NtWaitForSingleObject ... ) == 0x0 02436 644 NtSetEventBoostPriority (88, ... 02202 1288 NtWaitForSingleObject ... ) == 0x0 02437 1288 NtSetEventBoostPriority (88, ... 02212 752 NtWaitForSingleObject ... ) == 0x0 02438 752 NtSetEventBoostPriority (88, ... 02224 624 NtWaitForSingleObject ... ) == 0x0 02439 624 NtSetEventBoostPriority (88, ... 02249 380 NtWaitForSingleObject ... ) == 0x0 02440 380 NtSetEventBoostPriority (88, ... 02261 776 NtWaitForSingleObject ... ) == 0x0 02441 776 NtSetEventBoostPriority (88, ... 02274 312 NtWaitForSingleObject ... ) == 0x0 02442 312 NtSetEventBoostPriority (88, ... 02286 1124 NtWaitForSingleObject ... ) == 0x0 02443 1124 NtAllocateVirtualMemory (-1, 8876032, 0, 4096, 4096, 4, ... 8876032, 4096, ) == 0x0 02442 312 NtSetEventBoostPriority ... ) == 0x0 02441 776 NtSetEventBoostPriority ... ) == 0x0 02440 380 NtSetEventBoostPriority ... ) == 0x0 02439 624 NtSetEventBoostPriority ... ) == 0x0 02438 752 NtSetEventBoostPriority ... ) == 0x0 02437 1288 NtSetEventBoostPriority ... ) == 0x0 02436 644 NtSetEventBoostPriority ... ) == 0x0 02435 1924 NtSetEventBoostPriority ... ) == 0x0 02434 1316 NtSetEventBoostPriority ... ) == 0x0 02433 940 NtSetEventBoostPriority ... ) == 0x0 02432 1628 NtSetEventBoostPriority ... ) == 0x0 02431 876 NtSetEventBoostPriority ... ) == 0x0 02430 1612 NtSetEventBoostPriority ... ) == 0x0 02429 520 NtSetEventBoostPriority ... ) == 0x0 02428 1120 NtSetEventBoostPriority ... ) == 0x0 02427 1484 NtSetEventBoostPriority ... ) == 0x0 02426 1356 NtSetEventBoostPriority ... ) == 0x0 02421 1736 NtResumeThread ... 1, ) == 0x0 02444 1124 NtSetEventBoostPriority (88, ... 02445 1664 NtWaitForSingleObject (88, 0, 0x0, ... 02446 312 NtTestAlert (... 02447 776 NtTestAlert (... 02448 380 NtTestAlert (... 02449 624 NtTestAlert (... 02450 752 NtTestAlert (... 02451 1288 NtTestAlert (... 02452 644 NtTestAlert (... 02453 1924 NtTestAlert (... 02454 1316 NtTestAlert (... 02455 940 NtTestAlert (... 
02456 1628 NtTestAlert (... 02457 876 NtTestAlert (... 02458 1612 NtTestAlert (... 02459 520 NtTestAlert (... 02460 1120 NtTestAlert (... 02461 1356 NtWaitForSingleObject (88, 0, 0x0, ... 02462 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02311 1404 NtWaitForSingleObject ... ) == 0x0 02444 1124 NtSetEventBoostPriority ... ) == 0x0 02446 312 NtTestAlert ... ) == 0x0 02447 776 NtTestAlert ... ) == 0x0 02448 380 NtTestAlert ... ) == 0x0 02449 624 NtTestAlert ... ) == 0x0 02450 752 NtTestAlert ... ) == 0x0 02451 1288 NtTestAlert ... ) == 0x0 02452 644 NtTestAlert ... ) == 0x0 02453 1924 NtTestAlert ... ) == 0x0 02454 1316 NtTestAlert ... ) == 0x0 02455 940 NtTestAlert ... ) == 0x0 02456 1628 NtTestAlert ... ) == 0x0 02457 876 NtTestAlert ... ) == 0x0 02458 1612 NtTestAlert ... ) == 0x0 02459 520 NtTestAlert ... ) == 0x0 02460 1120 NtTestAlert ... ) == 0x0 02463 1404 NtSetEventBoostPriority (88, ... 02462 1736 NtAllocateVirtualMemory ... 102563840, 1048576, ) == 0x0 02464 1124 NtTestAlert (... 02465 312 NtContinue (92077360, 1, ... 02466 776 NtContinue (91028784, 1, ... 02467 380 NtContinue (89980208, 1, ... 02468 624 NtContinue (88931632, 1, ... 02469 752 NtContinue (87883056, 1, ... 02470 1288 NtContinue (86834480, 1, ... 02471 644 NtContinue (85785904, 1, ... 02472 1924 NtContinue (84737328, 1, ... 02473 1316 NtContinue (83688752, 1, ... 02474 940 NtContinue (82640176, 1, ... 02475 1628 NtContinue (81591600, 1, ... 02476 876 NtContinue (80543024, 1, ... 02477 1612 NtContinue (79494448, 1, ... 02478 520 NtContinue (78445872, 1, ... 02323 476 NtWaitForSingleObject ... ) == 0x0 02463 1404 NtSetEventBoostPriority ... ) == 0x0 02479 1120 NtContinue (77397296, 1, ... 02480 1736 NtAllocateVirtualMemory (-1, 103604224, 0, 8192, 4096, 4, ... 02464 1124 NtTestAlert ... ) == 0x0 02481 312 NtRegisterThreadTerminatePort (24, ... 02482 776 NtRegisterThreadTerminatePort (24, ... 02483 380 NtRegisterThreadTerminatePort (24, ... 
02484 624 NtRegisterThreadTerminatePort (24, ... 02485 752 NtRegisterThreadTerminatePort (24, ... 02486 1288 NtRegisterThreadTerminatePort (24, ... 02487 644 NtRegisterThreadTerminatePort (24, ... 02488 1924 NtRegisterThreadTerminatePort (24, ... 02489 1316 NtRegisterThreadTerminatePort (24, ... 02490 940 NtRegisterThreadTerminatePort (24, ... 02491 1628 NtRegisterThreadTerminatePort (24, ... 02492 876 NtRegisterThreadTerminatePort (24, ... 02493 1612 NtRegisterThreadTerminatePort (24, ... 02494 476 NtSetEventBoostPriority (88, ... 02495 520 NtRegisterThreadTerminatePort (24, ... 02496 1484 NtTestAlert (... 02497 1120 NtRegisterThreadTerminatePort (24, ... 02480 1736 NtAllocateVirtualMemory ... 103604224, 8192, ) == 0x0 02498 1124 NtContinue (93125936, 1, ... 02481 312 NtRegisterThreadTerminatePort ... ) == 0x0 02482 776 NtRegisterThreadTerminatePort ... ) == 0x0 02483 380 NtRegisterThreadTerminatePort ... ) == 0x0 02484 624 NtRegisterThreadTerminatePort ... ) == 0x0 02485 752 NtRegisterThreadTerminatePort ... ) == 0x0 02486 1288 NtRegisterThreadTerminatePort ... ) == 0x0 02487 644 NtRegisterThreadTerminatePort ... ) == 0x0 02488 1924 NtRegisterThreadTerminatePort ... ) == 0x0 02489 1316 NtRegisterThreadTerminatePort ... ) == 0x0 02490 940 NtRegisterThreadTerminatePort ... ) == 0x0 02491 1628 NtRegisterThreadTerminatePort ... ) == 0x0 02492 876 NtRegisterThreadTerminatePort ... ) == 0x0 02336 1964 NtWaitForSingleObject ... ) == 0x0 02494 476 NtSetEventBoostPriority ... ) == 0x0 02493 1612 NtRegisterThreadTerminatePort ... ) == 0x0 02495 520 NtRegisterThreadTerminatePort ... ) == 0x0 02496 1484 NtTestAlert ... ) == 0x0 02497 1120 NtRegisterThreadTerminatePort ... ) == 0x0 02499 1736 NtProtectVirtualMemory (-1, (0x62ce000), 4096, 260, ... 02500 1124 NtRegisterThreadTerminatePort (24, ... 02501 312 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02502 776 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02503 380 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02504 624 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02505 752 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02506 1288 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02507 644 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02508 1924 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02509 1316 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02510 940 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02511 1628 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02512 1964 NtSetEventBoostPriority (88, ... 02513 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02514 1404 NtTestAlert (... 02515 1612 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02516 520 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02517 1484 NtContinue (76348720, 1, ... 02518 1120 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02519 476 NtTestAlert (... 02499 1736 NtProtectVirtualMemory ... (0x62ce000), 4096, 4, ) == 0x0 02500 1124 NtRegisterThreadTerminatePort ... ) == 0x0 02501 312 NtDuplicateObject ... 796, ) == 0x0 02502 776 NtDuplicateObject ... 800, ) == 0x0 02503 380 NtDuplicateObject ... 804, ) == 0x0 02504 624 NtDuplicateObject ... 808, ) == 0x0 02505 752 NtDuplicateObject ... 812, ) == 0x0 02506 1288 NtDuplicateObject ... 816, ) == 0x0 02507 644 NtDuplicateObject ... 820, ) == 0x0 02508 1924 NtDuplicateObject ... 824, ) == 0x0 02509 1316 NtDuplicateObject ... 828, ) == 0x0 02510 940 NtDuplicateObject ... 832, ) == 0x0 02348 740 NtWaitForSingleObject ... ) == 0x0 02512 1964 NtSetEventBoostPriority ... ) == 0x0 02511 1628 NtDuplicateObject ... 836, ) == 0x0 02514 1404 NtTestAlert ... ) == 0x0 02513 876 NtDuplicateObject ... 840, ) == 0x0 02515 1612 NtDuplicateObject ... 844, ) == 0x0 02520 1484 NtRegisterThreadTerminatePort (24, ... 02516 520 NtDuplicateObject ... 848, ) == 0x0 02519 476 NtTestAlert ... ) == 0x0 02521 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02522 1124 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02523 312 NtWaitForSingleObject (64, 0, {0, 0}, ... 
02524 776 NtWaitForSingleObject (64, 0, {0, 0}, ... 02525 380 NtWaitForSingleObject (64, 0, {0, 0}, ... 02526 624 NtWaitForSingleObject (64, 0, {0, 0}, ... 02527 752 NtWaitForSingleObject (64, 0, {0, 0}, ... 02528 1288 NtWaitForSingleObject (64, 0, {0, 0}, ... 02529 644 NtWaitForSingleObject (64, 0, {0, 0}, ... 02530 1924 NtWaitForSingleObject (64, 0, {0, 0}, ... 02531 1316 NtWaitForSingleObject (64, 0, {0, 0}, ... 02532 740 NtSetEventBoostPriority (88, ... 02533 940 NtWaitForSingleObject (64, 0, {0, 0}, ... 02518 1120 NtDuplicateObject ... 852, ) == 0x0 02534 1628 NtWaitForSingleObject (64, 0, {0, 0}, ... 02535 1404 NtContinue (94174512, 1, ... 02536 876 NtWaitForSingleObject (64, 0, {0, 0}, ... 02537 1612 NtWaitForSingleObject (64, 0, {0, 0}, ... 02520 1484 NtRegisterThreadTerminatePort ... ) == 0x0 02538 520 NtWaitForSingleObject (64, 0, {0, 0}, ... 02539 476 NtContinue (95223088, 1, ... 02521 1736 NtCreateThread ... 856, {1636, 1972}, ) == 0x0 02522 1124 NtDuplicateObject ... 860, ) == 0x0 02523 312 NtWaitForSingleObject ... ) == 0x102 02524 776 NtWaitForSingleObject ... ) == 0x102 02525 380 NtWaitForSingleObject ... ) == 0x102 02526 624 NtWaitForSingleObject ... ) == 0x102 02527 752 NtWaitForSingleObject ... ) == 0x102 02528 1288 NtWaitForSingleObject ... ) == 0x102 02529 644 NtWaitForSingleObject ... ) == 0x102 02530 1924 NtWaitForSingleObject ... ) == 0x102 02373 1624 NtWaitForSingleObject ... ) == 0x0 02532 740 NtSetEventBoostPriority ... ) == 0x0 02531 1316 NtWaitForSingleObject ... ) == 0x102 02533 940 NtWaitForSingleObject ... ) == 0x102 02540 1120 NtWaitForSingleObject (64, 0, {0, 0}, ... 02534 1628 NtWaitForSingleObject ... ) == 0x102 02541 1404 NtRegisterThreadTerminatePort (24, ... 02536 876 NtWaitForSingleObject ... ) == 0x102 02537 1612 NtWaitForSingleObject ... ) == 0x102 02542 1484 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02538 520 NtWaitForSingleObject ... ) == 0x102 02543 476 NtRegisterThreadTerminatePort (24, ... 
02544 1736 NtQueryInformationThread (856, Basic, 28, ... 02545 1124 NtWaitForSingleObject (64, 0, {0, 0}, ... 02546 312 NtWaitForSingleObject (136, 0, 0x0, ... 02547 776 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 02548 380 NtWaitForSingleObject (312, 0, 0x0, ... 02549 624 NtWaitForSingleObject (312, 0, 0x0, ... 02550 752 NtWaitForSingleObject (312, 0, 0x0, ... 02551 1288 NtWaitForSingleObject (312, 0, 0x0, ... 02552 644 NtWaitForSingleObject (312, 0, 0x0, ... 02553 1624 NtWaitForSingleObject (312, 0, 0x0, ... 02554 1924 NtWaitForSingleObject (312, 0, 0x0, ... 02555 1964 NtTestAlert (... 02556 1316 NtWaitForSingleObject (312, 0, 0x0, ... 02557 940 NtWaitForSingleObject (312, 0, 0x0, ... 02540 1120 NtWaitForSingleObject ... ) == 0x102 02558 1628 NtWaitForSingleObject (312, 0, 0x0, ... 02541 1404 NtRegisterThreadTerminatePort ... ) == 0x0 02559 876 NtWaitForSingleObject (312, 0, 0x0, ... 02560 1612 NtWaitForSingleObject (312, 0, 0x0, ... 02561 740 NtTestAlert (... 02562 520 NtWaitForSingleObject (312, 0, 0x0, ... 02543 476 NtRegisterThreadTerminatePort ... ) == 0x0 02544 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1636,Tid=1972,}, 0x0, ) == 0x0 02545 1124 NtWaitForSingleObject ... ) == 0x102 02547 776 NtAllocateVirtualMemory ... 1413120, 4096, ) == 0x0 02555 1964 NtTestAlert ... ) == 0x0 02563 1120 NtWaitForSingleObject (312, 0, 0x0, ... 02564 1404 NtWaitForSingleObject (312, 0, 0x0, ... 02561 740 NtTestAlert ... ) == 0x0 02565 476 NtWaitForSingleObject (312, 0, 0x0, ... 02566 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0d\6\0\0\264\7\0\0" ... ... 02542 1484 NtDuplicateObject ... 864, ) == 0x0 02567 1124 NtWaitForSingleObject (312, 0, 0x0, ... 02568 1964 NtContinue (96271664, 1, ... 02569 776 NtSetEventBoostPriority (312, ... 02570 740 NtContinue (97320240, 1, ... 
02571 1484 NtWaitForSingleObject (312, 0, 0x0, ... 02572 1964 NtRegisterThreadTerminatePort (24, ... 02548 380 NtWaitForSingleObject ... ) == 0x0 02569 776 NtSetEventBoostPriority ... ) == 0x0 02573 740 NtRegisterThreadTerminatePort (24, ... 02574 380 NtSetEventBoostPriority (312, ... 02572 1964 NtRegisterThreadTerminatePort ... ) == 0x0 02575 776 NtWaitForSingleObject (136, 0, 0x0, ... 02549 624 NtWaitForSingleObject ... ) == 0x0 02574 380 NtSetEventBoostPriority ... ) == 0x0 02573 740 NtRegisterThreadTerminatePort ... ) == 0x0 02576 1964 NtWaitForSingleObject (312, 0, 0x0, ... 02577 624 NtSetEventBoostPriority (312, ... 02566 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75588, 0} ... {28, 56, reply, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0d\6\0\0\264\7\0\0" ) ) == 0x0 02578 740 NtWaitForSingleObject (312, 0, 0x0, ... 02579 380 NtWaitForSingleObject (136, 0, 0x0, ... 02550 752 NtWaitForSingleObject ... ) == 0x0 02577 624 NtSetEventBoostPriority ... ) == 0x0 02580 1736 NtResumeThread (856, ... 02581 752 NtSetEventBoostPriority (312, ... 02551 1288 NtWaitForSingleObject ... ) == 0x0 02582 1288 NtSetEventBoostPriority (312, ... 02553 1624 NtWaitForSingleObject ... ) == 0x0 02583 1624 NtSetEventBoostPriority (312, ... 02552 644 NtWaitForSingleObject ... ) == 0x0 02584 644 NtSetEventBoostPriority (312, ... 02554 1924 NtWaitForSingleObject ... ) == 0x0 02585 1924 NtSetEventBoostPriority (312, ... 02556 1316 NtWaitForSingleObject ... ) == 0x0 02586 1316 NtSetEventBoostPriority (312, ... 02557 940 NtWaitForSingleObject ... ) == 0x0 02587 940 NtSetEventBoostPriority (312, ... 02558 1628 NtWaitForSingleObject ... ) == 0x0 02588 1628 NtSetEventBoostPriority (312, ... 02559 876 NtWaitForSingleObject ... ) == 0x0 02589 876 NtSetEventBoostPriority (312, ... 02560 1612 NtWaitForSingleObject ... ) == 0x0 02590 1612 NtSetEventBoostPriority (312, ... 02562 520 NtWaitForSingleObject ... ) == 0x0 02591 520 NtSetEventBoostPriority (312, ... 
02563 1120 NtWaitForSingleObject ... ) == 0x0 02592 1120 NtSetEventBoostPriority (312, ... 02564 1404 NtWaitForSingleObject ... ) == 0x0 02593 1404 NtSetEventBoostPriority (312, ... 02565 476 NtWaitForSingleObject ... ) == 0x0 02594 476 NtSetEventBoostPriority (312, ... 02567 1124 NtWaitForSingleObject ... ) == 0x0 02595 1124 NtSetEventBoostPriority (312, ... 02571 1484 NtWaitForSingleObject ... ) == 0x0 02596 1484 NtSetEventBoostPriority (312, ... 02576 1964 NtWaitForSingleObject ... ) == 0x0 02597 1964 NtSetEventBoostPriority (312, ... 02578 740 NtWaitForSingleObject ... ) == 0x0 02598 740 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 868, ) == 0x0 02599 740 NtWaitForSingleObject (64, 0, {0, 0}, ... 02596 1484 NtSetEventBoostPriority ... ) == 0x0 02595 1124 NtSetEventBoostPriority ... ) == 0x0 02592 1120 NtSetEventBoostPriority ... ) == 0x0 02591 520 NtSetEventBoostPriority ... ) == 0x0 02590 1612 NtSetEventBoostPriority ... ) == 0x0 02589 876 NtSetEventBoostPriority ... ) == 0x0 02588 1628 NtSetEventBoostPriority ... ) == 0x0 02587 940 NtSetEventBoostPriority ... ) == 0x0 02586 1316 NtSetEventBoostPriority ... ) == 0x0 02585 1924 NtSetEventBoostPriority ... ) == 0x0 02584 644 NtSetEventBoostPriority ... ) == 0x0 02583 1624 NtSetEventBoostPriority ... ) == 0x0 02582 1288 NtSetEventBoostPriority ... ) == 0x0 02581 752 NtSetEventBoostPriority ... ) == 0x0 02580 1736 NtResumeThread ... 1, ) == 0x0 02597 1964 NtSetEventBoostPriority ... ) == 0x0 02594 476 NtSetEventBoostPriority ... ) == 0x0 02593 1404 NtSetEventBoostPriority ... ) == 0x0 02600 624 NtWaitForSingleObject (136, 0, 0x0, ... 02599 740 NtWaitForSingleObject ... ) == 0x102 02601 1124 NtWaitForSingleObject (136, 0, 0x0, ... 02602 1484 NtWaitForSingleObject (64, 0, {0, 0}, ... 02603 1972 NtWaitForSingleObject (88, 0, 0x0, ... 02604 1120 NtWaitForSingleObject (136, 0, 0x0, ... 02605 520 NtWaitForSingleObject (136, 0, 0x0, ... 02606 1612 NtWaitForSingleObject (136, 0, 0x0, ... 
02607 876 NtWaitForSingleObject (136, 0, 0x0, ... 02608 1628 NtWaitForSingleObject (136, 0, 0x0, ... 02609 940 NtWaitForSingleObject (136, 0, 0x0, ... 02610 1316 NtWaitForSingleObject (136, 0, 0x0, ... 02611 1924 NtWaitForSingleObject (136, 0, 0x0, ... 02612 644 NtWaitForSingleObject (136, 0, 0x0, ... 02613 1624 NtSetEventBoostPriority (88, ... 02614 1288 NtWaitForSingleObject (136, 0, 0x0, ... 02615 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02616 1964 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02617 476 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02618 1404 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02619 740 NtWaitForSingleObject (136, 0, 0x0, ... 02620 752 NtWaitForSingleObject (136, 0, 0x0, ... 02602 1484 NtWaitForSingleObject ... ) == 0x102 02385 1716 NtWaitForSingleObject ... ) == 0x0 02613 1624 NtSetEventBoostPriority ... ) == 0x0 02615 1736 NtAllocateVirtualMemory ... 103612416, 1048576, ) == 0x0 02616 1964 NtDuplicateObject ... 872, ) == 0x0 02617 476 NtDuplicateObject ... 876, ) == 0x0 02618 1404 NtDuplicateObject ... 880, ) == 0x0 02621 1716 NtSetEventBoostPriority (88, ... 02622 1484 NtWaitForSingleObject (136, 0, 0x0, ... 02623 1624 NtTestAlert (... 02624 1736 NtAllocateVirtualMemory (-1, 104652800, 0, 8192, 4096, 4, ... 02625 1964 NtWaitForSingleObject (64, 0, {0, 0}, ... 02626 476 NtWaitForSingleObject (64, 0, {0, 0}, ... 02398 1440 NtWaitForSingleObject ... ) == 0x0 02621 1716 NtSetEventBoostPriority ... ) == 0x0 02623 1624 NtTestAlert ... ) == 0x0 02624 1736 NtAllocateVirtualMemory ... 104652800, 8192, ) == 0x0 02625 1964 NtWaitForSingleObject ... ) == 0x102 02627 1440 NtSetEventBoostPriority (88, ... 02626 476 NtWaitForSingleObject ... ) == 0x102 02628 1404 NtWaitForSingleObject (64, 0, {0, 0}, ... 02629 1624 NtContinue (98368816, 1, ... 02630 1736 NtProtectVirtualMemory (-1, (0x63ce000), 4096, 260, ... 02410 1516 NtWaitForSingleObject ... ) == 0x0 02627 1440 NtSetEventBoostPriority ... 
) == 0x0 02631 1964 NtWaitForSingleObject (136, 0, 0x0, ... 02632 476 NtWaitForSingleObject (136, 0, 0x0, ... 02628 1404 NtWaitForSingleObject ... ) == 0x102 02633 1624 NtRegisterThreadTerminatePort (24, ... 02634 1516 NtSetEventBoostPriority (88, ... 02630 1736 NtProtectVirtualMemory ... (0x63ce000), 4096, 4, ) == 0x0 02635 1716 NtTestAlert (... 02636 1404 NtWaitForSingleObject (136, 0, 0x0, ... 02637 1440 NtTestAlert (... 02445 1664 NtWaitForSingleObject ... ) == 0x0 02634 1516 NtSetEventBoostPriority ... ) == 0x0 02638 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02635 1716 NtTestAlert ... ) == 0x0 02639 1664 NtSetEventBoostPriority (88, ... 02637 1440 NtTestAlert ... ) == 0x0 02633 1624 NtRegisterThreadTerminatePort ... ) == 0x0 02638 1736 NtCreateThread ... 884, {1636, 780}, ) == 0x0 02461 1356 NtWaitForSingleObject ... ) == 0x0 02639 1664 NtSetEventBoostPriority ... ) == 0x0 02640 1716 NtContinue (99417392, 1, ... 02641 1440 NtContinue (100465968, 1, ... 02642 1624 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02643 1516 NtTestAlert (... 02644 1356 NtSetEventBoostPriority (88, ... 02645 1736 NtQueryInformationThread (884, Basic, 28, ... 02646 1716 NtRegisterThreadTerminatePort (24, ... 02647 1440 NtRegisterThreadTerminatePort (24, ... 02642 1624 NtDuplicateObject ... 888, ) == 0x0 02603 1972 NtWaitForSingleObject ... ) == 0x0 02644 1356 NtSetEventBoostPriority ... ) == 0x0 02643 1516 NtTestAlert ... ) == 0x0 02645 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1636,Tid=780,}, 0x0, ) == 0x0 02646 1716 NtRegisterThreadTerminatePort ... ) == 0x0 02648 1972 NtTestAlert (... 02649 1624 NtAllocateVirtualMemory (-1, 1417216, 0, 4096, 4096, 4, ... 02650 1664 NtTestAlert (... 02647 1440 NtRegisterThreadTerminatePort ... ) == 0x0 02651 1516 NtContinue (101514544, 1, ... 
02652 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0d\6\0\0\14\3\0\0" ... ... 02648 1972 NtTestAlert ... ) == 0x0 02653 1716 NtWaitForSingleObject (312, 0, 0x0, ... 02649 1624 NtAllocateVirtualMemory ... 1417216, 4096, ) == 0x0 02650 1664 NtTestAlert ... ) == 0x0 02654 1440 NtWaitForSingleObject (312, 0, 0x0, ... 02655 1516 NtRegisterThreadTerminatePort (24, ... 02652 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75589, 0} ... {28, 56, reply, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0d\6\0\0\14\3\0\0" ) ) == 0x0 02656 1356 NtWaitForSingleObject (312, 0, 0x0, ... 02657 1972 NtContinue (103611696, 1, ... 02658 1624 NtSetEventBoostPriority (312, ... 02659 1664 NtContinue (102563120, 1, ... 02655 1516 NtRegisterThreadTerminatePort ... ) == 0x0 02660 1736 NtResumeThread (884, ... 02661 1972 NtRegisterThreadTerminatePort (24, ... 02662 1664 NtRegisterThreadTerminatePort (24, ... 02663 1516 NtWaitForSingleObject (312, 0, 0x0, ... 02654 1440 NtWaitForSingleObject ... ) == 0x0 02658 1624 NtSetEventBoostPriority ... ) == 0x0 02661 1972 NtRegisterThreadTerminatePort ... ) == 0x0 02662 1664 NtRegisterThreadTerminatePort ... ) == 0x0 02660 1736 NtResumeThread ... 1, ) == 0x0 02664 1440 NtSetEventBoostPriority (312, ... 02665 1624 NtWaitForSingleObject (312, 0, 0x0, ... 02666 1972 NtWaitForSingleObject (312, 0, 0x0, ... 02667 1664 NtWaitForSingleObject (312, 0, 0x0, ... 02668 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02656 1356 NtWaitForSingleObject ... ) == 0x0 02664 1440 NtSetEventBoostPriority ... ) == 0x0 02669 780 NtWaitForSingleObject (312, 0, 0x0, ... 02670 1356 NtSetEventBoostPriority (312, ... 02668 1736 NtAllocateVirtualMemory ... 104660992, 1048576, ) == 0x0 02653 1716 NtWaitForSingleObject ... ) == 0x0 02670 1356 NtSetEventBoostPriority ... ) == 0x0 02671 1716 NtSetEventBoostPriority (312, ... 
02672 1736 NtAllocateVirtualMemory (-1, 105701376, 0, 8192, 4096, 4, ... 02665 1624 NtWaitForSingleObject ... ) == 0x0 02673 1356 NtSetEventBoostPriority (136, ... 02672 1736 NtAllocateVirtualMemory ... 105701376, 8192, ) == 0x0 02674 1624 NtSetEventBoostPriority (312, ... 02671 1716 NtSetEventBoostPriority ... ) == 0x0 02675 1440 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02676 1736 NtProtectVirtualMemory (-1, (0x64ce000), 4096, 260, ... 02666 1972 NtWaitForSingleObject ... ) == 0x0 02674 1624 NtSetEventBoostPriority ... ) == 0x0 02677 1716 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02675 1440 NtDuplicateObject ... 892, ) == 0x0 00693 868 NtWaitForSingleObject ... ) == 0x0 02673 1356 NtSetEventBoostPriority ... ) == 0x0 02678 1972 NtSetEventBoostPriority (312, ... 02676 1736 NtProtectVirtualMemory ... (0x64ce000), 4096, 4, ) == 0x0 02677 1716 NtDuplicateObject ... 896, ) == 0x0 02679 1440 NtWaitForSingleObject (312, 0, 0x0, ... 02680 868 NtWaitForSingleObject (312, 0, 0x0, ... 02663 1516 NtWaitForSingleObject ... ) == 0x0 02678 1972 NtSetEventBoostPriority ... ) == 0x0 02681 1356 NtWaitForSingleObject (312, 0, 0x0, ... 02682 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02683 1624 NtWaitForSingleObject (64, 0, {0, 0}, ... 02684 1516 NtSetEventBoostPriority (312, ... 02685 1716 NtWaitForSingleObject (312, 0, 0x0, ... 02682 1736 NtCreateThread ... 900, {1636, 1656}, ) == 0x0 02667 1664 NtWaitForSingleObject ... ) == 0x0 02683 1624 NtWaitForSingleObject ... ) == 0x102 02686 1736 NtQueryInformationThread (900, Basic, 28, ... 02687 1664 NtSetEventBoostPriority (312, ... 02688 1624 NtWaitForSingleObject (312, 0, 0x0, ... 02686 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1636,Tid=1656,}, 0x0, ) == 0x0 02669 780 NtWaitForSingleObject ... 
) == 0x0 02689 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0d\6\0\0x\6\0\0" ... ... 02690 780 NtSetEventBoostPriority (312, ... 02687 1664 NtSetEventBoostPriority ... ) == 0x0 02684 1516 NtSetEventBoostPriority ... ) == 0x0 02691 1972 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02679 1440 NtWaitForSingleObject ... ) == 0x0 02690 780 NtSetEventBoostPriority ... ) == 0x0 02692 1664 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02693 1516 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02694 1440 NtSetEventBoostPriority (312, ... 02691 1972 NtDuplicateObject ... 904, ) == 0x0 02689 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75590, 0} ... {28, 56, reply, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0d\6\0\0x\6\0\0" ) ) == 0x0 02692 1664 NtDuplicateObject ... 908, ) == 0x0 02680 868 NtWaitForSingleObject ... ) == 0x0 02694 1440 NtSetEventBoostPriority ... ) == 0x0 02693 1516 NtDuplicateObject ... 912, ) == 0x0 02695 1972 NtWaitForSingleObject (312, 0, 0x0, ... 02696 1736 NtResumeThread (900, ... 02697 780 NtTestAlert (... 02698 868 NtSetEventBoostPriority (312, ... 02699 1664 NtWaitForSingleObject (312, 0, 0x0, ... 02700 1440 NtWaitForSingleObject (312, 0, 0x0, ... 02696 1736 NtResumeThread ... 1, ) == 0x0 02681 1356 NtWaitForSingleObject ... ) == 0x0 02698 868 NtSetEventBoostPriority ... ) == 0x0 02697 780 NtTestAlert ... ) == 0x0 02701 1356 NtSetEventBoostPriority (312, ... 02702 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02703 1516 NtWaitForSingleObject (312, 0, 0x0, ... 02704 1656 NtWaitForSingleObject (312, 0, 0x0, ... 02685 1716 NtWaitForSingleObject ... ) == 0x0 02701 1356 NtSetEventBoostPriority ... ) == 0x0 02705 780 NtContinue (104660272, 1, ... 02702 1736 NtAllocateVirtualMemory ... 105709568, 1048576, ) == 0x0 02706 1716 NtSetEventBoostPriority (312, ... 
02707 868 NtWaitForSingleObject (312, 0, 0x0, ... 02708 780 NtRegisterThreadTerminatePort (24, ... 02709 1356 NtWaitForSingleObject (312, 0, 0x0, ... 02688 1624 NtWaitForSingleObject ... ) == 0x0 02706 1716 NtSetEventBoostPriority ... ) == 0x0 02708 780 NtRegisterThreadTerminatePort ... ) == 0x0 02710 1624 NtSetEventBoostPriority (312, ... 02711 1716 NtWaitForSingleObject (312, 0, 0x0, ... 02695 1972 NtWaitForSingleObject ... ) == 0x0 02710 1624 NtSetEventBoostPriority ... ) == 0x0 02712 780 NtWaitForSingleObject (312, 0, 0x0, ... 02713 1736 NtAllocateVirtualMemory (-1, 106749952, 0, 8192, 4096, 4, ... 02714 1972 NtSetEventBoostPriority (312, ... 02715 1624 NtWaitForSingleObject (136, 0, 0x0, ... 02699 1664 NtWaitForSingleObject ... ) == 0x0 02714 1972 NtSetEventBoostPriority ... ) == 0x0 02713 1736 NtAllocateVirtualMemory ... 106749952, 8192, ) == 0x0 02716 1664 NtSetEventBoostPriority (312, ... 02700 1440 NtWaitForSingleObject ... ) == 0x0 02717 1440 NtSetEventBoostPriority (312, ... 02703 1516 NtWaitForSingleObject ... ) == 0x0 02718 1516 NtSetEventBoostPriority (312, ... 02704 1656 NtWaitForSingleObject ... ) == 0x0 02719 1656 NtSetEventBoostPriority (312, ... 02707 868 NtWaitForSingleObject ... ) == 0x0 02720 868 NtSetEventBoostPriority (312, ... 02709 1356 NtWaitForSingleObject ... ) == 0x0 02721 1356 NtSetEventBoostPriority (312, ... 02711 1716 NtWaitForSingleObject ... ) == 0x0 02722 1716 NtSetEventBoostPriority (312, ... 02712 780 NtWaitForSingleObject ... ) == 0x0 02723 780 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 916, ) == 0x0 02724 780 NtWaitForSingleObject (64, 0, {0, 0}, ... 02721 1356 NtSetEventBoostPriority ... ) == 0x0 02725 1356 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02720 868 NtSetEventBoostPriority ... ) == 0x0 02719 1656 NtSetEventBoostPriority ... ) == 0x0 02718 1516 NtSetEventBoostPriority ... ) == 0x0 02717 1440 NtSetEventBoostPriority ... ) == 0x0 02716 1664 NtSetEventBoostPriority ... 
) == 0x0 02726 1736 NtProtectVirtualMemory (-1, (0x65ce000), 4096, 260, ... 02722 1716 NtSetEventBoostPriority ... ) == 0x0 02727 1972 NtWaitForSingleObject (64, 0, {0, 0}, ... 02724 780 NtWaitForSingleObject ... ) == 0x102 02728 868 NtSetEventBoostPriority (136, ... 02725 1356 NtCreateEvent ... 920, ) == 0x0 02729 1516 NtWaitForSingleObject (64, 0, {0, 0}, ... 02730 1440 NtWaitForSingleObject (64, 0, {0, 0}, ... 02731 1664 NtWaitForSingleObject (64, 0, {0, 0}, ... 02726 1736 NtProtectVirtualMemory ... (0x65ce000), 4096, 4, ) == 0x0 02732 1716 NtWaitForSingleObject (64, 0, {0, 0}, ... 02727 1972 NtWaitForSingleObject ... ) == 0x102 02733 780 NtWaitForSingleObject (136, 0, 0x0, ... 02734 1656 NtTestAlert (... 02735 1356 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12119220, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12119220, 188, ... 00695 896 NtWaitForSingleObject ... ) == 0x0 02728 868 NtSetEventBoostPriority ... ) == 0x0 02729 1516 NtWaitForSingleObject ... ) == 0x102 02730 1440 NtWaitForSingleObject ... ) == 0x102 02736 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02737 1972 NtWaitForSingleObject (136, 0, 0x0, ... 02734 1656 NtTestAlert ... ) == 0x0 02738 896 NtSetEventBoostPriority (136, ... 02739 868 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02735 1356 NtConnectPort ... 924, 0x0, 0x0, 0x0, 188, ) == 0x0 02740 1516 NtWaitForSingleObject (136, 0, 0x0, ... 02741 1440 NtWaitForSingleObject (136, 0, 0x0, ... 02736 1736 NtCreateThread ... 928, {1636, 1248}, ) == 0x0 02742 1656 NtContinue (105708848, 1, ... 00696 1252 NtWaitForSingleObject ... ) == 0x0 02738 896 NtSetEventBoostPriority ... ) == 0x0 02739 868 NtCreateEvent ... 
932, ) == 0x0 02743 1356 NtRequestWaitReplyPort (924, {200, 224, new_msg, 0, 1382912, 12, 2, 1310721} (924, {200, 224, new_msg, 0, 1382912, 12, 2, 1310721} "\0\4\24\0\274\0\0\0\204B\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0p\4\24\0\4\0\0\0\5\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\330\252\25\0\232\274\15o\270\247\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\200(\0\0\0\300\247\25\0\330\252\25\0\230\4\24\0\340\247\25\0d\1\24\0\0\0\0\0\0\0\0\0\340\247\25\0P\0\0\0\350\247\25\0\360\6\221|p\4\24\0P\0\0\0\346\31\0\0\0\0\24\04\353\270\0\372\31\221|\310\362\270\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 02731 1664 NtWaitForSingleObject ... ) == 0x102 02732 1716 NtWaitForSingleObject ... ) == 0x102 02744 1252 NtSetEventBoostPriority (136, ... 02745 1656 NtRegisterThreadTerminatePort (24, ... 02746 1736 NtQueryInformationThread (928, Basic, 28, ... 02747 868 NtAllocateVirtualMemory (-1, 1421312, 0, 4096, 4096, 4, ... 02748 1664 NtWaitForSingleObject (312, 0, 0x0, ... 00698 808 NtWaitForSingleObject ... ) == 0x0 02749 1716 NtWaitForSingleObject (312, 0, 0x0, ... 02745 1656 NtRegisterThreadTerminatePort ... ) == 0x0 02746 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1636,Tid=1248,}, 0x0, ) == 0x0 02747 868 NtAllocateVirtualMemory ... 1421312, 4096, ) == 0x0 02750 808 NtWaitForSingleObject (312, 0, 0x0, ... 02751 1656 NtWaitForSingleObject (312, 0, 0x0, ... 02752 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0d\6\0\0\340\4\0\0" ... ... 02753 868 NtSetEventBoostPriority (312, ... 02744 1252 NtSetEventBoostPriority ... ) == 0x0 02754 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02743 1356 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1636, 1356, 75592, 0} ... 
{200, 224, reply, 0, 1636, 1356, 75592, 0} "\7\4\24\0\274\0\0\0\204B\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\5\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\5\0\0\0\330\252\25\0\232\274\15o\270\247\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\200(\0\0\0\300\247\25\0\330\252\25\0\230\4\24\0\340\247\25\0d\1\24\0\0\0\0\0\0\0\0\0\340\247\25\0P\0\0\0\350\247\25\0\360\6\221|p\4\24\0P\0\0\0\346\31\0\0\0\0\24\04\353\270\0\372\31\221|\310\362\270\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 02752 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75593, 0} ... {28, 56, reply, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0d\6\0\0\340\4\0\0" ) ) == 0x0 02755 1252 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02754 896 NtCreateEvent ... 936, ) == 0x0 02756 1356 NtRequestWaitReplyPort (924, {64, 88, new_msg, 0, 1636, 1356, 75540, 0} (924, {64, 88, new_msg, 0, 1636, 1356, 75540, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02757 1736 NtResumeThread (928, ... 02755 1252 NtCreateEvent ... 940, ) == 0x0 02758 896 NtWaitForSingleObject (312, 0, 0x0, ... 02756 1356 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1636, 1356, 75594, 0} ... {52, 76, reply, 0, 1636, 1356, 75594, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 02748 1664 NtWaitForSingleObject ... ) == 0x0 02753 868 NtSetEventBoostPriority ... ) == 0x0 02757 1736 NtResumeThread ... 1, ) == 0x0 02759 1356 NtWaitForSingleObject (312, 0, 0x0, ... 02760 1664 NtSetEventBoostPriority (312, ... 02761 868 NtWaitForSingleObject (312, 0, 0x0, ... 02762 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02749 1716 NtWaitForSingleObject ... ) == 0x0 02760 1664 NtSetEventBoostPriority ... 
) == 0x0 02763 1716 NtSetEventBoostPriority (312, ... 02762 1736 NtAllocateVirtualMemory ... 106758144, 1048576, ) == 0x0 02764 1252 NtWaitForSingleObject (312, 0, 0x0, ... 02765 1248 NtWaitForSingleObject (312, 0, 0x0, ... 02750 808 NtWaitForSingleObject ... ) == 0x0 02763 1716 NtSetEventBoostPriority ... ) == 0x0 02766 1736 NtAllocateVirtualMemory (-1, 107798528, 0, 8192, 4096, 4, ... 02767 808 NtSetEventBoostPriority (312, ... 02768 1664 NtWaitForSingleObject (136, 0, 0x0, ... 02751 1656 NtWaitForSingleObject ... ) == 0x0 02767 808 NtSetEventBoostPriority ... ) == 0x0 02766 1736 NtAllocateVirtualMemory ... 107798528, 8192, ) == 0x0 02769 1656 NtSetEventBoostPriority (312, ... 02770 1716 NtWaitForSingleObject (136, 0, 0x0, ... 02758 896 NtWaitForSingleObject ... ) == 0x0 02771 1736 NtProtectVirtualMemory (-1, (0x66ce000), 4096, 260, ... 02772 896 NtSetEventBoostPriority (312, ... 02769 1656 NtSetEventBoostPriority ... ) == 0x0 02773 808 NtWaitForSingleObject (312, 0, 0x0, ... 02759 1356 NtWaitForSingleObject ... ) == 0x0 02772 896 NtSetEventBoostPriority ... ) == 0x0 02774 1656 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02775 1356 NtSetEventBoostPriority (312, ... 02771 1736 NtProtectVirtualMemory ... (0x66ce000), 4096, 4, ) == 0x0 02761 868 NtWaitForSingleObject ... ) == 0x0 02775 1356 NtSetEventBoostPriority ... ) == 0x0 02774 1656 NtDuplicateObject ... 944, ) == 0x0 02776 868 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 02777 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02778 896 NtWaitForSingleObject (312, 0, 0x0, ... 02779 1356 NtClose (920, ... 02776 868 NtAllocateVirtualMemory ... 1425408, 4096, ) == 0x0 02777 1736 NtCreateThread ... 948, {1636, 1036}, ) == 0x0 02779 1356 NtClose ... ) == 0x0 02780 1656 NtWaitForSingleObject (312, 0, 0x0, ... 02781 1736 NtQueryInformationThread (948, Basic, 28, ... 02782 1356 NtClose (924, ... 02781 1736 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1636,Tid=1036,}, 0x0, ) == 0x0 02782 1356 NtClose ... ) == 0x0 02783 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75593, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0d\6\0\0\14\4\0\0" ... ... 02784 1356 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02785 868 NtSetEventBoostPriority (312, ... 02784 1356 NtCreateKey ... 924, 2, ) == 0x0 02764 1252 NtWaitForSingleObject ... ) == 0x0 02785 868 NtSetEventBoostPriority ... ) == 0x0 02783 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75596, 0} ... {28, 56, reply, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0d\6\0\0\14\4\0\0" ) ) == 0x0 02786 1252 NtSetEventBoostPriority (312, ... 02787 868 NtWaitForSingleObject (312, 0, 0x0, ... 02765 1248 NtWaitForSingleObject ... ) == 0x0 02786 1252 NtSetEventBoostPriority ... ) == 0x0 02788 1736 NtResumeThread (948, ... 02789 1248 NtSetEventBoostPriority (312, ... 02790 1252 NtWaitForSingleObject (312, 0, 0x0, ... 02773 808 NtWaitForSingleObject ... ) == 0x0 02789 1248 NtSetEventBoostPriority ... ) == 0x0 02788 1736 NtResumeThread ... 1, ) == 0x0 02791 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02792 808 NtSetEventBoostPriority (312, ... 02793 1036 NtWaitForSingleObject (88, 0, 0x0, ... 02794 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02778 896 NtWaitForSingleObject ... ) == 0x0 02792 808 NtSetEventBoostPriority ... ) == 0x0 02791 1356 NtOpenKey ... 920, ) == 0x0 02795 896 NtSetEventBoostPriority (312, ... 02794 1736 NtAllocateVirtualMemory ... 
107806720, 1048576, ) == 0x0 02796 808 NtWaitForSingleObject (312, 0, 0x0, ... 02780 1656 NtWaitForSingleObject ... ) == 0x0 02795 896 NtSetEventBoostPriority ... ) == 0x0 02797 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02798 1248 NtSetEventBoostPriority (88, ... 02799 1736 NtAllocateVirtualMemory (-1, 108847104, 0, 8192, 4096, 4, ... 02800 1656 NtSetEventBoostPriority (312, ... 02801 896 NtWaitForSingleObject (312, 0, 0x0, ... 02797 1356 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02793 1036 NtWaitForSingleObject ... ) == 0x0 02798 1248 NtSetEventBoostPriority ... ) == 0x0 02787 868 NtWaitForSingleObject ... ) == 0x0 02800 1656 NtSetEventBoostPriority ... ) == 0x0 02799 1736 NtAllocateVirtualMemory ... 108847104, 8192, ) == 0x0 02802 1036 NtTestAlert (... 02803 1356 NtQueryValueKey (924, (924, "Hostname", Partial, 144, ... , Partial, 144, ... 02804 868 NtSetEventBoostPriority (312, ... 02805 1248 NtTestAlert (... 02806 1656 NtWaitForSingleObject (312, 0, 0x0, ... 02802 1036 NtTestAlert ... ) == 0x0 02807 1736 NtProtectVirtualMemory (-1, (0x67ce000), 4096, 260, ... 02790 1252 NtWaitForSingleObject ... ) == 0x0 02804 868 NtSetEventBoostPriority ... ) == 0x0 02803 1356 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 02805 1248 NtTestAlert ... ) == 0x0 02808 1252 NtAllocateVirtualMemory (-1, 1429504, 0, 4096, 4096, 4, ... 02807 1736 NtProtectVirtualMemory ... (0x67ce000), 4096, 4, ) == 0x0 02809 1036 NtContinue (107806000, 1, ... 02810 868 NtWaitForSingleObject (312, 0, 0x0, ... 02808 1252 NtAllocateVirtualMemory ... 1429504, 4096, ) == 0x0 02811 1248 NtContinue (106757424, 1, ... 02812 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02813 1036 NtRegisterThreadTerminatePort (24, ... 02814 1252 NtSetEventBoostPriority (312, ... 
02815 1248 NtRegisterThreadTerminatePort (24, ... 02812 1736 NtCreateThread ... 952, {1636, 760}, ) == 0x0 02796 808 NtWaitForSingleObject ... ) == 0x0 02813 1036 NtRegisterThreadTerminatePort ... ) == 0x0 02814 1252 NtSetEventBoostPriority ... ) == 0x0 02816 1356 NtQueryValueKey (924, (924, "Hostname", Partial, 144, ... , Partial, 144, ... 02815 1248 NtRegisterThreadTerminatePort ... ) == 0x0 02817 808 NtSetEventBoostPriority (312, ... 02818 1036 NtWaitForSingleObject (312, 0, 0x0, ... 02819 1736 NtQueryInformationThread (952, Basic, 28, ... 02816 1356 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 02820 1248 NtWaitForSingleObject (312, 0, 0x0, ... 02801 896 NtWaitForSingleObject ... ) == 0x0 02819 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1636,Tid=760,}, 0x0, ) == 0x0 02821 1356 NtClose (924, ... 02822 896 NtSetEventBoostPriority (312, ... 02823 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0d\6\0\0\370\2\0\0" ... ... 02821 1356 NtClose ... ) == 0x0 02806 1656 NtWaitForSingleObject ... ) == 0x0 02823 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75597, 0} ... {28, 56, reply, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0d\6\0\0\370\2\0\0" ) ) == 0x0 02824 1356 NtClose (920, ... 02825 1656 NtSetEventBoostPriority (312, ... 02826 1736 NtResumeThread (952, ... 02824 1356 NtClose ... ) == 0x0 02810 868 NtWaitForSingleObject ... ) == 0x0 02825 1656 NtSetEventBoostPriority ... ) == 0x0 02822 896 NtSetEventBoostPriority ... ) == 0x0 02817 808 NtSetEventBoostPriority ... ) == 0x0 02827 1252 NtWaitForSingleObject (312, 0, 0x0, ... 02826 1736 NtResumeThread ... 1, ) == 0x0 02828 868 NtSetEventBoostPriority (312, ... 02829 1656 NtWaitForSingleObject (64, 0, {0, 0}, ... 
02830 896 NtWaitForSingleObject (312, 0, 0x0, ... 02831 808 NtSetEventBoostPriority (136, ... 02832 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02818 1036 NtWaitForSingleObject ... ) == 0x0 02828 868 NtSetEventBoostPriority ... ) == 0x0 00699 2020 NtWaitForSingleObject ... ) == 0x0 02831 808 NtSetEventBoostPriority ... ) == 0x0 02833 1036 NtSetEventBoostPriority (312, ... 02832 1736 NtAllocateVirtualMemory ... 108855296, 1048576, ) == 0x0 02834 2020 NtWaitForSingleObject (312, 0, 0x0, ... 02835 868 NtWaitForSingleObject (312, 0, 0x0, ... 02836 1356 NtWaitForSingleObject (312, 0, 0x0, ... 02837 760 NtTestAlert (... 02829 1656 NtWaitForSingleObject ... ) == 0x102 02820 1248 NtWaitForSingleObject ... ) == 0x0 02833 1036 NtSetEventBoostPriority ... ) == 0x0 02838 1736 NtAllocateVirtualMemory (-1, 109895680, 0, 8192, 4096, 4, ... 02839 808 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02837 760 NtTestAlert ... ) == 0x0 02840 1248 NtSetEventBoostPriority (312, ... 02841 1656 NtWaitForSingleObject (136, 0, 0x0, ... 02838 1736 NtAllocateVirtualMemory ... 109895680, 8192, ) == 0x0 02839 808 NtCreateEvent ... 920, ) == 0x0 02827 1252 NtWaitForSingleObject ... ) == 0x0 02840 1248 NtSetEventBoostPriority ... ) == 0x0 02842 760 NtContinue (108854576, 1, ... 02843 1736 NtProtectVirtualMemory (-1, (0x68ce000), 4096, 260, ... 02844 1252 NtAllocateVirtualMemory (-1, 1433600, 0, 4096, 4096, 4, ... 02845 808 NtWaitForSingleObject (312, 0, 0x0, ... 02846 1036 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02847 760 NtRegisterThreadTerminatePort (24, ... 02848 1248 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02844 1252 NtAllocateVirtualMemory ... 1433600, 4096, ) == 0x0 02846 1036 NtDuplicateObject ... 924, ) == 0x0 02847 760 NtRegisterThreadTerminatePort ... ) == 0x0 02849 1252 NtSetEventBoostPriority (312, ... 02848 1248 NtDuplicateObject ... 956, ) == 0x0 02850 1036 NtWaitForSingleObject (312, 0, 0x0, ... 02843 1736 NtProtectVirtualMemory ... 
(0x68ce000), 4096, 4, ) == 0x0 02851 760 NtWaitForSingleObject (312, 0, 0x0, ... 02852 1248 NtWaitForSingleObject (312, 0, 0x0, ... 02853 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 960, {1636, 860}, ) == 0x0 02854 1736 NtQueryInformationThread (960, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1636,Tid=860,}, 0x0, ) == 0x0 02855 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0d\6\0\0\\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0d\6\0\0\\3\0\0" ) ... {28, 56, reply, 0, 1636, 1736, 75598, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0d\6\0\0\\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0d\6\0\0\\3\0\0" ) ) == 0x0 02856 1736 NtResumeThread (960, ... 1, ) == 0x0 02857 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 109903872, 1048576, ) == 0x0 02830 896 NtWaitForSingleObject ... ) == 0x0 02849 1252 NtSetEventBoostPriority ... ) == 0x0 02858 860 NtWaitForSingleObject (312, 0, 0x0, ... 02859 896 NtSetEventBoostPriority (312, ... 02860 1252 NtWaitForSingleObject (312, 0, 0x0, ... 02834 2020 NtWaitForSingleObject ... ) == 0x0 02859 896 NtSetEventBoostPriority ... ) == 0x0 02861 2020 NtSetEventBoostPriority (312, ... 02862 1736 NtAllocateVirtualMemory (-1, 110944256, 0, 8192, 4096, 4, ... 02836 1356 NtWaitForSingleObject ... ) == 0x0 02861 2020 NtSetEventBoostPriority ... ) == 0x0 02863 1356 NtSetEventBoostPriority (312, ... 02862 1736 NtAllocateVirtualMemory ... 110944256, 8192, ) == 0x0 02864 896 NtWaitForSingleObject (312, 0, 0x0, ... 02835 868 NtWaitForSingleObject ... ) == 0x0 02863 1356 NtSetEventBoostPriority ... ) == 0x0 02865 1736 NtProtectVirtualMemory (-1, (0x69ce000), 4096, 260, ... 02866 868 NtSetEventBoostPriority (312, ... 
02867 1356 NtWaitForSingleObject (312, 0, 0x0, ... 02845 808 NtWaitForSingleObject ... ) == 0x0 02865 1736 NtProtectVirtualMemory ... (0x69ce000), 4096, 4, ) == 0x0 02866 868 NtSetEventBoostPriority ... ) == 0x0 02868 2020 NtSetEventBoostPriority (136, ... 02869 808 NtSetEventBoostPriority (312, ... 02870 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02871 868 NtWaitForSingleObject (312, 0, 0x0, ... 00802 1180 NtWaitForSingleObject ... ) == 0x0 02868 2020 NtSetEventBoostPriority ... ) == 0x0 02850 1036 NtWaitForSingleObject ... ) == 0x0 02869 808 NtSetEventBoostPriority ... ) == 0x0 02870 1736 NtCreateThread ... 964, {1636, 484}, ) == 0x0 02872 1180 NtWaitForSingleObject (312, 0, 0x0, ... 02873 1036 NtSetEventBoostPriority (312, ... 02874 2020 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02875 808 NtWaitForSingleObject (312, 0, 0x0, ... 02851 760 NtWaitForSingleObject ... ) == 0x0 02873 1036 NtSetEventBoostPriority ... ) == 0x0 02874 2020 NtCreateEvent ... 968, ) == 0x0 02876 760 NtSetEventBoostPriority (312, ... 02877 1736 NtQueryInformationThread (964, Basic, 28, ... 02852 1248 NtWaitForSingleObject ... ) == 0x0 02876 760 NtSetEventBoostPriority ... ) == 0x0 02878 2020 NtWaitForSingleObject (312, 0, 0x0, ... 02879 1248 NtSetEventBoostPriority (312, ... 02877 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1636,Tid=484,}, 0x0, ) == 0x0 02880 760 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02858 860 NtWaitForSingleObject ... ) == 0x0 02879 1248 NtSetEventBoostPriority ... ) == 0x0 02881 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0d\6\0\0\344\1\0\0" ... ... 02882 1036 NtWaitForSingleObject (312, 0, 0x0, ... 02883 860 NtSetEventBoostPriority (312, ... 02880 760 NtDuplicateObject ... 972, ) == 0x0 02881 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75599, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0d\6\0\0\344\1\0\0" ) ) == 0x0 02860 1252 NtWaitForSingleObject ... ) == 0x0 02883 860 NtSetEventBoostPriority ... ) == 0x0 02884 760 NtWaitForSingleObject (312, 0, 0x0, ... 02885 1252 NtSetEventBoostPriority (312, ... 02886 1736 NtResumeThread (964, ... 02887 1248 NtWaitForSingleObject (312, 0, 0x0, ... 02864 896 NtWaitForSingleObject ... ) == 0x0 02885 1252 NtSetEventBoostPriority ... ) == 0x0 02888 860 NtTestAlert (... 02889 896 NtSetEventBoostPriority (312, ... 02886 1736 NtResumeThread ... 1, ) == 0x0 02871 868 NtWaitForSingleObject ... ) == 0x0 02889 896 NtSetEventBoostPriority ... ) == 0x0 02888 860 NtTestAlert ... ) == 0x0 02890 868 NtSetEventBoostPriority (312, ... 02891 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02892 896 NtWaitForSingleObject (312, 0, 0x0, ... 02867 1356 NtWaitForSingleObject ... ) == 0x0 02890 868 NtSetEventBoostPriority ... ) == 0x0 02893 860 NtContinue (109903152, 1, ... 02891 1736 NtAllocateVirtualMemory ... 110952448, 1048576, ) == 0x0 02894 1252 NtWaitForSingleObject (312, 0, 0x0, ... 02895 484 NtTestAlert (... 02896 1356 NtSetEventBoostPriority (312, ... 02897 860 NtRegisterThreadTerminatePort (24, ... 02898 1736 NtAllocateVirtualMemory (-1, 111992832, 0, 8192, 4096, 4, ... 02872 1180 NtWaitForSingleObject ... ) == 0x0 02895 484 NtTestAlert ... ) == 0x0 02897 860 NtRegisterThreadTerminatePort ... ) == 0x0 02899 1180 NtSetEventBoostPriority (312, ... 02898 1736 NtAllocateVirtualMemory ... 111992832, 8192, ) == 0x0 02900 484 NtContinue (110951728, 1, ... 02875 808 NtWaitForSingleObject ... ) == 0x0 02899 1180 NtSetEventBoostPriority ... ) == 0x0 02901 860 NtWaitForSingleObject (312, 0, 0x0, ... 02902 1736 NtProtectVirtualMemory (-1, (0x6ace000), 4096, 260, ... 02903 808 NtSetEventBoostPriority (312, ... 02904 484 NtRegisterThreadTerminatePort (24, ... 02896 1356 NtSetEventBoostPriority ... 
) == 0x0 02905 868 NtAllocateVirtualMemory (-1, 13422592, 0, 4096, 4096, 260, ... 02906 1180 NtSetEventBoostPriority (136, ... 02878 2020 NtWaitForSingleObject ... ) == 0x0 02903 808 NtSetEventBoostPriority ... ) == 0x0 02904 484 NtRegisterThreadTerminatePort ... ) == 0x0 02907 1356 NtWaitForSingleObject (312, 0, 0x0, ... 02905 868 NtAllocateVirtualMemory ... 13422592, 4096, ) == 0x0 02908 2020 NtSetEventBoostPriority (312, ... 00808 384 NtWaitForSingleObject ... ) == 0x0 02906 1180 NtSetEventBoostPriority ... ) == 0x0 02909 808 NtWaitForSingleObject (312, 0, 0x0, ... 02902 1736 NtProtectVirtualMemory ... (0x6ace000), 4096, 4, ) == 0x0 02882 1036 NtWaitForSingleObject ... ) == 0x0 02910 384 NtWaitForSingleObject (312, 0, 0x0, ... 02908 2020 NtSetEventBoostPriority ... ) == 0x0 02911 868 NtWaitForSingleObject (312, 0, 0x0, ... 02912 1180 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02913 484 NtWaitForSingleObject (312, 0, 0x0, ... 02914 1036 NtSetEventBoostPriority (312, ... 02915 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02912 1180 NtCreateEvent ... 976, ) == 0x0 02884 760 NtWaitForSingleObject ... ) == 0x0 02914 1036 NtSetEventBoostPriority ... ) == 0x0 02915 1736 NtCreateThread ... 980, {1636, 1580}, ) == 0x0 02916 760 NtSetEventBoostPriority (312, ... 02917 1180 NtWaitForSingleObject (312, 0, 0x0, ... 02918 1036 NtWaitForSingleObject (312, 0, 0x0, ... 02887 1248 NtWaitForSingleObject ... ) == 0x0 02916 760 NtSetEventBoostPriority ... ) == 0x0 02919 1736 NtQueryInformationThread (980, Basic, 28, ... 02920 2020 NtWaitForSingleObject (312, 0, 0x0, ... 02921 1248 NtSetEventBoostPriority (312, ... 02919 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1636,Tid=1580,}, 0x0, ) == 0x0 02892 896 NtWaitForSingleObject ... ) == 0x0 02921 1248 NtSetEventBoostPriority ... ) == 0x0 02922 896 NtSetEventBoostPriority (312, ... 
02923 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0d\6\0\0,\6\0\0" ... ... 02894 1252 NtWaitForSingleObject ... ) == 0x0 02924 1248 NtWaitForSingleObject (312, 0, 0x0, ... 02922 896 NtSetEventBoostPriority ... ) == 0x0 02925 760 NtWaitForSingleObject (312, 0, 0x0, ... 02926 1252 NtSetEventBoostPriority (312, ... 02923 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75600, 0} ... {28, 56, reply, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0d\6\0\0,\6\0\0" ) ) == 0x0 02927 896 NtWaitForSingleObject (312, 0, 0x0, ... 02901 860 NtWaitForSingleObject ... ) == 0x0 02926 1252 NtSetEventBoostPriority ... ) == 0x0 02928 1736 NtResumeThread (980, ... 02929 860 NtSetEventBoostPriority (312, ... 02930 1252 NtWaitForSingleObject (312, 0, 0x0, ... 02907 1356 NtWaitForSingleObject ... ) == 0x0 02928 1736 NtResumeThread ... 1, ) == 0x0 02929 860 NtSetEventBoostPriority ... ) == 0x0 02931 1356 NtSetEventBoostPriority (312, ... 02932 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02933 860 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02910 384 NtWaitForSingleObject ... ) == 0x0 02931 1356 NtSetEventBoostPriority ... ) == 0x0 02932 1736 NtAllocateVirtualMemory ... 112001024, 1048576, ) == 0x0 02934 384 NtSetEventBoostPriority (312, ... 02933 860 NtDuplicateObject ... 984, ) == 0x0 02935 1580 NtWaitForSingleObject (312, 0, 0x0, ... 02936 1356 NtWaitForSingleObject (312, 0, 0x0, ... 02909 808 NtWaitForSingleObject ... ) == 0x0 02934 384 NtSetEventBoostPriority ... ) == 0x0 02937 1736 NtAllocateVirtualMemory (-1, 113041408, 0, 8192, 4096, 4, ... 02938 808 NtSetEventBoostPriority (312, ... 02939 860 NtWaitForSingleObject (312, 0, 0x0, ... 02911 868 NtWaitForSingleObject ... ) == 0x0 02937 1736 NtAllocateVirtualMemory ... 113041408, 8192, ) == 0x0 02940 868 NtSetEventBoostPriority (312, ... 
02941 1736 NtProtectVirtualMemory (-1, (0x6bce000), 4096, 260, ... 02913 484 NtWaitForSingleObject ... ) == 0x0 02940 868 NtSetEventBoostPriority ... ) == 0x0 02942 484 NtSetEventBoostPriority (312, ... 02941 1736 NtProtectVirtualMemory ... (0x6bce000), 4096, 4, ) == 0x0 02938 808 NtSetEventBoostPriority ... ) == 0x0 02943 384 NtSetEventBoostPriority (136, ... 02917 1180 NtWaitForSingleObject ... ) == 0x0 02942 484 NtSetEventBoostPriority ... ) == 0x0 02944 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02945 808 NtWaitForSingleObject (312, 0, 0x0, ... 02946 1180 NtSetEventBoostPriority (312, ... 00809 1028 NtWaitForSingleObject ... ) == 0x0 02943 384 NtSetEventBoostPriority ... ) == 0x0 02947 484 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02944 1736 NtCreateThread ... 988, {1636, 1756}, ) == 0x0 02918 1036 NtWaitForSingleObject ... ) == 0x0 02948 1028 NtWaitForSingleObject (312, 0, 0x0, ... 02946 1180 NtSetEventBoostPriority ... ) == 0x0 02949 384 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02950 868 NtWaitForSingleObject (312, 0, 0x0, ... 02947 484 NtDuplicateObject ... 992, ) == 0x0 02951 1036 NtSetEventBoostPriority (312, ... 02952 1736 NtQueryInformationThread (988, Basic, 28, ... 02949 384 NtCreateEvent ... 996, ) == 0x0 02920 2020 NtWaitForSingleObject ... ) == 0x0 02953 484 NtWaitForSingleObject (312, 0, 0x0, ... 02952 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=1636,Tid=1756,}, 0x0, ) == 0x0 02954 384 NtWaitForSingleObject (312, 0, 0x0, ... 02955 2020 NtAllocateVirtualMemory (-1, 1437696, 0, 4096, 4096, 4, ... 02956 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0d\6\0\0\334\6\0\0" ... ... 02955 2020 NtAllocateVirtualMemory ... 1437696, 4096, ) == 0x0 02956 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75601, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0d\6\0\0\334\6\0\0" ) ) == 0x0 02957 2020 NtSetEventBoostPriority (312, ... 02958 1736 NtResumeThread (988, ... 02951 1036 NtSetEventBoostPriority ... ) == 0x0 02959 1180 NtWaitForSingleObject (312, 0, 0x0, ... 02925 760 NtWaitForSingleObject ... ) == 0x0 02957 2020 NtSetEventBoostPriority ... ) == 0x0 02960 1036 NtWaitForSingleObject (64, 0, {0, 0}, ... 02961 760 NtSetEventBoostPriority (312, ... 02962 2020 NtWaitForSingleObject (312, 0, 0x0, ... 02927 896 NtWaitForSingleObject ... ) == 0x0 02961 760 NtSetEventBoostPriority ... ) == 0x0 02963 896 NtSetEventBoostPriority (312, ... 02924 1248 NtWaitForSingleObject ... ) == 0x0 02964 1248 NtSetEventBoostPriority (312, ... 02930 1252 NtWaitForSingleObject ... ) == 0x0 02965 1252 NtSetEventBoostPriority (312, ... 02935 1580 NtWaitForSingleObject ... ) == 0x0 02966 1580 NtSetEventBoostPriority (312, ... 02936 1356 NtWaitForSingleObject ... ) == 0x0 02967 1356 NtSetEventBoostPriority (312, ... 02939 860 NtWaitForSingleObject ... ) == 0x0 02968 860 NtSetEventBoostPriority (312, ... 02945 808 NtWaitForSingleObject ... ) == 0x0 02969 808 NtSetEventBoostPriority (312, ... 02948 1028 NtWaitForSingleObject ... ) == 0x0 02970 1028 NtSetEventBoostPriority (312, ... 02950 868 NtWaitForSingleObject ... ) == 0x0 02971 868 NtSetEventBoostPriority (312, ... 02953 484 NtWaitForSingleObject ... ) == 0x0 02972 484 NtSetEventBoostPriority (312, ... 02954 384 NtWaitForSingleObject ... ) == 0x0 02973 384 NtSetEventBoostPriority (312, ... 02959 1180 NtWaitForSingleObject ... ) == 0x0 02974 1180 NtAllocateVirtualMemory (-1, 1441792, 0, 4096, 4096, 4, ... 1441792, 4096, ) == 0x0 02975 1180 NtSetEventBoostPriority (312, ... 02973 384 NtSetEventBoostPriority ... ) == 0x0 02972 484 NtSetEventBoostPriority ... ) == 0x0 02971 868 NtSetEventBoostPriority ... ) == 0x0 02970 1028 NtSetEventBoostPriority ... ) == 0x0 02969 808 NtSetEventBoostPriority ... 
) == 0x0 02968 860 NtSetEventBoostPriority ... ) == 0x0 02967 1356 NtSetEventBoostPriority ... ) == 0x0 02966 1580 NtSetEventBoostPriority ... ) == 0x0 02963 896 NtSetEventBoostPriority ... ) == 0x0 02976 760 NtWaitForSingleObject (312, 0, 0x0, ... 02965 1252 NtSetEventBoostPriority ... ) == 0x0 02964 1248 NtSetEventBoostPriority ... ) == 0x0 02958 1736 NtResumeThread ... 1, ) == 0x0 02960 1036 NtWaitForSingleObject ... ) == 0x102 02962 2020 NtWaitForSingleObject ... ) == 0x0 02975 1180 NtSetEventBoostPriority ... ) == 0x0 02977 1756 NtWaitForSingleObject (88, 0, 0x0, ... 02978 384 NtWaitForSingleObject (312, 0, 0x0, ... 02979 868 NtWaitForSingleObject (312, 0, 0x0, ... 02980 484 NtWaitForSingleObject (316, 0, 0x0, ... 02981 1028 NtWaitForSingleObject (312, 0, 0x0, ... 02982 860 NtWaitForSingleObject (316, 0, 0x0, ... 02983 1356 NtWaitForSingleObject (312, 0, 0x0, ... 02984 808 NtWaitForSingleObject (312, 0, 0x0, ... 02985 1580 NtSetEventBoostPriority (88, ... 02986 896 NtWaitForSingleObject (312, 0, 0x0, ... 02987 1252 NtWaitForSingleObject (312, 0, 0x0, ... 02988 1248 NtWaitForSingleObject (316, 0, 0x0, ... 02989 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02990 1036 NtWaitForSingleObject (136, 0, 0x0, ... 02991 2020 NtSetEventBoostPriority (312, ... 02992 1180 NtWaitForSingleObject (312, 0, 0x0, ... 02977 1756 NtWaitForSingleObject ... ) == 0x0 02985 1580 NtSetEventBoostPriority ... ) == 0x0 02989 1736 NtAllocateVirtualMemory ... 113049600, 1048576, ) == 0x0 02978 384 NtWaitForSingleObject ... ) == 0x0 02991 2020 NtSetEventBoostPriority ... ) == 0x0 02993 1756 NtWaitForSingleObject (312, 0, 0x0, ... 02994 1580 NtTestAlert (... 02995 384 NtSetEventBoostPriority (312, ... 02996 1736 NtAllocateVirtualMemory (-1, 114089984, 0, 8192, 4096, 4, ... 02976 760 NtWaitForSingleObject ... ) == 0x0 02995 384 NtSetEventBoostPriority ... ) == 0x0 02994 1580 NtTestAlert ... ) == 0x0 02997 760 NtSetEventBoostPriority (312, ... 
02996 1736 NtAllocateVirtualMemory ... 114089984, 8192, ) == 0x0 02998 384 NtWaitForSingleObject (312, 0, 0x0, ... 02981 1028 NtWaitForSingleObject ... ) == 0x0 02999 1580 NtContinue (112000304, 1, ... 03000 1736 NtProtectVirtualMemory (-1, (0x6cce000), 4096, 260, ... 02997 760 NtSetEventBoostPriority ... ) == 0x0 03001 2020 NtWaitForSingleObject (312, 0, 0x0, ... 03002 1028 NtSetEventBoostPriority (312, ... 03003 1580 NtRegisterThreadTerminatePort (24, ... 03004 760 NtSetEventBoostPriority (316, ... 02979 868 NtWaitForSingleObject ... ) == 0x0 03002 1028 NtSetEventBoostPriority ... ) == 0x0 03000 1736 NtProtectVirtualMemory ... (0x6cce000), 4096, 4, ) == 0x0 03005 868 NtSetEventBoostPriority (312, ... 02980 484 NtWaitForSingleObject ... ) == 0x0 03004 760 NtSetEventBoostPriority ... ) == 0x0 03006 1028 NtSetEventBoostPriority (136, ... 02984 808 NtWaitForSingleObject ... ) == 0x0 03007 484 NtWaitForSingleObject (312, 0, 0x0, ... 03008 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03005 868 NtSetEventBoostPriority ... ) == 0x0 03003 1580 NtRegisterThreadTerminatePort ... ) == 0x0 03009 760 NtWaitForSingleObject (64, 0, {0, 0}, ... 03010 808 NtSetEventBoostPriority (312, ... 03008 1736 NtCreateThread ... 1000, {1636, 1304}, ) == 0x0 03011 868 NtWaitForSingleObject (312, 0, 0x0, ... 03012 1580 NtWaitForSingleObject (312, 0, 0x0, ... 03009 760 NtWaitForSingleObject ... ) == 0x102 02986 896 NtWaitForSingleObject ... ) == 0x0 03010 808 NtSetEventBoostPriority ... ) == 0x0 03013 1736 NtQueryInformationThread (1000, Basic, 28, ... 03014 896 NtSetEventBoostPriority (312, ... 03015 760 NtWaitForSingleObject (136, 0, 0x0, ... 03016 808 NtWaitForSingleObject (312, 0, 0x0, ... 02987 1252 NtWaitForSingleObject ... ) == 0x0 03014 896 NtSetEventBoostPriority ... ) == 0x0 03013 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=1636,Tid=1304,}, 0x0, ) == 0x0 00814 2012 NtWaitForSingleObject ... 
) == 0x0 03006 1028 NtSetEventBoostPriority ... ) == 0x0 03017 1252 NtSetEventBoostPriority (312, ... 03018 896 NtWaitForSingleObject (312, 0, 0x0, ... 03019 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0d\6\0\0\30\5\0\0" ... ... 03020 2012 NtWaitForSingleObject (312, 0, 0x0, ... 02992 1180 NtWaitForSingleObject ... ) == 0x0 03017 1252 NtSetEventBoostPriority ... ) == 0x0 03021 1028 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03022 1180 NtSetEventBoostPriority (312, ... 03019 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75602, 0} ... {28, 56, reply, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0d\6\0\0\30\5\0\0" ) ) == 0x0 02983 1356 NtWaitForSingleObject ... ) == 0x0 03022 1180 NtSetEventBoostPriority ... ) == 0x0 03021 1028 NtCreateEvent ... 1004, ) == 0x0 03023 1356 NtSetEventBoostPriority (312, ... 03024 1736 NtResumeThread (1000, ... 03025 1252 NtWaitForSingleObject (312, 0, 0x0, ... 02993 1756 NtWaitForSingleObject ... ) == 0x0 03026 1028 NtWaitForSingleObject (312, 0, 0x0, ... 03024 1736 NtResumeThread ... 1, ) == 0x0 03027 1756 NtSetEventBoostPriority (312, ... 02998 384 NtWaitForSingleObject ... ) == 0x0 03028 384 NtAllocateVirtualMemory (-1, 1445888, 0, 4096, 4096, 4, ... 1445888, 4096, ) == 0x0 03029 384 NtSetEventBoostPriority (312, ... 03001 2020 NtWaitForSingleObject ... ) == 0x0 03030 2020 NtSetEventBoostPriority (312, ... 03007 484 NtWaitForSingleObject ... ) == 0x0 03031 484 NtSetEventBoostPriority (312, ... 03011 868 NtWaitForSingleObject ... ) == 0x0 03032 868 NtSetEventBoostPriority (312, ... 03012 1580 NtWaitForSingleObject ... ) == 0x0 03033 1580 NtSetEventBoostPriority (312, ... 03016 808 NtWaitForSingleObject ... ) == 0x0 03034 808 NtSetEventBoostPriority (312, ... 03018 896 NtWaitForSingleObject ... ) == 0x0 03035 896 NtSetEventBoostPriority (312, ... 03020 2012 NtWaitForSingleObject ... 
) == 0x0 03036 2012 NtSetEventBoostPriority (312, ... 03025 1252 NtWaitForSingleObject ... ) == 0x0 03037 1252 NtSetEventBoostPriority (312, ... 03026 1028 NtWaitForSingleObject ... ) == 0x0 03038 1028 NtAllocateVirtualMemory (-1, 1449984, 0, 4096, 4096, 4, ... 1449984, 4096, ) == 0x0 03037 1252 NtSetEventBoostPriority ... ) == 0x0 03036 2012 NtSetEventBoostPriority ... ) == 0x0 03033 1580 NtSetEventBoostPriority ... ) == 0x0 03032 868 NtSetEventBoostPriority ... ) == 0x0 03031 484 NtSetEventBoostPriority ... ) == 0x0 03030 2020 NtSetEventBoostPriority ... ) == 0x0 03027 1756 NtSetEventBoostPriority ... ) == 0x0 03039 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03035 896 NtSetEventBoostPriority ... ) == 0x0 03034 808 NtSetEventBoostPriority ... ) == 0x0 03029 384 NtSetEventBoostPriority ... ) == 0x0 03023 1356 NtSetEventBoostPriority ... ) == 0x0 03040 1180 NtWaitForSingleObject (312, 0, 0x0, ... 03041 1304 NtWaitForSingleObject (88, 0, 0x0, ... 03042 1252 NtWaitForSingleObject (312, 0, 0x0, ... 03043 1028 NtSetEventBoostPriority (312, ... 03044 2012 NtWaitForSingleObject (312, 0, 0x0, ... 03045 1580 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03046 868 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03047 2020 NtWaitForSingleObject (312, 0, 0x0, ... 03048 484 NtSetEventBoostPriority (316, ... 03039 1736 NtAllocateVirtualMemory ... 114098176, 1048576, ) == 0x0 03049 896 NtAllocateVirtualMemory (-1, 16568320, 0, 4096, 4096, 260, ... 03050 808 NtWaitForSingleObject (312, 0, 0x0, ... 03051 1756 NtSetEventBoostPriority (88, ... 03052 1356 NtWaitForSingleObject (312, 0, 0x0, ... 03053 384 NtWaitForSingleObject (312, 0, 0x0, ... 03040 1180 NtWaitForSingleObject ... ) == 0x0 03043 1028 NtSetEventBoostPriority ... ) == 0x0 03045 1580 NtDuplicateObject ... 1008, ) == 0x0 03046 868 NtCreateEvent ... 1012, ) == 0x0 02982 860 NtWaitForSingleObject ... ) == 0x0 03048 484 NtSetEventBoostPriority ... ) == 0x0 03049 896 NtAllocateVirtualMemory ... 
16568320, 4096, ) == 0x0 03041 1304 NtWaitForSingleObject ... ) == 0x0 03051 1756 NtSetEventBoostPriority ... ) == 0x0 03054 1180 NtSetEventBoostPriority (312, ... 03055 1028 NtWaitForSingleObject (312, 0, 0x0, ... 03056 1580 NtWaitForSingleObject (312, 0, 0x0, ... 03057 860 NtSetEventBoostPriority (316, ... 03058 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03059 484 NtWaitForSingleObject (64, 0, {0, 0}, ... 03060 1736 NtAllocateVirtualMemory (-1, 115138560, 0, 8192, 4096, 4, ... 03061 1304 NtWaitForSingleObject (312, 0, 0x0, ... 03044 2012 NtWaitForSingleObject ... ) == 0x0 03054 1180 NtSetEventBoostPriority ... ) == 0x0 03062 1756 NtTestAlert (... 02988 1248 NtWaitForSingleObject ... ) == 0x0 03058 868 NtDuplicateObject ... 1016, ) == 0x0 03059 484 NtWaitForSingleObject ... ) == 0x102 03063 2012 NtSetEventBoostPriority (312, ... 03060 1736 NtAllocateVirtualMemory ... 115138560, 8192, ) == 0x0 03064 1180 NtWaitForSingleObject (312, 0, 0x0, ... 03062 1756 NtTestAlert ... ) == 0x0 03065 1248 NtWaitForSingleObject (312, 0, 0x0, ... 03066 868 NtWaitForSingleObject (312, 0, 0x0, ... 03042 1252 NtWaitForSingleObject ... ) == 0x0 03063 2012 NtSetEventBoostPriority ... ) == 0x0 03067 484 NtWaitForSingleObject (312, 0, 0x0, ... 03068 1736 NtProtectVirtualMemory (-1, (0x6dce000), 4096, 260, ... 03057 860 NtSetEventBoostPriority ... ) == 0x0 03069 896 NtWaitForSingleObject (312, 0, 0x0, ... 03070 1756 NtContinue (113048880, 1, ... 03071 1252 NtSetEventBoostPriority (312, ... 03072 2012 NtWaitForSingleObject (312, 0, 0x0, ... 03068 1736 NtProtectVirtualMemory ... (0x6dce000), 4096, 4, ) == 0x0 03073 860 NtWaitForSingleObject (64, 0, {0, 0}, ... 03047 2020 NtWaitForSingleObject ... ) == 0x0 03074 1756 NtRegisterThreadTerminatePort (24, ... 03071 1252 NtSetEventBoostPriority ... ) == 0x0 03075 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03076 2020 NtSetEventBoostPriority (312, ... 03073 860 NtWaitForSingleObject ... 
) == 0x102 03077 1252 NtAllocateVirtualMemory (-1, 17616896, 0, 4096, 4096, 260, ... 03075 1736 NtCreateThread ... 1020, {1636, 1292}, ) == 0x0 03050 808 NtWaitForSingleObject ... ) == 0x0 03078 860 NtWaitForSingleObject (312, 0, 0x0, ... 03077 1252 NtAllocateVirtualMemory ... 17616896, 4096, ) == 0x0 03076 2020 NtSetEventBoostPriority ... ) == 0x0 03074 1756 NtRegisterThreadTerminatePort ... ) == 0x0 03079 808 NtSetEventBoostPriority (312, ... 03080 1736 NtQueryInformationThread (1020, Basic, 28, ... 03081 2020 NtWaitForSingleObject (312, 0, 0x0, ... 03082 1756 NtWaitForSingleObject (312, 0, 0x0, ... 03052 1356 NtWaitForSingleObject ... ) == 0x0 03079 808 NtSetEventBoostPriority ... ) == 0x0 03080 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=1636,Tid=1292,}, 0x0, ) == 0x0 03083 1356 NtSetEventBoostPriority (312, ... 03084 1252 NtWaitForSingleObject (312, 0, 0x0, ... 03053 384 NtWaitForSingleObject ... ) == 0x0 03083 1356 NtSetEventBoostPriority ... ) == 0x0 03085 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75602, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0d\6\0\0\14\5\0\0" ... ... 03086 384 NtSetEventBoostPriority (312, ... 03087 808 NtAllocateVirtualMemory (-1, 14471168, 0, 4096, 4096, 260, ... 03055 1028 NtWaitForSingleObject ... ) == 0x0 03086 384 NtSetEventBoostPriority ... ) == 0x0 03085 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75603, 0} ... {28, 56, reply, 0, 1636, 1736, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0d\6\0\0\14\5\0\0" ) ) == 0x0 03088 1028 NtSetEventBoostPriority (312, ... 03087 808 NtAllocateVirtualMemory ... 14471168, 4096, ) == 0x0 03089 384 NtWaitForSingleObject (312, 0, 0x0, ... 03056 1580 NtWaitForSingleObject ... ) == 0x0 03088 1028 NtSetEventBoostPriority ... ) == 0x0 03090 1736 NtResumeThread (1020, ... 03091 808 NtWaitForSingleObject (312, 0, 0x0, ... 03092 1356 NtWaitForSingleObject (312, 0, 0x0, ... 
03093 1580 NtSetEventBoostPriority (312, ... 03094 1028 NtWaitForSingleObject (312, 0, 0x0, ... 03061 1304 NtWaitForSingleObject ... ) == 0x0 03093 1580 NtSetEventBoostPriority ... ) == 0x0 03095 1304 NtSetEventBoostPriority (312, ... 03090 1736 NtResumeThread ... 1, ) == 0x0 03065 1248 NtWaitForSingleObject ... ) == 0x0 03095 1304 NtSetEventBoostPriority ... ) == 0x0 03096 1248 NtSetEventBoostPriority (312, ... 03097 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03098 1580 NtWaitForSingleObject (312, 0, 0x0, ... 03099 1292 NtWaitForSingleObject (88, 0, 0x0, ... 03066 868 NtWaitForSingleObject ... ) == 0x0 03096 1248 NtSetEventBoostPriority ... ) == 0x0 03097 1736 NtAllocateVirtualMemory ... 115146752, 1048576, ) == 0x0 03100 868 NtSetEventBoostPriority (312, ... 03101 1304 NtSetEventBoostPriority (88, ... 03064 1180 NtWaitForSingleObject ... ) == 0x0 03100 868 NtSetEventBoostPriority ... ) == 0x0 03102 1736 NtAllocateVirtualMemory (-1, 116187136, 0, 8192, 4096, 4, ... 03103 1180 NtSetEventBoostPriority (312, ... 03099 1292 NtWaitForSingleObject ... ) == 0x0 03101 1304 NtSetEventBoostPriority ... ) == 0x0 03104 1248 NtWaitForSingleObject (64, 0, {0, 0}, ... 03069 896 NtWaitForSingleObject ... ) == 0x0 03105 1292 NtWaitForSingleObject (312, 0, 0x0, ... 03102 1736 NtAllocateVirtualMemory ... 116187136, 8192, ) == 0x0 03106 1304 NtTestAlert (... 03104 1248 NtWaitForSingleObject ... ) == 0x102 03107 896 NtSetEventBoostPriority (312, ... 03108 1736 NtProtectVirtualMemory (-1, (0x6ece000), 4096, 260, ... 03106 1304 NtTestAlert ... ) == 0x0 03109 1248 NtWaitForSingleObject (136, 0, 0x0, ... 03067 484 NtWaitForSingleObject ... ) == 0x0 03107 896 NtSetEventBoostPriority ... ) == 0x0 03103 1180 NtSetEventBoostPriority ... ) == 0x0 03110 868 NtWaitForSingleObject (312, 0, 0x0, ... 03111 1304 NtContinue (114097456, 1, ... 03112 484 NtSetEventBoostPriority (312, ... 03113 896 NtWaitForSingleObject (312, 0, 0x0, ... 
03114 1180 NtWaitForSingleObject (312, 0, 0x0, ... 03072 2012 NtWaitForSingleObject ... ) == 0x0 03115 1304 NtRegisterThreadTerminatePort (24, ... 03112 484 NtSetEventBoostPriority ... ) == 0x0 03108 1736 NtProtectVirtualMemory ... (0x6ece000), 4096, 4, ) == 0x0 03116 2012 NtSetEventBoostPriority (312, ... 03117 484 NtWaitForSingleObject (136, 0, 0x0, ... 03118 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03078 860 NtWaitForSingleObject ... ) == 0x0 03118 1736 NtCreateThread ... 1024, {1636, 540}, ) == 0x0 03119 860 NtSetEventBoostPriority (312, ... 03120 1736 NtQueryInformationThread (1024, Basic, 28, ... 03081 2020 NtWaitForSingleObject ... ) == 0x0 03119 860 NtSetEventBoostPriority ... ) == 0x0 03121 2020 NtSetEventBoostPriority (312, ... 03120 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=1636,Tid=540,}, 0x0, ) == 0x0 03116 2012 NtSetEventBoostPriority ... ) == 0x0 03115 1304 NtRegisterThreadTerminatePort ... ) == 0x0 03082 1756 NtWaitForSingleObject ... ) == 0x0 03121 2020 NtSetEventBoostPriority ... ) == 0x0 03122 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75603, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0d\6\0\0\34\2\0\0" ... ... 03123 2012 NtSetEventBoostPriority (136, ... 03124 1756 NtSetEventBoostPriority (312, ... 03125 1304 NtWaitForSingleObject (312, 0, 0x0, ... 03126 860 NtWaitForSingleObject (136, 0, 0x0, ... 03127 2020 NtWaitForSingleObject (312, 0, 0x0, ... 03084 1252 NtWaitForSingleObject ... ) == 0x0 03124 1756 NtSetEventBoostPriority ... ) == 0x0 00816 2016 NtWaitForSingleObject ... ) == 0x0 03123 2012 NtSetEventBoostPriority ... ) == 0x0 03128 1252 NtSetEventBoostPriority (312, ... 03122 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75604, 0} ... {28, 56, reply, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0d\6\0\0\34\2\0\0" ) ) == 0x0 03129 2016 NtSetEventBoostPriority (136, ... 
03130 1756 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03089 384 NtWaitForSingleObject ... ) == 0x0 03128 1252 NtSetEventBoostPriority ... ) == 0x0 01220 252 NtWaitForSingleObject ... ) == 0x0 03129 2016 NtSetEventBoostPriority ... ) == 0x0 03131 1736 NtResumeThread (1024, ... 03132 384 NtSetEventBoostPriority (312, ... 03130 1756 NtDuplicateObject ... 1028, ) == 0x0 03133 252 NtWaitForSingleObject (312, 0, 0x0, ... 03134 1252 NtWaitForSingleObject (312, 0, 0x0, ... 03135 2012 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03091 808 NtWaitForSingleObject ... ) == 0x0 03131 1736 NtResumeThread ... 1, ) == 0x0 03136 1756 NtWaitForSingleObject (312, 0, 0x0, ... 03132 384 NtSetEventBoostPriority ... ) == 0x0 03137 2016 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03138 540 NtWaitForSingleObject (88, 0, 0x0, ... 03135 2012 NtCreateEvent ... 1032, ) == 0x0 03139 808 NtSetEventBoostPriority (312, ... 03140 1736 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03141 384 NtWaitForSingleObject (312, 0, 0x0, ... 03137 2016 NtCreateEvent ... 1036, ) == 0x0 03142 2012 NtWaitForSingleObject (312, 0, 0x0, ... 03092 1356 NtWaitForSingleObject ... ) == 0x0 03139 808 NtSetEventBoostPriority ... ) == 0x0 03140 1736 NtAllocateVirtualMemory ... 116195328, 1048576, ) == 0x0 03143 2016 NtWaitForSingleObject (312, 0, 0x0, ... 03144 1356 NtSetEventBoostPriority (312, ... 03145 808 NtWaitForSingleObject (312, 0, 0x0, ... 03094 1028 NtWaitForSingleObject ... ) == 0x0 03144 1356 NtSetEventBoostPriority ... ) == 0x0 03146 1028 NtSetEventBoostPriority (312, ... 03098 1580 NtWaitForSingleObject ... ) == 0x0 03147 1580 NtSetEventBoostPriority (312, ... 03105 1292 NtWaitForSingleObject ... ) == 0x0 03148 1292 NtSetEventBoostPriority (312, ... 03110 868 NtWaitForSingleObject ... ) == 0x0 03149 868 NtSetEventBoostPriority (312, ... 03114 1180 NtWaitForSingleObject ... ) == 0x0 03150 1180 NtSetEventBoostPriority (312, ... 03113 896 NtWaitForSingleObject ... 
) == 0x0 03151 896 NtSetEventBoostPriority (312, ... 03125 1304 NtWaitForSingleObject ... ) == 0x0 03152 1304 NtSetEventBoostPriority (312, ... 03127 2020 NtWaitForSingleObject ... ) == 0x0 03153 2020 NtSetEventBoostPriority (312, ... 03133 252 NtWaitForSingleObject ... ) == 0x0 03154 252 NtSetEventBoostPriority (312, ... 03136 1756 NtWaitForSingleObject ... ) == 0x0 03155 1756 NtSetEventBoostPriority (312, ... 03141 384 NtWaitForSingleObject ... ) == 0x0 03156 384 NtSetEventBoostPriority (312, ... 03142 2012 NtWaitForSingleObject ... ) == 0x0 03157 2012 NtSetEventBoostPriority (312, ... 03134 1252 NtWaitForSingleObject ... ) == 0x0 03158 1252 NtSetEventBoostPriority (312, ... 03143 2016 NtWaitForSingleObject ... ) == 0x0 03159 2016 NtSetEventBoostPriority (312, ... 03145 808 NtWaitForSingleObject ... ) == 0x0 03160 808 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 1040, ) == 0x0 03161 808 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03159 2016 NtSetEventBoostPriority ... ) == 0x0 03157 2012 NtSetEventBoostPriority ... ) == 0x0 03156 384 NtSetEventBoostPriority ... ) == 0x0 03155 1756 NtSetEventBoostPriority ... ) == 0x0 03154 252 NtSetEventBoostPriority ... ) == 0x0 03153 2020 NtSetEventBoostPriority ... ) == 0x0 03152 1304 NtSetEventBoostPriority ... ) == 0x0 03150 1180 NtSetEventBoostPriority ... ) == 0x0 03149 868 NtSetEventBoostPriority ... ) == 0x0 03148 1292 NtSetEventBoostPriority ... ) == 0x0 03147 1580 NtSetEventBoostPriority ... ) == 0x0 03146 1028 NtSetEventBoostPriority ... ) == 0x0 03162 1356 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03158 1252 NtSetEventBoostPriority ... ) == 0x0 03151 896 NtSetEventBoostPriority ... ) == 0x0 03163 1736 NtAllocateVirtualMemory (-1, 117235712, 0, 8192, 4096, 4, ... 03161 808 NtDuplicateObject ... 
1044, ) == 0x0 03164 2016 NtAllocateVirtualMemory (-1, 1454080, 0, 4096, 4096, 4, ... 03165 2012 NtWaitForSingleObject (312, 0, 0x0, ... 03166 384 NtAllocateVirtualMemory (-1, 21811200, 0, 4096, 4096, 260, ... 03167 1756 NtWaitForSingleObject (316, 0, 0x0, ... 03168 2020 NtWaitForSingleObject (312, 0, 0x0, ... 03169 252 NtSetEventBoostPriority (136, ... 03170 1304 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03171 868 NtSetEventBoostPriority (316, ... 03172 1180 NtWaitForSingleObject (312, 0, 0x0, ... 03173 1580 NtWaitForSingleObject (316, 0, 0x0, ... 03174 1028 NtWaitForSingleObject (312, 0, 0x0, ... 03175 1292 NtSetEventBoostPriority (88, ... 03176 1252 NtWaitForSingleObject (312, 0, 0x0, ... 03177 896 NtWaitForSingleObject (312, 0, 0x0, ... 03163 1736 NtAllocateVirtualMemory ... 117235712, 8192, ) == 0x0 03178 808 NtWaitForSingleObject (312, 0, 0x0, ... 03164 2016 NtAllocateVirtualMemory ... 1454080, 4096, ) == 0x0 03166 384 NtAllocateVirtualMemory ... 21811200, 4096, ) == 0x0 03162 1356 NtCreateKey ... 1048, 2, ) == 0x0 01269 1024 NtWaitForSingleObject ... ) == 0x0 03169 252 NtSetEventBoostPriority ... ) == 0x0 03170 1304 NtDuplicateObject ... 1052, ) == 0x0 03167 1756 NtWaitForSingleObject ... ) == 0x0 03171 868 NtSetEventBoostPriority ... ) == 0x0 03138 540 NtWaitForSingleObject ... ) == 0x0 03175 1292 NtSetEventBoostPriority ... ) == 0x0 03179 1736 NtProtectVirtualMemory (-1, (0x6fce000), 4096, 260, ... 03180 2016 NtSetEventBoostPriority (312, ... 03181 384 NtWaitForSingleObject (312, 0, 0x0, ... 03182 1024 NtWaitForSingleObject (312, 0, 0x0, ... 03183 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03184 252 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03185 1304 NtWaitForSingleObject (316, 0, 0x0, ... 03186 1756 NtWaitForSingleObject (312, 0, 0x0, ... 03187 540 NtWaitForSingleObject (312, 0, 0x0, ... 03188 868 NtWaitForSingleObject (316, 0, 0x0, ... 
03189 1292 NtTestAlert (... 03179 1736 NtProtectVirtualMemory ... (0x6fce000), 4096, 4, ) == 0x0 03165 2012 NtWaitForSingleObject ... ) == 0x0 03180 2016 NtSetEventBoostPriority ... ) == 0x0 03183 1356 NtOpenKey ... 1056, ) == 0x0 03184 252 NtCreateEvent ... 1060, ) == 0x0 03189 1292 NtTestAlert ... ) == 0x0 03190 2012 NtAllocateVirtualMemory (-1, 1458176, 0, 4096, 4096, 4, ... 03191 1736 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03192 2016 NtWaitForSingleObject (312, 0, 0x0, ... 03193 1356 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 03194 252 NtWaitForSingleObject (312, 0, 0x0, ... 03190 2012 NtAllocateVirtualMemory ... 1458176, 4096, ) == 0x0 03195 1292 NtContinue (115146032, 1, ... 03191 1736 NtCreateThread ... 1064, {1636, 1956}, ) == 0x0 03193 1356 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03196 2012 NtSetEventBoostPriority (312, ... 03197 1292 NtRegisterThreadTerminatePort (24, ... 03198 1356 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ... 03199 1736 NtQueryInformationThread (1064, Basic, 28, ... 03168 2020 NtWaitForSingleObject ... ) == 0x0 03196 2012 NtSetEventBoostPriority ... ) == 0x0 03197 1292 NtRegisterThreadTerminatePort ... ) == 0x0 03199 1736 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=1636,Tid=1956,}, 0x0, ) == 0x0 03200 2020 NtSetEventBoostPriority (312, ... 03201 2012 NtWaitForSingleObject (312, 0, 0x0, ... 03202 1292 NtWaitForSingleObject (312, 0, 0x0, ... 03203 1736 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0} (24, {28, 56, new_msg, 0, 1636, 1736, 75604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0d\6\0\0\244\7\0\0" ... ... 03172 1180 NtWaitForSingleObject ... ) == 0x0 03203 1736 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1636, 1736, 75605, 0} ... 
{28, 56, reply, 0, 1636, 1736, 75605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0d\6\0\0\244\7\0\0" ) ) == 0x0 03204 1180 NtSetEventBoostPriority (312, ... 03205 1736 NtResumeThread (1064, ... 03176 1252 NtWaitForSingleObject ... ) == 0x0 03204 1180 NtSetEventBoostPriority ... ) == 0x0