Summary:





NtCallbackReturn(>)  1 
NtOpenThreadTokenEx(>)  2 
NtQueryVirtualMemory(>)  9 
NtContinue(>)  88 


NtGdiCreateBitmap(>)  1 
NtQueryDefaultLocale(>)  2 
NtSetInformationThread(>)  9 
NtOpenKey(>)  105 


NtGdiInit(>)  1 
NtQueryPerformanceCounter(>)  2 
NtUserFindExistingCursorIcon(>)  9 
NtQuerySystemInformation(>)  108 


NtGdiQueryFontAssocInfo(>)  1 
NtQuerySystemTime(>)  2 
NtOpenThreadToken(>)  10 
NtTestAlert(>)  165 


NtGdiSelectBitmap(>)  1 
NtSetInformationObject(>)  2 
NtSetInformationFile(>)  10 
NtRegisterThreadTerminatePort(>)  168 


NtOpenKeyedEvent(>)  1 
NtFreeVirtualMemory(>)  3 
NtQuerySection(>)  12 
NtDuplicateObject(>)  172 


NtOpenSymbolicLinkObject(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQueryDirectoryFile(>)  14 
NtQueryValueKey(>)  225 


NtQueryObject(>)  1 
NtSecureConnectPort(>)  3 
NtUserRegisterClassExWOW(>)  14 
NtQueryInformationThread(>)  232 


NtQuerySymbolicLinkObject(>)  1 
NtWriteFile(>)  3 
NtCreateFile(>)  15 
NtResumeThread(>)  232 


NtRaiseException(>)  1 
NtCreateIoCompletion(>)  4 
NtSetValueKey(>)  17 
NtCreateThread(>)  245 


NtSetInformationProcess(>)  1 
NtGdiGetStockObject(>)  5 
NtCreateKey(>)  19 
NtRequestWaitReplyPort(>)  264 


NtUserCallNoParam(>)  1 
NtQueryInformationToken(>)  5 
NtOpenSection(>)  21 
NtClose(>)  291 


NtUserGetThreadDesktop(>)  1 
NtQueryVolumeInformationFile(>)  5 
NtOpenFile(>)  22 
NtProtectVirtualMemory(>)  328 


NtCreateMutant(>)  2 
NtConnectPort(>)  6 
NtQueryAttributesFile(>)  31 
NtSetEventBoostPriority(>)  437 


NtGdiCreateSolidBrush(>)  2 
NtFsControlFile(>)  6 
NtMapViewOfSection(>)  32 
NtAllocateVirtualMemory(>)  605 


NtNotifyChangeKey(>)  2 
NtReadFile(>)  6 
NtDeviceIoControlFile(>)  36 
NtWaitForSingleObject(>)  771 


NtOpenDirectoryObject(>)  2 
NtUnmapViewOfSection(>)  7 
NtFlushInstructionCache(>)  45 


NtOpenProcessToken(>)  2 
NtQueryInformationFile(>)  8 
NtCreateEvent(>)  63 


NtOpenProcessTokenEx(>)  2 



Trace:

 00001  2016   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147481368, {status=0x0, info=1}, ) }, 0, 32, ... -2147481368, {status=0x0, info=1}, ) == 0x0
 00002  2016   NtQueryInformationFile  (-2147481368, -135238604, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00003  2016   NtReadFile  (-2147481368, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474},  (-2147481368, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0
 00004  2016   NtClose  (-2147481368, ... ) == 0x0
 00005  2016   NtCreateFile  (0x100080, {24, 0, 0x240, 0, 0,  (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147481368, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... -2147481368, {status=0x0, info=0}, ) == 0x0
 00006  2016   NtQueryVolumeInformationFile  (-2147481368, -135238648, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00007  2016   NtClose  (-2147481368, ... ) == 0x0
 00008  2016   NtCreateFile  (0x100180, {24, 0, 0x240, 0, 0,  (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ...
 00009  2016   NtContinue  (-135243448, 0, ...
 00008  2016   NtCreateFile  ... -2147481368, {status=0x0, info=1}, ) == 0x0
 00010  2016   NtQueryVolumeInformationFile  (-2147481368, -135238660, 24, Volume, ... {status=0x0, info=18}, ) == 0x0
 00011  2016   NtFsControlFile  (-2147481368, 0, 0x0, 0x0, 0x90120,  (-2147481368, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00012  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00013  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0
 00014  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00015  2016   NtClose  (-2147482764, ... ) == 0x0
 00016  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00017  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0
 00018  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00019  2016   NtClose  (-2147482764, ... ) == 0x0
 00020  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00021  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0
 00022  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0
 00023  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0
 00024  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0
 00025  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0
 00026  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00027  2016   NtClose  (-2147482764, ... ) == 0x0
 00028  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00029  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0
 00030  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00031  2016   NtClose  (-2147482764, ... ) == 0x0
 00032  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00033  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0
 00034  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00035  2016   NtClose  (-2147482764, ... ) == 0x0
 00036  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0
 00037  2016   NtClose  (-2147482688, ... ) == 0x0
 00038  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482660, ) == 0x0
 00039  2016   NtClose  (-2147482660, ... ) == 0x0
 00040  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0
 00041  2016   NtClose  (-2147482656, ... ) == 0x0
 00042  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0
 00043  2016   NtClose  (-2147482652, ... ) == 0x0
 00044  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0
 00045  2016   NtClose  (-2147482724, ... ) == 0x0
 00046  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0
 00047  2016   NtClose  (-2147481452, ... ) == 0x0
 00048  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0
 00049  2016   NtClose  (-2147482684, ... ) == 0x0
 00050  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0
 00051  2016   NtClose  (-2147482680, ... ) == 0x0
 00052  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147482760, ) == 0x0
 00053  2016   NtClose  (-2147482760, ... ) == 0x0
 00054  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147481628, ) == 0x0
 00055  2016   NtClose  (-2147481628, ... ) == 0x0
 00056  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147481484, ) == 0x0
 00057  2016   NtClose  (-2147481484, ... ) == 0x0
 00058  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147481480, ) == 0x0
 00059  2016   NtClose  (-2147481480, ... ) == 0x0
 00060  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481480, ... -2147482136, ) == 0x0
 00061  2016   NtClose  (-2147482136, ... ) == 0x0
 00062  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482136, ... -2147482748, ) == 0x0
 00063  2016   NtClose  (-2147482748, ... ) == 0x0
 00064  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482748, ... -2147482676, ) == 0x0
 00065  2016   NtClose  (-2147482676, ... ) == 0x0
 00066  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0
 00067  2016   NtClose  (-2147482672, ... ) == 0x0
 00068  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0
 00069  2016   NtClose  (-2147482668, ... ) == 0x0
 00070  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0
 00071  2016   NtClose  (-2147482664, ... ) == 0x0
 00072  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0
 00073  2016   NtClose  (-2147481588, ... ) == 0x0
 00074  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0
 00075  2016   NtClose  (-2147481584, ... ) == 0x0
 00076  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0
 00077  2016   NtClose  (-2147482692, ... ) == 0x0
 00078  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0
 00079  2016   NtClose  (-2147481512, ... ) == 0x0
 00080  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0
 00081  2016   NtClose  (-2147481580, ... ) == 0x0
 00082  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0
 00083  2016   NtClose  (-2147481552, ... ) == 0x0
 00084  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0
 00085  2016   NtClose  (-2147481592, ... ) == 0x0
 00086  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0
 00087  2016   NtClose  (-2147481596, ... ) == 0x0
 00088  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0
 00089  2016   NtClose  (-2147482108, ... ) == 0x0
 00090  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0
 00091  2016   NtClose  (-2147482732, ... ) == 0x0
 00092  2016   NtClose  (-2147482764, ... ) == 0x0
 00093  2016   NtClose  (-2147482688, ... ) == 0x0
 00094  2016   NtClose  (-2147482660, ... ) == 0x0
 00095  2016   NtClose  (-2147482656, ... ) == 0x0
 00096  2016   NtClose  (-2147482652, ... ) == 0x0
 00097  2016   NtClose  (-2147482724, ... ) == 0x0
 00098  2016   NtClose  (-2147481452, ... ) == 0x0
 00099  2016   NtClose  (-2147482684, ... ) == 0x0
 00100  2016   NtClose  (-2147482680, ... ) == 0x0
 00101  2016   NtClose  (-2147482760, ... ) == 0x0
 00102  2016   NtClose  (-2147481628, ... ) == 0x0
 00103  2016   NtClose  (-2147481484, ... ) == 0x0
 00104  2016   NtClose  (-2147481480, ... ) == 0x0
 00105  2016   NtClose  (-2147482136, ... ) == 0x0
 00106  2016   NtClose  (-2147482748, ... ) == 0x0
 00107  2016   NtClose  (-2147482676, ... ) == 0x0
 00108  2016   NtClose  (-2147482672, ... ) == 0x0
 00109  2016   NtClose  (-2147482668, ... ) == 0x0
 00110  2016   NtClose  (-2147482664, ... ) == 0x0
 00111  2016   NtClose  (-2147481588, ... ) == 0x0
 00112  2016   NtClose  (-2147481584, ... ) == 0x0
 00113  2016   NtClose  (-2147482692, ... ) == 0x0
 00114  2016   NtClose  (-2147481512, ... ) == 0x0
 00115  2016   NtClose  (-2147481580, ... ) == 0x0
 00116  2016   NtClose  (-2147481552, ... ) == 0x0
 00117  2016   NtClose  (-2147481592, ... ) == 0x0
 00118  2016   NtClose  (-2147481596, ... ) == 0x0
 00119  2016   NtClose  (-2147482108, ... ) == 0x0
 00120  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0
 00121  2016   NtClose  (-2147481596, ... ) == 0x0
 00122  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0
 00123  2016   NtClose  (-2147481592, ... ) == 0x0
 00124  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0
 00125  2016   NtClose  (-2147481552, ... ) == 0x0
 00126  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0
 00127  2016   NtClose  (-2147481580, ... ) == 0x0
 00128  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0
 00129  2016   NtClose  (-2147481512, ... ) == 0x0
 00130  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0
 00131  2016   NtClose  (-2147482692, ... ) == 0x0
 00132  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... -2147481584, ) == 0x0
 00133  2016   NtClose  (-2147481584, ... ) == 0x0
 00134  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0
 00135  2016   NtClose  (-2147481588, ... ) == 0x0
 00136  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0
 00137  2016   NtClose  (-2147482664, ... ) == 0x0
 00138  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0
 00139  2016   NtClose  (-2147482668, ... ) == 0x0
 00140  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0
 00141  2016   NtClose  (-2147482672, ... ) == 0x0
 00142  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0
 00143  2016   NtClose  (-2147482676, ... ) == 0x0
 00144  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147482748, ) == 0x0
 00145  2016   NtClose  (-2147482748, ... ) == 0x0
 00146  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482748, ... -2147482136, ) == 0x0
 00147  2016   NtClose  (-2147482136, ... ) == 0x0
 00148  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482136, ... -2147481480, ) == 0x0
 00149  2016   NtClose  (-2147481480, ... ) == 0x0
 00150  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481480, ... -2147481484, ) == 0x0
 00151  2016   NtClose  (-2147481484, ... ) == 0x0
 00152  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481484, ... -2147481628, ) == 0x0
 00153  2016   NtClose  (-2147481628, ... ) == 0x0
 00154  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482760, ) == 0x0
 00155  2016   NtClose  (-2147482760, ... ) == 0x0
 00156  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... -2147482680, ) == 0x0
 00157  2016   NtClose  (-2147482680, ... ) == 0x0
 00158  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0
 00159  2016   NtClose  (-2147482684, ... ) == 0x0
 00160  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0
 00161  2016   NtClose  (-2147481452, ... ) == 0x0
 00162  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0
 00163  2016   NtClose  (-2147482724, ... ) == 0x0
 00164  2016   NtClose  (-2147482108, ... ) == 0x0
 00165  2016   NtClose  (-2147481596, ... ) == 0x0
 00166  2016   NtClose  (-2147481592, ... ) == 0x0
 00167  2016   NtClose  (-2147481552, ... ) == 0x0
 00168  2016   NtClose  (-2147481580, ... ) == 0x0
 00169  2016   NtClose  (-2147481512, ... ) == 0x0
 00170  2016   NtClose  (-2147482692, ... ) == 0x0
 00171  2016   NtClose  (-2147481584, ... ) == 0x0
 00172  2016   NtClose  (-2147481588, ... ) == 0x0
 00173  2016   NtClose  (-2147482664, ... ) == 0x0
 00174  2016   NtClose  (-2147482668, ... ) == 0x0
 00175  2016   NtClose  (-2147482672, ... ) == 0x0
 00176  2016   NtClose  (-2147482676, ... ) == 0x0
 00177  2016   NtClose  (-2147482748, ... ) == 0x0
 00178  2016   NtClose  (-2147482136, ... ) == 0x0
 00179  2016   NtClose  (-2147481480, ... ) == 0x0
 00180  2016   NtClose  (-2147481484, ... ) == 0x0
 00181  2016   NtClose  (-2147481628, ... ) == 0x0
 00182  2016   NtClose  (-2147482760, ... ) == 0x0
 00183  2016   NtClose  (-2147482680, ... ) == 0x0
 00184  2016   NtClose  (-2147482684, ... ) == 0x0
 00185  2016   NtClose  (-2147481452, ... ) == 0x0
 00186  2016   NtClose  (-2147481368, ... ) == 0x0
 00187  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188  2016   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00189  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00191  2016   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00192  2016   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00193  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00195  2016   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00196  2016   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00197  2016   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00198  2016   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00199  2016   NtClose  (12, ... ) == 0x0
 00200  2016   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00201  2016   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00202  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00204  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00205  2016   NtClose  (16, ... ) == 0x0
 00206  2016   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00207  2016   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00208  2016   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00209  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00210  2016   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00211  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212  2016   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00213  2016   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0
 00214  2016   NtClose  (16, ... ) == 0x0
 00215  2016   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00216  2016   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00217  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218  2016   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00219  2016   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00220  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81831, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ) == 0x0
 00221  2016   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00222  2016   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00223  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00224  2016   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225  2016   NtClose  (16, ... ) == 0x0
 00226  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00227  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00228  2016   NtClose  (16, ... ) == 0x0
 00229  2016   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00230  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00231  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00232  2016   NtClose  (16, ... ) == 0x0
 00233  2016   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00234  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00235  2016   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00236  2016   NtClose  (16, ... ) == 0x0
 00237  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00238  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00239  2016   NtClose  (16, ... ) == 0x0
 00240  2016   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00241  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243  2016   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00244  2016   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 896, 2016, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ... {24, 52, reply, 0, 896, 2016, 81832, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 896, 2016, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ) == 0x0
 00245  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81833, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ) == 0x0
 00246  2016   NtProtectVirtualMemory  (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0
 00247  2016   NtProtectVirtualMemory  (-1, (0x409000), 69632, 128, ... (0x409000), 69632, 4, ) == 0x0
 00248  2016   NtFlushInstructionCache  (-1, 4231168, 65552, ... ) == 0x0
 00249  2016   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00250  2016   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00251  2016   NtReadFile  (16, 0, 0, 0, 4, {25596, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {25596, 0}, 0, ... {status=0x0, info=4}, "\0\0\0\0", ) , ) == 0x0
 00252  2016   NtReadFile  (16, 0, 0, 0, 8, {25588, 0}, 0, ... {status=0x0, info=8},  (16, 0, 0, 0, 8, {25588, 0}, 0, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00253  2016   NtReadFile  (16, 0, 0, 0, 4, {0, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {0, 0}, 0, ... {status=0x0, info=4}, "MZ\220\0", ) , ) == 0x0
 00254  2016   NtClose  (16, ... ) == 0x0
 00255  2016   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00256  2016   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00257  2016   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00258  2016   NtClose  (16, ... ) == 0x0
 00259  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00260  2016   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00261  2016   NtClose  (16, ... ) == 0x0
 00262  2016   NtTestAlert  (... ) == 0x0
 00263  2016   NtContinue  (1244464, 1, ...
 00264  2016   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40283e,}, 4, ... ) == 0x0
 00265  2016   NtQueryVirtualMemory  (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 00266  2016   NtContinue  (1244400, 0, ...
 00267  2016   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0
 00268  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00269  2016   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00270  2016   NtClose  (16, ... ) == 0x0
 00271  2016   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00272  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00273  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00274  2016   NtClose  (16, ... ) == 0x0
 00275  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00276  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00277  2016   NtClose  (16, ... ) == 0x0
 00278  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00279  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00280  2016   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00281  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00282  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00283  2016   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00284  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00285  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00286  2016   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00287  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00288  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00289  2016   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00290  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00291  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00292  2016   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00293  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00294  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00295  2016   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00296  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00297  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00299  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81834, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81834, 0}  (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81834, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ) == 0x0
 00300  2016   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00301  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0
 00302  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00303  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0
 00304  2016   NtClose  (16, ... ) == 0x0
 00305  2016   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00306  2016   NtClose  (28, ... ) == 0x0
 00307  2016   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00308  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0
 00309  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00310  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0
 00311  2016   NtClose  (28, ... ) == 0x0
 00312  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00313  2016   NtClose  (16, ... ) == 0x0
 00314  2016   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00315  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0
 00316  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00317  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00318  2016   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00319  2016   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00320  2016   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00321  2016   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00322  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00323  2016   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00324  2016   NtClose  (36, ... ) == 0x0
 00325  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00326  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00327  2016   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00328  2016   NtClose  (36, ... ) == 0x0
 00329  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00330  2016   NtClose  (32, ... ) == 0x0
 00331  2016   NtClose  (16, ... ) == 0x0
 00332  2016   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00333  2016   NtClose  (28, ... ) == 0x0
 00334  2016   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00335  2016   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00336  2016   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00337  2016   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00338  2016   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00339  2016   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00340  2016   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00341  2016   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00342  2016   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00343  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00344  2016   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00345  2016   NtClose  (28, ... ) == 0x0
 00346  2016   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00347  2016   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00348  2016   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00349  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00350  2016   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00351  2016   NtClose  (28, ... ) == 0x0
 00352  2016   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00353  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00354  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00355  2016   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00356  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00357  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00358  2016   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00359  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00360  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00361  2016   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00362  2016   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00363  2016   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00364  2016   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00365  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00366  2016   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00367  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00368  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00369  2016   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00370  2016   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00371  2016   NtClose  (28, ... ) == 0x0
 00372  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00373  2016   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00374  2016   NtClose  (28, ... ) == 0x0
 00375  2016   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00376  2016   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00377  2016   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00378  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00379  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00380  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0
 00381  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00382  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0
 00384  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0
 00386  2016   NtQueryValueKey  (16,  (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00387  2016   NtClose  (16, ... ) == 0x0
 00388  2016   NtMapViewOfSection  (-2147481368, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0
 00389  2016   NtClose  (-2147481368, ... ) == 0x0
 00390  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0
 00391  2016   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00392  2016   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147481368, ) == 0x0
 00393  2016   NtQueryInformationToken  (-2147481368, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00394  2016   NtQueryInformationToken  (-2147481368, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00395  2016   NtClose  (-2147481368, ... ) == 0x0
 00396  2016   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5439488, 4096, ) == 0x0
 00397  2016   NtFreeVirtualMemory  (-1, (0x530000), 4096, 32768, ... (0x530000), 4096, ) == 0x0
 00398  2016   NtDuplicateObject  (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00399  2016   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00400  2016   NtQueryValueKey  (-2147481368,  (-2147481368, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00401  2016   NtClose  (-2147481368, ... ) == 0x0
 00402  2016   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147481368, ) }, ... -2147481368, ) == 0x0
 00403  2016   NtQueryValueKey  (-2147481368,  (-2147481368, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00404  2016   NtClose  (-2147481368, ... ) == 0x0
 00405  2016   NtQueryDefaultLocale  (0, -135747252, ... ) == 0x0
 00406  2016   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00407  2016   NtUserCallNoParam  (24, ... ) == 0x0
 00408  2016   NtGdiCreateCompatibleDC  (0, ...
 00409  2016   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5439488, 4096, ) == 0x0
 00408  2016   NtGdiCreateCompatibleDC  ... ) == 0x860107ab
 00410  2016   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00411  2016   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00412  2016   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x870506a2
 00413  2016   NtGdiCreateSolidBrush  (0, 0, ...
 00414  2016   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8650752, 4096, ) == 0x0
 00413  2016   NtGdiCreateSolidBrush  ... ) == 0x1100680
 00415  2016   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00416  2016   NtGdiCreateCompatibleDC  (0, ... ) == 0xf6010687
 00417  2016   NtGdiSelectBitmap  (-167704953, -2029713758, ... ) == 0x185000f
 00418  2016   NtUserGetThreadDesktop  (2016, 0, ... ) == 0x24
 00419  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00420  2016   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00421  2016   NtClose  (44, ... ) == 0x0
 00422  2016   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00423  2016   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8177c017
 00424  2016   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00425  2016   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8177c01c
 00426  2016   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00427  2016   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8177c01e
 00428  2016   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00429  2016   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81778002
 00430  2016   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10013
 00431  2016   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8177c018
 00432  2016   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00433  2016   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8177c01a
 00434  2016   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00435  2016   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8177c01d
 00436  2016   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00437  2016   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8177c026
 00438  2016   NtUserFindExistingCursorIcon  (1240712, 1240728, 1240776, ... ) == 0x10011
 00439  2016   NtUserRegisterClassExWOW  (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8177c019
 00440  2016   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c020
 00441  2016   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c022
 00442  2016   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c023
 00443  2016   NtUserRegisterClassExWOW  (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c024
 00444  2016   NtUserRegisterClassExWOW  (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c025
 00445  2016   NtCallbackReturn  (0, 0, 0, ...
 00446  2016   NtGdiInit  (... ) == 0x1
 00447  2016   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00448  2016   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00449  2016   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 8716288, 28672, ) == 0x0
 00450  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00451  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00452  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0
 00453  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00454  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0
 00455  2016   NtQuerySection  (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00456  2016   NtClose  (44, ... ) == 0x0
 00457  2016   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00458  2016   NtClose  (48, ... ) == 0x0
 00459  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0
 00460  2016   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00461  2016   NtClose  (48, ... ) == 0x0
 00462  2016   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00463  2016   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00464  2016   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00465  2016   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00466  2016   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00467  2016   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00468  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00469  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00470  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0
 00471  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0
 00472  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0
 00473  2016   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00474  2016   NtClose  (48, ... ) == 0x0
 00475  2016   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00476  2016   NtClose  (44, ... ) == 0x0
 00477  2016   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00478  2016   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00479  2016   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00480  2016   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00481  2016   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00482  2016   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00483  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00484  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00485  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0
 00486  2016   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0
 00487  2016   NtAllocateVirtualMemory  (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0
 00488  2016   NtAllocateVirtualMemory  (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0
 00489  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00490  2016   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0
 00491  2016   NtClose  (44, ... ) == 0x0
 00492  2016   NtAllocateVirtualMemory  (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0
 00493  2016   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00494  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00495  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00496  2016   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00497  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00498  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00499  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00500  2016   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00501  2016   NtFreeVirtualMemory  (-1, (0x850000), 0, 32768, ... (0x850000), 28672, ) == 0x0
 00502  2016   NtFreeVirtualMemory  (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0
 00503  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00504  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00505  2016   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00506  2016   NtAllocateVirtualMemory  (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0
 00507  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 8912896, 1048576, ) == 0x0
 00508  2016   NtAllocateVirtualMemory  (-1, 8912896, 0, 32768, 4096, 4, ... 8912896, 32768, ) == 0x0
 00509  2016   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0
 00510  2016   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 48, ) }, 0, ... 48, ) == 0x0
 00511  2016   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00512  2016   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00513  2016   NtQueryValueKey  (52,  (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00514  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00515  2016   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Protocol_Catalog9"}, ... 60, ) }, ... 60, ) == 0x0
 00516  2016   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00517  2016   NtNotifyChangeKey  (60, 56, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00518  2016   NtQueryValueKey  (60,  (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0
 00519  2016   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00520  2016   NtQueryValueKey  (60,  (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0
 00521  2016   NtQueryValueKey  (60,  (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0
 00522  2016   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Catalog_Entries"}, ... 64, ) }, ... 64, ) == 0x0
 00523  2016   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00524  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000001"}, ... 68, ) }, ... 68, ) == 0x0
 00525  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00526  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00527  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\20\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\20\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\21\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\22\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\22\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\20\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\20\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\21\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\22\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\22\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\22\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\20\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\20\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\21\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\22\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\22\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00528  2016   NtClose  (68, ... ) == 0x0
 00529  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000002"}, ... 68, ) }, ... 68, ) == 0x0
 00530  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00531  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00532  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\25\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\25\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\26\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\27\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\25\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\25\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\26\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\27\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\25\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\25\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\26\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\27\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00533  2016   NtClose  (68, ... ) == 0x0
 00534  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000003"}, ... 68, ) }, ... 68, ) == 0x0
 00535  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00536  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00537  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\32\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\32\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\33\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\33\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\34\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\34\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\35\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\32\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\32\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\33\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\33\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\34\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\34\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\35\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\34\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\35\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\32\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\32\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\33\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\33\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\34\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\34\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\35\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00538  2016   NtClose  (68, ... ) == 0x0
 00539  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000004"}, ... 68, ) }, ... 68, ) == 0x0
 00540  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00541  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00542  2016   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00543  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0 \2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0 \2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0!\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0"\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0 \2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0 \2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0!\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0"\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0 \2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0 \2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0!\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0"\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0 \2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0 \2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0!\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0"\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00544  2016   NtClose  (68, ... ) == 0x0
 00545  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000005"}, ... 68, ) }, ... 68, ) == 0x0
 00546  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00547  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00548  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0%\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0%\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0&\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0'\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0'\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0%\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0%\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0&\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0'\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0'\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0'\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0%\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0%\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0&\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0'\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0'\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00549  2016   NtClose  (68, ... ) == 0x0
 00550  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000006"}, ... 68, ) }, ... 68, ) == 0x0
 00551  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00552  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00553  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0*\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0*\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0+\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0,\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0*\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0*\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0+\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0,\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0*\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0*\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0+\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0,\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00554  2016   NtClose  (68, ... ) == 0x0
 00555  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000007"}, ... 68, ) }, ... 68, ) == 0x0
 00556  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00557  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00558  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0/\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0/\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\00\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\01\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\01\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0/\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0/\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\00\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\01\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\01\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\01\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0/\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0/\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\00\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\01\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\01\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00559  2016   NtClose  (68, ... ) == 0x0
 00560  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000008"}, ... 68, ) }, ... 68, ) == 0x0
 00561  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00562  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00563  2016   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00564  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\05\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\211e@\0\0\2\0\0\4\0\0\0\0\0\0\08\275D\0\12D@\0:n@\0\2\0\0\0\240\16\210\0@\15\210\0\24\0\0\0\0\0\0\0\0\360\375\177\6\0\0\0\4m\360\367\224\377\22\0\217_a\200\340\377\22\0d\222@\0\30\321@\0\0\0\0\0\360\377\22\0\327o\201|\24\0\0\0\0\0\0\0\0\360\375\177\375?T\200\310\377\22\0 \307h\201\377\377\377\377\250\232\203|\340o\201|\0\0\0\0\0\0\0\0\0\0\0\0\206m@\0\0\0\0\0Actx \0\0\0\1\0\0\0\230$\0\0\304\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\24\0\0\0\1\0\0\0\6\0\0\04\0\0\0\24\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\2\0\0\234\1\0\0\0\0\0\0[IY-\260\3\0\02\0\0\0\344\3\0\0\322\2\0\0\0\0\0\0\344\2\2\203\270\6\0\0F\0\0\0\0\7\0\0\352\2\0\0\0\0\0\0\322\325\214\321\354\11\0\0F\0\0\04\12\0\0\352\2\0\0\0\0\0\0.\255j\330 \15\0\0F\0\0\0h\15\0\0\4\3\0\0\20\0\0\0\4\0\0\0\324\0\0\0\2\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\05\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\211e@\0\0\2\0\0\4\0\0\0\0\0\0\08\275D\0\12D@\0:n@\0\2\0\0\0\240\16\210\0@\15\210\0\24\0\0\0\0\0\0\0\0\360\375\177\6\0\0\0\4m\360\367\224\377\22\0\217_a\200\340\377\22\0d\222@\0\30\321@\0\0\0\0\0\360\377\22\0\327o\201|\24\0\0\0\0\0\0\0\0\360\375\177\375?T\200\310\377\22\0 \307h\201\377\377\377\377\250\232\203|\340o\201|\0\0\0\0\0\0\0\0\0\0\0\0\206m@\0\0\0\0\0Actx \0\0\0\1\0\0\0\230$\0\0\304\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\24\0\0\0\1\0\0\0\6\0\0\04\0\0\0\24\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\2\0\0\234\1\0\0\0\0\0\0[IY-\260\3\0\02\0\0\0\344\3\0\0\322\2\0\0\0\0\0\0\344\2\2\203\270\6\0\0F\0\0\0\0\7\0\0\352\2\0\0\0\0\0\0\322\325\214\321\354\11\0\0F\0\0\04\12\0\0\352\2\0\0\0\0\0\0.\255j\330 \15\0\0F\0\0\0h\15\0\0\4\3\0\0\20\0\0\0\4\0\0\0\324\0\0\0\2\0\0\0"}, 900, ) }, 900, ) == 0x0
 00565  2016   NtClose  (68, ... ) == 0x0
 00566  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000009"}, ... 68, ) }, ... 68, ) == 0x0
 00567  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00568  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00569  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0:\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0:\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0;\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0<\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0:\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0:\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0;\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0<\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0:\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0:\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0;\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0<\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00570  2016   NtClose  (68, ... ) == 0x0
 00571  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000010"}, ... 68, ) }, ... 68, ) == 0x0
 00572  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00573  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00574  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0?\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0?\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0@\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0A\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0?\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0?\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0@\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0A\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0?\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0?\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0@\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0A\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00575  2016   NtClose  (68, ... ) == 0x0
 00576  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000011"}, ... 68, ) }, ... 68, ) == 0x0
 00577  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00578  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00579  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0D\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0D\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0E\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0F\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0F\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0D\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0D\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0E\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0F\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0F\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0F\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0D\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0D\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0E\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0F\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0F\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00580  2016   NtClose  (68, ... ) == 0x0
 00581  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000012"}, ... 68, ) }, ... 68, ) == 0x0
 00582  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00583  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00584  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0I\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0I\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0J\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0J\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0K\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0K\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0L\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0I\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0I\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0J\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0J\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0K\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0K\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0L\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0K\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0L\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0I\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0I\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0J\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0J\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0K\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0K\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0L\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00585  2016   NtClose  (68, ... ) == 0x0
 00586  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000013"}, ... 68, ) }, ... 68, ) == 0x0
 00587  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00588  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00589  2016   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00590  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0O\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0O\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0P\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Q\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0O\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0O\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0P\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Q\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0O\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0O\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0P\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Q\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00591  2016   NtClose  (68, ... ) == 0x0
 00592  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000014"}, ... 68, ) }, ... 68, ) == 0x0
 00593  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00594  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00595  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0T\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0T\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0U\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0V\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0T\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0T\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0U\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0V\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0T\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0T\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0U\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0V\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00596  2016   NtClose  (68, ... ) == 0x0
 00597  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000015"}, ... 68, ) }, ... 68, ) == 0x0
 00598  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00599  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00600  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0Y\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0Y\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0Z\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0[\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0Y\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0Y\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0Z\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0[\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0Y\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0Y\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0Z\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0[\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00601  2016   NtClose  (68, ... ) == 0x0
 00602  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000016"}, ... 68, ) }, ... 68, ) == 0x0
 00603  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00604  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00605  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0^\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0^\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0_\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0`\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0^\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0^\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0_\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0`\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0^\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0^\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0_\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0_\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0`\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0`\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0a\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00606  2016   NtClose  (68, ... ) == 0x0
 00607  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000017"}, ... 68, ) }, ... 68, ) == 0x0
 00608  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00609  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00610  2016   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00611  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0d\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0d\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0e\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0f\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0d\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0d\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0e\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0f\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0d\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0d\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0e\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0f\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00612  2016   NtClose  (68, ... ) == 0x0
 00613  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000018"}, ... 68, ) }, ... 68, ) == 0x0
 00614  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00615  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00616  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0i\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0i\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0j\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0k\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0i\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0i\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0j\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0k\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0i\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0i\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0j\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0k\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00617  2016   NtClose  (68, ... ) == 0x0
 00618  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000019"}, ... 68, ) }, ... 68, ) == 0x0
 00619  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00620  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00621  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0n\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0n\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0o\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0p\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0n\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0n\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0o\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0p\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0n\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0n\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0o\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0p\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00622  2016   NtClose  (68, ... ) == 0x0
 00623  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000020"}, ... 68, ) }, ... 68, ) == 0x0
 00624  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00625  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00626  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0s\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0s\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0t\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0u\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0s\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0s\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0t\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0u\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0s\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0s\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0t\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0u\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00627  2016   NtClose  (68, ... ) == 0x0
 00628  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000021"}, ... 68, ) }, ... 68, ) == 0x0
 00629  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00630  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00631  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0x\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0x\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0y\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0z\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0x\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0x\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0y\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0z\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0x\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0x\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0y\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0z\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\2\0\0\200\3\0\0\340\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\374\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00632  2016   NtClose  (68, ... ) == 0x0
 00633  2016   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "000000000022"}, ... 68, ) }, ... 68, ) == 0x0
 00634  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00635  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00636  2016   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00637  2016   NtQueryValueKey  (68,  (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0~\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0~\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\177\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\2\0\0\200\3\0\0\340\7\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\2\0\0\200\3\0\0\340\7\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\201\2\0\0\200\3\0\0\340\7\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\201\2\0\0\200\3\0\0\340\7\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\202\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0~\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0~\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\177\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\2\0\0\200\3\0\0\340\7\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\2\0\0\200\3\0\0\340\7\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\201\2\0\0\200\3\0\0\340\7\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\201\2\0\0\200\3\0\0\340\7\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\202\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0~\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0~\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\177\2\0\0\200\3\0\0\340\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\2\0\0\200\3\0\0\340\7\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\2\0\0\200\3\0\0\340\7\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\201\2\0\0\200\3\0\0\340\7\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\201\2\0\0\200\3\0\0\340\7\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\202\2\0\0\200\3\0\0\340\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00638  2016   NtClose  (68, ... ) == 0x0
 00639  2016   NtClose  (64, ... ) == 0x0
 00640  2016   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00641  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00642  2016   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 68, ) }, ... 68, ) == 0x0
 00643  2016   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00644  2016   NtNotifyChangeKey  (68, 64, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103
 00645  2016   NtQueryValueKey  (68,  (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0
 00646  2016   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00647  2016   NtQueryValueKey  (68,  (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00648  2016   NtOpenKey  (0x2000000, {24, 68, 0x40, 0, 0,  (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0
 00649  2016   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0
 00650  2016   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00651  2016   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00652  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00653  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00654  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00655  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00656  2016   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00657  2016   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00658  2016   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00659  2016   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00660  2016   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00661  2016   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00662  2016   NtClose  (76, ... ) == 0x0
 00663  2016   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0
 00664  2016   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00665  2016   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00666  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00667  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00668  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00669  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00670  2016   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00671  2016   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672  2016   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00673  2016   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00674  2016   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00675  2016   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00676  2016   NtClose  (76, ... ) == 0x0
 00677  2016   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0
 00678  2016   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00679  2016   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00680  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00681  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00682  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00683  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00684  2016   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00685  2016   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00686  2016   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00687  2016   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00688  2016   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00689  2016   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00690  2016   NtClose  (76, ... ) == 0x0
 00691  2016   NtOpenKey  (0x20019, {24, 72, 0x40, 0, 0,  (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0
 00692  2016   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00693  2016   NtQueryValueKey  (76,  (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00694  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00695  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00696  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00697  2016   NtQueryValueKey  (76,  (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0
 00698  2016   NtQueryValueKey  (76,  (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0
 00699  2016   NtQueryValueKey  (76,  (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00700  2016   NtQueryValueKey  (76,  (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 00701  2016   NtQueryValueKey  (76,  (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00702  2016   NtQueryValueKey  (76,  (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00703  2016   NtQueryValueKey  (76,  (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00704  2016   NtClose  (76, ... ) == 0x0
 00705  2016   NtClose  (72, ... ) == 0x0
 00706  2016   NtWaitForSingleObject  (64, 0, {0, 0}, ... ) == 0x102
 00707  2016   NtClose  (52, ... ) == 0x0
 00708  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00709  2016   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00710  2016   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0
 00711  2016   NtQueryValueKey  (52,  (52, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00712  2016   NtClose  (52, ... ) == 0x0
 00713  2016   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00714  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 52, ) == 0x0
 00715  2016   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241648,  (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0
 00716  2016   NtQueryInformationFile  (72, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00717  2016   NtQueryInformationFile  (72, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00718  2016   NtQueryInformationFile  (72, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00719  2016   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 00720  2016   NtQueryInformationFile  (72, 1355896, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00721  2016   NtQueryInformationFile  (72, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00722  2016   NtQueryInformationFile  (72, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00723  2016   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240416,  (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00724  2016   NtClose  (-2147481368, ... ) == 0x0
 00723  2016   NtCreateFile  ... 76, {status=0x0, info=2}, ) == 0x0
 00725  2016   NtQueryVolumeInformationFile  (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00726  2016   NtQueryInformationFile  (76, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00727  2016   NtQueryVolumeInformationFile  (72, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00728  2016   NtSetInformationFile  (76, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00729  2016   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0
 00730  2016   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x850000), {0, 0}, 28672, ) == 0x0
 00731  2016   NtClose  (80, ... ) == 0x0
 00732  2016   NtWriteFile  (76, 0, 0, 0,  (76, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0i\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) \0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 25600, 0x0, 0, ... {status=0x0, info=25600}, ) == 0x0
 00733  2016   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 00734  2016   NtSetInformationFile  (76, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00735  2016   NtClose  (72, ... ) == 0x0
 00736  2016   NtClose  (76, ... ) == 0x0
 00737  2016   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 76, ) }, ... 76, ) == 0x0
 00738  2016   NtSetValueKey  (76,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 00739  2016   NtSetInformationFile  (-2147482448, -135747792, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00740  2016   NtSetInformationFile  (-2147482448, -135747884, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00741  2016   NtSetInformationFile  (-2147482448, -135748192, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00742  2016   NtSetInformationFile  (-2147482448, -135748288, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00738  2016   NtSetValueKey  ... ) == 0x0
 00743  2016   NtClose  (76, ... ) == 0x0
 00744  2016   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0
 00745  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9961472, 1048576, ) == 0x0
 00746  2016   NtAllocateVirtualMemory  (-1, 11001856, 0, 8192, 4096, 4, ... 11001856, 8192, ) == 0x0
 00747  2016   NtProtectVirtualMemory  (-1, (0xa7e000), 4096, 260, ... (0xa7e000), 4096, 4, ) == 0x0
 00748  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 72, {896, 596}, ) == 0x0
 00749  2016   NtQueryInformationThread  (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=896,Tid=596,}, 0x0, ) == 0x0
 00750  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\200\3\0\0T\2\0\0" ... {28, 56, reply, 0, 896, 2016, 81837, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\200\3\0\0T\2\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81837, 0}  (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\200\3\0\0T\2\0\0" ... {28, 56, reply, 0, 896, 2016, 81837, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\200\3\0\0T\2\0\0" )  ) == 0x0
 00751  2016   NtResumeThread  (72, ... 1, ) == 0x0
 00752  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11010048, 1048576, ) == 0x0
 00753  2016   NtAllocateVirtualMemory  (-1, 12050432, 0, 8192, 4096, 4, ... 12050432, 8192, ) == 0x0
 00754   596   NtTestAlert  (... ) == 0x0
 00755   596   NtContinue  (11009328, 1, ...
 00756   596   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00757   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0
 00758   596   NtWaitForSingleObject  (56, 0, {0, 0}, ... ) == 0x102
 00759   596   NtAllocateVirtualMemory  (-1, 10997760, 0, 4096, 4096, 260, ...
 00760  2016   NtProtectVirtualMemory  (-1, (0xb7e000), 4096, 260, ... (0xb7e000), 4096, 4, ) == 0x0
 00761  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 84, {896, 376}, ) == 0x0
 00762  2016   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=896,Tid=376,}, 0x0, ) == 0x0
 00763  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81837, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81837, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\200\3\0\0x\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81838, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\200\3\0\0x\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81838, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81837, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\200\3\0\0x\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81838, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\200\3\0\0x\1\0\0" )  ) == 0x0
 00764  2016   NtResumeThread  (84, ... 1, ) == 0x0
 00765  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00759   596   NtAllocateVirtualMemory  ... 10997760, 4096, ) == 0x0
 00766   376   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00767   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006452, ... }, 11006452, ...
 00766   376   NtCreateEvent  ... 88, ) == 0x0
 00767   596   NtQueryAttributesFile  ... ) == 0x0
 00768   376   NtWaitForSingleObject  (88, 0, 0x0, ...
 00769   596   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00770   596   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 96, ) == 0x0
 00771   596   NtClose  (92, ... ) == 0x0
 00772   596   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb80000), 0x0, 245760, ) == 0x0
 00773   596   NtClose  (96, ...
 00765  2016   NtAllocateVirtualMemory  ... 12320768, 1048576, ) == 0x0
 00774  2016   NtAllocateVirtualMemory  (-1, 13361152, 0, 8192, 4096, 4, ... 13361152, 8192, ) == 0x0
 00775  2016   NtProtectVirtualMemory  (-1, (0xcbe000), 4096, 260, ... (0xcbe000), 4096, 4, ) == 0x0
 00776  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 92, {896, 420}, ) == 0x0
 00777  2016   NtQueryInformationThread  (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=896,Tid=420,}, 0x0, ) == 0x0
 00778  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81838, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81838, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\200\3\0\0\244\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81839, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\200\3\0\0\244\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81839, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81838, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\200\3\0\0\244\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81839, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\200\3\0\0\244\1\0\0" )  ) == 0x0
 00773   596   NtClose  ... ) == 0x0
 00779   596   NtUnmapViewOfSection  (-1, 0xb80000, ... ) == 0x0
 00780   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006760, ... ) }, 11006760, ... ) == 0x0
 00781   596   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00782   596   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0
 00783   596   NtQuerySection  (100, Image, 48, ...
 00784  2016   NtResumeThread  (92, ... 1, ) == 0x0
 00785  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13369344, 1048576, ) == 0x0
 00786  2016   NtAllocateVirtualMemory  (-1, 14409728, 0, 8192, 4096, 4, ... 14409728, 8192, ) == 0x0
 00787  2016   NtProtectVirtualMemory  (-1, (0xdbe000), 4096, 260, ... (0xdbe000), 4096, 4, ) == 0x0
 00788  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 104, {896, 384}, ) == 0x0
 00789  2016   NtQueryInformationThread  (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=896,Tid=384,}, 0x0, ) == 0x0
 00783   596   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00790   420   NtWaitForSingleObject  (88, 0, 0x0, ...
 00791   596   NtClose  (96, ... ) == 0x0
 00792   596   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0
 00793   596   NtClose  (100, ... ) == 0x0
 00794   596   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00795  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81839, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81839, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\200\3\0\0\200\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81840, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\200\3\0\0\200\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81840, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81839, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\200\3\0\0\200\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81840, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\200\3\0\0\200\1\0\0" )  ) == 0x0
 00796  2016   NtResumeThread  (104, ... 1, ) == 0x0
 00797  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00798   596   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ...
 00799   384   NtWaitForSingleObject  (88, 0, 0x0, ...
 00798   596   NtProtectVirtualMemory  ... (0x71a51000), 4096, 4, ) == 0x0
 00800   596   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00801   596   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00802   596   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00803   596   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00797  2016   NtAllocateVirtualMemory  ... 14417920, 1048576, ) == 0x0
 00804  2016   NtAllocateVirtualMemory  (-1, 15458304, 0, 8192, 4096, 4, ... 15458304, 8192, ) == 0x0
 00805  2016   NtProtectVirtualMemory  (-1, (0xebe000), 4096, 260, ... (0xebe000), 4096, 4, ) == 0x0
 00806  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 100, {896, 1028}, ) == 0x0
 00807  2016   NtQueryInformationThread  (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=896,Tid=1028,}, 0x0, ) == 0x0
 00808  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81840, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81840, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\200\3\0\0\4\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81841, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\200\3\0\0\4\4\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81841, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81840, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\200\3\0\0\4\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81841, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\200\3\0\0\4\4\0\0" )  ) == 0x0
 00809   596   NtProtectVirtualMemory  (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0
 00810   596   NtProtectVirtualMemory  (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0
 00811   596   NtFlushInstructionCache  (-1, 1906642944, 1060, ... ) == 0x0
 00812  2016   NtResumeThread  (100, ... 1, ) == 0x0
 00813  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15466496, 1048576, ) == 0x0
 00814  2016   NtAllocateVirtualMemory  (-1, 16506880, 0, 8192, 4096, 4, ... 16506880, 8192, ) == 0x0
 00815  1028   NtWaitForSingleObject  (88, 0, 0x0, ...
 00816   596   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00817   596   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00818   596   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00819   596   NtSetEventBoostPriority  (88, ...
 00768   376   NtWaitForSingleObject  ... ) == 0x0
 00820   376   NtSetEventBoostPriority  (88, ...
 00790   420   NtWaitForSingleObject  ... ) == 0x0
 00821   420   NtSetEventBoostPriority  (88, ...
 00799   384   NtWaitForSingleObject  ... ) == 0x0
 00822   384   NtSetEventBoostPriority  (88, ...
 00815  1028   NtWaitForSingleObject  ... ) == 0x0
 00823  1028   NtTestAlert  (... ) == 0x0
 00822   384   NtSetEventBoostPriority  ... ) == 0x0
 00821   420   NtSetEventBoostPriority  ... ) == 0x0
 00820   376   NtSetEventBoostPriority  ... ) == 0x0
 00819   596   NtSetEventBoostPriority  ... ) == 0x0
 00824  2016   NtProtectVirtualMemory  (-1, (0xfbe000), 4096, 260, ...
 00825  1028   NtContinue  (15465776, 1, ...
 00826   384   NtTestAlert  (...
 00827   420   NtTestAlert  (...
 00828   596   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00824  2016   NtProtectVirtualMemory  ... (0xfbe000), 4096, 4, ) == 0x0
 00829  1028   NtRegisterThreadTerminatePort  (24, ...
 00826   384   NtTestAlert  ... ) == 0x0
 00827   420   NtTestAlert  ... ) == 0x0
 00828   596   NtCreateEvent  ... 96, ) == 0x0
 00830  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00829  1028   NtRegisterThreadTerminatePort  ... ) == 0x0
 00831   384   NtContinue  (14417200, 1, ...
 00832   420   NtContinue  (13368624, 1, ...
 00833   376   NtTestAlert  (...
 00830  2016   NtCreateThread  ... 108, {896, 2012}, ) == 0x0
 00834  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00835   384   NtRegisterThreadTerminatePort  (24, ...
 00836   420   NtRegisterThreadTerminatePort  (24, ...
 00833   376   NtTestAlert  ... ) == 0x0
 00837  2016   NtQueryInformationThread  (108, Basic, 28, ...
 00834  1028   NtDuplicateObject  ... 112, ) == 0x0
 00835   384   NtRegisterThreadTerminatePort  ... ) == 0x0
 00836   420   NtRegisterThreadTerminatePort  ... ) == 0x0
 00838   376   NtContinue  (12057904, 1, ...
 00837  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=896,Tid=2012,}, 0x0, ) == 0x0
 00839  1028   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00840   384   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00841   420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00842   376   NtRegisterThreadTerminatePort  (24, ...
 00843   596   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ...
 00844  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81841, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81841, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0\200\3\0\0\334\7\0\0" ...  ...
 00839  1028   NtWaitForSingleObject  ... ) == 0x102
 00840   384   NtDuplicateObject  ... 116, ) == 0x0
 00842   376   NtRegisterThreadTerminatePort  ... ) == 0x0
 00843   596   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81842, 0}  ... {28, 56, reply, 0, 896, 2016, 81842, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0\200\3\0\0\334\7\0\0" )  ) == 0x0
 00845  1028   NtAllocateVirtualMemory  (-1, 15454208, 0, 4096, 4096, 260, ...
 00846   384   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00847   376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00848   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11006372, ... }, 11006372, ...
 00849  2016   NtResumeThread  (108, ...
 00845  1028   NtAllocateVirtualMemory  ... 15454208, 4096, ) == 0x0
 00846   384   NtWaitForSingleObject  ... ) == 0x102
 00841   420   NtDuplicateObject  ... 120, ) == 0x0
 00849  2016   NtResumeThread  ... 1, ) == 0x0
 00850  1028   NtWaitForSingleObject  (88, 0, 0x0, ...
 00851   384   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00852   420   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00853  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00851   384   NtCreateEvent  ... 124, ) == 0x0
 00852   420   NtWaitForSingleObject  ... ) == 0x102
 00847   376   NtDuplicateObject  ... 128, ) == 0x0
 00854  2012   NtWaitForSingleObject  (88, 0, 0x0, ...
 00853  2016   NtAllocateVirtualMemory  ... 16515072, 1048576, ) == 0x0
 00855   420   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00856   376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00857  2016   NtAllocateVirtualMemory  (-1, 17555456, 0, 8192, 4096, 4, ...
 00855   420   NtCreateEvent  ... 132, ) == 0x0
 00856   376   NtWaitForSingleObject  ... ) == 0x102
 00857  2016   NtAllocateVirtualMemory  ... 17555456, 8192, ) == 0x0
 00858   384   NtWaitForSingleObject  (124, 0, 0x0, ...
 00859   376   NtWaitForSingleObject  (124, 0, 0x0, ...
 00860  2016   NtProtectVirtualMemory  (-1, (0x10be000), 4096, 260, ... (0x10be000), 4096, 4, ) == 0x0
 00861  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 136, {896, 1168}, ) == 0x0
 00862  2016   NtQueryInformationThread  (136, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=896,Tid=1168,}, 0x0, ) == 0x0
 00863  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81842, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81842, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\200\3\0\0\220\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81843, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\200\3\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81843, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81842, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\200\3\0\0\220\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81843, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\200\3\0\0\220\4\0\0" )  ) == 0x0
 00864   420   NtClose  (132, ... ) == 0x0
 00865   420   NtWaitForSingleObject  (124, 0, 0x0, ...
 00866  2016   NtResumeThread  (136, ... 1, ) == 0x0
 00867  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17563648, 1048576, ) == 0x0
 00868  2016   NtAllocateVirtualMemory  (-1, 18604032, 0, 8192, 4096, 4, ... 18604032, 8192, ) == 0x0
 00869  1168   NtWaitForSingleObject  (88, 0, 0x0, ...
 00870  2016   NtProtectVirtualMemory  (-1, (0x11be000), 4096, 260, ... (0x11be000), 4096, 4, ) == 0x0
 00871  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 132, {896, 1180}, ) == 0x0
 00872  2016   NtQueryInformationThread  (132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=896,Tid=1180,}, 0x0, ) == 0x0
 00873  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81843, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81843, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\200\3\0\0\234\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81844, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\200\3\0\0\234\4\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81844, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81843, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\200\3\0\0\234\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81844, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\0\0\0\200\3\0\0\234\4\0\0" )  ) == 0x0
 00874  2016   NtResumeThread  (132, ... 1, ) == 0x0
 00875  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00848   596   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00876  1180   NtWaitForSingleObject  (88, 0, 0x0, ...
 00877   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11006372, ... ) }, 11006372, ... ) == 0x0
 00878   596   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... 140, {status=0x0, info=1}, ) }, 5, 96, ... 140, {status=0x0, info=1}, ) == 0x0
 00879   596   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 140, ... 144, ) == 0x0
 00880   596   NtQuerySection  (144, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00881   596   NtClose  (140, ... ) == 0x0
 00882   596   NtMapViewOfSection  (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 00875  2016   NtAllocateVirtualMemory  ... 18612224, 1048576, ) == 0x0
 00883  2016   NtAllocateVirtualMemory  (-1, 19652608, 0, 8192, 4096, 4, ... 19652608, 8192, ) == 0x0
 00884  2016   NtProtectVirtualMemory  (-1, (0x12be000), 4096, 260, ... (0x12be000), 4096, 4, ) == 0x0
 00885  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 140, {896, 928}, ) == 0x0
 00886  2016   NtQueryInformationThread  (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=896,Tid=928,}, 0x0, ) == 0x0
 00887  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81844, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81844, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\200\3\0\0\240\3\0\0" ... {28, 56, reply, 0, 896, 2016, 81845, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\200\3\0\0\240\3\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81845, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81844, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\200\3\0\0\240\3\0\0" ... {28, 56, reply, 0, 896, 2016, 81845, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\0\0\0\200\3\0\0\240\3\0\0" )  ) == 0x0
 00882   596   NtMapViewOfSection  ... (0x662b0000), 0x0, 360448, ) == 0x0
 00888   596   NtClose  (144, ... ) == 0x0
 00889   596   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00890   596   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00891   596   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00892   596   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00893   596   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 00894  2016   NtResumeThread  (140, ... 1, ) == 0x0
 00895  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19660800, 1048576, ) == 0x0
 00896  2016   NtAllocateVirtualMemory  (-1, 20701184, 0, 8192, 4096, 4, ... 20701184, 8192, ) == 0x0
 00897  2016   NtProtectVirtualMemory  (-1, (0x13be000), 4096, 260, ... (0x13be000), 4096, 4, ) == 0x0
 00898  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {896, 428}, ) == 0x0
 00899  2016   NtQueryInformationThread  (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=896,Tid=428,}, 0x0, ) == 0x0
 00893   596   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 00900   928   NtWaitForSingleObject  (88, 0, 0x0, ...
 00901   596   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00902   596   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00903   596   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00904   596   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00905   596   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00906   596   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ...
 00907  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81845, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81845, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\200\3\0\0\254\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\200\3\0\0\254\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81846, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81845, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\200\3\0\0\254\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\200\3\0\0\254\1\0\0" )  ) == 0x0
 00908  2016   NtResumeThread  (144, ... 1, ) == 0x0
 00909  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20709376, 1048576, ) == 0x0
 00910  2016   NtAllocateVirtualMemory  (-1, 21749760, 0, 8192, 4096, 4, ... 21749760, 8192, ) == 0x0
 00911  2016   NtProtectVirtualMemory  (-1, (0x14be000), 4096, 260, ... (0x14be000), 4096, 4, ) == 0x0
 00912  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00906   596   NtProtectVirtualMemory  ... (0x662b1000), 4096, 4, ) == 0x0
 00913   428   NtWaitForSingleObject  (88, 0, 0x0, ...
 00914   596   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00915   596   NtProtectVirtualMemory  (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0
 00916   596   NtProtectVirtualMemory  (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0
 00917   596   NtFlushInstructionCache  (-1, 1714098176, 932, ... ) == 0x0
 00918   596   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00919   596   NtSetEventBoostPriority  (88, ...
 00912  2016   NtCreateThread  ... 148, {896, 1732}, ) == 0x0
 00920  2016   NtQueryInformationThread  (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=896,Tid=1732,}, 0x0, ) == 0x0
 00921  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81846, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\200\3\0\0\304\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81847, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\200\3\0\0\304\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81847, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\200\3\0\0\304\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81847, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\200\3\0\0\304\6\0\0" )  ) == 0x0
 00922  2016   NtResumeThread  (148, ... 1, ) == 0x0
 00923  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21757952, 1048576, ) == 0x0
 00924  2016   NtAllocateVirtualMemory  (-1, 22798336, 0, 8192, 4096, 4, ... 22798336, 8192, ) == 0x0
 00850  1028   NtWaitForSingleObject  ... ) == 0x0
 00919   596   NtSetEventBoostPriority  ... ) == 0x0
 00925  1732   NtWaitForSingleObject  (88, 0, 0x0, ...
 00926  1028   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15461328, ... }, 15461328, ...
 00927   596   NtWaitForSingleObject  (88, 0, 0x0, ...
 00926  1028   NtQueryAttributesFile  ... ) == 0x0
 00928  2016   NtProtectVirtualMemory  (-1, (0x15be000), 4096, 260, ... (0x15be000), 4096, 4, ) == 0x0
 00929  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 152, {896, 748}, ) == 0x0
 00930  2016   NtQueryInformationThread  (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=896,Tid=748,}, 0x0, ) == 0x0
 00931  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81847, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81847, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\200\3\0\0\354\2\0\0" ... {28, 56, reply, 0, 896, 2016, 81848, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\200\3\0\0\354\2\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81848, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81847, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\200\3\0\0\354\2\0\0" ... {28, 56, reply, 0, 896, 2016, 81848, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\200\3\0\0\354\2\0\0" )  ) == 0x0
 00932  2016   NtResumeThread  (152, ... 1, ) == 0x0
 00933  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00934  1028   NtSetEventBoostPriority  (88, ...
 00935   748   NtWaitForSingleObject  (88, 0, 0x0, ...
 00854  2012   NtWaitForSingleObject  ... ) == 0x0
 00934  1028   NtSetEventBoostPriority  ... ) == 0x0
 00936  2012   NtSetEventBoostPriority  (88, ...
 00869  1168   NtWaitForSingleObject  ... ) == 0x0
 00937  1168   NtSetEventBoostPriority  (88, ...
 00876  1180   NtWaitForSingleObject  ... ) == 0x0
 00938  1180   NtSetEventBoostPriority  (88, ...
 00900   928   NtWaitForSingleObject  ... ) == 0x0
 00939   928   NtSetEventBoostPriority  (88, ...
 00913   428   NtWaitForSingleObject  ... ) == 0x0
 00940   428   NtSetEventBoostPriority  (88, ...
 00925  1732   NtWaitForSingleObject  ... ) == 0x0
 00941  1732   NtSetEventBoostPriority  (88, ...
 00927   596   NtWaitForSingleObject  ... ) == 0x0
 00942   596   NtSetEventBoostPriority  (88, ...
 00935   748   NtWaitForSingleObject  ... ) == 0x0
 00943   748   NtTestAlert  (... ) == 0x0
 00942   596   NtSetEventBoostPriority  ... ) == 0x0
 00941  1732   NtSetEventBoostPriority  ... ) == 0x0
 00940   428   NtSetEventBoostPriority  ... ) == 0x0
 00939   928   NtSetEventBoostPriority  ... ) == 0x0
 00938  1180   NtSetEventBoostPriority  ... ) == 0x0
 00937  1168   NtSetEventBoostPriority  ... ) == 0x0
 00936  2012   NtSetEventBoostPriority  ... ) == 0x0
 00944  1028   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00933  2016   NtAllocateVirtualMemory  ... 22806528, 1048576, ) == 0x0
 00945   748   NtContinue  (22805808, 1, ...
 00946   596   NtQuerySystemInformation  (Basic, 44, ...
 00947  1732   NtTestAlert  (...
 00948   428   NtTestAlert  (...
 00949   928   NtTestAlert  (...
 00950  1180   NtTestAlert  (...
 00951  1168   NtTestAlert  (...
 00944  1028   NtCreateEvent  ... 156, ) == 0x0
 00952  2016   NtAllocateVirtualMemory  (-1, 23846912, 0, 8192, 4096, 4, ...
 00953   748   NtRegisterThreadTerminatePort  (24, ...
 00946   596   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00947  1732   NtTestAlert  ... ) == 0x0
 00948   428   NtTestAlert  ... ) == 0x0
 00949   928   NtTestAlert  ... ) == 0x0
 00950  1180   NtTestAlert  ... ) == 0x0
 00951  1168   NtTestAlert  ... ) == 0x0
 00954  1028   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 00952  2016   NtAllocateVirtualMemory  ... 23846912, 8192, ) == 0x0
 00953   748   NtRegisterThreadTerminatePort  ... ) == 0x0
 00955   596   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ...
 00956  1732   NtContinue  (21757232, 1, ...
 00957   428   NtContinue  (20708656, 1, ...
 00958   928   NtContinue  (19660080, 1, ...
 00959  1180   NtContinue  (18611504, 1, ...
 00960  1168   NtContinue  (17562928, 1, ...
 00954  1028   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00961  2016   NtProtectVirtualMemory  (-1, (0x16be000), 4096, 260, ...
 00962   748   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00955   596   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00963  1732   NtRegisterThreadTerminatePort  (24, ...
 00964   428   NtRegisterThreadTerminatePort  (24, ...
 00965   928   NtRegisterThreadTerminatePort  (24, ...
 00966  1180   NtRegisterThreadTerminatePort  (24, ...
 00967  1168   NtRegisterThreadTerminatePort  (24, ...
 00968  2012   NtTestAlert  (...
 00961  2016   NtProtectVirtualMemory  ... (0x16be000), 4096, 4, ) == 0x0
 00962   748   NtDuplicateObject  ... 160, ) == 0x0
 00969   596   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ...
 00963  1732   NtRegisterThreadTerminatePort  ... ) == 0x0
 00964   428   NtRegisterThreadTerminatePort  ... ) == 0x0
 00965   928   NtRegisterThreadTerminatePort  ... ) == 0x0
 00966  1180   NtRegisterThreadTerminatePort  ... ) == 0x0
 00967  1168   NtRegisterThreadTerminatePort  ... ) == 0x0
 00968  2012   NtTestAlert  ... ) == 0x0
 00970  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 00971   748   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00969   596   NtOpenKey  ... 164, ) == 0x0
 00972  1732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00973   428   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00974   928   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00975  1180   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00976  1168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00977  2012   NtContinue  (16514352, 1, ...
 00978  1028   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 15461432, ... }, 15461432, ...
 00970  2016   NtCreateThread  ... 168, {896, 900}, ) == 0x0
 00971   748   NtWaitForSingleObject  ... ) == 0x102
 00979   596   NtQueryValueKey  (164,  (164, "MaxRpcSize", Partial, 144, ... , Partial, 144, ...
 00972  1732   NtDuplicateObject  ... 172, ) == 0x0
 00973   428   NtDuplicateObject  ... 176, ) == 0x0
 00974   928   NtDuplicateObject  ... 180, ) == 0x0
 00975  1180   NtDuplicateObject  ... 184, ) == 0x0
 00980  2012   NtRegisterThreadTerminatePort  (24, ...
 00981  2016   NtQueryInformationThread  (168, Basic, 28, ...
 00982   748   NtWaitForSingleObject  (124, 0, 0x0, ...
 00979   596   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00983  1732   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00984   428   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00985   928   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00986  1180   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00980  2012   NtRegisterThreadTerminatePort  ... ) == 0x0
 00981  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=896,Tid=900,}, 0x0, ) == 0x0
 00987   596   NtClose  (164, ...
 00983  1732   NtWaitForSingleObject  ... ) == 0x102
 00984   428   NtWaitForSingleObject  ... ) == 0x102
 00985   928   NtWaitForSingleObject  ... ) == 0x102
 00986  1180   NtWaitForSingleObject  ... ) == 0x102
 00988  2012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00989  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81848, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81848, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\200\3\0\0\204\3\0\0" ...  ...
 00987   596   NtClose  ... ) == 0x0
 00990  1732   NtWaitForSingleObject  (124, 0, 0x0, ...
 00991   428   NtWaitForSingleObject  (124, 0, 0x0, ...
 00992   928   NtWaitForSingleObject  (124, 0, 0x0, ...
 00993  1180   NtWaitForSingleObject  (124, 0, 0x0, ...
 00976  1168   NtDuplicateObject  ... 164, ) == 0x0
 00989  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81849, 0}  ... {28, 56, reply, 0, 896, 2016, 81849, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\0\0\0\200\3\0\0\204\3\0\0" )  ) == 0x0
 00994   596   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ...
 00995  1168   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00988  2012   NtDuplicateObject  ... 188, ) == 0x0
 00994   596   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00995  1168   NtWaitForSingleObject  ... ) == 0x102
 00996  2012   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 00997  2016   NtResumeThread  (168, ...
 00998  1168   NtWaitForSingleObject  (124, 0, 0x0, ...
 00996  2012   NtWaitForSingleObject  ... ) == 0x102
 00997  2016   NtResumeThread  ... 1, ) == 0x0
 00999  2012   NtWaitForSingleObject  (124, 0, 0x0, ...
 01000  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23855104, 1048576, ) == 0x0
 01001  2016   NtAllocateVirtualMemory  (-1, 24895488, 0, 8192, 4096, 4, ... 24895488, 8192, ) == 0x0
 01002  2016   NtProtectVirtualMemory  (-1, (0x17be000), 4096, 260, ... (0x17be000), 4096, 4, ) == 0x0
 01003  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 192, {896, 1388}, ) == 0x0
 01004  2016   NtQueryInformationThread  (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=896,Tid=1388,}, 0x0, ) == 0x0
 01005   596   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 00978  1028   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01006   900   NtWaitForSingleObject  (88, 0, 0x0, ...
 01005   596   NtCreateEvent  ... 196, ) == 0x0
 01007  1028   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 15461432, ... }, 15461432, ...
 01008   596   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01009  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81849, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81849, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\200\3\0\0l\5\0\0" ...  ...
 01008   596   NtCreateEvent  ... 200, ) == 0x0
 01009  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81850, 0}  ... {28, 56, reply, 0, 896, 2016, 81850, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\200\3\0\0l\5\0\0" )  ) == 0x0
 01010   596   NtQuerySystemTime  (...
 01011  2016   NtResumeThread  (192, ...
 01010   596   NtQuerySystemTime  ... {1418360414, 29929616}, ) == 0x0
 01011  2016   NtResumeThread  ... 1, ) == 0x0
 01007  1028   NtQueryAttributesFile  ... ) == 0x0
 01012  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01013  1028   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ...
 01014   596   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01015  1388   NtWaitForSingleObject  (88, 0, 0x0, ...
 01013  1028   NtOpenFile  ... 204, {status=0x0, info=1}, ) == 0x0
 01014   596   NtCreateEvent  ... 208, ) == 0x0
 01016  1028   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 204, ...
 01017   596   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ...
 01016  1028   NtCreateSection  ... 212, ) == 0x0
 01017   596   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01018  1028   NtQuerySection  (212, Image, 48, ...
 01019   596   NtQuerySystemInformation  (Performance, 312, ...
 01012  2016   NtAllocateVirtualMemory  ... 24903680, 1048576, ) == 0x0
 01019   596   NtQuerySystemInformation  ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01020  2016   NtAllocateVirtualMemory  (-1, 25944064, 0, 8192, 4096, 4, ...
 01018  1028   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01020  2016   NtAllocateVirtualMemory  ... 25944064, 8192, ) == 0x0
 01021  1028   NtClose  (204, ...
 01022  2016   NtProtectVirtualMemory  (-1, (0x18be000), 4096, 260, ...
 01021  1028   NtClose  ... ) == 0x0
 01022  2016   NtProtectVirtualMemory  ... (0x18be000), 4096, 4, ) == 0x0
 01023  1028   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 01024  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01023  1028   NtMapViewOfSection  ... (0x76f20000), 0x0, 159744, ) == 0x0
 01025   596   NtQueryInformationProcess  (-1, QuotaLimits, 32, ...
 01026  1028   NtClose  (212, ...
 01025   596   NtQueryInformationProcess  ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01024  2016   NtCreateThread  ... 204, {896, 2036}, ) == 0x0
 01027   596   NtQueryInformationProcess  (-1, VmCounters, 44, ...
 01028  2016   NtQueryInformationThread  (204, Basic, 28, ...
 01027   596   NtQueryInformationProcess  ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01028  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=896,Tid=2036,}, 0x0, ) == 0x0
 01029   596   NtWaitForSingleObject  (88, 0, 0x0, ...
 01030  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81850, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81850, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\200\3\0\0\364\7\0\0" ... {28, 56, reply, 0, 896, 2016, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\200\3\0\0\364\7\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81851, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81850, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\200\3\0\0\364\7\0\0" ... {28, 56, reply, 0, 896, 2016, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\200\3\0\0\364\7\0\0" )  ) == 0x0
 01031  2016   NtResumeThread  (204, ... 1, ) == 0x0
 01032  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25952256, 1048576, ) == 0x0
 01033  2016   NtAllocateVirtualMemory  (-1, 26992640, 0, 8192, 4096, 4, ... 26992640, 8192, ) == 0x0
 01026  1028   NtClose  ... ) == 0x0
 01034  2036   NtWaitForSingleObject  (88, 0, 0x0, ...
 01035  1028   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01036  1028   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01037  1028   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01038  1028   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01039  2016   NtProtectVirtualMemory  (-1, (0x19be000), 4096, 260, ... (0x19be000), 4096, 4, ) == 0x0
 01040  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {896, 1372}, ) == 0x0
 01041  2016   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=896,Tid=1372,}, 0x0, ) == 0x0
 01042  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81851, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\200\3\0\0\\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81852, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\200\3\0\0\\5\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81852, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\200\3\0\0\\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81852, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\200\3\0\0\\5\0\0" )  ) == 0x0
 01043  2016   NtResumeThread  (212, ... 1, ) == 0x0
 01044  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01045  1028   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 01046  1372   NtWaitForSingleObject  (88, 0, 0x0, ...
 01045  1028   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 01047  1028   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01048  1028   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01049  1028   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01050  1028   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01051  1028   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01044  2016   NtAllocateVirtualMemory  ... 27000832, 1048576, ) == 0x0
 01052  2016   NtAllocateVirtualMemory  (-1, 28041216, 0, 8192, 4096, 4, ... 28041216, 8192, ) == 0x0
 01053  2016   NtProtectVirtualMemory  (-1, (0x1abe000), 4096, 260, ... (0x1abe000), 4096, 4, ) == 0x0
 01054  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {896, 1600}, ) == 0x0
 01055  2016   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=896,Tid=1600,}, 0x0, ) == 0x0
 01056  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81852, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81852, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\200\3\0\0@\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81853, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\200\3\0\0@\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81853, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81852, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\200\3\0\0@\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81853, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\200\3\0\0@\6\0\0" )  ) == 0x0
 01057  1028   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01058  1028   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01059  1028   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01060  1028   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01061  1028   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01062  1028   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01063  2016   NtResumeThread  (216, ... 1, ) == 0x0
 01064  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28049408, 1048576, ) == 0x0
 01065  2016   NtAllocateVirtualMemory  (-1, 29089792, 0, 8192, 4096, 4, ... 29089792, 8192, ) == 0x0
 01066  2016   NtProtectVirtualMemory  (-1, (0x1bbe000), 4096, 260, ... (0x1bbe000), 4096, 4, ) == 0x0
 01067  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {896, 1948}, ) == 0x0
 01068  2016   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=896,Tid=1948,}, 0x0, ) == 0x0
 01069  1028   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ...
 01070  1600   NtWaitForSingleObject  (88, 0, 0x0, ...
 01069  1028   NtProtectVirtualMemory  ... (0x76f21000), 4096, 4, ) == 0x0
 01071  1028   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01072  1028   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01073  1028   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 224, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 224, 2, ) , 0, ... 224, 2, ) == 0x0
 01074  1028   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 228, ) }, ... 228, ) == 0x0
 01075  1028   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01076  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81853, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81853, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\200\3\0\0\234\7\0\0" ... {28, 56, reply, 0, 896, 2016, 81854, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\200\3\0\0\234\7\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81854, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81853, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\200\3\0\0\234\7\0\0" ... {28, 56, reply, 0, 896, 2016, 81854, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\200\3\0\0\234\7\0\0" )  ) == 0x0
 01077  2016   NtResumeThread  (220, ... 1, ) == 0x0
 01078  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29097984, 1048576, ) == 0x0
 01079  2016   NtAllocateVirtualMemory  (-1, 30138368, 0, 8192, 4096, 4, ... 30138368, 8192, ) == 0x0
 01080  2016   NtProtectVirtualMemory  (-1, (0x1cbe000), 4096, 260, ... (0x1cbe000), 4096, 4, ) == 0x0
 01081  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01082  1028   NtQueryValueKey  (228,  (228, "QueryAdapterName", Partial, 144, ... , Partial, 144, ...
 01083  1948   NtWaitForSingleObject  (88, 0, 0x0, ...
 01082  1028   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01084  1028   NtQueryValueKey  (224,  (224, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01085  1028   NtQueryValueKey  (228,  (228, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01086  1028   NtQueryValueKey  (224,  (224, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (224, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01087  1028   NtQueryValueKey  (228,  (228, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01088  1028   NtQueryValueKey  (224,  (224, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01081  2016   NtCreateThread  ... 232, {896, 252}, ) == 0x0
 01089  2016   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=896,Tid=252,}, 0x0, ) == 0x0
 01090  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81854, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81854, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\200\3\0\0\374\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81855, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\200\3\0\0\374\0\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81855, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81854, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\200\3\0\0\374\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81855, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\200\3\0\0\374\0\0\0" )  ) == 0x0
 01091  2016   NtResumeThread  (232, ... 1, ) == 0x0
 01092  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30146560, 1048576, ) == 0x0
 01093  2016   NtAllocateVirtualMemory  (-1, 31186944, 0, 8192, 4096, 4, ... 31186944, 8192, ) == 0x0
 01094  1028   NtQueryValueKey  (228,  (228, "AllowUnqualifiedQuery", Partial, 144, ... , Partial, 144, ...
 01095   252   NtWaitForSingleObject  (88, 0, 0x0, ...
 01094  1028   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01096  1028   NtQueryValueKey  (224,  (224, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01097  1028   NtQueryValueKey  (228,  (228, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01098  1028   NtQueryValueKey  (228,  (228, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01099  1028   NtQueryValueKey  (228,  (228, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01100  1028   NtQueryValueKey  (228,  (228, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01101  2016   NtProtectVirtualMemory  (-1, (0x1dbe000), 4096, 260, ... (0x1dbe000), 4096, 4, ) == 0x0
 01102  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {896, 1300}, ) == 0x0
 01103  2016   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=896,Tid=1300,}, 0x0, ) == 0x0
 01104  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81855, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81855, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\200\3\0\0\24\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81856, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\200\3\0\0\24\5\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81856, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81855, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\200\3\0\0\24\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81856, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\200\3\0\0\24\5\0\0" )  ) == 0x0
 01105  2016   NtResumeThread  (236, ... 1, ) == 0x0
 01106  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01107  1028   NtQueryValueKey  (228,  (228, "WaitForNameErrorOnAll", Partial, 144, ... , Partial, 144, ...
 01108  1300   NtWaitForSingleObject  (88, 0, 0x0, ...
 01107  1028   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01109  1028   NtQueryValueKey  (228,  (228, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01110  1028   NtQueryValueKey  (228,  (228, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01111  1028   NtQueryValueKey  (228,  (228, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01112  1028   NtQueryValueKey  (228,  (228, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01113  1028   NtQueryValueKey  (224,  (224, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106  2016   NtAllocateVirtualMemory  ... 31195136, 1048576, ) == 0x0
 01114  2016   NtAllocateVirtualMemory  (-1, 32235520, 0, 8192, 4096, 4, ... 32235520, 8192, ) == 0x0
 01115  2016   NtProtectVirtualMemory  (-1, (0x1ebe000), 4096, 260, ... (0x1ebe000), 4096, 4, ) == 0x0
 01116  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 240, {896, 1096}, ) == 0x0
 01117  2016   NtQueryInformationThread  (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=896,Tid=1096,}, 0x0, ) == 0x0
 01118  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81856, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81856, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\200\3\0\0H\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81857, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\200\3\0\0H\4\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81857, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81856, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\200\3\0\0H\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81857, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\200\3\0\0H\4\0\0" )  ) == 0x0
 01119  1028   NtQueryValueKey  (228,  (228, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01120  1028   NtQueryValueKey  (228,  (228, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01121  1028   NtQueryValueKey  (224,  (224, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122  1028   NtQueryValueKey  (228,  (228, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01123  1028   NtQueryValueKey  (224,  (224, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01124  1028   NtQueryValueKey  (228,  (228, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01125  2016   NtResumeThread  (240, ... 1, ) == 0x0
 01126  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32243712, 1048576, ) == 0x0
 01127  2016   NtAllocateVirtualMemory  (-1, 33284096, 0, 8192, 4096, 4, ... 33284096, 8192, ) == 0x0
 01128  2016   NtProtectVirtualMemory  (-1, (0x1fbe000), 4096, 260, ... (0x1fbe000), 4096, 4, ) == 0x0
 01129  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {896, 1708}, ) == 0x0
 01130  2016   NtQueryInformationThread  (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=896,Tid=1708,}, 0x0, ) == 0x0
 01131  1028   NtQueryValueKey  (224,  (224, "DisableWanDynamicUpdate", Partial, 144, ... , Partial, 144, ...
 01132  1096   NtWaitForSingleObject  (88, 0, 0x0, ...
 01131  1028   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01133  1028   NtQueryValueKey  (228,  (228, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01134  1028   NtQueryValueKey  (224,  (224, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01135  1028   NtQueryValueKey  (228,  (228, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01136  1028   NtQueryValueKey  (224,  (224, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01137  1028   NtQueryValueKey  (228,  (228, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01138  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81857, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81857, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\200\3\0\0\254\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81858, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\200\3\0\0\254\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81858, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81857, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\200\3\0\0\254\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81858, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\200\3\0\0\254\6\0\0" )  ) == 0x0
 01139  2016   NtResumeThread  (244, ... 1, ) == 0x0
 01140  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33292288, 1048576, ) == 0x0
 01141  2016   NtAllocateVirtualMemory  (-1, 34332672, 0, 8192, 4096, 4, ... 34332672, 8192, ) == 0x0
 01142  2016   NtProtectVirtualMemory  (-1, (0x20be000), 4096, 260, ... (0x20be000), 4096, 4, ) == 0x0
 01143  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01144  1028   NtQueryValueKey  (224,  (224, "MaxNumberOfAddressesToRegister", Partial, 144, ... , Partial, 144, ...
 01145  1708   NtWaitForSingleObject  (88, 0, 0x0, ...
 01144  1028   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01146  1028   NtQueryValueKey  (228,  (228, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01147  1028   NtQueryValueKey  (224,  (224, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01148  1028   NtQueryValueKey  (228,  (228, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01149  1028   NtQueryValueKey  (228,  (228, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01150  1028   NtQueryValueKey  (228,  (228, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01143  2016   NtCreateThread  ... 248, {896, 1024}, ) == 0x0
 01151  2016   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=896,Tid=1024,}, 0x0, ) == 0x0
 01152  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81858, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81858, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\200\3\0\0\0\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\200\3\0\0\0\4\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81859, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81858, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\200\3\0\0\0\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\200\3\0\0\0\4\0\0" )  ) == 0x0
 01153  2016   NtResumeThread  (248, ... 1, ) == 0x0
 01154  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34340864, 1048576, ) == 0x0
 01155  2016   NtAllocateVirtualMemory  (-1, 35381248, 0, 8192, 4096, 4, ... 35381248, 8192, ) == 0x0
 01156  1028   NtQueryValueKey  (228,  (228, "MaxCacheSize", Partial, 144, ... , Partial, 144, ...
 01157  1024   NtWaitForSingleObject  (88, 0, 0x0, ...
 01156  1028   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158  1028   NtQueryValueKey  (228,  (228, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01159  1028   NtQueryValueKey  (228,  (228, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01160  1028   NtQueryValueKey  (228,  (228, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01161  1028   NtQueryValueKey  (228,  (228, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01162  1028   NtQueryValueKey  (228,  (228, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01163  2016   NtProtectVirtualMemory  (-1, (0x21be000), 4096, 260, ... (0x21be000), 4096, 4, ) == 0x0
 01164  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 252, {896, 1324}, ) == 0x0
 01165  2016   NtQueryInformationThread  (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=896,Tid=1324,}, 0x0, ) == 0x0
 01166  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81859, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\200\3\0\0,\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81860, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\200\3\0\0,\5\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81860, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\200\3\0\0,\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81860, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\200\3\0\0,\5\0\0" )  ) == 0x0
 01167  2016   NtResumeThread  (252, ... 1, ) == 0x0
 01168  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01169  1028   NtQueryValueKey  (228,  (228, "MulticastListenLevel", Partial, 144, ... , Partial, 144, ...
 01170  1324   NtWaitForSingleObject  (88, 0, 0x0, ...
 01169  1028   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01171  1028   NtQueryValueKey  (228,  (228, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172  1028   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 256, ) }, ... 256, ) == 0x0
 01173  1028   NtQueryValueKey  (256,  (256, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01174  1028   NtClose  (256, ... ) == 0x0
 01175  1028   NtClose  (224, ... ) == 0x0
 01168  2016   NtAllocateVirtualMemory  ... 35389440, 1048576, ) == 0x0
 01176  2016   NtAllocateVirtualMemory  (-1, 36429824, 0, 8192, 4096, 4, ... 36429824, 8192, ) == 0x0
 01177  2016   NtProtectVirtualMemory  (-1, (0x22be000), 4096, 260, ... (0x22be000), 4096, 4, ) == 0x0
 01178  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {896, 1776}, ) == 0x0
 01179  2016   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=896,Tid=1776,}, 0x0, ) == 0x0
 01180  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81860, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81860, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\200\3\0\0\360\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\200\3\0\0\360\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81861, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81860, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\200\3\0\0\360\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\200\3\0\0\360\6\0\0" )  ) == 0x0
 01181  1028   NtClose  (228, ... ) == 0x0
 01182  1028   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 228, ) }, ... 228, ) == 0x0
 01183  1028   NtQueryValueKey  (228,  (228, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01184  1028   NtQueryValueKey  (228,  (228, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01185  1028   NtQueryValueKey  (228,  (228, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01186  1028   NtClose  (228, ... ) == 0x0
 01187  2016   NtResumeThread  (224, ... 1, ) == 0x0
 01188  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 36438016, 1048576, ) == 0x0
 01189  2016   NtAllocateVirtualMemory  (-1, 37478400, 0, 8192, 4096, 4, ... 37478400, 8192, ) == 0x0
 01190  2016   NtProtectVirtualMemory  (-1, (0x23be000), 4096, 260, ... (0x23be000), 4096, 4, ) == 0x0
 01191  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {896, 500}, ) == 0x0
 01192  2016   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=896,Tid=500,}, 0x0, ) == 0x0
 01193  1028   NtSetEventBoostPriority  (88, ...
 01194  1776   NtWaitForSingleObject  (88, 0, 0x0, ...
 01006   900   NtWaitForSingleObject  ... ) == 0x0
 01193  1028   NtSetEventBoostPriority  ... ) == 0x0
 01195   900   NtSetEventBoostPriority  (88, ...
 01015  1388   NtWaitForSingleObject  ... ) == 0x0
 01196  1388   NtSetEventBoostPriority  (88, ...
 01029   596   NtWaitForSingleObject  ... ) == 0x0
 01197   596   NtSetEventBoostPriority  (88, ...
 01034  2036   NtWaitForSingleObject  ... ) == 0x0
 01198  2036   NtSetEventBoostPriority  (88, ...
 01046  1372   NtWaitForSingleObject  ... ) == 0x0
 01199  1372   NtSetEventBoostPriority  (88, ...
 01070  1600   NtWaitForSingleObject  ... ) == 0x0
 01200  1600   NtSetEventBoostPriority  (88, ...
 01083  1948   NtWaitForSingleObject  ... ) == 0x0
 01201  1948   NtSetEventBoostPriority  (88, ...
 01095   252   NtWaitForSingleObject  ... ) == 0x0
 01202   252   NtSetEventBoostPriority  (88, ...
 01108  1300   NtWaitForSingleObject  ... ) == 0x0
 01203  1300   NtSetEventBoostPriority  (88, ...
 01132  1096   NtWaitForSingleObject  ... ) == 0x0
 01204  1096   NtSetEventBoostPriority  (88, ...
 01145  1708   NtWaitForSingleObject  ... ) == 0x0
 01205  1708   NtSetEventBoostPriority  (88, ...
 01157  1024   NtWaitForSingleObject  ... ) == 0x0
 01206  1024   NtSetEventBoostPriority  (88, ...
 01170  1324   NtWaitForSingleObject  ... ) == 0x0
 01207  1324   NtSetEventBoostPriority  (88, ...
 01194  1776   NtWaitForSingleObject  ... ) == 0x0
 01208  1776   NtAllocateVirtualMemory  (-1, 8802304, 0, 4096, 4096, 4, ... 8802304, 4096, ) == 0x0
 01207  1324   NtSetEventBoostPriority  ... ) == 0x0
 01206  1024   NtSetEventBoostPriority  ... ) == 0x0
 01205  1708   NtSetEventBoostPriority  ... ) == 0x0
 01204  1096   NtSetEventBoostPriority  ... ) == 0x0
 01203  1300   NtSetEventBoostPriority  ... ) == 0x0
 01202   252   NtSetEventBoostPriority  ... ) == 0x0
 01201  1948   NtSetEventBoostPriority  ... ) == 0x0
 01200  1600   NtSetEventBoostPriority  ... ) == 0x0
 01199  1372   NtSetEventBoostPriority  ... ) == 0x0
 01198  2036   NtSetEventBoostPriority  ... ) == 0x0
 01197   596   NtSetEventBoostPriority  ... ) == 0x0
 01196  1388   NtSetEventBoostPriority  ... ) == 0x0
 01195   900   NtSetEventBoostPriority  ... ) == 0x0
 01209  1028   NtWaitForSingleObject  (88, 0, 0x0, ...
 01210  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81861, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\200\3\0\0\364\1\0\0" ...  ...
 01211  1776   NtSetEventBoostPriority  (88, ...
 01212  1324   NtTestAlert  (...
 01213  1024   NtTestAlert  (...
 01214  1708   NtTestAlert  (...
 01215  1096   NtTestAlert  (...
 01216  1300   NtTestAlert  (...
 01217   252   NtTestAlert  (...
 01218  1948   NtTestAlert  (...
 01219  1600   NtTestAlert  (...
 01220  1372   NtTestAlert  (...
 01221  2036   NtTestAlert  (...
 01222   596   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01223  1388   NtTestAlert  (...
 01210  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81862, 0}  ... {28, 56, reply, 0, 896, 2016, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\200\3\0\0\364\1\0\0" )  ) == 0x0
 01209  1028   NtWaitForSingleObject  ... ) == 0x0
 01211  1776   NtSetEventBoostPriority  ... ) == 0x0
 01212  1324   NtTestAlert  ... ) == 0x0
 01213  1024   NtTestAlert  ... ) == 0x0
 01214  1708   NtTestAlert  ... ) == 0x0
 01215  1096   NtTestAlert  ... ) == 0x0
 01216  1300   NtTestAlert  ... ) == 0x0
 01217   252   NtTestAlert  ... ) == 0x0
 01218  1948   NtTestAlert  ... ) == 0x0
 01219  1600   NtTestAlert  ... ) == 0x0
 01220  1372   NtTestAlert  ... ) == 0x0
 01221  2036   NtTestAlert  ... ) == 0x0
 01222   596   NtCreateEvent  ... 256, ) == 0x0
 01223  1388   NtTestAlert  ... ) == 0x0
 01224  1028   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01225  2016   NtResumeThread  (228, ...
 01226  1776   NtTestAlert  (...
 01227  1324   NtContinue  (35388720, 1, ...
 01228  1024   NtContinue  (34340144, 1, ...
 01229  1708   NtContinue  (33291568, 1, ...
 01230  1096   NtContinue  (32242992, 1, ...
 01231  1300   NtContinue  (31194416, 1, ...
 01232   252   NtContinue  (30145840, 1, ...
 01233  1948   NtContinue  (29097264, 1, ...
 01234  1600   NtContinue  (28048688, 1, ...
 01235  1372   NtContinue  (27000112, 1, ...
 01236  2036   NtContinue  (25951536, 1, ...
 01237   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01224  1028   NtCreateEvent  ... 260, ) == 0x0
 01238  1388   NtContinue  (24902960, 1, ...
 01225  2016   NtResumeThread  ... 1, ) == 0x0
 01226  1776   NtTestAlert  ... ) == 0x0
 01239  1324   NtRegisterThreadTerminatePort  (24, ...
 01240  1024   NtRegisterThreadTerminatePort  (24, ...
 01241  1708   NtRegisterThreadTerminatePort  (24, ...
 01242  1096   NtRegisterThreadTerminatePort  (24, ...
 01243  1300   NtRegisterThreadTerminatePort  (24, ...
 01244   252   NtRegisterThreadTerminatePort  (24, ...
 01245  1948   NtRegisterThreadTerminatePort  (24, ...
 01246  1600   NtRegisterThreadTerminatePort  (24, ...
 01247  1372   NtRegisterThreadTerminatePort  (24, ...
 01248  2036   NtRegisterThreadTerminatePort  (24, ...
 01237   596   NtDuplicateObject  ... 264, ) == 0x0
 01249   900   NtTestAlert  (...
 01250   500   NtTestAlert  (...
 01251  1388   NtRegisterThreadTerminatePort  (24, ...
 01252  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01253  1776   NtContinue  (36437296, 1, ...
 01239  1324   NtRegisterThreadTerminatePort  ... ) == 0x0
 01240  1024   NtRegisterThreadTerminatePort  ... ) == 0x0
 01241  1708   NtRegisterThreadTerminatePort  ... ) == 0x0
 01242  1096   NtRegisterThreadTerminatePort  ... ) == 0x0
 01243  1300   NtRegisterThreadTerminatePort  ... ) == 0x0
 01244   252   NtRegisterThreadTerminatePort  ... ) == 0x0
 01245  1948   NtRegisterThreadTerminatePort  ... ) == 0x0
 01246  1600   NtRegisterThreadTerminatePort  ... ) == 0x0
 01247  1372   NtRegisterThreadTerminatePort  ... ) == 0x0
 01248  2036   NtRegisterThreadTerminatePort  ... ) == 0x0
 01254   596   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ...
 01249   900   NtTestAlert  ... ) == 0x0
 01250   500   NtTestAlert  ... ) == 0x0
 01251  1388   NtRegisterThreadTerminatePort  ... ) == 0x0
 01255  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01256  1776   NtRegisterThreadTerminatePort  (24, ...
 01257  1324   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01258  1024   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01259  1708   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01260  1096   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ...
 01261  1300   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01262   252   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01263  1948   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01264  1600   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01265  1372   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01266  2036   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01254   596   NtOpenKey  ... 268, ) == 0x0
 01267   900   NtContinue  (23854384, 1, ...
 01268   500   NtContinue  (37485872, 1, ...
 01269  1388   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01255  1028   NtDuplicateObject  ... 272, ) == 0x0
 01252  2016   NtAllocateVirtualMemory  ... 37486592, 1048576, ) == 0x0
 01256  1776   NtRegisterThreadTerminatePort  ... ) == 0x0
 01257  1324   NtDuplicateObject  ... 276, ) == 0x0
 01258  1024   NtDuplicateObject  ... 280, ) == 0x0
 01259  1708   NtDuplicateObject  ... 284, ) == 0x0
 01260  1096   NtAllocateVirtualMemory  ... 1368064, 4096, ) == 0x0
 01261  1300   NtCreateEvent  ... 288, ) == 0x0
 01262   252   NtCreateEvent  ... 292, ) == 0x0
 01263  1948   NtCreateEvent  ... 296, ) == 0x0
 01264  1600   NtCreateEvent  ... 300, ) == 0x0
 01265  1372   NtCreateEvent  ... 304, ) == 0x0
 01266  2036   NtCreateEvent  ... 308, ) == 0x0
 01270   900   NtRegisterThreadTerminatePort  (24, ...
 01271   500   NtRegisterThreadTerminatePort  (24, ...
 01272   596   NtQueryValueKey  (268,  (268, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ...
 01273  1028   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01274  2016   NtAllocateVirtualMemory  (-1, 38526976, 0, 8192, 4096, 4, ...
 01275  1776   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01276  1324   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01277  1024   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01278  1708   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01279  1096   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01280  1300   NtWaitForSingleObject  (288, 0, 0x0, ...
 01281   252   NtClose  (292, ...
 01282  1948   NtClose  (296, ...
 01283  1600   NtClose  (300, ...
 01284  1372   NtClose  (304, ...
 01285  2036   NtClose  (308, ...
 01270   900   NtRegisterThreadTerminatePort  ... ) == 0x0
 01271   500   NtRegisterThreadTerminatePort  ... ) == 0x0
 01272   596   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01273  1028   NtCreateEvent  ... 312, ) == 0x0
 01274  2016   NtAllocateVirtualMemory  ... 38526976, 8192, ) == 0x0
 01275  1776   NtCreateEvent  ... 316, ) == 0x0
 01276  1324   NtCreateEvent  ... 320, ) == 0x0
 01277  1024   NtCreateEvent  ... 324, ) == 0x0
 01278  1708   NtCreateEvent  ... 328, ) == 0x0
 01279  1096   NtCreateEvent  ... 332, ) == 0x0
 01281   252   NtClose  ... ) == 0x0
 01282  1948   NtClose  ... ) == 0x0
 01283  1600   NtClose  ... ) == 0x0
 01284  1372   NtClose  ... ) == 0x0
 01285  2036   NtClose  ... ) == 0x0
 01286   900   NtWaitForSingleObject  (288, 0, 0x0, ...
 01269  1388   NtCreateEvent  ... 308, ) == 0x0
 01287   596   NtClose  (268, ...
 01288  1028   NtClose  (312, ...
 01289  2016   NtProtectVirtualMemory  (-1, (0x24be000), 4096, 260, ...
 01290  1776   NtClose  (316, ...
 01291  1324   NtClose  (320, ...
 01292  1024   NtClose  (324, ...
 01293  1708   NtClose  (328, ...
 01294  1096   NtClose  (332, ...
 01295   252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01296  1948   NtWaitForSingleObject  (288, 0, 0x0, ...
 01297  1600   NtWaitForSingleObject  (288, 0, 0x0, ...
 01298  1372   NtWaitForSingleObject  (288, 0, 0x0, ...
 01299  2036   NtWaitForSingleObject  (288, 0, 0x0, ...
 01300   500   NtWaitForSingleObject  (288, 0, 0x0, ...
 01301  1388   NtClose  (308, ...
 01287   596   NtClose  ... ) == 0x0
 01288  1028   NtClose  ... ) == 0x0
 01289  2016   NtProtectVirtualMemory  ... (0x24be000), 4096, 4, ) == 0x0
 01290  1776   NtClose  ... ) == 0x0
 01291  1324   NtClose  ... ) == 0x0
 01292  1024   NtClose  ... ) == 0x0
 01293  1708   NtClose  ... ) == 0x0
 01294  1096   NtClose  ... ) == 0x0
 01301  1388   NtClose  ... ) == 0x0
 01302   596   NtWaitForSingleObject  (288, 0, 0x0, ...
 01303  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01304  1776   NtWaitForSingleObject  (288, 0, 0x0, ...
 01305  1324   NtWaitForSingleObject  (288, 0, 0x0, ...
 01306  1024   NtWaitForSingleObject  (288, 0, 0x0, ...
 01307  1708   NtWaitForSingleObject  (288, 0, 0x0, ...
 01308  1096   NtSetEventBoostPriority  (288, ...
 01309  1388   NtWaitForSingleObject  (288, 0, 0x0, ...
 01310  1028   NtWaitForSingleObject  (288, 0, 0x0, ...
 01303  2016   NtCreateThread  ... 308, {896, 248}, ) == 0x0
 01311  2016   NtQueryInformationThread  (308, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=896,Tid=248,}, 0x0, ) == 0x0
 01312  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81862, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\200\3\0\0\370\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81863, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\200\3\0\0\370\0\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81863, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\200\3\0\0\370\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81863, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\1\0\0\200\3\0\0\370\0\0\0" )  ) == 0x0
 01313  2016   NtResumeThread  (308, ... 1, ) == 0x0
 01314  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 38535168, 1048576, ) == 0x0
 01315  2016   NtAllocateVirtualMemory  (-1, 39575552, 0, 8192, 4096, 4, ... 39575552, 8192, ) == 0x0
 01280  1300   NtWaitForSingleObject  ... ) == 0x0
 01308  1096   NtSetEventBoostPriority  ... ) == 0x0
 01316   248   NtTestAlert  (...
 01317  1300   NtSetEventBoostPriority  (288, ...
 01318  1096   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01316   248   NtTestAlert  ... ) == 0x0
 01295   252   NtWaitForSingleObject  ... ) == 0x0
 01317  1300   NtSetEventBoostPriority  ... ) == 0x0
 01318  1096   NtDuplicateObject  ... 332, ) == 0x0
 01319   252   NtSetEventBoostPriority  (288, ...
 01320   248   NtContinue  (38534448, 1, ...
 01321  2016   NtProtectVirtualMemory  (-1, (0x25be000), 4096, 260, ...
 01296  1948   NtWaitForSingleObject  ... ) == 0x0
 01319   252   NtSetEventBoostPriority  ... ) == 0x0
 01322  1096   NtWaitForSingleObject  (288, 0, 0x0, ...
 01323   248   NtRegisterThreadTerminatePort  (24, ...
 01324  1948   NtSetEventBoostPriority  (288, ...
 01321  2016   NtProtectVirtualMemory  ... (0x25be000), 4096, 4, ) == 0x0
 01325  1300   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01297  1600   NtWaitForSingleObject  ... ) == 0x0
 01324  1948   NtSetEventBoostPriority  ... ) == 0x0
 01323   248   NtRegisterThreadTerminatePort  ... ) == 0x0
 01326  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01327  1600   NtSetEventBoostPriority  (288, ...
 01325  1300   NtDuplicateObject  ... 328, ) == 0x0
 01328   252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01329  1948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01298  1372   NtWaitForSingleObject  ... ) == 0x0
 01327  1600   NtSetEventBoostPriority  ... ) == 0x0
 01326  2016   NtCreateThread  ... 324, {896, 1884}, ) == 0x0
 01330  1300   NtWaitForSingleObject  (288, 0, 0x0, ...
 01328   252   NtDuplicateObject  ... 320, ) == 0x0
 01331  1372   NtSetEventBoostPriority  (288, ...
 01329  1948   NtDuplicateObject  ... 316, ) == 0x0
 01332   248   NtWaitForSingleObject  (288, 0, 0x0, ...
 01333  2016   NtQueryInformationThread  (324, Basic, 28, ...
 01299  2036   NtWaitForSingleObject  ... ) == 0x0
 01331  1372   NtSetEventBoostPriority  ... ) == 0x0
 01334   252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01335  1948   NtWaitForSingleObject  (288, 0, 0x0, ...
 01336  2036   NtSetEventBoostPriority  (288, ...
 01333  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=896,Tid=1884,}, 0x0, ) == 0x0
 01337  1600   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01300   500   NtWaitForSingleObject  ... ) == 0x0
 01336  2036   NtSetEventBoostPriority  ... ) == 0x0
 01338  1372   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01339   500   NtSetEventBoostPriority  (288, ...
 01337  1600   NtDuplicateObject  ... 312, ) == 0x0
 01340  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81863, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81863, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\200\3\0\0\\7\0\0" ...  ...
 01286   900   NtWaitForSingleObject  ... ) == 0x0
 01339   500   NtSetEventBoostPriority  ... ) == 0x0
 01338  1372   NtDuplicateObject  ... 268, ) == 0x0
 01341  1600   NtWaitForSingleObject  (288, 0, 0x0, ...
 01342   900   NtSetEventBoostPriority  (288, ...
 01340  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81864, 0}  ... {28, 56, reply, 0, 896, 2016, 81864, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\1\0\0\200\3\0\0\\7\0\0" )  ) == 0x0
 01343   500   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01344  1372   NtWaitForSingleObject  (288, 0, 0x0, ...
 01302   596   NtWaitForSingleObject  ... ) == 0x0
 01345  2016   NtResumeThread  (324, ...
 01342   900   NtSetEventBoostPriority  ... ) == 0x0
 01346  2036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01347   596   NtSetEventBoostPriority  (288, ...
 01345  2016   NtResumeThread  ... 1, ) == 0x0
 01348   900   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01346  2036   NtDuplicateObject  ... 304, ) == 0x0
 01304  1776   NtWaitForSingleObject  ... ) == 0x0
 01347   596   NtSetEventBoostPriority  ... ) == 0x0
 01349  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01348   900   NtDuplicateObject  ... 300, ) == 0x0
 01350  1776   NtSetEventBoostPriority  (288, ...
 01351  2036   NtWaitForSingleObject  (288, 0, 0x0, ...
 01343   500   NtDuplicateObject  ... 296, ) == 0x0
 01352  1884   NtTestAlert  (...
 01353   596   NtOpenThreadToken  (-2, 0xc, 1, ...
 01349  2016   NtAllocateVirtualMemory  ... 39583744, 1048576, ) == 0x0
 01305  1324   NtWaitForSingleObject  ... ) == 0x0
 01354   500   NtWaitForSingleObject  (288, 0, 0x0, ...
 01352  1884   NtTestAlert  ... ) == 0x0
 01353   596   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01355  2016   NtAllocateVirtualMemory  (-1, 40624128, 0, 8192, 4096, 4, ...
 01356  1324   NtSetEventBoostPriority  (288, ...
 01357  1884   NtContinue  (39583024, 1, ...
 01358   596   NtOpenThreadToken  (-2, 0x20008, 1, ...
 01355  2016   NtAllocateVirtualMemory  ... 40624128, 8192, ) == 0x0
 01306  1024   NtWaitForSingleObject  ... ) == 0x0
 01359  1884   NtRegisterThreadTerminatePort  (24, ...
 01358   596   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 01360  2016   NtProtectVirtualMemory  (-1, (0x26be000), 4096, 260, ...
 01361  1024   NtSetEventBoostPriority  (288, ...
 01359  1884   NtRegisterThreadTerminatePort  ... ) == 0x0
 01362   596   NtWaitForSingleObject  (288, 0, 0x0, ...
 01360  2016   NtProtectVirtualMemory  ... (0x26be000), 4096, 4, ) == 0x0
 01307  1708   NtWaitForSingleObject  ... ) == 0x0
 01361  1024   NtSetEventBoostPriority  ... ) == 0x0
 01356  1324   NtSetEventBoostPriority  ... ) == 0x0
 01350  1776   NtSetEventBoostPriority  ... ) == 0x0
 01363   900   NtWaitForSingleObject  (288, 0, 0x0, ...
 01364  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01365  1708   NtSetEventBoostPriority  (288, ...
 01366  1024   NtWaitForSingleObject  (288, 0, 0x0, ...
 01367  1324   NtWaitForSingleObject  (288, 0, 0x0, ...
 01368  1776   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01369  1884   NtWaitForSingleObject  (288, 0, 0x0, ...
 01309  1388   NtWaitForSingleObject  ... ) == 0x0
 01368  1776   NtDuplicateObject  ... 292, ) == 0x0
 01370  1388   NtSetEventBoostPriority  (288, ...
 01365  1708   NtSetEventBoostPriority  ... ) == 0x0
 01364  2016   NtCreateThread  ... 336, {896, 1308}, ) == 0x0
 01310  1028   NtWaitForSingleObject  ... ) == 0x0
 01370  1388   NtSetEventBoostPriority  ... ) == 0x0
 01371  1708   NtWaitForSingleObject  (288, 0, 0x0, ...
 01372  1028   NtSetEventBoostPriority  (288, ...
 01373  2016   NtQueryInformationThread  (336, Basic, 28, ...
 01374  1776   NtWaitForSingleObject  (288, 0, 0x0, ...
 01322  1096   NtWaitForSingleObject  ... ) == 0x0
 01372  1028   NtSetEventBoostPriority  ... ) == 0x0
 01373  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=896,Tid=1308,}, 0x0, ) == 0x0
 01375  1096   NtSetEventBoostPriority  (288, ...
 01376  1028   NtWaitForSingleObject  (288, 0, 0x0, ...
 01330  1300   NtWaitForSingleObject  ... ) == 0x0
 01375  1096   NtSetEventBoostPriority  ... ) == 0x0
 01377  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81864, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81864, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\200\3\0\0\34\5\0\0" ...  ...
 01378  1388   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01379  1300   NtSetEventBoostPriority  (288, ...
 01377  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81865, 0}  ... {28, 56, reply, 0, 896, 2016, 81865, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\200\3\0\0\34\5\0\0" )  ) == 0x0
 01332   248   NtWaitForSingleObject  ... ) == 0x0
 01379  1300   NtSetEventBoostPriority  ... ) == 0x0
 01378  1388   NtDuplicateObject  ... 340, ) == 0x0
 01380  1096   NtWaitForSingleObject  (288, 0, 0x0, ...
 01381   248   NtSetEventBoostPriority  (288, ...
 01382  2016   NtResumeThread  (336, ...
 01383  1388   NtWaitForSingleObject  (288, 0, 0x0, ...
 01334   252   NtWaitForSingleObject  ... ) == 0x0
 01381   248   NtSetEventBoostPriority  ... ) == 0x0
 01382  2016   NtResumeThread  ... 1, ) == 0x0
 01384   252   NtSetEventBoostPriority  (288, ...
 01385   248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01335  1948   NtWaitForSingleObject  ... ) == 0x0
 01384   252   NtSetEventBoostPriority  ... ) == 0x0
 01386  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01387  1300   NtWaitForSingleObject  (288, 0, 0x0, ...
 01388  1308   NtTestAlert  (...
 01389  1948   NtSetEventBoostPriority  (288, ...
 01385   248   NtDuplicateObject  ... 344, ) == 0x0
 01386  2016   NtAllocateVirtualMemory  ... 40632320, 1048576, ) == 0x0
 01341  1600   NtWaitForSingleObject  ... ) == 0x0
 01389  1948   NtSetEventBoostPriority  ... ) == 0x0
 01388  1308   NtTestAlert  ... ) == 0x0
 01390   248   NtWaitForSingleObject  (288, 0, 0x0, ...
 01391  1600   NtSetEventBoostPriority  (288, ...
 01392  2016   NtAllocateVirtualMemory  (-1, 41672704, 0, 8192, 4096, 4, ...
 01393   252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01394  1308   NtContinue  (40631600, 1, ...
 01344  1372   NtWaitForSingleObject  ... ) == 0x0
 01391  1600   NtSetEventBoostPriority  ... ) == 0x0
 01392  2016   NtAllocateVirtualMemory  ... 41672704, 8192, ) == 0x0
 01395  1372   NtSetEventBoostPriority  (288, ...
 01396  1308   NtRegisterThreadTerminatePort  (24, ...
 01397  1948   NtWaitForSingleObject  (288, 0, 0x0, ...
 01398  1600   NtWaitForSingleObject  (288, 0, 0x0, ...
 01351  2036   NtWaitForSingleObject  ... ) == 0x0
 01395  1372   NtSetEventBoostPriority  ... ) == 0x0
 01396  1308   NtRegisterThreadTerminatePort  ... ) == 0x0
 01399  2036   NtSetEventBoostPriority  (288, ...
 01400  2016   NtProtectVirtualMemory  (-1, (0x27be000), 4096, 260, ...
 01401  1372   NtWaitForSingleObject  (288, 0, 0x0, ...
 01354   500   NtWaitForSingleObject  ... ) == 0x0
 01399  2036   NtSetEventBoostPriority  ... ) == 0x0
 01400  2016   NtProtectVirtualMemory  ... (0x27be000), 4096, 4, ) == 0x0
 01402   500   NtSetEventBoostPriority  (288, ...
 01403  1308   NtWaitForSingleObject  (288, 0, 0x0, ...
 01362   596   NtWaitForSingleObject  ... ) == 0x0
 01402   500   NtSetEventBoostPriority  ... ) == 0x0
 01404  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01405   596   NtSetEventBoostPriority  (288, ...
 01406  2036   NtWaitForSingleObject  (288, 0, 0x0, ...
 01363   900   NtWaitForSingleObject  ... ) == 0x0
 01405   596   NtSetEventBoostPriority  ... ) == 0x0
 01404  2016   NtCreateThread  ... 348, {896, 1676}, ) == 0x0
 01407   900   NtSetEventBoostPriority  (288, ...
 01408   500   NtWaitForSingleObject  (288, 0, 0x0, ...
 01366  1024   NtWaitForSingleObject  ... ) == 0x0
 01407   900   NtSetEventBoostPriority  ... ) == 0x0
 01409  2016   NtQueryInformationThread  (348, Basic, 28, ...
 01410  1024   NtSetEventBoostPriority  (288, ...
 01411   900   NtWaitForSingleObject  (288, 0, 0x0, ...
 01367  1324   NtWaitForSingleObject  ... ) == 0x0
 01410  1024   NtSetEventBoostPriority  ... ) == 0x0
 01409  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=896,Tid=1676,}, 0x0, ) == 0x0
 01412   596   NtWaitForSingleObject  (288, 0, 0x0, ...
 01413  1324   NtSetEventBoostPriority  (288, ...
 01414  1024   NtWaitForSingleObject  (288, 0, 0x0, ...
 01369  1884   NtWaitForSingleObject  ... ) == 0x0
 01413  1324   NtSetEventBoostPriority  ... ) == 0x0
 01415  1884   NtSetEventBoostPriority  (288, ...
 01416  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81865, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81865, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\200\3\0\0\214\6\0\0" ...  ...
 01371  1708   NtWaitForSingleObject  ... ) == 0x0
 01415  1884   NtSetEventBoostPriority  ... ) == 0x0
 01417  1708   NtSetEventBoostPriority  (288, ...
 01416  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81866, 0}  ... {28, 56, reply, 0, 896, 2016, 81866, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\1\0\0\200\3\0\0\214\6\0\0" )  ) == 0x0
 01374  1776   NtWaitForSingleObject  ... ) == 0x0
 01417  1708   NtSetEventBoostPriority  ... ) == 0x0
 01418  1884   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01419  1776   NtSetEventBoostPriority  (288, ...
 01420  2016   NtResumeThread  (348, ...
 01421  1324   NtWaitForSingleObject  (288, 0, 0x0, ...
 01422  1708   NtWaitForSingleObject  (288, 0, 0x0, ...
 01376  1028   NtWaitForSingleObject  ... ) == 0x0
 01419  1776   NtSetEventBoostPriority  ... ) == 0x0
 01420  2016   NtResumeThread  ... 1, ) == 0x0
 01423  1028   NtSetEventBoostPriority  (288, ...
 01424  1776   NtWaitForSingleObject  (288, 0, 0x0, ...
 01380  1096   NtWaitForSingleObject  ... ) == 0x0
 01425  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01423  1028   NtSetEventBoostPriority  ... ) == 0x0
 01418  1884   NtDuplicateObject  ... 352, ) == 0x0
 01426  1676   NtTestAlert  (...
 01427  1096   NtSetEventBoostPriority  (288, ...
 01428  1028   NtWaitForSingleObject  (288, 0, 0x0, ...
 01429  1884   NtWaitForSingleObject  (288, 0, 0x0, ...
 01426  1676   NtTestAlert  ... ) == 0x0
 01383  1388   NtWaitForSingleObject  ... ) == 0x0
 01427  1096   NtSetEventBoostPriority  ... ) == 0x0
 01430  1388   NtSetEventBoostPriority  (288, ...
 01431  1676   NtContinue  (41680176, 1, ...
 01387  1300   NtWaitForSingleObject  ... ) == 0x0
 01430  1388   NtSetEventBoostPriority  ... ) == 0x0
 01432  1096   NtWaitForSingleObject  (288, 0, 0x0, ...
 01433  1300   NtSetEventBoostPriority  (288, ...
 01434  1676   NtRegisterThreadTerminatePort  (24, ...
 01425  2016   NtAllocateVirtualMemory  ... 41680896, 1048576, ) == 0x0
 01435  1388   NtWaitForSingleObject  (288, 0, 0x0, ...
 01390   248   NtWaitForSingleObject  ... ) == 0x0
 01433  1300   NtSetEventBoostPriority  ... ) == 0x0
 01434  1676   NtRegisterThreadTerminatePort  ... ) == 0x0
 01436  2016   NtAllocateVirtualMemory  (-1, 42721280, 0, 8192, 4096, 4, ...
 01437   248   NtSetEventBoostPriority  (288, ...
 01438  1300   NtWaitForSingleObject  (288, 0, 0x0, ...
 01393   252   NtWaitForSingleObject  ... ) == 0x0
 01437   248   NtSetEventBoostPriority  ... ) == 0x0
 01436  2016   NtAllocateVirtualMemory  ... 42721280, 8192, ) == 0x0
 01439  1676   NtWaitForSingleObject  (288, 0, 0x0, ...
 01440   252   NtSetEventBoostPriority  (288, ...
 01441  2016   NtProtectVirtualMemory  (-1, (0x28be000), 4096, 260, ...
 01397  1948   NtWaitForSingleObject  ... ) == 0x0
 01440   252   NtSetEventBoostPriority  ... ) == 0x0
 01442  1948   NtSetEventBoostPriority  (288, ...
 01441  2016   NtProtectVirtualMemory  ... (0x28be000), 4096, 4, ) == 0x0
 01398  1600   NtWaitForSingleObject  ... ) == 0x0
 01442  1948   NtSetEventBoostPriority  ... ) == 0x0
 01443   252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01444  1600   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ...
 01445  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01446  1948   NtWaitForSingleObject  (288, 0, 0x0, ...
 01447   248   NtWaitForSingleObject  (288, 0, 0x0, ...
 01444  1600   NtAllocateVirtualMemory  ... 1372160, 4096, ) == 0x0
 01445  2016   NtCreateThread  ... 356, {896, 1620}, ) == 0x0
 01448  1600   NtSetEventBoostPriority  (288, ...
 01449  2016   NtQueryInformationThread  (356, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=896,Tid=1620,}, 0x0, ) == 0x0
 01450  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81866, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81866, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\200\3\0\0T\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81867, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\200\3\0\0T\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81867, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81866, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\200\3\0\0T\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81867, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\200\3\0\0T\6\0\0" )  ) == 0x0
 01451  2016   NtResumeThread  (356, ... 1, ) == 0x0
 01452  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 42729472, 1048576, ) == 0x0
 01453  2016   NtAllocateVirtualMemory  (-1, 43769856, 0, 8192, 4096, 4, ... 43769856, 8192, ) == 0x0
 01401  1372   NtWaitForSingleObject  ... ) == 0x0
 01448  1600   NtSetEventBoostPriority  ... ) == 0x0
 01454  1620   NtTestAlert  (...
 01455  1372   NtSetEventBoostPriority  (288, ...
 01456  1600   NtWaitForSingleObject  (288, 0, 0x0, ...
 01454  1620   NtTestAlert  ... ) == 0x0
 01403  1308   NtWaitForSingleObject  ... ) == 0x0
 01455  1372   NtSetEventBoostPriority  ... ) == 0x0
 01457  1308   NtSetEventBoostPriority  (288, ...
 01458  1620   NtContinue  (42728752, 1, ...
 01406  2036   NtWaitForSingleObject  ... ) == 0x0
 01457  1308   NtSetEventBoostPriority  ... ) == 0x0
 01459  1372   NtWaitForSingleObject  (288, 0, 0x0, ...
 01460  2036   NtSetEventBoostPriority  (288, ...
 01461  1620   NtRegisterThreadTerminatePort  (24, ...
 01462  1308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01463  2016   NtProtectVirtualMemory  (-1, (0x29be000), 4096, 260, ...
 01408   500   NtWaitForSingleObject  ... ) == 0x0
 01460  2036   NtSetEventBoostPriority  ... ) == 0x0
 01461  1620   NtRegisterThreadTerminatePort  ... ) == 0x0
 01464   500   NtSetEventBoostPriority  (288, ...
 01463  2016   NtProtectVirtualMemory  ... (0x29be000), 4096, 4, ) == 0x0
 01465  2036   NtWaitForSingleObject  (288, 0, 0x0, ...
 01462  1308   NtDuplicateObject  ... 360, ) == 0x0
 01411   900   NtWaitForSingleObject  ... ) == 0x0
 01464   500   NtSetEventBoostPriority  ... ) == 0x0
 01466  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01467  1620   NtWaitForSingleObject  (288, 0, 0x0, ...
 01468   900   NtSetEventBoostPriority  (288, ...
 01469  1308   NtWaitForSingleObject  (288, 0, 0x0, ...
 01470   500   NtWaitForSingleObject  (288, 0, 0x0, ...
 01466  2016   NtCreateThread  ... 364, {896, 1296}, ) == 0x0
 01412   596   NtWaitForSingleObject  ... ) == 0x0
 01468   900   NtSetEventBoostPriority  ... ) == 0x0
 01471  2016   NtQueryInformationThread  (364, Basic, 28, ...
 01472   596   NtSetEventBoostPriority  (288, ...
 01473   900   NtWaitForSingleObject  (288, 0, 0x0, ...
 01471  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=896,Tid=1296,}, 0x0, ) == 0x0
 01414  1024   NtWaitForSingleObject  ... ) == 0x0
 01472   596   NtSetEventBoostPriority  ... ) == 0x0
 01474  1024   NtSetEventBoostPriority  (288, ...
 01421  1324   NtWaitForSingleObject  ... ) == 0x0
 01475  1324   NtSetEventBoostPriority  (288, ...
 01422  1708   NtWaitForSingleObject  ... ) == 0x0
 01476  1708   NtSetEventBoostPriority  (288, ...
 01424  1776   NtWaitForSingleObject  ... ) == 0x0
 01477  1776   NtSetEventBoostPriority  (288, ...
 01428  1028   NtWaitForSingleObject  ... ) == 0x0
 01478  1028   NtSetEventBoostPriority  (288, ...
 01429  1884   NtWaitForSingleObject  ... ) == 0x0
 01479  1884   NtSetEventBoostPriority  (288, ...
 01435  1388   NtWaitForSingleObject  ... ) == 0x0
 01480  1388   NtSetEventBoostPriority  (288, ...
 01432  1096   NtWaitForSingleObject  ... ) == 0x0
 01481  1096   NtSetEventBoostPriority  (288, ...
 01438  1300   NtWaitForSingleObject  ... ) == 0x0
 01482  1300   NtSetEventBoostPriority  (288, ...
 01439  1676   NtWaitForSingleObject  ... ) == 0x0
 01483  1676   NtSetEventBoostPriority  (288, ...
 01443   252   NtWaitForSingleObject  ... ) == 0x0
 01484   252   NtSetEventBoostPriority  (288, ...
 01447   248   NtWaitForSingleObject  ... ) == 0x0
 01485   248   NtSetEventBoostPriority  (288, ...
 01446  1948   NtWaitForSingleObject  ... ) == 0x0
 01486  1948   NtSetEventBoostPriority  (288, ...
 01456  1600   NtWaitForSingleObject  ... ) == 0x0
 01487  1600   NtSetEventBoostPriority  (288, ...
 01459  1372   NtWaitForSingleObject  ... ) == 0x0
 01488  1372   NtSetEventBoostPriority  (288, ...
 01467  1620   NtWaitForSingleObject  ... ) == 0x0
 01489  1620   NtSetEventBoostPriority  (288, ...
 01469  1308   NtWaitForSingleObject  ... ) == 0x0
 01490  1308   NtSetEventBoostPriority  (288, ...
 01465  2036   NtWaitForSingleObject  ... ) == 0x0
 01491  2036   NtSetEventBoostPriority  (288, ...
 01473   900   NtWaitForSingleObject  ... ) == 0x0
 01492   900   NtSetEventBoostPriority  (288, ...
 01470   500   NtWaitForSingleObject  ... ) == 0x0
 01493   500   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 368, ) == 0x0
 01494   500   NtWaitForSingleObject  (368, 0, 0x0, ...
 01492   900   NtSetEventBoostPriority  ... ) == 0x0
 01490  1308   NtSetEventBoostPriority  ... ) == 0x0
 01489  1620   NtSetEventBoostPriority  ... ) == 0x0
 01487  1600   NtSetEventBoostPriority  ... ) == 0x0
 01485   248   NtSetEventBoostPriority  ... ) == 0x0
 01483  1676   NtSetEventBoostPriority  ... ) == 0x0
 01480  1388   NtSetEventBoostPriority  ... ) == 0x0
 01479  1884   NtSetEventBoostPriority  ... ) == 0x0
 01478  1028   NtSetEventBoostPriority  ... ) == 0x0
 01476  1708   NtSetEventBoostPriority  ... ) == 0x0
 01475  1324   NtSetEventBoostPriority  ... ) == 0x0
 01474  1024   NtSetEventBoostPriority  ... ) == 0x0
 01495   596   NtSetEventBoostPriority  (368, ...
 01491  2036   NtSetEventBoostPriority  ... ) == 0x0
 01488  1372   NtSetEventBoostPriority  ... ) == 0x0
 01486  1948   NtSetEventBoostPriority  ... ) == 0x0
 01484   252   NtSetEventBoostPriority  ... ) == 0x0
 01482  1300   NtSetEventBoostPriority  ... ) == 0x0
 01481  1096   NtSetEventBoostPriority  ... ) == 0x0
 01477  1776   NtSetEventBoostPriority  ... ) == 0x0
 01496  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81867, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81867, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\200\3\0\0\20\5\0\0" ...  ...
 01497   900   NtWaitForSingleObject  (368, 0, 0x0, ...
 01498  1620   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01499  1308   NtWaitForSingleObject  (368, 0, 0x0, ...
 01500   248   NtWaitForSingleObject  (368, 0, 0x0, ...
 01501  1676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01502  1388   NtWaitForSingleObject  (368, 0, 0x0, ...
 01503  1600   NtWaitForSingleObject  (368, 0, 0x0, ...
 01504  1884   NtWaitForSingleObject  (368, 0, 0x0, ...
 01505  1708   NtWaitForSingleObject  (368, 0, 0x0, ...
 01506  1324   NtWaitForSingleObject  (368, 0, 0x0, ...
 01507  1024   NtWaitForSingleObject  (368, 0, 0x0, ...
 01508  1028   NtWaitForSingleObject  (368, 0, 0x0, ...
 01509  2036   NtWaitForSingleObject  (368, 0, 0x0, ...
 01510  1372   NtWaitForSingleObject  (368, 0, 0x0, ...
 01511  1948   NtWaitForSingleObject  (368, 0, 0x0, ...
 01512   252   NtWaitForSingleObject  (368, 0, 0x0, ...
 01513  1300   NtWaitForSingleObject  (368, 0, 0x0, ...
 01514  1096   NtWaitForSingleObject  (368, 0, 0x0, ...
 01515  1776   NtWaitForSingleObject  (368, 0, 0x0, ...
 01496  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81868, 0}  ... {28, 56, reply, 0, 896, 2016, 81868, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\1\0\0\200\3\0\0\20\5\0\0" )  ) == 0x0
 01494   500   NtWaitForSingleObject  ... ) == 0x0
 01495   596   NtSetEventBoostPriority  ... ) == 0x0
 01498  1620   NtDuplicateObject  ... 372, ) == 0x0
 01501  1676   NtDuplicateObject  ... 376, ) == 0x0
 01516   500   NtSetEventBoostPriority  (368, ...
 01517  2016   NtResumeThread  (364, ...
 01518   596   NtWaitForSingleObject  (368, 0, 0x0, ...
 01519  1620   NtWaitForSingleObject  (368, 0, 0x0, ...
 01497   900   NtWaitForSingleObject  ... ) == 0x0
 01520  1676   NtWaitForSingleObject  (368, 0, 0x0, ...
 01517  2016   NtResumeThread  ... 1, ) == 0x0
 01521   900   NtSetEventBoostPriority  (368, ...
 01522  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01499  1308   NtWaitForSingleObject  ... ) == 0x0
 01521   900   NtSetEventBoostPriority  ... ) == 0x0
 01516   500   NtSetEventBoostPriority  ... ) == 0x0
 01523  1296   NtTestAlert  (...
 01524  1308   NtSetEventBoostPriority  (368, ...
 01525   900   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01522  2016   NtAllocateVirtualMemory  ... 43778048, 1048576, ) == 0x0
 01500   248   NtWaitForSingleObject  ... ) == 0x0
 01524  1308   NtSetEventBoostPriority  ... ) == 0x0
 01523  1296   NtTestAlert  ... ) == 0x0
 01526   500   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01527   248   NtSetEventBoostPriority  (368, ...
 01528  2016   NtAllocateVirtualMemory  (-1, 44818432, 0, 8192, 4096, 4, ...
 01529  1308   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01530  1296   NtContinue  (43777328, 1, ...
 01503  1600   NtWaitForSingleObject  ... ) == 0x0
 01526   500   NtWaitForSingleObject  ... ) == 0x102
 01528  2016   NtAllocateVirtualMemory  ... 44818432, 8192, ) == 0x0
 01527   248   NtSetEventBoostPriority  ... ) == 0x0
 01525   900   NtWaitForSingleObject  ... ) == 0x102
 01531  1296   NtRegisterThreadTerminatePort  (24, ...
 01532  1600   NtSetEventBoostPriority  (368, ...
 01533   500   NtWaitForSingleObject  (124, 0, 0x0, ...
 01534  2016   NtProtectVirtualMemory  (-1, (0x2abe000), 4096, 260, ...
 01535   248   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01536   900   NtWaitForSingleObject  (124, 0, 0x0, ...
 01531  1296   NtRegisterThreadTerminatePort  ... ) == 0x0
 01504  1884   NtWaitForSingleObject  ... ) == 0x0
 01532  1600   NtSetEventBoostPriority  ... ) == 0x0
 01534  2016   NtProtectVirtualMemory  ... (0x2abe000), 4096, 4, ) == 0x0
 01529  1308   NtWaitForSingleObject  ... ) == 0x102
 01535   248   NtWaitForSingleObject  ... ) == 0x102
 01537  1884   NtSetEventBoostPriority  (368, ...
 01538  1600   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01539  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01540  1308   NtWaitForSingleObject  (124, 0, 0x0, ...
 01502  1388   NtWaitForSingleObject  ... ) == 0x0
 01537  1884   NtSetEventBoostPriority  ... ) == 0x0
 01541   248   NtWaitForSingleObject  (124, 0, 0x0, ...
 01542  1296   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01538  1600   NtWaitForSingleObject  ... ) == 0x102
 01543  1388   NtSetEventBoostPriority  (368, ...
 01544  1884   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01542  1296   NtDuplicateObject  ... 380, ) == 0x0
 01505  1708   NtWaitForSingleObject  ... ) == 0x0
 01545  1600   NtWaitForSingleObject  (124, 0, 0x0, ...
 01543  1388   NtSetEventBoostPriority  ... ) == 0x0
 01539  2016   NtCreateThread  ... 384, {896, 440}, ) == 0x0
 01546  1296   NtWaitForSingleObject  (368, 0, 0x0, ...
 01547  1708   NtSetEventBoostPriority  (368, ...
 01548  1388   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01549  2016   NtQueryInformationThread  (384, Basic, 28, ...
 01506  1324   NtWaitForSingleObject  ... ) == 0x0
 01549  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=896,Tid=440,}, 0x0, ) == 0x0
 01550  1324   NtSetEventBoostPriority  (368, ...
 01551  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81868, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81868, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\200\3\0\0\270\1\0\0" ...  ...
 01508  1028   NtWaitForSingleObject  ... ) == 0x0
 01551  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81869, 0}  ... {28, 56, reply, 0, 896, 2016, 81869, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\200\3\0\0\270\1\0\0" )  ) == 0x0
 01552  1028   NtSetEventBoostPriority  (368, ...
 01550  1324   NtSetEventBoostPriority  ... ) == 0x0
 01547  1708   NtSetEventBoostPriority  ... ) == 0x0
 01544  1884   NtWaitForSingleObject  ... ) == 0x102
 01548  1388   NtWaitForSingleObject  ... ) == 0x102
 01509  2036   NtWaitForSingleObject  ... ) == 0x0
 01552  1028   NtSetEventBoostPriority  ... ) == 0x0
 01553  1324   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01554  1708   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01555  1884   NtWaitForSingleObject  (124, 0, 0x0, ...
 01556  2036   NtSetEventBoostPriority  (368, ...
 01557  1388   NtWaitForSingleObject  (124, 0, 0x0, ...
 01558  1028   NtWaitForSingleObject  (368, 0, 0x0, ...
 01510  1372   NtWaitForSingleObject  ... ) == 0x0
 01556  2036   NtSetEventBoostPriority  ... ) == 0x0
 01559  2016   NtResumeThread  (384, ...
 01553  1324   NtWaitForSingleObject  ... ) == 0x102
 01554  1708   NtWaitForSingleObject  ... ) == 0x102
 01560  1372   NtSetEventBoostPriority  (368, ...
 01559  2016   NtResumeThread  ... 1, ) == 0x0
 01561  1324   NtWaitForSingleObject  (124, 0, 0x0, ...
 01511  1948   NtWaitForSingleObject  ... ) == 0x0
 01560  1372   NtSetEventBoostPriority  ... ) == 0x0
 01562  1708   NtWaitForSingleObject  (124, 0, 0x0, ...
 01563  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01564  1948   NtSetEventBoostPriority  (368, ...
 01565  2036   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01566   440   NtTestAlert  (...
 01512   252   NtWaitForSingleObject  ... ) == 0x0
 01564  1948   NtSetEventBoostPriority  ... ) == 0x0
 01563  2016   NtAllocateVirtualMemory  ... 44826624, 1048576, ) == 0x0
 01565  2036   NtWaitForSingleObject  ... ) == 0x102
 01567   252   NtSetEventBoostPriority  (368, ...
 01566   440   NtTestAlert  ... ) == 0x0
 01568  1372   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01569  2016   NtAllocateVirtualMemory  (-1, 45867008, 0, 8192, 4096, 4, ...
 01513  1300   NtWaitForSingleObject  ... ) == 0x0
 01567   252   NtSetEventBoostPriority  ... ) == 0x0
 01570  2036   NtWaitForSingleObject  (124, 0, 0x0, ...
 01571   440   NtContinue  (44825904, 1, ...
 01568  1372   NtWaitForSingleObject  ... ) == 0x102
 01572  1300   NtSetEventBoostPriority  (368, ...
 01569  2016   NtAllocateVirtualMemory  ... 45867008, 8192, ) == 0x0
 01573  1948   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01574   440   NtRegisterThreadTerminatePort  (24, ...
 01514  1096   NtWaitForSingleObject  ... ) == 0x0
 01572  1300   NtSetEventBoostPriority  ... ) == 0x0
 01575  1372   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01576   252   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01573  1948   NtWaitForSingleObject  ... ) == 0x102
 01577  1096   NtWaitForSingleObject  (288, 0, 0x0, ...
 01574   440   NtRegisterThreadTerminatePort  ... ) == 0x0
 01578  2016   NtProtectVirtualMemory  (-1, (0x2bbe000), 4096, 260, ...
 01575  1372   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01576   252   NtWaitForSingleObject  ... ) == 0x102
 01579  1948   NtWaitForSingleObject  (288, 0, 0x0, ...
 01580  1300   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01578  2016   NtProtectVirtualMemory  ... (0x2bbe000), 4096, 4, ) == 0x0
 01581  1372   NtSetEventBoostPriority  (288, ...
 01582   252   NtWaitForSingleObject  (288, 0, 0x0, ...
 01580  1300   NtWaitForSingleObject  ... ) == 0x102
 01583  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01584   440   NtWaitForSingleObject  (288, 0, 0x0, ...
 01585  1300   NtWaitForSingleObject  (288, 0, 0x0, ...
 01583  2016   NtCreateThread  ... 388, {896, 1588}, ) == 0x0
 01586  2016   NtQueryInformationThread  (388, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=896,Tid=1588,}, 0x0, ) == 0x0
 01587  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81869, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81869, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\200\3\0\04\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81870, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\200\3\0\04\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81870, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81869, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\200\3\0\04\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81870, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\200\3\0\04\6\0\0" )  ) == 0x0
 01588  2016   NtResumeThread  (388, ... 1, ) == 0x0
 01589  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01577  1096   NtWaitForSingleObject  ... ) == 0x0
 01581  1372   NtSetEventBoostPriority  ... ) == 0x0
 01590  1588   NtTestAlert  (...
 01591  1096   NtSetEventBoostPriority  (288, ...
 01592  1372   NtWaitForSingleObject  (124, 0, 0x0, ...
 01579  1948   NtWaitForSingleObject  ... ) == 0x0
 01591  1096   NtSetEventBoostPriority  ... ) == 0x0
 01590  1588   NtTestAlert  ... ) == 0x0
 01593  1948   NtSetEventBoostPriority  (288, ...
 01589  2016   NtAllocateVirtualMemory  ... 45875200, 1048576, ) == 0x0
 01582   252   NtWaitForSingleObject  ... ) == 0x0
 01593  1948   NtSetEventBoostPriority  ... ) == 0x0
 01594  1588   NtContinue  (45874480, 1, ...
 01595   252   NtSetEventBoostPriority  (288, ...
 01596  2016   NtAllocateVirtualMemory  (-1, 46915584, 0, 8192, 4096, 4, ...
 01597  1096   NtSetEventBoostPriority  (368, ...
 01584   440   NtWaitForSingleObject  ... ) == 0x0
 01595   252   NtSetEventBoostPriority  ... ) == 0x0
 01598  1588   NtRegisterThreadTerminatePort  (24, ...
 01596  2016   NtAllocateVirtualMemory  ... 46915584, 8192, ) == 0x0
 01599   440   NtSetEventBoostPriority  (288, ...
 01515  1776   NtWaitForSingleObject  ... ) == 0x0
 01597  1096   NtSetEventBoostPriority  ... ) == 0x0
 01600  1948   NtWaitForSingleObject  (124, 0, 0x0, ...
 01598  1588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01585  1300   NtWaitForSingleObject  ... ) == 0x0
 01601  1776   NtWaitForSingleObject  (288, 0, 0x0, ...
 01599   440   NtSetEventBoostPriority  ... ) == 0x0
 01602  2016   NtProtectVirtualMemory  (-1, (0x2cbe000), 4096, 260, ...
 01603  1096   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01604   252   NtWaitForSingleObject  (124, 0, 0x0, ...
 01605  1300   NtSetEventBoostPriority  (288, ...
 01606   440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01602  2016   NtProtectVirtualMemory  ... (0x2cbe000), 4096, 4, ) == 0x0
 01603  1096   NtWaitForSingleObject  ... ) == 0x102
 01601  1776   NtWaitForSingleObject  ... ) == 0x0
 01605  1300   NtSetEventBoostPriority  ... ) == 0x0
 01607  1588   NtWaitForSingleObject  (288, 0, 0x0, ...
 01608  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01609  1776   NtSetEventBoostPriority  (288, ...
 01610  1096   NtWaitForSingleObject  (288, 0, 0x0, ...
 01606   440   NtDuplicateObject  ... 392, ) == 0x0
 01611  1300   NtWaitForSingleObject  (124, 0, 0x0, ...
 01607  1588   NtWaitForSingleObject  ... ) == 0x0
 01609  1776   NtSetEventBoostPriority  ... ) == 0x0
 01608  2016   NtCreateThread  ... 396, {896, 2044}, ) == 0x0
 01612   440   NtWaitForSingleObject  (288, 0, 0x0, ...
 01613  1588   NtSetEventBoostPriority  (288, ...
 01614  2016   NtQueryInformationThread  (396, Basic, 28, ...
 01610  1096   NtWaitForSingleObject  ... ) == 0x0
 01613  1588   NtSetEventBoostPriority  ... ) == 0x0
 01615  1096   NtSetEventBoostPriority  (288, ...
 01614  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=896,Tid=2044,}, 0x0, ) == 0x0
 01612   440   NtWaitForSingleObject  ... ) == 0x0
 01616  1588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01615  1096   NtSetEventBoostPriority  ... ) == 0x0
 01617  1776   NtSetEventBoostPriority  (368, ...
 01618   440   NtWaitForSingleObject  (368, 0, 0x0, ...
 01619  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81870, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81870, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\200\3\0\0\374\7\0\0" ...  ...
 01620  1096   NtWaitForSingleObject  (124, 0, 0x0, ...
 01518   596   NtWaitForSingleObject  ... ) == 0x0
 01617  1776   NtSetEventBoostPriority  ... ) == 0x0
 01619  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81871, 0}  ... {28, 56, reply, 0, 896, 2016, 81871, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\1\0\0\200\3\0\0\374\7\0\0" )  ) == 0x0
 01621   596   NtSetEventBoostPriority  (368, ...
 01622  1776   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01519  1620   NtWaitForSingleObject  ... ) == 0x0
 01621   596   NtSetEventBoostPriority  ... ) == 0x0
 01623  2016   NtResumeThread  (396, ...
 01624  1620   NtSetEventBoostPriority  (368, ...
 01622  1776   NtWaitForSingleObject  ... ) == 0x102
 01616  1588   NtDuplicateObject  ... 400, ) == 0x0
 01520  1676   NtWaitForSingleObject  ... ) == 0x0
 01624  1620   NtSetEventBoostPriority  ... ) == 0x0
 01623  2016   NtResumeThread  ... 1, ) == 0x0
 01625  1776   NtWaitForSingleObject  (124, 0, 0x0, ...
 01626  1676   NtSetEventBoostPriority  (368, ...
 01627  1588   NtWaitForSingleObject  (368, 0, 0x0, ...
 01628   596   NtWaitForSingleObject  (368, 0, 0x0, ...
 01629  2044   NtTestAlert  (...
 01630  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01631  1620   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01507  1024   NtWaitForSingleObject  ... ) == 0x0
 01626  1676   NtSetEventBoostPriority  ... ) == 0x0
 01629  2044   NtTestAlert  ... ) == 0x0
 01632  1024   NtSetEventBoostPriority  (368, ...
 01631  1620   NtWaitForSingleObject  ... ) == 0x102
 01630  2016   NtAllocateVirtualMemory  ... 46923776, 1048576, ) == 0x0
 01546  1296   NtWaitForSingleObject  ... ) == 0x0
 01633  2044   NtContinue  (46923056, 1, ...
 01634  1620   NtWaitForSingleObject  (124, 0, 0x0, ...
 01635  2016   NtAllocateVirtualMemory  (-1, 47964160, 0, 8192, 4096, 4, ...
 01636  1296   NtSetEventBoostPriority  (368, ...
 01637  2044   NtRegisterThreadTerminatePort  (24, ...
 01635  2016   NtAllocateVirtualMemory  ... 47964160, 8192, ) == 0x0
 01558  1028   NtWaitForSingleObject  ... ) == 0x0
 01636  1296   NtSetEventBoostPriority  ... ) == 0x0
 01637  2044   NtRegisterThreadTerminatePort  ... ) == 0x0
 01638  1028   NtSetEventBoostPriority  (368, ...
 01639  2016   NtProtectVirtualMemory  (-1, (0x2dbe000), 4096, 260, ...
 01632  1024   NtSetEventBoostPriority  ... ) == 0x0
 01640  1676   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01641  1296   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01618   440   NtWaitForSingleObject  ... ) == 0x0
 01639  2016   NtProtectVirtualMemory  ... (0x2dbe000), 4096, 4, ) == 0x0
 01642  1024   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01640  1676   NtWaitForSingleObject  ... ) == 0x102
 01641  1296   NtWaitForSingleObject  ... ) == 0x102
 01643   440   NtSetEventBoostPriority  (368, ...
 01644  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01645  1676   NtWaitForSingleObject  (124, 0, 0x0, ...
 01646  1296   NtWaitForSingleObject  (124, 0, 0x0, ...
 01627  1588   NtWaitForSingleObject  ... ) == 0x0
 01643   440   NtSetEventBoostPriority  ... ) == 0x0
 01638  1028   NtSetEventBoostPriority  ... ) == 0x0
 01647  2044   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01642  1024   NtWaitForSingleObject  ... ) == 0x102
 01648  1588   NtSetEventBoostPriority  (368, ...
 01644  2016   NtCreateThread  ... 404, {896, 588}, ) == 0x0
 01649  1028   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 01647  2044   NtDuplicateObject  ... 408, ) == 0x0
 01628   596   NtWaitForSingleObject  ... ) == 0x0
 01648  1588   NtSetEventBoostPriority  ... ) == 0x0
 01650  1024   NtWaitForSingleObject  (288, 0, 0x0, ...
 01651  2016   NtQueryInformationThread  (404, Basic, 28, ...
 01649  1028   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 01652   596   NtWaitForSingleObject  (288, 0, 0x0, ...
 01653  2044   NtWaitForSingleObject  (288, 0, 0x0, ...
 01654   440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01651  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=896,Tid=588,}, 0x0, ) == 0x0
 01655  1588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01654   440   NtWaitForSingleObject  ... ) == 0x102
 01656  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81871, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81871, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\200\3\0\0L\2\0\0" ...  ...
 01655  1588   NtWaitForSingleObject  ... ) == 0x102
 01657   440   NtWaitForSingleObject  (288, 0, 0x0, ...
 01656  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81872, 0}  ... {28, 56, reply, 0, 896, 2016, 81872, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\200\3\0\0L\2\0\0" )  ) == 0x0
 01658  1588   NtWaitForSingleObject  (288, 0, 0x0, ...
 01659  1028   NtSetEventBoostPriority  (288, ...
 01650  1024   NtWaitForSingleObject  ... ) == 0x0
 01660  1024   NtSetEventBoostPriority  (288, ...
 01652   596   NtWaitForSingleObject  ... ) == 0x0
 01661   596   NtSetEventBoostPriority  (288, ...
 01653  2044   NtWaitForSingleObject  ... ) == 0x0
 01662  2044   NtSetEventBoostPriority  (288, ...
 01657   440   NtWaitForSingleObject  ... ) == 0x0
 01663   440   NtSetEventBoostPriority  (288, ...
 01658  1588   NtWaitForSingleObject  ... ) == 0x0
 01664  1588   NtWaitForSingleObject  (124, 0, 0x0, ...
 01663   440   NtSetEventBoostPriority  ... ) == 0x0
 01662  2044   NtSetEventBoostPriority  ... ) == 0x0
 01661   596   NtSetEventBoostPriority  ... ) == 0x0
 01660  1024   NtSetEventBoostPriority  ... ) == 0x0
 01659  1028   NtSetEventBoostPriority  ... ) == 0x0
 01665  2016   NtResumeThread  (404, ...
 01666   440   NtWaitForSingleObject  (124, 0, 0x0, ...
 01667  2044   NtWaitForSingleObject  (368, 0, 0x0, ...
 01668   596   NtSetEventBoostPriority  (368, ...
 01669  1028   NtWaitForSingleObject  (368, 0, 0x0, ...
 01665  2016   NtResumeThread  ... 1, ) == 0x0
 01667  2044   NtWaitForSingleObject  ... ) == 0x0
 01668   596   NtSetEventBoostPriority  ... ) == 0x0
 01670  2044   NtSetEventBoostPriority  (368, ...
 01671  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01669  1028   NtWaitForSingleObject  ... ) == 0x0
 01670  2044   NtSetEventBoostPriority  ... ) == 0x0
 01672   596   NtWaitForSingleObject  (368, 0, 0x0, ...
 01673  1028   NtSetEventBoostPriority  (368, ...
 01671  2016   NtAllocateVirtualMemory  ... 47972352, 1048576, ) == 0x0
 01674  2044   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01673  1028   NtSetEventBoostPriority  ... ) == 0x0
 01672   596   NtWaitForSingleObject  ... ) == 0x0
 01675  2016   NtAllocateVirtualMemory  (-1, 49012736, 0, 8192, 4096, 4, ...
 01676  1024   NtWaitForSingleObject  (124, 0, 0x0, ...
 01677   588   NtTestAlert  (...
 01674  2044   NtWaitForSingleObject  ... ) == 0x102
 01678   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006064, ... }, 11006064, ...
 01675  2016   NtAllocateVirtualMemory  ... 49012736, 8192, ) == 0x0
 01677   588   NtTestAlert  ... ) == 0x0
 01679  2044   NtWaitForSingleObject  (124, 0, 0x0, ...
 01680  1028   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ...
 01678   596   NtQueryAttributesFile  ... ) == 0x0
 01681   588   NtContinue  (47971632, 1, ...
 01680  1028   NtOpenFile  ... 412, {status=0x0, info=0}, ) == 0x0
 01682   596   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 01683   588   NtRegisterThreadTerminatePort  (24, ...
 01684  1028   NtDeviceIoControlFile  (412, 0, 0x0, 0x0, 0x390008,  (412, 0, 0x0, 0x0, 0x390008, "l\37bs\344\237\300ND\373L\260\12\24\224\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01682   596   NtOpenKey  ... 416, ) == 0x0
 01683   588   NtRegisterThreadTerminatePort  ... ) == 0x0
 01685  1028   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01686   596   NtQueryValueKey  (416,  (416, "Transports", Partial, 144, ... , Partial, 144, ...
 01687  2016   NtProtectVirtualMemory  (-1, (0x2ebe000), 4096, 260, ...
 01685  1028   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01686   596   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01687  2016   NtProtectVirtualMemory  ... (0x2ebe000), 4096, 4, ) == 0x0
 01688  1028   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01689   596   NtQueryValueKey  (416,  (416, "Transports", Partial, 144, ... , Partial, 144, ...
 01690  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01691   588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01688  1028   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01690  2016   NtCreateThread  ... 420, {896, 1652}, ) == 0x0
 01691   588   NtDuplicateObject  ... 424, ) == 0x0
 01692  1028   NtQuerySystemInformation  (Performance, 312, ...
 01693  2016   NtQueryInformationThread  (420, Basic, 28, ...
 01694   588   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01692  1028   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01693  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=896,Tid=1652,}, 0x0, ) == 0x0
 01694   588   NtWaitForSingleObject  ... ) == 0x102
 01695  1028   NtQuerySystemInformation  (Exception, 16, ...
 01689   596   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0
 01696   588   NtWaitForSingleObject  (124, 0, 0x0, ...
 01695  1028   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01697   596   NtClose  (416, ...
 01698  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81872, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81872, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\200\3\0\0t\6\0\0" ...  ...
 01699  1028   NtQuerySystemInformation  (Lookaside, 32, ...
 01697   596   NtClose  ... ) == 0x0
 01698  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81873, 0}  ... {28, 56, reply, 0, 896, 2016, 81873, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\200\3\0\0t\6\0\0" )  ) == 0x0
 01700   596   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01701  2016   NtResumeThread  (420, ...
 01700   596   NtOpenKey  ... 416, ) == 0x0
 01701  2016   NtResumeThread  ... 1, ) == 0x0
 01702   596   NtQueryValueKey  (416,  (416, "Mapping", Partial, 144, ... , Partial, 144, ...
 01703  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01699  1028   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01704  1652   NtTestAlert  (...
 01702   596   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01705  1028   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01704  1652   NtTestAlert  ... ) == 0x0
 01706   596   NtQueryValueKey  (416,  (416, "Mapping", Partial, 144, ... , Partial, 144, ...
 01705  1028   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01707  1652   NtContinue  (49020208, 1, ...
 01706   596   NtQueryValueKey  ... ) == STATUS_BUFFER_OVERFLOW
 01708  1028   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01709  1652   NtRegisterThreadTerminatePort  (24, ...
 01710   596   NtQueryValueKey  (416,  (416, "Mapping", Partial, 152, ... , Partial, 152, ...
 01708  1028   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01709  1652   NtRegisterThreadTerminatePort  ... ) == 0x0
 01710   596   NtQueryValueKey  ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01711  1028   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01703  2016   NtAllocateVirtualMemory  ... 49020928, 1048576, ) == 0x0
 01712   596   NtClose  (416, ...
 01711  1028   NtCreateKey  ... -2147481368, 2, ) == 0x0
 01713  2016   NtAllocateVirtualMemory  (-1, 50061312, 0, 8192, 4096, 4, ...
 01714  1652   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01715  1028   NtSetValueKey  (-2147481368,  (-2147481368, "Seed", 0, 3, "\213\272\241\12\326\232\20\245\4\311\301\361\313Qz\311.\204\265\2332\324n9\2557\31\4\215k\303%\276\247\30msT6Z\255\366\275+\231\272o\340j\310\371\23\302_bi\16\332k\345;{\33\234N\34\231~\207,\273\223\321\360\266{\240C\e", 80, ... , 0, 3,  (-2147481368, "Seed", 0, 3, "\213\272\241\12\326\232\20\245\4\311\301\361\313Qz\311.\204\265\2332\324n9\2557\31\4\215k\303%\276\247\30msT6Z\255\366\275+\231\272o\340j\310\371\23\302_bi\16\332k\345;{\33\234N\34\231~\207,\273\223\321\360\266{\240C\e", 80, ... , 80, ...
 01713  2016   NtAllocateVirtualMemory  ... 50061312, 8192, ) == 0x0
 01714  1652   NtDuplicateObject  ... 428, ) == 0x0
 01715  1028   NtSetValueKey  ... ) == 0x0
 01716  2016   NtProtectVirtualMemory  (-1, (0x2fbe000), 4096, 260, ...
 01717  1652   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01718  1028   NtClose  (-2147481368, ...
 01716  2016   NtProtectVirtualMemory  ... (0x2fbe000), 4096, 4, ) == 0x0
 01717  1652   NtWaitForSingleObject  ... ) == 0x102
 01718  1028   NtClose  ... ) == 0x0
 01719  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01720  1652   NtWaitForSingleObject  (124, 0, 0x0, ...
 01712   596   NtClose  ... ) == 0x0
 01684  1028   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "H\263m\31Q\333\255a\2/.]b\250\4v\372\353\354#S\20\364\21\221;\276\217\35]\347\323\221\265@\6\301\354\34\36\1/r\0A=\263v\344<\260\262;.\257Ab\323\220\342\262o\2361,J;\207#Xv\31\7\315m\270\337\313\307\232\323\2264^\235YD\326\332R~\313RFS5\30\325\230\367o\1\204HG\301(\221)\327\312\2727\235Jy \300\177\270\232\321SB\320[Q\260\177(#\343\230\371\324\336\3435\177\326\343\370\201\242\205\26\362<\2612\263P\212\301:\376D\331\367\224\233\306\226n\304gh\254\37\235N\320\234\233+\25\178U\345\376\345\225m\304\354\365\14\354\220HZ\262\216\245\230\371Y\5I\2\331wv#\36\232O\307\322k\252m\243}v!\3334\230\211\344&\363QR|=M(\316\15\370'\244\257\28\351N\304\370\203>4\3wn;\35hb\25U", ) , ) == 0x0
 01719  2016   NtCreateThread  ... 416, {896, 1376}, ) == 0x0
 01721   596   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01722  1028   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01723  2016   NtQueryInformationThread  (416, Basic, 28, ...
 01721   596   NtOpenKey  ... 432, ) == 0x0
 01722  1028   NtCreateEvent  ... 436, ) == 0x0
 01723  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=896,Tid=1376,}, 0x0, ) == 0x0
 01724   596   NtQueryValueKey  (432,  (432, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01725  1028   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 01726  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81873, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81873, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\200\3\0\0`\5\0\0" ...  ...
 01724   596   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01725  1028   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 01726  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81874, 0}  ... {28, 56, reply, 0, 896, 2016, 81874, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\1\0\0\200\3\0\0`\5\0\0" )  ) == 0x0
 01727   596   NtQueryValueKey  (432,  (432, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01728  1028   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15461892, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15461892, 188, ...
 01729  2016   NtResumeThread  (416, ...
 01727   596   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01729  2016   NtResumeThread  ... 1, ) == 0x0
 01730   596   NtQueryValueKey  (432,  (432, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ...
 01731  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01730   596   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01731  2016   NtAllocateVirtualMemory  ... 50069504, 1048576, ) == 0x0
 01732   596   NtQueryValueKey  (432,  (432, "HelperDllName", Partial, 144, ... , Partial, 144, ...
 01733  2016   NtAllocateVirtualMemory  (-1, 51109888, 0, 8192, 4096, 4, ...
 01732   596   NtQueryValueKey  ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01733  2016   NtAllocateVirtualMemory  ... 51109888, 8192, ) == 0x0
 01734   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007020, ... }, 11007020, ...
 01728  1028   NtConnectPort  ... 440, 0x0, 0x0, 0x0, 188, ) == 0x0
 01735  1376   NtWaitForSingleObject  (88, 0, 0x0, ...
 01736  2016   NtProtectVirtualMemory  (-1, (0x30be000), 4096, 260, ...
 01737  1028   NtRequestWaitReplyPort  (440, {200, 224, new_msg, 0, 1384432, 12, 2, 1310721}  (440, {200, 224, new_msg, 0, 1384432, 12, 2, 1310721} "\0\2\24\0\274\0\0\0\4>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\340\1\24\0\4\0\0\0\1\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0u\366\322\271\246\260\36)p\37\25\0\\1\24\0\12\0\0\0\0\0\0\0\0 \0\0(\0\0\0x\37\25\0\243\353\331\255\10\2\24\0\230\37\25\0\\1\24\0\0\0\0\0\0\0\0\0\230\37\25\0P\0\0\0\240\37\25\0\360\6\221|\340\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\353\0\372\31\221|\30\364\353\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 01736  2016   NtProtectVirtualMemory  ... (0x30be000), 4096, 4, ) == 0x0
 01738  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 444, {896, 1436}, ) == 0x0
 01739  2016   NtQueryInformationThread  (444, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=896,Tid=1436,}, 0x0, ) == 0x0
 01737  1028   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 896, 1028, 81876, 0}  ... {200, 224, reply, 0, 896, 1028, 81876, 0} "\7\2\24\0\274\0\0\0\4>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\1\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0u\366\322\271\246\260\36)p\37\25\0\\1\24\0\12\0\0\0\0\0\0\0\0 \0\0(\0\0\0x\37\25\0\243\353\331\255\10\2\24\0\230\37\25\0\\1\24\0\0\0\0\0\0\0\0\0\230\37\25\0P\0\0\0\240\37\25\0\360\6\221|\340\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\353\0\372\31\221|\30\364\353\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01734   596   NtQueryAttributesFile  ... ) == 0x0
 01740  1028   NtRequestWaitReplyPort  (440, {64, 88, new_msg, 0, 0, 0, 0, 0}  (440, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 01741   596   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01742  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81874, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81874, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\200\3\0\0\234\5\0\0" ...  ...
 01741   596   NtOpenFile  ... 448, {status=0x0, info=1}, ) == 0x0
 01742  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81877, 0}  ... {28, 56, reply, 0, 896, 2016, 81877, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\200\3\0\0\234\5\0\0" )  ) == 0x0
 01743   596   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 448, ...
 01744  2016   NtResumeThread  (444, ...
 01743   596   NtCreateSection  ... 452, ) == 0x0
 01744  2016   NtResumeThread  ... 1, ) == 0x0
 01745   596   NtClose  (448, ...
 01746  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01747  1436   NtWaitForSingleObject  (88, 0, 0x0, ...
 01745   596   NtClose  ... ) == 0x0
 01740  1028   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 896, 1028, 81878, 0}  ... {52, 76, reply, 0, 896, 1028, 81878, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" )  ) == 0x0
 01748   596   NtMapViewOfSection  (452, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 01749  1028   NtClose  (436, ...
 01748   596   NtMapViewOfSection  ... (0x850000), 0x0, 20480, ) == 0x0
 01749  1028   NtClose  ... ) == 0x0
 01750   596   NtClose  (452, ...
 01751  1028   NtClose  (440, ...
 01750   596   NtClose  ... ) == 0x0
 01751  1028   NtClose  ... ) == 0x0
 01746  2016   NtAllocateVirtualMemory  ... 51118080, 1048576, ) == 0x0
 01752  2016   NtAllocateVirtualMemory  (-1, 52158464, 0, 8192, 4096, 4, ... 52158464, 8192, ) == 0x0
 01753  2016   NtProtectVirtualMemory  (-1, (0x31be000), 4096, 260, ... (0x31be000), 4096, 4, ) == 0x0
 01754  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 440, {896, 1368}, ) == 0x0
 01755  2016   NtQueryInformationThread  (440, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=896,Tid=1368,}, 0x0, ) == 0x0
 01756  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81877, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81877, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\200\3\0\0X\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\200\3\0\0X\5\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81880, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81877, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\200\3\0\0X\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\200\3\0\0X\5\0\0" )  ) == 0x0
 01757  1028   NtWaitForSingleObject  (88, 0, 0x0, ...
 01758   596   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 01759   596   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007328, ... ) }, 11007328, ... ) == 0x0
 01760   596   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 452, {status=0x0, info=1}, ) }, 5, 96, ... 452, {status=0x0, info=1}, ) == 0x0
 01761   596   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 452, ... 436, ) == 0x0
 01762   596   NtQuerySection  (436, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01763   596   NtClose  (452, ...
 01764  2016   NtResumeThread  (440, ... 1, ) == 0x0
 01765  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 52166656, 1048576, ) == 0x0
 01766  2016   NtAllocateVirtualMemory  (-1, 53207040, 0, 8192, 4096, 4, ... 53207040, 8192, ) == 0x0
 01767  2016   NtProtectVirtualMemory  (-1, (0x32be000), 4096, 260, ... (0x32be000), 4096, 4, ) == 0x0
 01768  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 448, {896, 724}, ) == 0x0
 01769  2016   NtQueryInformationThread  (448, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=896,Tid=724,}, 0x0, ) == 0x0
 01763   596   NtClose  ... ) == 0x0
 01770  1368   NtWaitForSingleObject  (88, 0, 0x0, ...
 01771   596   NtMapViewOfSection  (436, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0
 01772   596   NtClose  (436, ... ) == 0x0
 01773   596   NtProtectVirtualMemory  (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0
 01774   596   NtProtectVirtualMemory  (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0
 01775   596   NtFlushInstructionCache  (-1, 1906905088, 128, ...
 01776  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81880, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\200\3\0\0\324\2\0\0" ... {28, 56, reply, 0, 896, 2016, 81881, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\200\3\0\0\324\2\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81881, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\200\3\0\0\324\2\0\0" ... {28, 56, reply, 0, 896, 2016, 81881, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\1\0\0\200\3\0\0\324\2\0\0" )  ) == 0x0
 01777  2016   NtResumeThread  (448, ... 1, ) == 0x0
 01778  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 53215232, 1048576, ) == 0x0
 01779  2016   NtAllocateVirtualMemory  (-1, 54255616, 0, 8192, 4096, 4, ... 54255616, 8192, ) == 0x0
 01780  2016   NtProtectVirtualMemory  (-1, (0x33be000), 4096, 260, ... (0x33be000), 4096, 4, ) == 0x0
 01781  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01775   596   NtFlushInstructionCache  ... ) == 0x0
 01782   724   NtWaitForSingleObject  (88, 0, 0x0, ...
 01783   596   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01784   596   NtSetEventBoostPriority  (88, ...
 01735  1376   NtWaitForSingleObject  ... ) == 0x0
 01785  1376   NtSetEventBoostPriority  (88, ...
 01747  1436   NtWaitForSingleObject  ... ) == 0x0
 01786  1436   NtSetEventBoostPriority  (88, ...
 01757  1028   NtWaitForSingleObject  ... ) == 0x0
 01787  1028   NtSetEventBoostPriority  (88, ...
 01770  1368   NtWaitForSingleObject  ... ) == 0x0
 01788  1368   NtSetEventBoostPriority  (88, ...
 01782   724   NtWaitForSingleObject  ... ) == 0x0
 01789   724   NtTestAlert  (... ) == 0x0
 01788  1368   NtSetEventBoostPriority  ... ) == 0x0
 01787  1028   NtSetEventBoostPriority  ... ) == 0x0
 01786  1436   NtSetEventBoostPriority  ... ) == 0x0
 01785  1376   NtSetEventBoostPriority  ... ) == 0x0
 01784   596   NtSetEventBoostPriority  ... ) == 0x0
 01781  2016   NtCreateThread  ... 436, {896, 1276}, ) == 0x0
 01790   724   NtContinue  (53214512, 1, ...
 01791  1028   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 01792  1368   NtTestAlert  (...
 01793  1436   NtTestAlert  (...
 01794   596   NtClose  (432, ...
 01795  2016   NtQueryInformationThread  (436, Basic, 28, ...
 01796   724   NtRegisterThreadTerminatePort  (24, ...
 01797  1376   NtTestAlert  (...
 01792  1368   NtTestAlert  ... ) == 0x0
 01793  1436   NtTestAlert  ... ) == 0x0
 01794   596   NtClose  ... ) == 0x0
 01795  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=896,Tid=1276,}, 0x0, ) == 0x0
 01796   724   NtRegisterThreadTerminatePort  ... ) == 0x0
 01797  1376   NtTestAlert  ... ) == 0x0
 01798  1368   NtContinue  (52165936, 1, ...
 01799  1436   NtContinue  (51117360, 1, ...
 01791  1028   NtCreateKey  ... 432, 2, ) == 0x0
 01800  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81881, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81881, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\200\3\0\0\374\4\0\0" ...  ...
 01801   724   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01802  1376   NtContinue  (50068784, 1, ...
 01803  1368   NtRegisterThreadTerminatePort  (24, ...
 01804  1436   NtRegisterThreadTerminatePort  (24, ...
 01805  1028   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 01800  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81882, 0}  ... {28, 56, reply, 0, 896, 2016, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\200\3\0\0\374\4\0\0" )  ) == 0x0
 01801   724   NtDuplicateObject  ... 452, ) == 0x0
 01806  1376   NtRegisterThreadTerminatePort  (24, ...
 01803  1368   NtRegisterThreadTerminatePort  ... ) == 0x0
 01804  1436   NtRegisterThreadTerminatePort  ... ) == 0x0
 01805  1028   NtOpenKey  ... 456, ) == 0x0
 01807   596   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11009664, 67, ... }, 0x0, 0, 3, 3, 0, 11009664, 67, ...
 01808   724   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01806  1376   NtRegisterThreadTerminatePort  ... ) == 0x0
 01809  1368   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01810  1436   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01811  1028   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 01807   596   NtCreateFile  ... 460, {status=0x0, info=0}, ) == 0x0
 01812  2016   NtResumeThread  (436, ...
 01813  1376   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01808   724   NtWaitForSingleObject  ... ) == 0x102
 01809  1368   NtDuplicateObject  ... 464, ) == 0x0
 01811  1028   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01814   596   NtDeviceIoControlFile  (460, 96, 0x0, 0x0, 0x1207b,  (460, 96, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ...
 01812  2016   NtResumeThread  ... 1, ) == 0x0
 01810  1436   NtDuplicateObject  ... 468, ) == 0x0
 01815   724   NtWaitForSingleObject  (124, 0, 0x0, ...
 01816  1368   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01817  1028   NtQueryValueKey  (432,  (432, "Hostname", Partial, 144, ... , Partial, 144, ...
 01814   596   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\230\353s\201", ) , ) == 0x0
 01818  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01819  1436   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01816  1368   NtWaitForSingleObject  ... ) == 0x102
 01813  1376   NtDuplicateObject  ... 472, ) == 0x0
 01820  1276   NtTestAlert  (...
 01821   596   NtDeviceIoControlFile  (460, 96, 0x0, 0x0, 0x1207b,  (460, 96, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\230\353s\201", 16, 16, ... , 16, 16, ...
 01818  2016   NtAllocateVirtualMemory  ... 54263808, 1048576, ) == 0x0
 01819  1436   NtWaitForSingleObject  ... ) == 0x102
 01822  1368   NtWaitForSingleObject  (124, 0, 0x0, ...
 01823  1376   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01820  1276   NtTestAlert  ... ) == 0x0
 01821   596   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\230\353s\201", ) , ) == 0x0
 01824  2016   NtAllocateVirtualMemory  (-1, 55304192, 0, 8192, 4096, 4, ...
 01825  1436   NtWaitForSingleObject  (124, 0, 0x0, ...
 01823  1376   NtWaitForSingleObject  ... ) == 0x102
 01826  1276   NtContinue  (54263088, 1, ...
 01817  1028   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01824  2016   NtAllocateVirtualMemory  ... 55304192, 8192, ) == 0x0
 01827  1376   NtWaitForSingleObject  (124, 0, 0x0, ...
 01828  1276   NtRegisterThreadTerminatePort  (24, ...
 01829  1028   NtQueryValueKey  (432,  (432, "Hostname", Partial, 144, ... , Partial, 144, ...
 01830   596   NtDeviceIoControlFile  (460, 96, 0x0, 0x0, 0x12047,  (460, 96, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 01828  1276   NtRegisterThreadTerminatePort  ... ) == 0x0
 01829  1028   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0
 01830   596   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 01831  2016   NtProtectVirtualMemory  (-1, (0x34be000), 4096, 260, ...
 01832  1028   NtClose  (432, ...
 01833   596   NtWaitForSingleObject  (56, 0, {0, 0}, ...
 01831  2016   NtProtectVirtualMemory  ... (0x34be000), 4096, 4, ) == 0x0
 01832  1028   NtClose  ... ) == 0x0
 01833   596   NtWaitForSingleObject  ... ) == 0x102
 01834  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01835  1028   NtClose  (456, ...
 01836   596   NtDeviceIoControlFile  (460, 96, 0x0, 0x0, 0x12003,  (460, 96, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 01834  2016   NtCreateThread  ... 432, {896, 220}, ) == 0x0
 01837  1276   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01835  1028   NtClose  ... ) == 0x0
 01838  2016   NtQueryInformationThread  (432, Basic, 28, ...
 01837  1276   NtDuplicateObject  ... 456, ) == 0x0
 01839  1028   NtDeviceIoControlFile  (412, 0, 0x0, 0x0, 0x390008,  (412, 0, 0x0, 0x0, 0x390008, "l\37bs\344\237\300Q\246\323\307\355M\264%\320^\311\216\255\306\357g\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01838  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=896,Tid=220,}, 0x0, ) == 0x0
 01840  1276   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01841  1028   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01836   596   NtDeviceIoControlFile  ... {status=0x0, info=476},  ... {status=0x0, info=476}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01840  1276   NtWaitForSingleObject  ... ) == 0x102
 01841  1028   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01842   596   NtDeviceIoControlFile  (460, 96, 0x0, 0x0, 0x12047,  (460, 96, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01843  1276   NtWaitForSingleObject  (124, 0, 0x0, ...
 01844  1028   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01842   596   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01845  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81882, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\200\3\0\0\334\0\0\0" ...  ...
 01844  1028   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01846   596   NtDeviceIoControlFile  (460, 96, 0x0, 0x0, 0x12037,  (460, 96, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ...
 01845  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81883, 0}  ... {28, 56, reply, 0, 896, 2016, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\1\0\0\200\3\0\0\334\0\0\0" )  ) == 0x0
 01846   596   NtDeviceIoControlFile  ... {status=0x0, info=8},  ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01847  2016   NtResumeThread  (432, ...
 01848  1028   NtQuerySystemInformation  (Performance, 312, ...
 01847  2016   NtResumeThread  ... 1, ) == 0x0
 01848  1028   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01849  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01850  1028   NtQuerySystemInformation  (Exception, 16, ...
 01851   596   NtDeviceIoControlFile  (460, 96, 0x0, 0x0, 0x1200b,  (460, 96, 0x0, 0x0, 0x1200b, "\0\376\247\0\5\0\0\0\0\256\24\0", 12, 0, ... , 12, 0, ...
 01852   220   NtTestAlert  (...
 01850  1028   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01851   596   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01852   220   NtTestAlert  ... ) == 0x0
 01853  1028   NtQuerySystemInformation  (Lookaside, 32, ...
 01854   596   NtDeviceIoControlFile  (460, 96, 0x0, 0x0, 0x12047,  (460, 96, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\247\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 01855   220   NtContinue  (55311664, 1, ...
 01853  1028   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01854   596   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 01856   220   NtRegisterThreadTerminatePort  (24, ...
 01849  2016   NtAllocateVirtualMemory  ... 55312384, 1048576, ) == 0x0
 01857   596   NtDeviceIoControlFile  (460, 96, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ...
 01856   220   NtRegisterThreadTerminatePort  ... ) == 0x0
 01858  2016   NtAllocateVirtualMemory  (-1, 56352768, 0, 8192, 4096, 4, ...
 01857   596   NtDeviceIoControlFile  ... {status=0x0, info=26},  ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 01859  1028   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01858  2016   NtAllocateVirtualMemory  ... 56352768, 8192, ) == 0x0
 01860   220   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01859  1028   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01861  2016   NtProtectVirtualMemory  (-1, (0x35be000), 4096, 260, ...
 01860   220   NtDuplicateObject  ... 480, ) == 0x0
 01862  1028   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01861  2016   NtProtectVirtualMemory  ... (0x35be000), 4096, 4, ) == 0x0
 01863   220   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01862  1028   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01864  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01863   220   NtWaitForSingleObject  ... ) == 0x102
 01865  1028   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01866   596   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01867   220   NtWaitForSingleObject  (124, 0, 0x0, ...
 01865  1028   NtCreateKey  ... -2147481484, 2, ) == 0x0
 01866   596   NtCreateEvent  ... 484, ) == 0x0
 01864  2016   NtCreateThread  ... 488, {896, 1328}, ) == 0x0
 01868   596   NtWaitForSingleObject  (484, 0, 0x0, ...
 01869  2016   NtQueryInformationThread  (488, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=896,Tid=1328,}, 0x0, ) == 0x0
 01870  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81883, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\200\3\0\00\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\200\3\0\00\5\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81884, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\200\3\0\00\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\1\0\0\200\3\0\00\5\0\0" )  ) == 0x0
 01871  2016   NtResumeThread  (488, ... 1, ) == 0x0
 01872  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 56360960, 1048576, ) == 0x0
 01873  2016   NtAllocateVirtualMemory  (-1, 57401344, 0, 8192, 4096, 4, ... 57401344, 8192, ) == 0x0
 01874  1028   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "Szy\202\360\236\205\303\10\5\206E9\3114\220|C}\333\17\37Ww\27\370\354\235\220\234@gD\241\214\26\200\324\17\370\25U}vb\2754\251\265\204\255!\22\360|\277\250\11\25\365n\267\207\217\244\374\23<\25\2252\204\257\254\214\245\340\371\336", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "Szy\202\360\236\205\303\10\5\206E9\3114\220|C}\333\17\37Ww\27\370\354\235\220\234@gD\241\214\26\200\324\17\370\25U}vb\2754\251\265\204\255!\22\360|\277\250\11\25\365n\267\207\217\244\374\23<\25\2252\204\257\254\214\245\340\371\336", 80, ... , 80, ...
 01875  1328   NtTestAlert  (...
 01874  1028   NtSetValueKey  ... ) == 0x0
 01875  1328   NtTestAlert  ... ) == 0x0
 01876  1028   NtClose  (-2147481484, ...
 01877  1328   NtContinue  (56360240, 1, ...
 01876  1028   NtClose  ... ) == 0x0
 01878  1328   NtRegisterThreadTerminatePort  (24, ...
 01839  1028   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "aa\332"\344\251\341k:\326\277/\224\233\353xts\360S_X\37,l\307\237\245?c\22\277\232N\22\203G)\206\242r\372\335\274\316\201V\22\374Z\336\353(\326\3317?lZ\334&Z\266\264\365\223\13\24\26\253\301qAs\35E\33\240\211\2113\373\270M\363Y\200\25\14\361\24,Oko\20\227\326\307f[gO0\227!X\5;M-)\374\204;\245<\276\211N\254\254\217\3208\354)\243\237\325\252\343\375\34\207L\271\332\37\352\233\321Bw\242xjTN\215\226J\325\14\233\372\270\271`w\13j\203\236\250F\14\271\211K\370\212v\325|o\273\236\311\252%\316\377c\2\315\202}\251\206=\266Q\236\201\345\206i\21xp\216:\210\217\22\326\205\210O\354\246Q\320O\3\2101\341\332\376\363\261\222\250q\356\227U\304X\10\3048\352\331\207\3730\177\310\232f\231\34\266\332\364\356\2\357\14\204"", ) \344\251\341k:\326\277/\224\233\353xts\360S_X\37,l\307\237\245?c\22\277\232N\22\203G)\206\242r\372\335\274\316\201V\22\374Z\336\353(\326\3317?lZ\334&Z\266\264\365\223\13\24\26\253\301qAs\35E\33\240\211\2113\373\270M\363Y\200\25\14\361\24,Oko\20\227\326\307f[gO0\227!X\5;M-)\374\204;\245<\276\211N\254\254\217\3208\354)\243\237\325\252\343\375\34\207L\271\332\37\352\233\321Bw\242xjTN\215\226J\325\14\233\372\270\271`w\13j\203\236\250F\14\271\211K\370\212v\325|o\273\236\311\252%\316\377c\2\315\202}\251\206=\266Q\236\201\345\206i\21xp\216:\210\217\22\326\205\210O\354\246Q\320O\3\2101\341\332\376\363\261\222\250q\356\227U\304X\10\3048\352\331\207\3730\177\310\232f\231\34\266\332\364\356\2\357\14\204"", ) == 0x0
 01878  1328   NtRegisterThreadTerminatePort  ... ) == 0x0
 01879  1028   NtDeviceIoControlFile  (412, 0, 0x0, 0x0, 0x390008,  (412, 0, 0x0, 0x0, 0x390008, "l\37bs\344\237\300Q\246\323\307\355M\264:2vB\323\352f^\276^\311\216\255\306\357g\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01880  2016   NtProtectVirtualMemory  (-1, (0x36be000), 4096, 260, ...
 01881  1328   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01880  2016   NtProtectVirtualMemory  ... (0x36be000), 4096, 4, ) == 0x0
 01881  1328   NtDuplicateObject  ... 492, ) == 0x0
 01882  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01883  1328   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01882  2016   NtCreateThread  ... 496, {896, 1636}, ) == 0x0
 01883  1328   NtWaitForSingleObject  ... ) == 0x102
 01884  2016   NtQueryInformationThread  (496, Basic, 28, ...
 01885  1328   NtWaitForSingleObject  (124, 0, 0x0, ...
 01884  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=896,Tid=1636,}, 0x0, ) == 0x0
 01886  1028   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01887  1028   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01888  1028   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01889  1028   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01890  1028   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01891  1028   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01892  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81884, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\200\3\0\0d\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\200\3\0\0d\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81885, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\200\3\0\0d\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\200\3\0\0d\6\0\0" )  ) == 0x0
 01893  2016   NtResumeThread  (496, ... 1, ) == 0x0
 01894  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 57409536, 1048576, ) == 0x0
 01895  2016   NtAllocateVirtualMemory  (-1, 58449920, 0, 8192, 4096, 4, ... 58449920, 8192, ) == 0x0
 01896  2016   NtProtectVirtualMemory  (-1, (0x37be000), 4096, 260, ... (0x37be000), 4096, 4, ) == 0x0
 01897  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01898  1028   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01899  1636   NtTestAlert  (...
 01898  1028   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01899  1636   NtTestAlert  ... ) == 0x0
 01900  1028   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01901  1636   NtContinue  (57408816, 1, ...
 01900  1028   NtCreateKey  ... -2147481484, 2, ) == 0x0
 01902  1636   NtRegisterThreadTerminatePort  (24, ...
 01903  1028   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\311\312\16;N\\21\347\30\2454\226\25H\340'"\367\362G\1774\270.\267\267R\263\3343Nl!\35n\256L\215\250\336AL\333V\224\276\273\337\362\300W\343\6F\206\272@\364\320\300>|\277g\235\32zIf[\367\274S\230!l\344\32\306", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "\311\312\16;N\\21\347\30\2454\226\25H\340'"\367\362G\1774\270.\267\267R\263\3343Nl!\35n\256L\215\250\336AL\333V\224\276\273\337\362\300W\343\6F\206\272@\364\320\300>|\277g\235\32zIf[\367\274S\230!l\344\32\306", 80, ... \367\362G\1774\270.\267\267R\263\3343Nl!\35n\256L\215\250\336AL\333V\224\276\273\337\362\300W\343\6F\206\272@\364\320\300>|\277g\235\32zIf[\367\274S\230!l\344\32\306", 80, ...
 01902  1636   NtRegisterThreadTerminatePort  ... ) == 0x0
 01903  1028   NtSetValueKey  ... ) == 0x0
 01897  2016   NtCreateThread  ... 500, {896, 704}, ) == 0x0
 01904  1636   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01905  2016   NtQueryInformationThread  (500, Basic, 28, ...
 01904  1636   NtDuplicateObject  ... 504, ) == 0x0
 01905  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=896,Tid=704,}, 0x0, ) == 0x0
 01906  1636   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ...
 01907  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81885, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\200\3\0\0\300\2\0\0" ...  ...
 01906  1636   NtAllocateVirtualMemory  ... 1388544, 4096, ) == 0x0
 01907  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81886, 0}  ... {28, 56, reply, 0, 896, 2016, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\200\3\0\0\300\2\0\0" )  ) == 0x0
 01908  1636   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01909  1028   NtClose  (-2147481484, ... ) == 0x0
 01879  1028   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\7\31\345\357\24\340\3416\335\3571\\342\353H\350\353\3$Mq\375\334R\25^.\227\335\261p\217\33\26\311\12lCn\354\2754dsh\373\277\360Q\331\224\13\344\4\215\24\217zEi\273\205\301\357,\267\255n\317\37%\265F\333\13w-c')\12\24t\267\3214\312\225\305Qb\243\327|\5~i\346$\260\12j\266g\347.\223s\204\333b\241\14\370T\360\5\203\242P\374\37\275\3257d\312\265\331\207\6Y\360\376sI\266\346\364\345\346\224\232\230`\210\203\272\336\257\22\306x\227\226\20\261\316\2649\252(\216R\35, ) , ) == 0x0
 01910  1028   NtDeviceIoControlFile  (412, 0, 0x0, 0x0, 0x390008,  (412, 0, 0x0, 0x0, 0x390008, "l\37bs\344\237\300Q\246\323\307\355M\264:2vB\323\352fA\vB\323\352f^\276^\311\216\255\306\357g\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01911  1028   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01912  1028   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01913  1028   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01914  1028   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01915  2016   NtResumeThread  (500, ...
 01908  1636   NtWaitForSingleObject  ... ) == 0x102
 01915  2016   NtResumeThread  ... 1, ) == 0x0
 01916  1636   NtWaitForSingleObject  (124, 0, 0x0, ...
 01917  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 58458112, 1048576, ) == 0x0
 01918  2016   NtAllocateVirtualMemory  (-1, 59498496, 0, 8192, 4096, 4, ... 59498496, 8192, ) == 0x0
 01919  2016   NtProtectVirtualMemory  (-1, (0x38be000), 4096, 260, ... (0x38be000), 4096, 4, ) == 0x0
 01920  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 508, {896, 1152}, ) == 0x0
 01921  2016   NtQueryInformationThread  (508, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=896,Tid=1152,}, 0x0, ) == 0x0
 01922  1028   NtQuerySystemInformation  (Lookaside, 32, ...
 01923   704   NtTestAlert  (...
 01922  1028   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01923   704   NtTestAlert  ... ) == 0x0
 01924  1028   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 01925   704   NtContinue  (58457392, 1, ...
 01924  1028   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 01926   704   NtRegisterThreadTerminatePort  (24, ...
 01927  1028   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 01926   704   NtRegisterThreadTerminatePort  ... ) == 0x0
 01927  1028   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 01928  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81886, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\200\3\0\0\200\4\0\0" ...  ...
 01929   704   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01928  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81887, 0}  ... {28, 56, reply, 0, 896, 2016, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\200\3\0\0\200\4\0\0" )  ) == 0x0
 01929   704   NtDuplicateObject  ... 512, ) == 0x0
 01930  2016   NtResumeThread  (508, ...
 01931   704   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01930  2016   NtResumeThread  ... 1, ) == 0x0
 01931   704   NtWaitForSingleObject  ... ) == 0x102
 01932  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01933   704   NtWaitForSingleObject  (124, 0, 0x0, ...
 01934  1028   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01935  1152   NtTestAlert  (...
 01932  2016   NtAllocateVirtualMemory  ... 59506688, 1048576, ) == 0x0
 01934  1028   NtCreateKey  ... -2147481484, 2, ) == 0x0
 01935  1152   NtTestAlert  ... ) == 0x0
 01936  2016   NtAllocateVirtualMemory  (-1, 60547072, 0, 8192, 4096, 4, ...
 01937  1028   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\343\34I\272\224\215\346bd4\1:\275\307\4\357e\27\303\3006\276\207\240u|iZ-\322CU!0\2601\310`S\4*c,\204\312\231T\3\232=\324H\2222\350\227\310\325\326\262\32H\356\241q\376<>\255\237\246\321\246b\232\205\266\316\217 ", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "\343\34I\272\224\215\346bd4\1:\275\307\4\357e\27\303\3006\276\207\240u|iZ-\322CU!0\2601\310`S\4*c,\204\312\231T\3\232=\324H\2222\350\227\310\325\326\262\32H\356\241q\376<>\255\237\246\321\246b\232\205\266\316\217 ", 80, ... , 80, ...
 01938  1152   NtContinue  (59505968, 1, ...
 01936  2016   NtAllocateVirtualMemory  ... 60547072, 8192, ) == 0x0
 01937  1028   NtSetValueKey  ... ) == 0x0
 01939  1152   NtRegisterThreadTerminatePort  (24, ...
 01940  2016   NtProtectVirtualMemory  (-1, (0x39be000), 4096, 260, ...
 01941  1028   NtClose  (-2147481484, ...
 01939  1152   NtRegisterThreadTerminatePort  ... ) == 0x0
 01940  2016   NtProtectVirtualMemory  ... (0x39be000), 4096, 4, ) == 0x0
 01941  1028   NtClose  ... ) == 0x0
 01942  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01943  1152   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01910  1028   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "A\227\262\11\263\31\242\277\2e\22S\223iC\353\200)\322\242$\204\21:\276\34\16\304\361&\231$\374N\206\3744Ua\272L\227\301m*\6\330\241\5,n\213w#\4N*b\337\26\342D4U\234\241\243<\230\275t\243\231\221\345\0\201j\13f"\233\366ld\356\213I\243Wkg\15\366\317\310\22\265\264\324\15\35\272\11a\256\246\0'\232m#h5\352]\256\2241\272"\257\237w\363\262\374a\222\14&\361\273K\263\265\30C\16\35{Ec\351\302\341\357"0\3\200-R\352\351\364(h\276\23u"zzw\257\5\375J\365V\203\322\244\313\375\30\254\320\302\371\327\14\2\7\177T\227\16\271A`\240\2039Q\305\341\351\257\320x\362,p\33\244\4\16\257*\335\240#?\15`V\275\243\227\334Qb\317d\347\200\322\275M\314\376\275\3\233\261\20@\260\34z\2577=>1\247C\375\257\252b\257\32\225", ) \233\366ld\356\213I\243Wkg\15\366\317\310\22\265\264\324\15\35\272\11a\256\246\0'\232m#h5\352]\256\2241\272 ... {status=0x0, info=256}, "A\227\262\11\263\31\242\277\2e\22S\223iC\353\200)\322\242$\204\21:\276\34\16\304\361&\231$\374N\206\3744Ua\272L\227\301m*\6\330\241\5,n\213w#\4N*b\337\26\342D4U\234\241\243<\230\275t\243\231\221\345\0\201j\13f"\233\366ld\356\213I\243Wkg\15\366\317\310\22\265\264\324\15\35\272\11a\256\246\0'\232m#h5\352]\256\2241\272"\257\237w\363\262\374a\222\14&\361\273K\263\265\30C\16\35{Ec\351\302\341\357"0\3\200-R\352\351\364(h\276\23u"zzw\257\5\375J\365V\203\322\244\313\375\30\254\320\302\371\327\14\2\7\177T\227\16\271A`\240\2039Q\305\341\351\257\320x\362,p\33\244\4\16\257*\335\240#?\15`V\275\243\227\334Qb\317d\347\200\322\275M\314\376\275\3\233\261\20@\260\34z\2577=>1\247C\375\257\252b\257\32\225", ) 0\3\200-R\352\351\364(h\276\23u ... {status=0x0, info=256}, "A\227\262\11\263\31\242\277\2e\22S\223iC\353\200)\322\242$\204\21:\276\34\16\304\361&\231$\374N\206\3744Ua\272L\227\301m*\6\330\241\5,n\213w#\4N*b\337\26\342D4U\234\241\243<\230\275t\243\231\221\345\0\201j\13f"\233\366ld\356\213I\243Wkg\15\366\317\310\22\265\264\324\15\35\272\11a\256\246\0'\232m#h5\352]\256\2241\272"\257\237w\363\262\374a\222\14&\361\273K\263\265\30C\16\35{Ec\351\302\341\357"0\3\200-R\352\351\364(h\276\23u"zzw\257\5\375J\365V\203\322\244\313\375\30\254\320\302\371\327\14\2\7\177T\227\16\271A`\240\2039Q\305\341\351\257\320x\362,p\33\244\4\16\257*\335\240#?\15`V\275\243\227\334Qb\317d\347\200\322\275M\314\376\275\3\233\261\20@\260\34z\2577=>1\247C\375\257\252b\257\32\225", ) , ) == 0x0
 01943  1152   NtDuplicateObject  ... 516, ) == 0x0
 01944  1028   NtDeviceIoControlFile  (412, 0, 0x0, 0x0, 0x390008,  (412, 0, 0x0, 0x0, 0x390008, "l\37bs\344\237\300Q\246\323\307\355M\264:2vB\323\352fA\vB\323\352fA\vB\323\352f^\276^\311\216\255\306\357g\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01945  1152   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01946  1028   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01945  1152   NtWaitForSingleObject  ... ) == 0x102
 01946  1028   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01947  1152   NtWaitForSingleObject  (124, 0, 0x0, ...
 01948  1028   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01942  2016   NtCreateThread  ... 520, {896, 1228}, ) == 0x0
 01948  1028   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01949  2016   NtQueryInformationThread  (520, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=896,Tid=1228,}, 0x0, ) == 0x0
 01950  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81887, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\200\3\0\0\314\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\200\3\0\0\314\4\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81888, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\200\3\0\0\314\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\200\3\0\0\314\4\0\0" )  ) == 0x0
 01951  2016   NtResumeThread  (520, ... 1, ) == 0x0
 01952  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 60555264, 1048576, ) == 0x0
 01953  2016   NtAllocateVirtualMemory  (-1, 61595648, 0, 8192, 4096, 4, ... 61595648, 8192, ) == 0x0
 01954  1028   NtQuerySystemInformation  (Performance, 312, ...
 01955  1228   NtTestAlert  (...
 01954  1028   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 01955  1228   NtTestAlert  ... ) == 0x0
 01956  1028   NtQuerySystemInformation  (Exception, 16, ...
 01957  1228   NtContinue  (60554544, 1, ...
 01956  1028   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 01958  1228   NtRegisterThreadTerminatePort  (24, ...
 01959  1028   NtQuerySystemInformation  (Lookaside, 32, ...
 01958  1228   NtRegisterThreadTerminatePort  ... ) == 0x0
 01959  1028   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 01960  2016   NtProtectVirtualMemory  (-1, (0x3abe000), 4096, 260, ...
 01961  1228   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01960  2016   NtProtectVirtualMemory  ... (0x3abe000), 4096, 4, ) == 0x0
 01961  1228   NtDuplicateObject  ... 524, ) == 0x0
 01962  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01963  1228   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01962  2016   NtCreateThread  ... 528, {896, 792}, ) == 0x0
 01963  1228   NtWaitForSingleObject  ... ) == 0x102
 01964  2016   NtQueryInformationThread  (528, Basic, 28, ...
 01965  1228   NtWaitForSingleObject  (124, 0, 0x0, ...
 01964  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=896,Tid=792,}, 0x0, ) == 0x0
 01966  1028   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01967  1028   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01968  1028   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481484, 2, ) }, 0, 0x0, 0, ... -2147481484, 2, ) == 0x0
 01969  1028   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\232b/m\272`\272<_\2#Rc\200\10\214\3\271\257,\73G\347\375\325\357\3366\375\265\302p\237k\346\372\225\24\2122\22\323\365I\314\205\21|\256\321N}\177\21\271o\371\351L\14>z\336\350\256Q\375\203\337\267\222\270f}\226\305\215\33V", 80, ... ) , 0, 3,  (-2147481484, "Seed", 0, 3, "\232b/m\272`\272<_\2#Rc\200\10\214\3\271\257,\73G\347\375\325\357\3366\375\265\302p\237k\346\372\225\24\2122\22\323\365I\314\205\21|\256\321N}\177\21\271o\371\351L\14>z\336\350\256Q\375\203\337\267\222\270f}\226\305\215\33V", 80, ... ) , 80, ... ) == 0x0
 01970  1028   NtClose  (-2147481484, ... ) == 0x0
 01971  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81888, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\200\3\0\0\30\3\0\0" ... {28, 56, reply, 0, 896, 2016, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\200\3\0\0\30\3\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81889, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\200\3\0\0\30\3\0\0" ... {28, 56, reply, 0, 896, 2016, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\200\3\0\0\30\3\0\0" )  ) == 0x0
 01972  2016   NtResumeThread  (528, ... 1, ) == 0x0
 01973  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01944  1028   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\35?\315\364_\362\230\240\205\205s\303\211\323}kp\216u\0\254\271$\302\275O\361\22\11Z*\23\354K\203\3432&\3540\353\311t\371\350\355}(\215\224\11d\244\36u\201(\304\366kLnr\306\375\363\241\317:\311N\216\304\21\224\377\21\325\331\223CSpD\244D\304\231v@\364\27\365>\343\225\306\201\5%c\305\237\322\25\322\325\22\223\250\350\201\243A\230i1\17\0\254\30Y\327\221gT\221\342>\27!\202\316\355\264n\231Fp!R\222\353\273\364\332`VC\334\345@\325P\362I"f\215{\257\246\234}\207\340\3774Dc\224\11B\330AZ\2733\261ag\360\217\232\17\335\270mZ\235\357\211>\312\@7\366\330\357\243\3106P.0\0\34\351\214\375\246h9\344\240\217\300*k\362RQc\177\275\361\273\220\341\5\216\235\263\2\362\256\363\300_\215{\257\246\234}\207\340\3774Dc\224\11B\330AZ\2733\261ag\360\217\232\17\335\270mZ\235\357\211>\312\@7\366\330\357\243\3106P.0\0\34\351\214\375\246h9\344\240\217\300*k\362RQc\177\275\361\273\220\341\5\216\235\263\2\362\256\363\300_\300\\313F\4\301T.\234\233\263]F", ) == 0x0
 01974   792   NtTestAlert  (...
 01975  1028   NtDeviceIoControlFile  (412, 0, 0x0, 0x0, 0x390008,  (412, 0, 0x0, 0x0, 0x390008, "l\37bs\344\237\300Q\246\323\307\355M\264:2vB\323\352fA\vB\323\352fA\vB\323\352fA\vB\323\352f^\276^\311\216\255\306\357g\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01974   792   NtTestAlert  ... ) == 0x0
 01976  1028   NtQuerySystemInformation  (TimeOfDay, 48, ...
 01977   792   NtContinue  (61603120, 1, ...
 01976  1028   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 01978   792   NtRegisterThreadTerminatePort  (24, ...
 01979  1028   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 01978   792   NtRegisterThreadTerminatePort  ... ) == 0x0
 01979  1028   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 01973  2016   NtAllocateVirtualMemory  ... 61603840, 1048576, ) == 0x0
 01980   792   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01981  2016   NtAllocateVirtualMemory  (-1, 62644224, 0, 8192, 4096, 4, ...
 01980   792   NtDuplicateObject  ... 532, ) == 0x0
 01981  2016   NtAllocateVirtualMemory  ... 62644224, 8192, ) == 0x0
 01982   792   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 01983  2016   NtProtectVirtualMemory  (-1, (0x3bbe000), 4096, 260, ...
 01982   792   NtWaitForSingleObject  ... ) == 0x102
 01983  2016   NtProtectVirtualMemory  ... (0x3bbe000), 4096, 4, ) == 0x0
 01984   792   NtWaitForSingleObject  (124, 0, 0x0, ...
 01985  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 01986  1028   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01987  1028   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01988  1028   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01989  1028   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01990  1028   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01991  1028   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481484, 2, ) }, 0, 0x0, 0, ... -2147481484, 2, ) == 0x0
 01985  2016   NtCreateThread  ... 536, {896, 1484}, ) == 0x0
 01992  2016   NtQueryInformationThread  (536, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=896,Tid=1484,}, 0x0, ) == 0x0
 01993  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81889, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\200\3\0\0\314\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\200\3\0\0\314\5\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81890, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\200\3\0\0\314\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\2\0\0\200\3\0\0\314\5\0\0" )  ) == 0x0
 01994  2016   NtResumeThread  (536, ... 1, ) == 0x0
 01995  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 62652416, 1048576, ) == 0x0
 01996  2016   NtAllocateVirtualMemory  (-1, 63692800, 0, 8192, 4096, 4, ... 63692800, 8192, ) == 0x0
 01997  1028   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\336^\315\274\316\5M\373\330\334\223\361\305\337\237\365\305(K\217f\206((\342GY\235\254\200V\332\243w\373.d\307b\267/\3566A\234\273\217-\337\300)\270\222\272\246\3339]Z'W\261\250\325l\26+\370\315\352\300p<\14\242\36\244\21\326", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "\336^\315\274\316\5M\373\330\334\223\361\305\337\237\365\305(K\217f\206((\342GY\235\254\200V\332\243w\373.d\307b\267/\3566A\234\273\217-\337\300)\270\222\272\246\3339]Z'W\261\250\325l\26+\370\315\352\300p<\14\242\36\244\21\326", 80, ... , 80, ...
 01998  1484   NtTestAlert  (...
 01997  1028   NtSetValueKey  ... ) == 0x0
 01998  1484   NtTestAlert  ... ) == 0x0
 01999  1028   NtClose  (-2147481484, ...
 02000  1484   NtContinue  (62651696, 1, ...
 01999  1028   NtClose  ... ) == 0x0
 02001  1484   NtRegisterThreadTerminatePort  (24, ...
 01975  1028   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "g\257\3774\36\211\325\202z*\201\236\246\301k\266\335\212\15\324\333(\260?\322\33\3gG\11\274VK\335\326B\250\202\34J\343\15\12\343b\217W\254\223\207\371\356\317S\322\3152\16\0\255\366\222&zJ\373\307\301\236\210;\245\35\324\367\257>\311G\273\324]\3776\5\16.M\5J\350f\304\4\324\271\371x\33\241\351\306%\243\265\335h\215/\31[;\354A\233\34w\206\376\260!l\337i|\377V\351\344\361\310&\364\2644\265\331{\313\23\252G2\342\7\375\4\265\353\23\303\220\12Y\377\27&\273\272\34W\304\177\331\347\353F\\4g\244\204N\201\35\351\324\27\313##\357q\3231\267\36\257t\262\370A\2321A\201\3402\31)\373G\310+o*\366\10\20)ZMN\320\7\302\343\10\342\304\24t!\221|\377\331/>\201\316\21`\34\207'\264'\364\254E\246\207\16*\333\3307\351\374\1\323\253C\1\204", ) , ) == 0x0
 02001  1484   NtRegisterThreadTerminatePort  ... ) == 0x0
 02002  1028   NtDeviceIoControlFile  (412, 0, 0x0, 0x0, 0x390008,  (412, 0, 0x0, 0x0, 0x390008, "l\37bs\344\237\300Q\246\323\307\355M\264:2vB\323\352fA\vB\323\352fA\vB\323\352fA\vB\323\352fA\vB\323\352f^\276^\311\216\255\306\357g\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02003  2016   NtProtectVirtualMemory  (-1, (0x3cbe000), 4096, 260, ...
 02004  1484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02003  2016   NtProtectVirtualMemory  ... (0x3cbe000), 4096, 4, ) == 0x0
 02004  1484   NtDuplicateObject  ... 540, ) == 0x0
 02005  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02006  1484   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02005  2016   NtCreateThread  ... 544, {896, 888}, ) == 0x0
 02006  1484   NtWaitForSingleObject  ... ) == 0x102
 02007  2016   NtQueryInformationThread  (544, Basic, 28, ...
 02008  1484   NtWaitForSingleObject  (124, 0, 0x0, ...
 02007  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=896,Tid=888,}, 0x0, ) == 0x0
 02009  1028   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02010  1028   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02011  1028   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02012  1028   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02013  1028   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02014  1028   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02015  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81890, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\200\3\0\0x\3\0\0" ... {28, 56, reply, 0, 896, 2016, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\200\3\0\0x\3\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81891, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\200\3\0\0x\3\0\0" ... {28, 56, reply, 0, 896, 2016, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\200\3\0\0x\3\0\0" )  ) == 0x0
 02016  2016   NtResumeThread  (544, ... 1, ) == 0x0
 02017  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 63700992, 1048576, ) == 0x0
 02018  2016   NtAllocateVirtualMemory  (-1, 64741376, 0, 8192, 4096, 4, ... 64741376, 8192, ) == 0x0
 02019  2016   NtProtectVirtualMemory  (-1, (0x3dbe000), 4096, 260, ... (0x3dbe000), 4096, 4, ) == 0x0
 02020  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02021  1028   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02022   888   NtTestAlert  (...
 02021  1028   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02022   888   NtTestAlert  ... ) == 0x0
 02023  1028   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02024   888   NtContinue  (63700272, 1, ...
 02023  1028   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02025   888   NtRegisterThreadTerminatePort  (24, ...
 02026  1028   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "e\332\221\21\277\230D\3215\270\212I \305\346\365\356\344\377\253\35\342c\371\253\373\274'\37\275\337V!\266\325\373b\1\252\357\36emb\367.\325\15\276\273`e\367\373|q\2160@h\13\357I0[\5\340\346 &W\257\346"\37`6a\371w", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "e\332\221\21\277\230D\3215\270\212I \305\346\365\356\344\377\253\35\342c\371\253\373\274'\37\275\337V!\266\325\373b\1\252\357\36emb\367.\325\15\276\273`e\367\373|q\2160@h\13\357I0[\5\340\346 &W\257\346"\37`6a\371w", 80, ... \37`6a\371w", 80, ...
 02025   888   NtRegisterThreadTerminatePort  ... ) == 0x0
 02026  1028   NtSetValueKey  ... ) == 0x0
 02020  2016   NtCreateThread  ... 548, {896, 1120}, ) == 0x0
 02027   888   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02028  2016   NtQueryInformationThread  (548, Basic, 28, ...
 02027   888   NtDuplicateObject  ... 552, ) == 0x0
 02028  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=896,Tid=1120,}, 0x0, ) == 0x0
 02029   888   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02030  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81891, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\200\3\0\0`\4\0\0" ...  ...
 02029   888   NtWaitForSingleObject  ... ) == 0x102
 02030  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81892, 0}  ... {28, 56, reply, 0, 896, 2016, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\200\3\0\0`\4\0\0" )  ) == 0x0
 02031   888   NtWaitForSingleObject  (124, 0, 0x0, ...
 02032  1028   NtClose  (-2147481484, ...
 02033  2016   NtResumeThread  (548, ...
 02032  1028   NtClose  ... ) == 0x0
 02033  2016   NtResumeThread  ... 1, ) == 0x0
 02002  1028   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "K\306\261\242\2414\203\212H\324\231;_\272\216\222\306\361g3\30\333YLNy0;J\7\362\253\326\344\177\11]\211\314&\255\260\2\273\361;\343\330\257d2\25\315\332\323f\350vo\355\345\342\347\345\337g\241\251*3j\333\207V\\260]\353\14M(i\202\371\312\363\177\354\5h\222\17\273Hs\337\12\3\261\220\3205K8_\231IX\244\366\301I\203\242\221\236\312\!\315(\24\301\4\352w\304C\210\341uX\200\270yC;-\225|\312E\12\261\207\232\325\236\234h(\214\231\207\204\305\32\356/\277\332\272eV\256>\222\267\24\210\372H4?-\353\206x'\224h\344\315\23\340\261\321\267^m\213\236gXh\253\252\237N\323\20{\363!\324\376\233\302)\330\213!\306M\337\270\317\247J\265\243\351\32%3|\375\335]e\267\\357e\257\220", ) , ) == 0x0
 02034  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02035  1028   NtDeviceIoControlFile  (412, 0, 0x0, 0x0, 0x390008,  (412, 0, 0x0, 0x0, 0x390008, "l\37bs\344\237\300Q\246\323\307\355M\264:2vB\323\352fA\vB\323\352fA\vB\323\352fA\vB\323\352fA\vB\323\352fA\vB\323\352f^\276^\311\216\255\306\357g\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02034  2016   NtAllocateVirtualMemory  ... 64749568, 1048576, ) == 0x0
 02036  1028   NtQuerySystemInformation  (TimeOfDay, 48, ...
 02037  2016   NtAllocateVirtualMemory  (-1, 65789952, 0, 8192, 4096, 4, ...
 02036  1028   NtQuerySystemInformation  ... {system info, class 3, size 48}, 48, ) == 0x0
 02037  2016   NtAllocateVirtualMemory  ... 65789952, 8192, ) == 0x0
 02038  1120   NtTestAlert  (...
 02039  1028   NtQuerySystemInformation  (ProcessorTimes, 48, ...
 02038  1120   NtTestAlert  ... ) == 0x0
 02039  1028   NtQuerySystemInformation  ... {system info, class 8, size 48}, 48, ) == 0x0
 02040  1120   NtContinue  (64748848, 1, ...
 02041  1028   NtQuerySystemInformation  (Performance, 312, ...
 02042  1120   NtRegisterThreadTerminatePort  (24, ...
 02041  1028   NtQuerySystemInformation  ... {system info, class 2, size 312}, 312, ) == 0x0
 02042  1120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02043  1028   NtQuerySystemInformation  (Exception, 16, ...
 02044  2016   NtProtectVirtualMemory  (-1, (0x3ebe000), 4096, 260, ...
 02043  1028   NtQuerySystemInformation  ... {system info, class 33, size 16}, 16, ) == 0x0
 02044  2016   NtProtectVirtualMemory  ... (0x3ebe000), 4096, 4, ) == 0x0
 02045  1120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02046  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02045  1120   NtDuplicateObject  ... 556, ) == 0x0
 02046  2016   NtCreateThread  ... 560, {896, 840}, ) == 0x0
 02047  1120   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02048  2016   NtQueryInformationThread  (560, Basic, 28, ...
 02047  1120   NtWaitForSingleObject  ... ) == 0x102
 02048  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=896,Tid=840,}, 0x0, ) == 0x0
 02049  1120   NtWaitForSingleObject  (124, 0, 0x0, ...
 02050  1028   NtQuerySystemInformation  (Lookaside, 32, ...
 02051  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81892, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\200\3\0\0H\3\0\0" ...  ...
 02050  1028   NtQuerySystemInformation  ... {system info, class 45, size 32}, 32, ) == 0x0
 02051  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81893, 0}  ... {28, 56, reply, 0, 896, 2016, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\2\0\0\200\3\0\0H\3\0\0" )  ) == 0x0
 02052  1028   NtQuerySystemInformation  (ProcessorStatistics, 3016, ...
 02053  2016   NtResumeThread  (560, ...
 02052  1028   NtQuerySystemInformation  ... {system info, class 23, size 0}, 0, ) == 0x0
 02053  2016   NtResumeThread  ... 1, ) == 0x0
 02054  1028   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ...
 02055  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02054  1028   NtQuerySystemInformation  ... ) == STATUS_INFO_LENGTH_MISMATCH
 02056   840   NtAllocateVirtualMemory  (-1, 8806400, 0, 4096, 4096, 4, ...
 02055  2016   NtAllocateVirtualMemory  ... 65798144, 1048576, ) == 0x0
 02056   840   NtAllocateVirtualMemory  ... 8806400, 4096, ) == 0x0
 02057  2016   NtAllocateVirtualMemory  (-1, 66838528, 0, 8192, 4096, 4, ...
 02058   840   NtTestAlert  (...
 02057  2016   NtAllocateVirtualMemory  ... 66838528, 8192, ) == 0x0
 02058   840   NtTestAlert  ... ) == 0x0
 02059  2016   NtProtectVirtualMemory  (-1, (0x3fbe000), 4096, 260, ...
 02060   840   NtContinue  (65797424, 1, ...
 02059  2016   NtProtectVirtualMemory  ... (0x3fbe000), 4096, 4, ) == 0x0
 02061  1028   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02062  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02061  1028   NtCreateKey  ... -2147481484, 2, ) == 0x0
 02063   840   NtRegisterThreadTerminatePort  (24, ...
 02064  1028   NtSetValueKey  (-2147481484,  (-2147481484, "Seed", 0, 3, "\277\317\300\340\335w\272s\273\325\246r$\313\5\15-\361\212\352\273\6w\252OT\200k\213\201OV\242\215L\322\352\213\331\16Q\37\270l\27 \15C\235\36p\375\372\376RDxY\327(\345e\302N\257\321\11\333\324W\222\263e\221\353\227)\354]y", 80, ... , 0, 3,  (-2147481484, "Seed", 0, 3, "\277\317\300\340\335w\272s\273\325\246r$\313\5\15-\361\212\352\273\6w\252OT\200k\213\201OV\242\215L\322\352\213\331\16Q\37\270l\27 \15C\235\36p\375\372\376RDxY\327(\345e\302N\257\321\11\333\324W\222\263e\221\353\227)\354]y", 80, ... , 80, ...
 02063   840   NtRegisterThreadTerminatePort  ... ) == 0x0
 02064  1028   NtSetValueKey  ... ) == 0x0
 02065   840   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02066  1028   NtClose  (-2147481484, ...
 02065   840   NtDuplicateObject  ... 564, ) == 0x0
 02066  1028   NtClose  ... ) == 0x0
 02067   840   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02062  2016   NtCreateThread  ... 568, {896, 876}, ) == 0x0
 02068  2016   NtQueryInformationThread  (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=896,Tid=876,}, 0x0, ) == 0x0
 02069  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81893, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\200\3\0\0l\3\0\0" ... {28, 56, reply, 0, 896, 2016, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\200\3\0\0l\3\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81894, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81893, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\200\3\0\0l\3\0\0" ... {28, 56, reply, 0, 896, 2016, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\2\0\0\200\3\0\0l\3\0\0" )  ) == 0x0
 02070  2016   NtResumeThread  (568, ... 1, ) == 0x0
 02071  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 66846720, 1048576, ) == 0x0
 02072  2016   NtAllocateVirtualMemory  (-1, 67887104, 0, 8192, 4096, 4, ... 67887104, 8192, ) == 0x0
 02035  1028   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "]\306M\330x\227\10H[ DD\6\20\336z\253\337\326.\274\23\374\367o\360-}\204\323\331lb\24?\274\305X\270L\321}\344\364\303\375s|\205O\14+2\355\362d\212\376wV\366A,\177Qr$\255R<\32x\274%n\367\260\353\323\3240\2011\204~]6\246>\177\36\326N\355A\267/\316\336\357\330a\200\332mp\20\200\332`49F{\3764\342\336\6\362]\226\313Cx\250\260\311C\246\13\7\317\330\35$=\30\32c)\373O[\375\260\267Z\36\2Q\177\325v\17}v#\273o\261Wa\250\346\204\324k\0x\205\27\334\16\257\25"xD \260\1\33}+\354+>g\26\324e\370\353\233u\326,\237\23\233\32\177\3\17"\247\334]C\364h[\314|\25\313*\225{\205\374\362\247\203K\4`\357\13\331\3210\226\332o6\2046p\20\2453\340\352\\305\1772\252\242h\245o\3008", ) xD \260\1\33}+\354+>g\26\324e\370\353\233u\326,\237\23\233\32\177\3\17 ... {status=0x0, info=256}, "]\306M\330x\227\10H[ DD\6\20\336z\253\337\326.\274\23\374\367o\360-}\204\323\331lb\24?\274\305X\270L\321}\344\364\303\375s|\205O\14+2\355\362d\212\376wV\366A,\177Qr$\255R<\32x\274%n\367\260\353\323\3240\2011\204~]6\246>\177\36\326N\355A\267/\316\336\357\330a\200\332mp\20\200\332`49F{\3764\342\336\6\362]\226\313Cx\250\260\311C\246\13\7\317\330\35$=\30\32c)\373O[\375\260\267Z\36\2Q\177\325v\17}v#\273o\261Wa\250\346\204\324k\0x\205\27\334\16\257\25"xD \260\1\33}+\354+>g\26\324e\370\353\233u\326,\237\23\233\32\177\3\17"\247\334]C\364h[\314|\25\313*\225{\205\374\362\247\203K\4`\357\13\331\3210\226\332o6\2046p\20\2453\340\352\\305\1772\252\242h\245o\3008", ) , ) == 0x0
 02073   876   NtTestAlert  (...
 02067   840   NtWaitForSingleObject  ... ) == 0x102
 02074  1028   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02073   876   NtTestAlert  ... ) == 0x0
 02075   840   NtWaitForSingleObject  (124, 0, 0x0, ...
 02074  1028   NtCreateEvent  ... 572, ) == 0x0
 02076   876   NtContinue  (66846000, 1, ...
 02077  1028   NtSetEventBoostPriority  (484, ...
 02078   876   NtRegisterThreadTerminatePort  (24, ...
 01868   596   NtWaitForSingleObject  ... ) == 0x0
 02077  1028   NtSetEventBoostPriority  ... ) == 0x0
 02079   596   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ...
 02078   876   NtRegisterThreadTerminatePort  ... ) == 0x0
 02079   596   NtAllocateVirtualMemory  ... 1392640, 4096, ) == 0x0
 02080  1028   NtWaitForSingleObject  (288, 0, 0x0, ...
 02081  2016   NtProtectVirtualMemory  (-1, (0x40be000), 4096, 260, ...
 02082   876   NtWaitForSingleObject  (288, 0, 0x0, ...
 02083   596   NtSetEventBoostPriority  (288, ...
 02081  2016   NtProtectVirtualMemory  ... (0x40be000), 4096, 4, ) == 0x0
 02082   876   NtWaitForSingleObject  ... ) == 0x0
 02083   596   NtSetEventBoostPriority  ... ) == 0x0
 02084   876   NtSetEventBoostPriority  (288, ...
 02085  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02084   876   NtSetEventBoostPriority  ... ) == 0x0
 02086   596   NtWaitForSingleObject  (288, 0, 0x0, ...
 02087   876   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02085  2016   NtCreateThread  ... 576, {896, 1104}, ) == 0x0
 02086   596   NtWaitForSingleObject  ... ) == 0x0
 02088  2016   NtQueryInformationThread  (576, Basic, 28, ...
 02089   596   NtSetEventBoostPriority  (288, ...
 02088  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=896,Tid=1104,}, 0x0, ) == 0x0
 02087   876   NtDuplicateObject  ... 580, ) == 0x0
 02080  1028   NtWaitForSingleObject  ... ) == 0x0
 02089   596   NtSetEventBoostPriority  ... ) == 0x0
 02090   876   NtWaitForSingleObject  (288, 0, 0x0, ...
 02091  1028   NtSetEventBoostPriority  (288, ...
 02092   596   NtWaitForSingleObject  (288, 0, 0x0, ...
 02090   876   NtWaitForSingleObject  ... ) == 0x0
 02093   876   NtSetEventBoostPriority  (288, ...
 02092   596   NtWaitForSingleObject  ... ) == 0x0
 02094   596   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 02093   876   NtSetEventBoostPriority  ... ) == 0x0
 02091  1028   NtSetEventBoostPriority  ... ) == 0x0
 02095  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81894, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81894, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\200\3\0\0P\4\0\0" ...  ...
 02096   596   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02097  1028   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 15461740, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 15461740, 188, ...
 02095  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81895, 0}  ... {28, 56, reply, 0, 896, 2016, 81895, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\200\3\0\0P\4\0\0" )  ) == 0x0
 02096   596   NtCreateEvent  ... 584, ) == 0x0
 02098  2016   NtResumeThread  (576, ...
 02099   596   NtConnectPort  ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ...
 02098  2016   NtResumeThread  ... 1, ) == 0x0
 02100  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02099   596   NtConnectPort  ... 588, 0x0, 0x0, 0x0, 188, ) == 0x0
 02101   876   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02097  1028   NtConnectPort  ... 592, 0x0, 0x0, 0x0, 188, ) == 0x0
 02102  1104   NtTestAlert  (...
 02103   596   NtRequestWaitReplyPort  (588, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2}  (588, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2} "\0\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\240<\24\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0w\211\253N\321{\363\355XU\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\00U\25\0+#E\333x\1\24\0PU\25\0h\1\24\0\0\0\0\0\0\0\0\0PU\25\0P\0\0\0XU\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ...  ...
 02101   876   NtWaitForSingleObject  ... ) == 0x102
 02104  1028   NtRequestWaitReplyPort  (592, {200, 224, new_msg, 0, 1384432, 12, 2, 1310721}  (592, {200, 224, new_msg, 0, 1384432, 12, 2, 1310721} "\0\3\24\0\274\0\0\0$?\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\336\314O6Q\304\201\225\30A\25\0d\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\320=\25\0A\356@9\260\3\24\0\20A\25\0h\1\24\0\0\0\0\0\0\0\0\0\20A\25\0P\0\0\0\30A\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\353\0\372\31\221|\200\363\353\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02102  1104   NtTestAlert  ... ) == 0x0
 02100  2016   NtAllocateVirtualMemory  ... 67895296, 1048576, ) == 0x0
 02105   876   NtWaitForSingleObject  (124, 0, 0x0, ...
 02106  1104   NtContinue  (67894576, 1, ...
 02107  2016   NtAllocateVirtualMemory  (-1, 68935680, 0, 8192, 4096, 4, ...
 02104  1028   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 896, 1028, 81898, 0}  ... {200, 224, reply, 0, 896, 1028, 81898, 0} "\7\3\24\0\274\0\0\0$?\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0\336\314O6Q\304\201\225\30A\25\0d\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\320=\25\0A\356@9\260\3\24\0\20A\25\0h\1\24\0\0\0\0\0\0\0\0\0\20A\25\0P\0\0\0\30A\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\353\0\372\31\221|\200\363\353\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02108  1104   NtRegisterThreadTerminatePort  (24, ...
 02107  2016   NtAllocateVirtualMemory  ... 68935680, 8192, ) == 0x0
 02109  1028   NtRequestWaitReplyPort  (592, {44, 68, new_msg, 0, 896, 1028, 81878, 0}  (592, {44, 68, new_msg, 0, 896, 1028, 81878, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ...  ...
 02108  1104   NtRegisterThreadTerminatePort  ... ) == 0x0
 02110  2016   NtProtectVirtualMemory  (-1, (0x41be000), 4096, 260, ...
 02103   596   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 896, 596, 81900, 0}  ... {200, 224, reply, 0, 896, 596, 81900, 0} "\7\1\24\0\10\0\0\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240<\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\3\0\0\0w\211\253N\321{\363\355XU\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\00U\25\0+#E\333x\1\24\0PU\25\0h\1\24\0\0\0\0\0\0\0\0\0PU\25\0P\0\0\0XU\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 02110  2016   NtProtectVirtualMemory  ... (0x41be000), 4096, 4, ) == 0x0
 02111   596   NtRequestWaitReplyPort  (588, {44, 68, new_msg, 56, 0, 0, 0, 0}  (588, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\230W\25\0\322\0\0\0" ...  ...
 02112  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02111   596   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 896, 596, 81901, 0}  ... {40, 64, reply, 0, 896, 596, 81901, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\323\1\0\0\350\370\14\0" )  ) == 0x0
 02113  1104   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02109  1028   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 896, 1028, 81899, 0}  ... {40, 64, reply, 0, 896, 1028, 81899, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\1\0\0X-\12\0" )  ) == 0x0
 02114   596   NtRequestWaitReplyPort  (588, {64, 88, new_msg, 56, 1310720, 11006452, 1398672, 0}  (588, {64, 88, new_msg, 56, 1310720, 11006452, 1398672, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\360X\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02113  1104   NtDuplicateObject  ... 596, ) == 0x0
 02115  1028   NtRequestWaitReplyPort  (592, {64, 88, new_msg, 56, 1373528, 15462252, 15462352, 0}  (592, {64, 88, new_msg, 56, 1373528, 15462252, 15462352, 0} "\10\357\353\0@\0\24\0\346\277\347w\320\357\353\0l\357\353\0\20\0\0\0\250.\362v\314\365\24\0\1\0\0\0\320Z\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0h\334\24\0" ...  ...
 02112  2016   NtCreateThread  ... 600, {896, 860}, ) == 0x0
 02116  1104   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02117  2016   NtQueryInformationThread  (600, Basic, 28, ...
 02116  1104   NtWaitForSingleObject  ... ) == 0x102
 02117  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=896,Tid=860,}, 0x0, ) == 0x0
 02118  1104   NtWaitForSingleObject  (124, 0, 0x0, ...
 02119  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81895, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81895, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\200\3\0\0\\3\0\0" ...  ...
 02114   596   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 896, 596, 81903, 0}  ... {64, 88, reply, 56, 896, 596, 81903, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\360X\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02115  1028   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 896, 1028, 81902, 0}  ... {64, 88, reply, 56, 896, 1028, 81902, 0} "\10\357\353\0@\0\24\0\346\277\347w\320\357\353\0l\357\353\0\20\0\0\0\250.\362v\314\365\24\0\1\0\0\0\320Z\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0h\334\24\0" )  ) == 0x0
 02119  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81904, 0}  ... {28, 56, reply, 0, 896, 2016, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\200\3\0\0\\3\0\0" )  ) == 0x0
 02120   596   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ...
 02121  1028   NtWaitForSingleObject  (288, 0, 0x0, ...
 02120   596   NtAllocateVirtualMemory  ... 1400832, 4096, ) == 0x0
 02122   596   NtSetEventBoostPriority  (288, ...
 02121  1028   NtWaitForSingleObject  ... ) == 0x0
 02123  1028   NtClose  (572, ... ) == 0x0
 02122   596   NtSetEventBoostPriority  ... ) == 0x0
 02124  2016   NtResumeThread  (600, ...
 02125  1028   NtClose  (592, ...
 02124  2016   NtResumeThread  ... 1, ) == 0x0
 02125  1028   NtClose  ... ) == 0x0
 02126  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02127  1028   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 02126  2016   NtAllocateVirtualMemory  ... 68943872, 1048576, ) == 0x0
 02127  1028   NtCreateKey  ... 592, 2, ) == 0x0
 02128  2016   NtAllocateVirtualMemory  (-1, 69984256, 0, 8192, 4096, 4, ...
 02129  1028   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02128  2016   NtAllocateVirtualMemory  ... 69984256, 8192, ) == 0x0
 02129  1028   NtOpenKey  ... 572, ) == 0x0
 02130   596   NtRequestWaitReplyPort  (588, {44, 68, new_msg, 56, 896, 596, 81901, 0}  (588, {44, 68, new_msg, 56, 896, 596, 81901, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\230W\25\0\322\0\0\0" ...  ...
 02131   860   NtTestAlert  (...
 02132  2016   NtProtectVirtualMemory  (-1, (0x42be000), 4096, 260, ...
 02131   860   NtTestAlert  ... ) == 0x0
 02132  2016   NtProtectVirtualMemory  ... (0x42be000), 4096, 4, ) == 0x0
 02130   596   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 896, 596, 81906, 0}  ... {40, 64, reply, 0, 896, 596, 81906, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" )  ) == 0x0
 02133   860   NtContinue  (68943152, 1, ...
 02134  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02135   596   NtRequestWaitReplyPort  (588, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0}  (588, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0@l\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02136   860   NtRegisterThreadTerminatePort  (24, ...
 02134  2016   NtCreateThread  ... 604, {896, 1516}, ) == 0x0
 02136   860   NtRegisterThreadTerminatePort  ... ) == 0x0
 02137  2016   NtQueryInformationThread  (604, Basic, 28, ...
 02135   596   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 896, 596, 81907, 0}  ... {64, 88, reply, 56, 896, 596, 81907, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0@l\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02138  1028   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02137  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=896,Tid=1516,}, 0x0, ) == 0x0
 02139   860   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02138  1028   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02140   596   NtRequestWaitReplyPort  (588, {44, 68, new_msg, 56, 896, 596, 81906, 0}  (588, {44, 68, new_msg, 56, 896, 596, 81906, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\230W\25\0\322\0\0\0" ...  ...
 02139   860   NtDuplicateObject  ... 608, ) == 0x0
 02141  1028   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ...
 02142   860   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02141  1028   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02140   596   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 896, 596, 81908, 0}  ... {40, 64, reply, 0, 896, 596, 81908, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" )  ) == 0x0
 02142   860   NtWaitForSingleObject  ... ) == 0x102
 02143  1028   NtQueryValueKey  (592,  (592, "Domain", Partial, 144, ... , Partial, 144, ...
 02144   596   NtRequestWaitReplyPort  (588, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0}  (588, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0`J\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ...  ...
 02145   860   NtWaitForSingleObject  (124, 0, 0x0, ...
 02143  1028   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02144   596   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 896, 596, 81909, 0}  ... {64, 88, reply, 56, 896, 596, 81909, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0`J\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02146  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81904, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81904, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\200\3\0\0\354\5\0\0" ...  ...
 02147  1028   NtQueryValueKey  (592,  (592, "Domain", Partial, 144, ... , Partial, 144, ...
 02146  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81910, 0}  ... {28, 56, reply, 0, 896, 2016, 81910, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\200\3\0\0\354\5\0\0" )  ) == 0x0
 02147  1028   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02148  2016   NtResumeThread  (604, ...
 02149  1028   NtClose  (592, ...
 02148  2016   NtResumeThread  ... 1, ) == 0x0
 02149  1028   NtClose  ... ) == 0x0
 02150  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02151  1028   NtClose  (572, ...
 02152   596   NtClose  (584, ...
 02153  1516   NtTestAlert  (...
 02151  1028   NtClose  ... ) == 0x0
 02152   596   NtClose  ... ) == 0x0
 02153  1516   NtTestAlert  ... ) == 0x0
 02150  2016   NtAllocateVirtualMemory  ... 69992448, 1048576, ) == 0x0
 02154   596   NtClose  (588, ...
 02155  1516   NtContinue  (69991728, 1, ...
 02156  2016   NtAllocateVirtualMemory  (-1, 71032832, 0, 8192, 4096, 4, ...
 02154   596   NtClose  ... ) == 0x0
 02157  1516   NtRegisterThreadTerminatePort  (24, ...
 02156  2016   NtAllocateVirtualMemory  ... 71032832, 8192, ) == 0x0
 02158   596   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02157  1516   NtRegisterThreadTerminatePort  ... ) == 0x0
 02159  2016   NtProtectVirtualMemory  (-1, (0x43be000), 4096, 260, ...
 02158   596   NtCreateEvent  ... 588, ) == 0x0
 02160  1028   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 02159  2016   NtProtectVirtualMemory  ... (0x43be000), 4096, 4, ) == 0x0
 02161  1516   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02160  1028   NtOpenKey  ... 584, ) == 0x0
 02162  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02161  1516   NtDuplicateObject  ... 572, ) == 0x0
 02163  1028   NtQueryValueKey  (584,  (584, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 02164   596   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ...
 02165  1516   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 02163  1028   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02164   596   NtOpenKey  ... 592, ) == 0x0
 02165  1516   NtWaitForSingleObject  ... ) == 0x102
 02166  1028   NtClose  (584, ...
 02167   596   NtOpenKey  (0x20019, {24, 592, 0x40, 0, 0,  (0x20019, {24, 592, 0x40, 0, 0, "ActiveComputerName"}, ... }, ...
 02168  1516   NtWaitForSingleObject  (124, 0, 0x0, ...
 02166  1028   NtClose  ... ) == 0x0
 02167   596   NtOpenKey  ... 584, ) == 0x0
 02162  2016   NtCreateThread  ... 612, {896, 780}, ) == 0x0
 02169   596   NtQueryValueKey  (584,  (584, "ComputerName", Full, 108, ... , Full, 108, ...
 02170  2016   NtQueryInformationThread  (612, Basic, 28, ...
 02169   596   NtQueryValueKey  ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02170  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=896,Tid=780,}, 0x0, ) == 0x0
 02171  1028   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15461328, ... }, 15461328, ...
 02172  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81910, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81910, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\200\3\0\0\14\3\0\0" ...  ...
 02171  1028   NtQueryAttributesFile  ... ) == 0x0
 02172  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81912, 0}  ... {28, 56, reply, 0, 896, 2016, 81912, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\200\3\0\0\14\3\0\0" )  ) == 0x0
 02173  1028   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02174   596   NtClose  (584, ...
 02173  1028   NtOpenFile  ... 616, {status=0x0, info=1}, ) == 0x0
 02174   596   NtClose  ... ) == 0x0
 02175  1028   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 616, ...
 02176   596   NtClose  (592, ...
 02175  1028   NtCreateSection  ... 584, ) == 0x0
 02176   596   NtClose  ... ) == 0x0
 02177  2016   NtResumeThread  (612, ...
 02178   596   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ...
 02177  2016   NtResumeThread  ... 1, ) == 0x0
 02178   596   NtCreateIoCompletion  ... 592, ) == 0x0
 02179  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02180  1028   NtClose  (616, ...
 02181   780   NtWaitForSingleObject  (88, 0, 0x0, ...
 02179  2016   NtAllocateVirtualMemory  ... 71041024, 1048576, ) == 0x0
 02180  1028   NtClose  ... ) == 0x0
 02182  2016   NtAllocateVirtualMemory  (-1, 72081408, 0, 8192, 4096, 4, ...
 02183  1028   NtMapViewOfSection  (584, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02182  2016   NtAllocateVirtualMemory  ... 72081408, 8192, ) == 0x0
 02183  1028   NtMapViewOfSection  ... (0x850000), 0x0, 20480, ) == 0x0
 02184   596   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ...
 02185  1028   NtClose  (584, ...
 02184   596   NtCreateIoCompletion  ... 616, ) == 0x0
 02185  1028   NtClose  ... ) == 0x0
 02186   596   NtDuplicateObject  (-1, 592, -1, 0x0, 0, 2, ...
 02187  2016   NtProtectVirtualMemory  (-1, (0x44be000), 4096, 260, ...
 02186   596   NtDuplicateObject  ... 584, ) == 0x0
 02187  2016   NtProtectVirtualMemory  ... (0x44be000), 4096, 4, ) == 0x0
 02188   596   NtOpenThreadToken  (-2, 0xc, 1, ...
 02189  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02188   596   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02189  2016   NtCreateThread  ... 620, {896, 940}, ) == 0x0
 02190  2016   NtQueryInformationThread  (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=896,Tid=940,}, 0x0, ) == 0x0
 02191  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81912, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81912, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\200\3\0\0\254\3\0\0" ... {28, 56, reply, 0, 896, 2016, 81913, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\200\3\0\0\254\3\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81913, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81912, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\200\3\0\0\254\3\0\0" ... {28, 56, reply, 0, 896, 2016, 81913, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\200\3\0\0\254\3\0\0" )  ) == 0x0
 02192  2016   NtResumeThread  (620, ... 1, ) == 0x0
 02193  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02194   596   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02195   940   NtWaitForSingleObject  (88, 0, 0x0, ...
 02196  1028   NtUnmapViewOfSection  (-1, 0x850000, ...
 02194   596   NtCreateEvent  ... 624, ) == 0x0
 02193  2016   NtAllocateVirtualMemory  ... 72089600, 1048576, ) == 0x0
 02197   596   NtOpenThreadToken  (-2, 0xc, 1, ...
 02198  2016   NtAllocateVirtualMemory  (-1, 73129984, 0, 8192, 4096, 4, ...
 02197   596   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02198  2016   NtAllocateVirtualMemory  ... 73129984, 8192, ) == 0x0
 02199   596   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02200  2016   NtProtectVirtualMemory  (-1, (0x45be000), 4096, 260, ...
 02199   596   NtSetInformationThread  ... ) == 0x0
 02200  2016   NtProtectVirtualMemory  ... (0x45be000), 4096, 4, ) == 0x0
 02196  1028   NtUnmapViewOfSection  ... ) == 0x0
 02201  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02202  1028   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15461636, ... }, 15461636, ...
 02203   596   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 11006144,  (0xc0100080, {24, 0, 0x40, 0, 11006144, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ...
 02202  1028   NtQueryAttributesFile  ... ) == 0x0
 02203   596   NtCreateFile  ... 628, {status=0x0, info=1}, ) == 0x0
 02204  1028   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02205   596   NtSetInformationFile  (628, 11006200, 8, Pipe, ...
 02204  1028   NtOpenFile  ... 632, {status=0x0, info=1}, ) == 0x0
 02205   596   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02206  1028   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 632, ...
 02207   596   NtSetInformationFile  (628, 11006188, 8, Completion, ...
 02201  2016   NtCreateThread  ... 636, {896, 1268}, ) == 0x0
 02207   596   NtSetInformationFile  ... {status=0x0, info=0}, ) == 0x0
 02208  2016   NtQueryInformationThread  (636, Basic, 28, ...
 02206  1028   NtCreateSection  ... 640, ) == 0x0
 02208  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=896,Tid=1268,}, 0x0, ) == 0x0
 02209  1028   NtQuerySection  (640, Image, 48, ...
 02210  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81913, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81913, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\200\3\0\0\364\4\0\0" ...  ...
 02209  1028   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02210  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81914, 0}  ... {28, 56, reply, 0, 896, 2016, 81914, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\200\3\0\0\364\4\0\0" )  ) == 0x0
 02211  1028   NtClose  (632, ...
 02212   596   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02211  1028   NtClose  ... ) == 0x0
 02212   596   NtSetInformationThread  ... ) == 0x0
 02213  1028   NtMapViewOfSection  (640, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ...
 02214   596   NtWriteFile  (628, 257, 0, 0,  (628, 257, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ...
 02215  2016   NtResumeThread  (636, ...
 02214   596   NtWriteFile  ... {status=0x0, info=72}, ) == 0x0
 02215  2016   NtResumeThread  ... 1, ) == 0x0
 02216   596   NtReadFile  (628, 257, 0, 0, 1024, {0, 0}, 0, ...
 02217  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02216   596   NtReadFile  ... {status=0x0, info=68},  ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02217  2016   NtAllocateVirtualMemory  ... 73138176, 1048576, ) == 0x0
 02213  1028   NtMapViewOfSection  ... (0x76fb0000), 0x0, 32768, ) == 0x0
 02218  1268   NtWaitForSingleObject  (88, 0, 0x0, ...
 02219  2016   NtAllocateVirtualMemory  (-1, 74178560, 0, 8192, 4096, 4, ...
 02220  1028   NtClose  (640, ...
 02219  2016   NtAllocateVirtualMemory  ... 74178560, 8192, ) == 0x0
 02220  1028   NtClose  ... ) == 0x0
 02221   596   NtFsControlFile  (628, 257, 0x0, 0x0, 0x11c017,  (628, 257, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\247\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ...
 02222  1028   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02221   596   NtFsControlFile  ... {status=0x103, info=68},  ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02222  1028   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02223   596   NtFsControlFile  (628, 257, 0x0, 0x0, 0x11c017,  (628, 257, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\1\0\0\0\1\0\0\0&\0(\0\200o\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) , 136, 1024, ... {status=0x103, info=48},  (628, 257, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\1\0\0\0\1\0\0\0&\0(\0\200o\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) , ) == 0x103
 02224   596   NtFsControlFile  (628, 257, 0x0, 0x0, 0x11c017,  (628, 257, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\220c\25\0\1\0\0\0\234c\25\0 \0\0\0\1\0\0\0\30\0\32\0\250c\25\0\304c\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\230k\25\0\1\0\0\0\5\0i\0\250k\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=156},  (628, 257, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\220c\25\0\1\0\0\0\234c\25\0 \0\0\0\1\0\0\0\30\0\32\0\250c\25\0\304c\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\230k\25\0\1\0\0\0\5\0i\0\250k\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02225   596   NtClose  (624, ... ) == 0x0
 02226   596   NtClose  (628, ... ) == 0x0
 02227   596   NtSecureConnectPort  ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1384432, 0x0, 11008068, 188, ... , {12, 2, 1, 1}, 0x0, 1384432, 0x0, 11008068, 188, ...
 02228  2016   NtProtectVirtualMemory  (-1, (0x46be000), 4096, 260, ... (0x46be000), 4096, 4, ) == 0x0
 02229  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {896, 644}, ) == 0x0
 02230  2016   NtQueryInformationThread  (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=896,Tid=644,}, 0x0, ) == 0x0
 02231  1028   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02227   596   NtSecureConnectPort  ... 624, 0x0, 0x0, 0x0, 188, ) == 0x0
 02231  1028   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02232   596   NtOpenThreadToken  (-2, 0xc, 1, ...
 02233  1028   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02232   596   NtOpenThreadToken  ... ) == STATUS_NO_TOKEN
 02233  1028   NtFlushInstructionCache  ... ) == 0x0
 02234   596   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02235  1028   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ...
 02234   596   NtSetInformationThread  ... ) == 0x0
 02236  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81914, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81914, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\200\3\0\0\204\2\0\0" ...  ...
 02237   596   NtRequestWaitReplyPort  (624, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977}  (624, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\362\3521W\377<\12\224R\215\243_HQ\240\14\12\0\0\0\365wWqU\264\277U\0\0\0\0\0*\25\0\360=\270\15R\322(\27(\0\0\0\33\14\0u\0\0\24\0\240\366\247\0\263\314\20\365\0\0\0\0XU\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ...  ...
 02236  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 81916, 0}  ... {28, 56, reply, 0, 896, 2016, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\200\3\0\0\204\2\0\0" )  ) == 0x0
 02235  1028   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 32, ) == 0x0
 02238  2016   NtResumeThread  (628, ...
 02239  1028   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ...
 02238  2016   NtResumeThread  ... 1, ) == 0x0
 02239  1028   NtProtectVirtualMemory  ... (0x76fb1000), 4096, 4, ) == 0x0
 02240  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02241  1028   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 02237   596   NtRequestWaitReplyPort  ... {200, 224, reply, 0, 896, 596, 81917, 0}  ... {200, 224, reply, 0, 896, 596, 81917, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\362\3521W\377<\12\224R\215\243_HQ\240\14\12\0\0\0\365wWqU\264\277U\0\0\0\0\0*\25\0\360=\270\15R\322(\27(\0\0\0\33\14\0u\0\0\24\0\240\366\247\0\263\314\20\365\0\0\0\0XU\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 02242   644   NtWaitForSingleObject  (88, 0, 0x0, ...
 02241  1028   NtFlushInstructionCache  ... ) == 0x0
 02243   596   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ...
 02244  1028   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ...
 02243   596   NtSetInformationThread  ... ) == 0x0
 02240  2016   NtAllocateVirtualMemory  ... 74186752, 1048576, ) == 0x0
 02245   596   NtRequestWaitReplyPort  (624, {56, 80, new_msg, 0, 44, 3, 20, 0}  (624, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0gS\263F\252\227\2L\355h\28\1\0\0\0\0\0\0\0&\0(\0\314\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ...  ...
 02246  2016   NtAllocateVirtualMemory  (-1, 75227136, 0, 8192, 4096, 4, ... 75227136, 8192, ) == 0x0
 02247  2016   NtProtectVirtualMemory  (-1, (0x47be000), 4096, 260, ... (0x47be000), 4096, 4, ) == 0x0
 02248  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 02244  1028   NtOpenSection  ... 640, ) == 0x0
 02249  1028   NtMapViewOfSection  (640, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 02250  1028   NtClose  (640, ... ) == 0x0
 02251  1028   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 02248  2016   NtCreateThread  ... 640, {896, 1736}, ) == 0x0
 02252  2016   NtQueryInformationThread  (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=896,Tid=1736,}, 0x0, ) == 0x0
 02253  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81916, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\200\3\0\0\310\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\200\3\0\0\310\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81919, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\200\3\0\0\310\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\200\3\0\0\310\6\0\0" )  ) == 0x0
 02254  2016   NtResumeThread  (640, ... 1, ) == 0x0
 02255  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 75235328, 1048576, ) == 0x0
 02256  2016   NtAllocateVirtualMemory  (-1, 76275712, 0, 8192, 4096, 4, ... 76275712, 8192, ) == 0x0
 02257  1736   NtWaitForSingleObject  (88, 0, 0x0, ...
 02258  2016   NtProtectVirtualMemory  (-1, (0x48be000), 4096, 260, ... (0x48be000), 4096, 4, ) == 0x0
 02259  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 632, {896, 320}, ) == 0x0
 02260  2016   NtQueryInformationThread  (632, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=896,Tid=320,}, 0x0, ) == 0x0
 02261  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81919, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\200\3\0\0@\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\200\3\0\0@\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81920, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\200\3\0\0@\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\200\3\0\0@\1\0\0" )  ) == 0x0
 02262  2016   NtResumeThread  (632, ... 1, ) == 0x0
 02263  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02264   320   NtWaitForSingleObject  (88, 0, 0x0, ...
 02263  2016   NtAllocateVirtualMemory  ... 76283904, 1048576, ) == 0x0
 02265  2016   NtAllocateVirtualMemory  (-1, 77324288, 0, 8192, 4096, 4, ... 77324288, 8192, ) == 0x0
 02266  2016   NtProtectVirtualMemory  (-1, (0x49be000), 4096, 260, ... (0x49be000), 4096, 4, ) == 0x0
 02267  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 644, {896, 380}, ) == 0x0
 02268  2016   NtQueryInformationThread  (644, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=896,Tid=380,}, 0x0, ) == 0x0
 02269  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81920, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\200\3\0\0|\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\200\3\0\0|\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81921, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\200\3\0\0|\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\200\3\0\0|\1\0\0" )  ) == 0x0
 02270  2016   NtResumeThread  (644, ... 1, ) == 0x0
 02271  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 77332480, 1048576, ) == 0x0
 02272  2016   NtAllocateVirtualMemory  (-1, 78372864, 0, 8192, 4096, 4, ... 78372864, 8192, ) == 0x0
 02273   380   NtWaitForSingleObject  (88, 0, 0x0, ...
 02274  2016   NtProtectVirtualMemory  (-1, (0x4abe000), 4096, 260, ... (0x4abe000), 4096, 4, ) == 0x0
 02275  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {896, 1332}, ) == 0x0
 02276  2016   NtQueryInformationThread  (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=896,Tid=1332,}, 0x0, ) == 0x0
 02277  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81921, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\200\3\0\04\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\200\3\0\04\5\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81922, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\200\3\0\04\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\200\3\0\04\5\0\0" )  ) == 0x0
 02278  2016   NtResumeThread  (648, ... 1, ) == 0x0
 02279  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02280  1332   NtWaitForSingleObject  (88, 0, 0x0, ...
 02279  2016   NtAllocateVirtualMemory  ... 78381056, 1048576, ) == 0x0
 02281  2016   NtAllocateVirtualMemory  (-1, 79421440, 0, 8192, 4096, 4, ... 79421440, 8192, ) == 0x0
 02282  2016   NtProtectVirtualMemory  (-1, (0x4bbe000), 4096, 260, ... (0x4bbe000), 4096, 4, ) == 0x0
 02283  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 652, {896, 1336}, ) == 0x0
 02284  2016   NtQueryInformationThread  (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=896,Tid=1336,}, 0x0, ) == 0x0
 02285  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81922, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\200\3\0\08\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\200\3\0\08\5\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81923, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\200\3\0\08\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\200\3\0\08\5\0\0" )  ) == 0x0
 02286  2016   NtResumeThread  (652, ... 1, ) == 0x0
 02287  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 79429632, 1048576, ) == 0x0
 02288  2016   NtAllocateVirtualMemory  (-1, 80470016, 0, 8192, 4096, 4, ... 80470016, 8192, ) == 0x0
 02289  1336   NtWaitForSingleObject  (88, 0, 0x0, ...
 02290  2016   NtProtectVirtualMemory  (-1, (0x4cbe000), 4096, 260, ... (0x4cbe000), 4096, 4, ) == 0x0
 02291  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {896, 1808}, ) == 0x0
 02292  2016   NtQueryInformationThread  (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=896,Tid=1808,}, 0x0, ) == 0x0
 02293  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81923, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\200\3\0\0\20\7\0\0" ... {28, 56, reply, 0, 896, 2016, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\200\3\0\0\20\7\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81924, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\200\3\0\0\20\7\0\0" ... {28, 56, reply, 0, 896, 2016, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\200\3\0\0\20\7\0\0" )  ) == 0x0
 02294  2016   NtResumeThread  (656, ... 1, ) == 0x0
 02295  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02296  1808   NtWaitForSingleObject  (88, 0, 0x0, ...
 02295  2016   NtAllocateVirtualMemory  ... 80478208, 1048576, ) == 0x0
 02297  2016   NtAllocateVirtualMemory  (-1, 81518592, 0, 8192, 4096, 4, ... 81518592, 8192, ) == 0x0
 02298  2016   NtProtectVirtualMemory  (-1, (0x4dbe000), 4096, 260, ... (0x4dbe000), 4096, 4, ) == 0x0
 02299  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {896, 468}, ) == 0x0
 02300  2016   NtQueryInformationThread  (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=896,Tid=468,}, 0x0, ) == 0x0
 02301  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81924, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\200\3\0\0\324\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\200\3\0\0\324\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81925, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\200\3\0\0\324\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\200\3\0\0\324\1\0\0" )  ) == 0x0
 02302  2016   NtResumeThread  (660, ... 1, ) == 0x0
 02303  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 81526784, 1048576, ) == 0x0
 02304  2016   NtAllocateVirtualMemory  (-1, 82567168, 0, 8192, 4096, 4, ... 82567168, 8192, ) == 0x0
 02305   468   NtWaitForSingleObject  (88, 0, 0x0, ...
 02306  2016   NtProtectVirtualMemory  (-1, (0x4ebe000), 4096, 260, ... (0x4ebe000), 4096, 4, ) == 0x0
 02307  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {896, 752}, ) == 0x0
 02308  2016   NtQueryInformationThread  (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=896,Tid=752,}, 0x0, ) == 0x0
 02309  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81925, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\200\3\0\0\360\2\0\0" ... {28, 56, reply, 0, 896, 2016, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\200\3\0\0\360\2\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81926, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\200\3\0\0\360\2\0\0" ... {28, 56, reply, 0, 896, 2016, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\200\3\0\0\360\2\0\0" )  ) == 0x0
 02310  2016   NtResumeThread  (664, ... 1, ) == 0x0
 02311  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02312   752   NtWaitForSingleObject  (88, 0, 0x0, ...
 02311  2016   NtAllocateVirtualMemory  ... 82575360, 1048576, ) == 0x0
 02313  2016   NtAllocateVirtualMemory  (-1, 83615744, 0, 8192, 4096, 4, ... 83615744, 8192, ) == 0x0
 02314  2016   NtProtectVirtualMemory  (-1, (0x4fbe000), 4096, 260, ... (0x4fbe000), 4096, 4, ) == 0x0
 02315  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {896, 1512}, ) == 0x0
 02316  2016   NtQueryInformationThread  (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=896,Tid=1512,}, 0x0, ) == 0x0
 02317  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81926, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\200\3\0\0\350\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\200\3\0\0\350\5\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81927, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\200\3\0\0\350\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\200\3\0\0\350\5\0\0" )  ) == 0x0
 02318  2016   NtResumeThread  (668, ... 1, ) == 0x0
 02319  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 83623936, 1048576, ) == 0x0
 02320  2016   NtAllocateVirtualMemory  (-1, 84664320, 0, 8192, 4096, 4, ... 84664320, 8192, ) == 0x0
 02321  1512   NtWaitForSingleObject  (88, 0, 0x0, ...
 02322  2016   NtProtectVirtualMemory  (-1, (0x50be000), 4096, 260, ... (0x50be000), 4096, 4, ) == 0x0
 02323  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {896, 1380}, ) == 0x0
 02324  2016   NtQueryInformationThread  (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=896,Tid=1380,}, 0x0, ) == 0x0
 02325  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81927, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\200\3\0\0d\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\200\3\0\0d\5\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81928, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\200\3\0\0d\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\200\3\0\0d\5\0\0" )  ) == 0x0
 02326  2016   NtResumeThread  (672, ... 1, ) == 0x0
 02327  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 84672512, 1048576, ) == 0x0
 02328  2016   NtAllocateVirtualMemory  (-1, 85712896, 0, 8192, 4096, 4, ... 85712896, 8192, ) == 0x0
 02329  1380   NtWaitForSingleObject  (88, 0, 0x0, ...
 02330  2016   NtProtectVirtualMemory  (-1, (0x51be000), 4096, 260, ... (0x51be000), 4096, 4, ) == 0x0
 02331  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {896, 1564}, ) == 0x0
 02332  2016   NtQueryInformationThread  (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=896,Tid=1564,}, 0x0, ) == 0x0
 02333  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81928, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\200\3\0\0\34\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\200\3\0\0\34\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81929, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\200\3\0\0\34\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\200\3\0\0\34\6\0\0" )  ) == 0x0
 02334  2016   NtResumeThread  (676, ... 1, ) == 0x0
 02335  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02336  1564   NtWaitForSingleObject  (88, 0, 0x0, ...
 02335  2016   NtAllocateVirtualMemory  ... 85721088, 1048576, ) == 0x0
 02337  2016   NtAllocateVirtualMemory  (-1, 86761472, 0, 8192, 4096, 4, ... 86761472, 8192, ) == 0x0
 02338  2016   NtProtectVirtualMemory  (-1, (0x52be000), 4096, 260, ... (0x52be000), 4096, 4, ) == 0x0
 02339  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {896, 164}, ) == 0x0
 02340  2016   NtQueryInformationThread  (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=896,Tid=164,}, 0x0, ) == 0x0
 02341  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81929, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\200\3\0\0\244\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\200\3\0\0\244\0\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81930, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\200\3\0\0\244\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\200\3\0\0\244\0\0\0" )  ) == 0x0
 02342  2016   NtResumeThread  (680, ... 1, ) == 0x0
 02343  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 86769664, 1048576, ) == 0x0
 02344  2016   NtAllocateVirtualMemory  (-1, 87810048, 0, 8192, 4096, 4, ... 87810048, 8192, ) == 0x0
 02345   164   NtWaitForSingleObject  (88, 0, 0x0, ...
 02346  2016   NtProtectVirtualMemory  (-1, (0x53be000), 4096, 260, ... (0x53be000), 4096, 4, ) == 0x0
 02347  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {896, 312}, ) == 0x0
 02348  2016   NtQueryInformationThread  (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=896,Tid=312,}, 0x0, ) == 0x0
 02349  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81930, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\200\3\0\08\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\200\3\0\08\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81931, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\200\3\0\08\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\200\3\0\08\1\0\0" )  ) == 0x0
 02350  2016   NtResumeThread  (684, ... 1, ) == 0x0
 02351  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02352   312   NtWaitForSingleObject  (88, 0, 0x0, ...
 02351  2016   NtAllocateVirtualMemory  ... 87818240, 1048576, ) == 0x0
 02353  2016   NtAllocateVirtualMemory  (-1, 88858624, 0, 8192, 4096, 4, ... 88858624, 8192, ) == 0x0
 02354  2016   NtProtectVirtualMemory  (-1, (0x54be000), 4096, 260, ... (0x54be000), 4096, 4, ) == 0x0
 02355  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {896, 1964}, ) == 0x0
 02356  2016   NtQueryInformationThread  (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=896,Tid=1964,}, 0x0, ) == 0x0
 02357  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81931, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\200\3\0\0\254\7\0\0" ... {28, 56, reply, 0, 896, 2016, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\200\3\0\0\254\7\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81932, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\200\3\0\0\254\7\0\0" ... {28, 56, reply, 0, 896, 2016, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\200\3\0\0\254\7\0\0" )  ) == 0x0
 02358  2016   NtResumeThread  (688, ... 1, ) == 0x0
 02359  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 88866816, 1048576, ) == 0x0
 02360  2016   NtAllocateVirtualMemory  (-1, 89907200, 0, 8192, 4096, 4, ... 89907200, 8192, ) == 0x0
 02361  1964   NtWaitForSingleObject  (88, 0, 0x0, ...
 02362  2016   NtProtectVirtualMemory  (-1, (0x55be000), 4096, 260, ... (0x55be000), 4096, 4, ) == 0x0
 02363  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {896, 1568}, ) == 0x0
 02364  2016   NtQueryInformationThread  (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=896,Tid=1568,}, 0x0, ) == 0x0
 02365  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81932, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\200\3\0\0 \6\0\0" ... {28, 56, reply, 0, 896, 2016, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\200\3\0\0 \6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81933, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\200\3\0\0 \6\0\0" ... {28, 56, reply, 0, 896, 2016, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\200\3\0\0 \6\0\0" )  ) == 0x0
 02366  2016   NtResumeThread  (692, ... 1, ) == 0x0
 02367  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02368  1568   NtWaitForSingleObject  (88, 0, 0x0, ...
 02367  2016   NtAllocateVirtualMemory  ... 89915392, 1048576, ) == 0x0
 02369  2016   NtAllocateVirtualMemory  (-1, 90955776, 0, 8192, 4096, 4, ... 90955776, 8192, ) == 0x0
 02370  2016   NtProtectVirtualMemory  (-1, (0x56be000), 4096, 260, ... (0x56be000), 4096, 4, ) == 0x0
 02371  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {896, 1624}, ) == 0x0
 02372  2016   NtQueryInformationThread  (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=896,Tid=1624,}, 0x0, ) == 0x0
 02373  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81933, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\200\3\0\0X\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\200\3\0\0X\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81934, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\200\3\0\0X\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\200\3\0\0X\6\0\0" )  ) == 0x0
 02374  2016   NtResumeThread  (696, ... 1, ) == 0x0
 02375  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 90963968, 1048576, ) == 0x0
 02376  2016   NtAllocateVirtualMemory  (-1, 92004352, 0, 8192, 4096, 4, ... 92004352, 8192, ) == 0x0
 02377  1624   NtWaitForSingleObject  (88, 0, 0x0, ...
 02378  2016   NtProtectVirtualMemory  (-1, (0x57be000), 4096, 260, ... (0x57be000), 4096, 4, ) == 0x0
 02379  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {896, 1716}, ) == 0x0
 02380  2016   NtQueryInformationThread  (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=896,Tid=1716,}, 0x0, ) == 0x0
 02381  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81934, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\200\3\0\0\264\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\200\3\0\0\264\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81935, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\200\3\0\0\264\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\200\3\0\0\264\6\0\0" )  ) == 0x0
 02382  2016   NtResumeThread  (700, ... 1, ) == 0x0
 02383  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02384  1716   NtWaitForSingleObject  (88, 0, 0x0, ...
 02383  2016   NtAllocateVirtualMemory  ... 92012544, 1048576, ) == 0x0
 02385  2016   NtAllocateVirtualMemory  (-1, 93052928, 0, 8192, 4096, 4, ... 93052928, 8192, ) == 0x0
 02386  2016   NtProtectVirtualMemory  (-1, (0x58be000), 4096, 260, ... (0x58be000), 4096, 4, ) == 0x0
 02387  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {896, 1440}, ) == 0x0
 02388  2016   NtQueryInformationThread  (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=896,Tid=1440,}, 0x0, ) == 0x0
 02389  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81935, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\200\3\0\0\240\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\200\3\0\0\240\5\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81936, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\200\3\0\0\240\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\200\3\0\0\240\5\0\0" )  ) == 0x0
 02390  2016   NtResumeThread  (704, ... 1, ) == 0x0
 02391  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 93061120, 1048576, ) == 0x0
 02392  2016   NtAllocateVirtualMemory  (-1, 94101504, 0, 8192, 4096, 4, ... 94101504, 8192, ) == 0x0
 02393  1440   NtWaitForSingleObject  (88, 0, 0x0, ...
 02394  2016   NtProtectVirtualMemory  (-1, (0x59be000), 4096, 260, ... (0x59be000), 4096, 4, ) == 0x0
 02395  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {896, 1664}, ) == 0x0
 02396  2016   NtQueryInformationThread  (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=896,Tid=1664,}, 0x0, ) == 0x0
 02397  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81936, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\200\3\0\0\200\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\200\3\0\0\200\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81937, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\200\3\0\0\200\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\200\3\0\0\200\6\0\0" )  ) == 0x0
 02398  2016   NtResumeThread  (708, ... 1, ) == 0x0
 02399  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02400  1664   NtWaitForSingleObject  (88, 0, 0x0, ...
 02399  2016   NtAllocateVirtualMemory  ... 94109696, 1048576, ) == 0x0
 02401  2016   NtAllocateVirtualMemory  (-1, 95150080, 0, 8192, 4096, 4, ... 95150080, 8192, ) == 0x0
 02402  2016   NtProtectVirtualMemory  (-1, (0x5abe000), 4096, 260, ... (0x5abe000), 4096, 4, ) == 0x0
 02403  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {896, 1972}, ) == 0x0
 02404  2016   NtQueryInformationThread  (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=896,Tid=1972,}, 0x0, ) == 0x0
 02405  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81937, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\200\3\0\0\264\7\0\0" ... {28, 56, reply, 0, 896, 2016, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\200\3\0\0\264\7\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81938, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\200\3\0\0\264\7\0\0" ... {28, 56, reply, 0, 896, 2016, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\200\3\0\0\264\7\0\0" )  ) == 0x0
 02406  2016   NtResumeThread  (712, ... 1, ) == 0x0
 02407  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 95158272, 1048576, ) == 0x0
 02408  2016   NtAllocateVirtualMemory  (-1, 96198656, 0, 8192, 4096, 4, ... 96198656, 8192, ) == 0x0
 02409  1972   NtWaitForSingleObject  (88, 0, 0x0, ...
 02410  2016   NtProtectVirtualMemory  (-1, (0x5bbe000), 4096, 260, ... (0x5bbe000), 4096, 4, ) == 0x0
 02411  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {896, 1036}, ) == 0x0
 02412  2016   NtQueryInformationThread  (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=896,Tid=1036,}, 0x0, ) == 0x0
 02413  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81938, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\200\3\0\0\14\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\200\3\0\0\14\4\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81939, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\200\3\0\0\14\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\200\3\0\0\14\4\0\0" )  ) == 0x0
 02414  2016   NtResumeThread  (716, ... 1, ) == 0x0
 02415  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02416  1036   NtWaitForSingleObject  (88, 0, 0x0, ...
 02415  2016   NtAllocateVirtualMemory  ... 96206848, 1048576, ) == 0x0
 02417  2016   NtAllocateVirtualMemory  (-1, 97247232, 0, 8192, 4096, 4, ... 97247232, 8192, ) == 0x0
 02418  2016   NtProtectVirtualMemory  (-1, (0x5cbe000), 4096, 260, ... (0x5cbe000), 4096, 4, ) == 0x0
 02419  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {896, 1248}, ) == 0x0
 02420  2016   NtQueryInformationThread  (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=896,Tid=1248,}, 0x0, ) == 0x0
 02421  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81939, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\200\3\0\0\340\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\200\3\0\0\340\4\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81940, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\200\3\0\0\340\4\0\0" ... {28, 56, reply, 0, 896, 2016, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\200\3\0\0\340\4\0\0" )  ) == 0x0
 02422  2016   NtResumeThread  (720, ... 1, ) == 0x0
 02423  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 97255424, 1048576, ) == 0x0
 02424  2016   NtAllocateVirtualMemory  (-1, 98295808, 0, 8192, 4096, 4, ... 98295808, 8192, ) == 0x0
 02425  1248   NtWaitForSingleObject  (88, 0, 0x0, ...
 02426  2016   NtProtectVirtualMemory  (-1, (0x5dbe000), 4096, 260, ... (0x5dbe000), 4096, 4, ) == 0x0
 02427  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {896, 1656}, ) == 0x0
 02428  2016   NtQueryInformationThread  (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=896,Tid=1656,}, 0x0, ) == 0x0
 02429  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81940, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\200\3\0\0x\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\200\3\0\0x\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81941, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\200\3\0\0x\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\200\3\0\0x\6\0\0" )  ) == 0x0
 02430  2016   NtResumeThread  (724, ... 1, ) == 0x0
 02431  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02432  1656   NtWaitForSingleObject  (88, 0, 0x0, ...
 02431  2016   NtAllocateVirtualMemory  ... 98304000, 1048576, ) == 0x0
 02433  2016   NtAllocateVirtualMemory  (-1, 99344384, 0, 8192, 4096, 4, ... 99344384, 8192, ) == 0x0
 02434  2016   NtProtectVirtualMemory  (-1, (0x5ebe000), 4096, 260, ... (0x5ebe000), 4096, 4, ) == 0x0
 02435  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {896, 760}, ) == 0x0
 02436  2016   NtQueryInformationThread  (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=896,Tid=760,}, 0x0, ) == 0x0
 02437  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81941, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\200\3\0\0\370\2\0\0" ... {28, 56, reply, 0, 896, 2016, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\200\3\0\0\370\2\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81942, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\200\3\0\0\370\2\0\0" ... {28, 56, reply, 0, 896, 2016, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\200\3\0\0\370\2\0\0" )  ) == 0x0
 02438  2016   NtResumeThread  (728, ... 1, ) == 0x0
 02439  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 99352576, 1048576, ) == 0x0
 02440  2016   NtAllocateVirtualMemory  (-1, 100392960, 0, 8192, 4096, 4, ... 100392960, 8192, ) == 0x0
 02441   760   NtWaitForSingleObject  (88, 0, 0x0, ...
 02442  2016   NtProtectVirtualMemory  (-1, (0x5fbe000), 4096, 260, ... (0x5fbe000), 4096, 4, ) == 0x0
 02443  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {896, 484}, ) == 0x0
 02444  2016   NtQueryInformationThread  (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=896,Tid=484,}, 0x0, ) == 0x0
 02445  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81942, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\200\3\0\0\344\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\200\3\0\0\344\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81943, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\200\3\0\0\344\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\200\3\0\0\344\1\0\0" )  ) == 0x0
 02446  2016   NtResumeThread  (732, ... 1, ) == 0x0
 02447  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02448   484   NtWaitForSingleObject  (88, 0, 0x0, ...
 02447  2016   NtAllocateVirtualMemory  ... 100401152, 1048576, ) == 0x0
 02449  2016   NtAllocateVirtualMemory  (-1, 101441536, 0, 8192, 4096, 4, ... 101441536, 8192, ) == 0x0
 02450  2016   NtProtectVirtualMemory  (-1, (0x60be000), 4096, 260, ... (0x60be000), 4096, 4, ) == 0x0
 02451  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 736, {896, 1580}, ) == 0x0
 02452  2016   NtQueryInformationThread  (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=896,Tid=1580,}, 0x0, ) == 0x0
 02453  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81943, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\200\3\0\0,\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\200\3\0\0,\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81944, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\200\3\0\0,\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\200\3\0\0,\6\0\0" )  ) == 0x0
 02454  2016   NtResumeThread  (736, ... 1, ) == 0x0
 02455  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 101449728, 1048576, ) == 0x0
 02456  2016   NtAllocateVirtualMemory  (-1, 102490112, 0, 8192, 4096, 4, ... 102490112, 8192, ) == 0x0
 02457  1580   NtWaitForSingleObject  (88, 0, 0x0, ...
 02458  2016   NtProtectVirtualMemory  (-1, (0x61be000), 4096, 260, ... (0x61be000), 4096, 4, ) == 0x0
 02459  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {896, 1756}, ) == 0x0
 02460  2016   NtQueryInformationThread  (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=896,Tid=1756,}, 0x0, ) == 0x0
 02461  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81944, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\200\3\0\0\334\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\200\3\0\0\334\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81945, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\200\3\0\0\334\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\200\3\0\0\334\6\0\0" )  ) == 0x0
 02462  2016   NtResumeThread  (740, ... 1, ) == 0x0
 02463  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02464  1756   NtWaitForSingleObject  (88, 0, 0x0, ...
 02463  2016   NtAllocateVirtualMemory  ... 102498304, 1048576, ) == 0x0
 02465  2016   NtAllocateVirtualMemory  (-1, 103538688, 0, 8192, 4096, 4, ... 103538688, 8192, ) == 0x0
 02466  2016   NtProtectVirtualMemory  (-1, (0x62be000), 4096, 260, ... (0x62be000), 4096, 4, ) == 0x0
 02467  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {896, 1304}, ) == 0x0
 02468  2016   NtQueryInformationThread  (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=896,Tid=1304,}, 0x0, ) == 0x0
 02469  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81945, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\200\3\0\0\30\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\200\3\0\0\30\5\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81946, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\200\3\0\0\30\5\0\0" ... {28, 56, reply, 0, 896, 2016, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\200\3\0\0\30\5\0\0" )  ) == 0x0
 02470  2016   NtResumeThread  (744, ... 1, ) == 0x0
 02471  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 103546880, 1048576, ) == 0x0
 02472  2016   NtAllocateVirtualMemory  (-1, 104587264, 0, 8192, 4096, 4, ... 104587264, 8192, ) == 0x0
 02473  1304   NtWaitForSingleObject  (88, 0, 0x0, ...
 02474  2016   NtProtectVirtualMemory  (-1, (0x63be000), 4096, 260, ... (0x63be000), 4096, 4, ) == 0x0
 02475  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 748, {896, 2052}, ) == 0x0
 02476  2016   NtQueryInformationThread  (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=896,Tid=2052,}, 0x0, ) == 0x0
 02477  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81946, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\200\3\0\0\4\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\200\3\0\0\4\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81947, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\200\3\0\0\4\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\200\3\0\0\4\10\0\0" )  ) == 0x0
 02478  2016   NtResumeThread  (748, ... 1, ) == 0x0
 02479  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 104595456, 1048576, ) == 0x0
 02480  2016   NtAllocateVirtualMemory  (-1, 105635840, 0, 8192, 4096, 4, ... 105635840, 8192, ) == 0x0
 02481  2052   NtWaitForSingleObject  (88, 0, 0x0, ...
 02482  2016   NtProtectVirtualMemory  (-1, (0x64be000), 4096, 260, ... (0x64be000), 4096, 4, ) == 0x0
 02483  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {896, 2056}, ) == 0x0
 02484  2016   NtQueryInformationThread  (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=896,Tid=2056,}, 0x0, ) == 0x0
 02485  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81947, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\200\3\0\0\10\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\200\3\0\0\10\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81948, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\200\3\0\0\10\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\200\3\0\0\10\10\0\0" )  ) == 0x0
 02486  2016   NtResumeThread  (752, ... 1, ) == 0x0
 02487  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02488  2056   NtWaitForSingleObject  (88, 0, 0x0, ...
 02487  2016   NtAllocateVirtualMemory  ... 105644032, 1048576, ) == 0x0
 02489  2016   NtAllocateVirtualMemory  (-1, 106684416, 0, 8192, 4096, 4, ... 106684416, 8192, ) == 0x0
 02490  2016   NtProtectVirtualMemory  (-1, (0x65be000), 4096, 260, ... (0x65be000), 4096, 4, ) == 0x0
 02491  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {896, 2060}, ) == 0x0
 02492  2016   NtQueryInformationThread  (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=896,Tid=2060,}, 0x0, ) == 0x0
 02493  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81948, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\200\3\0\0\14\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\200\3\0\0\14\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81949, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\200\3\0\0\14\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\200\3\0\0\14\10\0\0" )  ) == 0x0
 02494  2016   NtResumeThread  (756, ... 1, ) == 0x0
 02495  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 106692608, 1048576, ) == 0x0
 02496  2016   NtAllocateVirtualMemory  (-1, 107732992, 0, 8192, 4096, 4, ... 107732992, 8192, ) == 0x0
 02497  2060   NtWaitForSingleObject  (88, 0, 0x0, ...
 02498  2016   NtProtectVirtualMemory  (-1, (0x66be000), 4096, 260, ... (0x66be000), 4096, 4, ) == 0x0
 02499  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {896, 2064}, ) == 0x0
 02500  2016   NtQueryInformationThread  (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=896,Tid=2064,}, 0x0, ) == 0x0
 02501  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81949, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\200\3\0\0\20\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\200\3\0\0\20\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81950, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\200\3\0\0\20\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\200\3\0\0\20\10\0\0" )  ) == 0x0
 02502  2016   NtResumeThread  (760, ... 1, ) == 0x0
 02503  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02504  2064   NtWaitForSingleObject  (88, 0, 0x0, ...
 02503  2016   NtAllocateVirtualMemory  ... 107741184, 1048576, ) == 0x0
 02505  2016   NtAllocateVirtualMemory  (-1, 108781568, 0, 8192, 4096, 4, ... 108781568, 8192, ) == 0x0
 02506  2016   NtProtectVirtualMemory  (-1, (0x67be000), 4096, 260, ... (0x67be000), 4096, 4, ) == 0x0
 02507  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 764, {896, 2068}, ) == 0x0
 02508  2016   NtQueryInformationThread  (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=896,Tid=2068,}, 0x0, ) == 0x0
 02509  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81950, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\200\3\0\0\24\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\200\3\0\0\24\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81951, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\200\3\0\0\24\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\200\3\0\0\24\10\0\0" )  ) == 0x0
 02510  2016   NtResumeThread  (764, ... 1, ) == 0x0
 02511  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 108789760, 1048576, ) == 0x0
 02512  2016   NtAllocateVirtualMemory  (-1, 109830144, 0, 8192, 4096, 4, ... 109830144, 8192, ) == 0x0
 02513  2068   NtWaitForSingleObject  (88, 0, 0x0, ...
 02514  2016   NtProtectVirtualMemory  (-1, (0x68be000), 4096, 260, ... (0x68be000), 4096, 4, ) == 0x0
 02515  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 768, {896, 2072}, ) == 0x0
 02516  2016   NtQueryInformationThread  (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=896,Tid=2072,}, 0x0, ) == 0x0
 02517  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81951, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\200\3\0\0\30\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\200\3\0\0\30\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81952, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\200\3\0\0\30\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\200\3\0\0\30\10\0\0" )  ) == 0x0
 02518  2016   NtResumeThread  (768, ... 1, ) == 0x0
 02519  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02520  2072   NtWaitForSingleObject  (88, 0, 0x0, ...
 02519  2016   NtAllocateVirtualMemory  ... 109838336, 1048576, ) == 0x0
 02521  2016   NtAllocateVirtualMemory  (-1, 110878720, 0, 8192, 4096, 4, ... 110878720, 8192, ) == 0x0
 02522  2016   NtProtectVirtualMemory  (-1, (0x69be000), 4096, 260, ... (0x69be000), 4096, 4, ) == 0x0
 02523  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 772, {896, 2076}, ) == 0x0
 02524  2016   NtQueryInformationThread  (772, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=896,Tid=2076,}, 0x0, ) == 0x0
 02525  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81952, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\200\3\0\0\34\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\200\3\0\0\34\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81953, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81952, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\200\3\0\0\34\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\200\3\0\0\34\10\0\0" )  ) == 0x0
 02526  2016   NtResumeThread  (772, ... 1, ) == 0x0
 02527  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 110886912, 1048576, ) == 0x0
 02528  2016   NtAllocateVirtualMemory  (-1, 111927296, 0, 8192, 4096, 4, ... 111927296, 8192, ) == 0x0
 02529  2076   NtWaitForSingleObject  (88, 0, 0x0, ...
 02530  2016   NtProtectVirtualMemory  (-1, (0x6abe000), 4096, 260, ... (0x6abe000), 4096, 4, ) == 0x0
 02531  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 776, {896, 2080}, ) == 0x0
 02532  2016   NtQueryInformationThread  (776, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=896,Tid=2080,}, 0x0, ) == 0x0
 02533  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81953, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\200\3\0\0 \10\0\0" ... {28, 56, reply, 0, 896, 2016, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\200\3\0\0 \10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81954, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81953, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\200\3\0\0 \10\0\0" ... {28, 56, reply, 0, 896, 2016, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\200\3\0\0 \10\0\0" )  ) == 0x0
 02534  2016   NtResumeThread  (776, ... 1, ) == 0x0
 02535  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02536  2080   NtWaitForSingleObject  (88, 0, 0x0, ...
 02535  2016   NtAllocateVirtualMemory  ... 111935488, 1048576, ) == 0x0
 02537  2016   NtAllocateVirtualMemory  (-1, 112975872, 0, 8192, 4096, 4, ... 112975872, 8192, ) == 0x0
 02538  2016   NtProtectVirtualMemory  (-1, (0x6bbe000), 4096, 260, ... (0x6bbe000), 4096, 4, ) == 0x0
 02539  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 780, {896, 2084}, ) == 0x0
 02540  2016   NtQueryInformationThread  (780, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=896,Tid=2084,}, 0x0, ) == 0x0
 02541  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81954, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\200\3\0\0$\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\200\3\0\0$\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81955, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81954, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\200\3\0\0$\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\3\0\0\200\3\0\0$\10\0\0" )  ) == 0x0
 02542  2016   NtResumeThread  (780, ... 1, ) == 0x0
 02543  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 112984064, 1048576, ) == 0x0
 02544  2016   NtAllocateVirtualMemory  (-1, 114024448, 0, 8192, 4096, 4, ... 114024448, 8192, ) == 0x0
 02545  2084   NtWaitForSingleObject  (88, 0, 0x0, ...
 02546  2016   NtProtectVirtualMemory  (-1, (0x6cbe000), 4096, 260, ... (0x6cbe000), 4096, 4, ) == 0x0
 02547  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 784, {896, 2088}, ) == 0x0
 02548  2016   NtQueryInformationThread  (784, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=896,Tid=2088,}, 0x0, ) == 0x0
 02549  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81955, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\200\3\0\0(\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\200\3\0\0(\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81956, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81955, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\200\3\0\0(\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\3\0\0\200\3\0\0(\10\0\0" )  ) == 0x0
 02550  2016   NtResumeThread  (784, ... 1, ) == 0x0
 02551  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02552  2088   NtWaitForSingleObject  (88, 0, 0x0, ...
 02551  2016   NtAllocateVirtualMemory  ... 114032640, 1048576, ) == 0x0
 02553  2016   NtAllocateVirtualMemory  (-1, 115073024, 0, 8192, 4096, 4, ... 115073024, 8192, ) == 0x0
 02554  2016   NtProtectVirtualMemory  (-1, (0x6dbe000), 4096, 260, ... (0x6dbe000), 4096, 4, ) == 0x0
 02555  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 788, {896, 2092}, ) == 0x0
 02556  2016   NtQueryInformationThread  (788, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=896,Tid=2092,}, 0x0, ) == 0x0
 02557  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81956, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\200\3\0\0,\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\200\3\0\0,\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81957, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81956, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\200\3\0\0,\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\3\0\0\200\3\0\0,\10\0\0" )  ) == 0x0
 02558  2016   NtResumeThread  (788, ... 1, ) == 0x0
 02559  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 115081216, 1048576, ) == 0x0
 02560  2016   NtAllocateVirtualMemory  (-1, 116121600, 0, 8192, 4096, 4, ... 116121600, 8192, ) == 0x0
 02561  2092   NtWaitForSingleObject  (88, 0, 0x0, ...
 02562  2016   NtProtectVirtualMemory  (-1, (0x6ebe000), 4096, 260, ... (0x6ebe000), 4096, 4, ) == 0x0
 02563  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 792, {896, 2096}, ) == 0x0
 02564  2016   NtQueryInformationThread  (792, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=896,Tid=2096,}, 0x0, ) == 0x0
 02565  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81957, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\200\3\0\00\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\200\3\0\00\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81958, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81957, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\200\3\0\00\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\3\0\0\200\3\0\00\10\0\0" )  ) == 0x0
 02566  2016   NtResumeThread  (792, ... 1, ) == 0x0
 02567  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02568  2096   NtWaitForSingleObject  (88, 0, 0x0, ...
 02567  2016   NtAllocateVirtualMemory  ... 116129792, 1048576, ) == 0x0
 02569  2016   NtAllocateVirtualMemory  (-1, 117170176, 0, 8192, 4096, 4, ... 117170176, 8192, ) == 0x0
 02570  2016   NtProtectVirtualMemory  (-1, (0x6fbe000), 4096, 260, ... (0x6fbe000), 4096, 4, ) == 0x0
 02571  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 796, {896, 2100}, ) == 0x0
 02572  2016   NtQueryInformationThread  (796, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=896,Tid=2100,}, 0x0, ) == 0x0
 02573  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81958, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\200\3\0\04\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\200\3\0\04\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81959, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81958, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\200\3\0\04\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\3\0\0\200\3\0\04\10\0\0" )  ) == 0x0
 02574  2016   NtResumeThread  (796, ... 1, ) == 0x0
 02575  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 117178368, 1048576, ) == 0x0
 02576  2016   NtAllocateVirtualMemory  (-1, 118218752, 0, 8192, 4096, 4, ... 118218752, 8192, ) == 0x0
 02577  2100   NtWaitForSingleObject  (88, 0, 0x0, ...
 02578  2016   NtProtectVirtualMemory  (-1, (0x70be000), 4096, 260, ... (0x70be000), 4096, 4, ) == 0x0
 02579  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 800, {896, 2104}, ) == 0x0
 02580  2016   NtQueryInformationThread  (800, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=896,Tid=2104,}, 0x0, ) == 0x0
 02581  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81959, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0\200\3\0\08\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0\200\3\0\08\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81960, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81959, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0\200\3\0\08\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \3\0\0\200\3\0\08\10\0\0" )  ) == 0x0
 02582  2016   NtResumeThread  (800, ... 1, ) == 0x0
 02583  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02584  2104   NtWaitForSingleObject  (88, 0, 0x0, ...
 02583  2016   NtAllocateVirtualMemory  ... 118226944, 1048576, ) == 0x0
 02585  2016   NtAllocateVirtualMemory  (-1, 119267328, 0, 8192, 4096, 4, ... 119267328, 8192, ) == 0x0
 02586  2016   NtProtectVirtualMemory  (-1, (0x71be000), 4096, 260, ... (0x71be000), 4096, 4, ) == 0x0
 02587  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 804, {896, 2108}, ) == 0x0
 02588  2016   NtQueryInformationThread  (804, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=896,Tid=2108,}, 0x0, ) == 0x0
 02589  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81960, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\3\0\0\200\3\0\0<\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\3\0\0\200\3\0\0<\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81961, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81960, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\3\0\0\200\3\0\0<\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\3\0\0\200\3\0\0<\10\0\0" )  ) == 0x0
 02590  2016   NtResumeThread  (804, ... 1, ) == 0x0
 02591  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 119275520, 1048576, ) == 0x0
 02592  2016   NtAllocateVirtualMemory  (-1, 120315904, 0, 8192, 4096, 4, ... 120315904, 8192, ) == 0x0
 02593  2108   NtWaitForSingleObject  (88, 0, 0x0, ...
 02594  2016   NtProtectVirtualMemory  (-1, (0x72be000), 4096, 260, ... (0x72be000), 4096, 4, ) == 0x0
 02595  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 808, {896, 2112}, ) == 0x0
 02596  2016   NtQueryInformationThread  (808, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=896,Tid=2112,}, 0x0, ) == 0x0
 02597  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81961, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\200\3\0\0@\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\200\3\0\0@\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81962, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81961, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\200\3\0\0@\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\200\3\0\0@\10\0\0" )  ) == 0x0
 02598  2016   NtResumeThread  (808, ... 1, ) == 0x0
 02599  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02600  2112   NtWaitForSingleObject  (88, 0, 0x0, ...
 02599  2016   NtAllocateVirtualMemory  ... 120324096, 1048576, ) == 0x0
 02601  2016   NtAllocateVirtualMemory  (-1, 121364480, 0, 8192, 4096, 4, ... 121364480, 8192, ) == 0x0
 02602  2016   NtProtectVirtualMemory  (-1, (0x73be000), 4096, 260, ... (0x73be000), 4096, 4, ) == 0x0
 02603  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 812, {896, 2116}, ) == 0x0
 02604  2016   NtQueryInformationThread  (812, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=896,Tid=2116,}, 0x0, ) == 0x0
 02605  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81962, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\3\0\0\200\3\0\0D\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\3\0\0\200\3\0\0D\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81963, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81962, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\3\0\0\200\3\0\0D\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\3\0\0\200\3\0\0D\10\0\0" )  ) == 0x0
 02606  2016   NtResumeThread  (812, ... 1, ) == 0x0
 02607  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 121372672, 1048576, ) == 0x0
 02608  2016   NtAllocateVirtualMemory  (-1, 122413056, 0, 8192, 4096, 4, ... 122413056, 8192, ) == 0x0
 02609  2116   NtWaitForSingleObject  (88, 0, 0x0, ...
 02610  2016   NtProtectVirtualMemory  (-1, (0x74be000), 4096, 260, ... (0x74be000), 4096, 4, ) == 0x0
 02611  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 816, {896, 2120}, ) == 0x0
 02612  2016   NtQueryInformationThread  (816, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=896,Tid=2120,}, 0x0, ) == 0x0
 02613  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81963, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\200\3\0\0H\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\200\3\0\0H\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81964, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81963, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\200\3\0\0H\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\3\0\0\200\3\0\0H\10\0\0" )  ) == 0x0
 02614  2016   NtResumeThread  (816, ... 1, ) == 0x0
 02615  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02616  2120   NtWaitForSingleObject  (88, 0, 0x0, ...
 02615  2016   NtAllocateVirtualMemory  ... 122421248, 1048576, ) == 0x0
 02617  2016   NtAllocateVirtualMemory  (-1, 123461632, 0, 8192, 4096, 4, ... 123461632, 8192, ) == 0x0
 02618  2016   NtProtectVirtualMemory  (-1, (0x75be000), 4096, 260, ... (0x75be000), 4096, 4, ) == 0x0
 02619  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 820, {896, 2124}, ) == 0x0
 02620  2016   NtQueryInformationThread  (820, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=896,Tid=2124,}, 0x0, ) == 0x0
 02621  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81964, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\200\3\0\0L\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\200\3\0\0L\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81965, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81964, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\200\3\0\0L\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\3\0\0\200\3\0\0L\10\0\0" )  ) == 0x0
 02622  2016   NtResumeThread  (820, ... 1, ) == 0x0
 02623  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 123469824, 1048576, ) == 0x0
 02624  2016   NtAllocateVirtualMemory  (-1, 124510208, 0, 8192, 4096, 4, ... 124510208, 8192, ) == 0x0
 02625  2124   NtWaitForSingleObject  (88, 0, 0x0, ...
 02626  2016   NtProtectVirtualMemory  (-1, (0x76be000), 4096, 260, ... (0x76be000), 4096, 4, ) == 0x0
 02627  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 824, {896, 2128}, ) == 0x0
 02628  2016   NtQueryInformationThread  (824, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=896,Tid=2128,}, 0x0, ) == 0x0
 02629  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81965, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\200\3\0\0P\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\200\3\0\0P\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81966, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81965, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\200\3\0\0P\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\3\0\0\200\3\0\0P\10\0\0" )  ) == 0x0
 02630  2016   NtResumeThread  (824, ... 1, ) == 0x0
 02631  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02632  2128   NtWaitForSingleObject  (88, 0, 0x0, ...
 02631  2016   NtAllocateVirtualMemory  ... 124518400, 1048576, ) == 0x0
 02633  2016   NtAllocateVirtualMemory  (-1, 125558784, 0, 8192, 4096, 4, ... 125558784, 8192, ) == 0x0
 02634  2016   NtProtectVirtualMemory  (-1, (0x77be000), 4096, 260, ... (0x77be000), 4096, 4, ) == 0x0
 02635  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 828, {896, 2132}, ) == 0x0
 02636  2016   NtQueryInformationThread  (828, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=896,Tid=2132,}, 0x0, ) == 0x0
 02637  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81966, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0\200\3\0\0T\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0\200\3\0\0T\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81967, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81966, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0\200\3\0\0T\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0\200\3\0\0T\10\0\0" )  ) == 0x0
 02638  2016   NtResumeThread  (828, ... 1, ) == 0x0
 02639  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 125566976, 1048576, ) == 0x0
 02640  2016   NtAllocateVirtualMemory  (-1, 126607360, 0, 8192, 4096, 4, ... 126607360, 8192, ) == 0x0
 02641  2132   NtWaitForSingleObject  (88, 0, 0x0, ...
 02642  2016   NtProtectVirtualMemory  (-1, (0x78be000), 4096, 260, ... (0x78be000), 4096, 4, ) == 0x0
 02643  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 832, {896, 2136}, ) == 0x0
 02644  2016   NtQueryInformationThread  (832, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=896,Tid=2136,}, 0x0, ) == 0x0
 02645  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81967, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\200\3\0\0X\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\200\3\0\0X\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81968, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81967, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\200\3\0\0X\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\3\0\0\200\3\0\0X\10\0\0" )  ) == 0x0
 02646  2016   NtResumeThread  (832, ... 1, ) == 0x0
 02647  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02648  2136   NtWaitForSingleObject  (88, 0, 0x0, ...
 02647  2016   NtAllocateVirtualMemory  ... 126615552, 1048576, ) == 0x0
 02649  2016   NtAllocateVirtualMemory  (-1, 127655936, 0, 8192, 4096, 4, ... 127655936, 8192, ) == 0x0
 02650  2016   NtProtectVirtualMemory  (-1, (0x79be000), 4096, 260, ... (0x79be000), 4096, 4, ) == 0x0
 02651  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 836, {896, 2140}, ) == 0x0
 02652  2016   NtQueryInformationThread  (836, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=896,Tid=2140,}, 0x0, ) == 0x0
 02653  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81968, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0\200\3\0\0\\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0\200\3\0\0\\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81969, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81968, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0\200\3\0\0\\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\3\0\0\200\3\0\0\\10\0\0" )  ) == 0x0
 02654  2016   NtResumeThread  (836, ... 1, ) == 0x0
 02655  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 127664128, 1048576, ) == 0x0
 02656  2016   NtAllocateVirtualMemory  (-1, 128704512, 0, 8192, 4096, 4, ... 128704512, 8192, ) == 0x0
 02657  2140   NtWaitForSingleObject  (88, 0, 0x0, ...
 02658  2016   NtProtectVirtualMemory  (-1, (0x7abe000), 4096, 260, ... (0x7abe000), 4096, 4, ) == 0x0
 02659  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 840, {896, 2144}, ) == 0x0
 02660  2016   NtQueryInformationThread  (840, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=896,Tid=2144,}, 0x0, ) == 0x0
 02661  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81969, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\200\3\0\0`\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\200\3\0\0`\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81970, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81969, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\200\3\0\0`\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\200\3\0\0`\10\0\0" )  ) == 0x0
 02662  2016   NtResumeThread  (840, ... 1, ) == 0x0
 02663  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02664  2144   NtWaitForSingleObject  (88, 0, 0x0, ...
 02663  2016   NtAllocateVirtualMemory  ... 128712704, 1048576, ) == 0x0
 02665  2016   NtAllocateVirtualMemory  (-1, 129753088, 0, 8192, 4096, 4, ... 129753088, 8192, ) == 0x0
 02666  2016   NtProtectVirtualMemory  (-1, (0x7bbe000), 4096, 260, ... (0x7bbe000), 4096, 4, ) == 0x0
 02667  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 844, {896, 2148}, ) == 0x0
 02668  2016   NtQueryInformationThread  (844, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=896,Tid=2148,}, 0x0, ) == 0x0
 02669  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81970, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\3\0\0\200\3\0\0d\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\3\0\0\200\3\0\0d\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81971, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81970, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\3\0\0\200\3\0\0d\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\3\0\0\200\3\0\0d\10\0\0" )  ) == 0x0
 02670  2016   NtResumeThread  (844, ... 1, ) == 0x0
 02671  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 129761280, 1048576, ) == 0x0
 02672  2016   NtAllocateVirtualMemory  (-1, 130801664, 0, 8192, 4096, 4, ... 130801664, 8192, ) == 0x0
 02673  2148   NtWaitForSingleObject  (88, 0, 0x0, ...
 02674  2016   NtProtectVirtualMemory  (-1, (0x7cbe000), 4096, 260, ... (0x7cbe000), 4096, 4, ) == 0x0
 02675  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 848, {896, 2152}, ) == 0x0
 02676  2016   NtQueryInformationThread  (848, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=896,Tid=2152,}, 0x0, ) == 0x0
 02677  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81971, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\200\3\0\0h\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\200\3\0\0h\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81972, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81971, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\200\3\0\0h\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\3\0\0\200\3\0\0h\10\0\0" )  ) == 0x0
 02678  2016   NtResumeThread  (848, ... 1, ) == 0x0
 02679  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02680  2152   NtWaitForSingleObject  (88, 0, 0x0, ...
 02679  2016   NtAllocateVirtualMemory  ... 130809856, 1048576, ) == 0x0
 02681  2016   NtAllocateVirtualMemory  (-1, 131850240, 0, 8192, 4096, 4, ... 131850240, 8192, ) == 0x0
 02682  2016   NtProtectVirtualMemory  (-1, (0x7dbe000), 4096, 260, ... (0x7dbe000), 4096, 4, ) == 0x0
 02683  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 852, {896, 2156}, ) == 0x0
 02684  2016   NtQueryInformationThread  (852, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=896,Tid=2156,}, 0x0, ) == 0x0
 02685  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81972, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\200\3\0\0l\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\200\3\0\0l\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81973, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81972, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\200\3\0\0l\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\200\3\0\0l\10\0\0" )  ) == 0x0
 02686  2016   NtResumeThread  (852, ... 1, ) == 0x0
 02687  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 131858432, 1048576, ) == 0x0
 02688  2016   NtAllocateVirtualMemory  (-1, 132898816, 0, 8192, 4096, 4, ... 132898816, 8192, ) == 0x0
 02689  2156   NtWaitForSingleObject  (88, 0, 0x0, ...
 02690  2016   NtProtectVirtualMemory  (-1, (0x7ebe000), 4096, 260, ... (0x7ebe000), 4096, 4, ) == 0x0
 02691  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 856, {896, 2160}, ) == 0x0
 02692  2016   NtQueryInformationThread  (856, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=896,Tid=2160,}, 0x0, ) == 0x0
 02693  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81973, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\200\3\0\0p\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\200\3\0\0p\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81974, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81973, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\200\3\0\0p\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\200\3\0\0p\10\0\0" )  ) == 0x0
 02694  2016   NtResumeThread  (856, ... 1, ) == 0x0
 02695  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02696  2160   NtWaitForSingleObject  (88, 0, 0x0, ...
 02695  2016   NtAllocateVirtualMemory  ... 132907008, 1048576, ) == 0x0
 02697  2016   NtAllocateVirtualMemory  (-1, 133947392, 0, 8192, 4096, 4, ... 133947392, 8192, ) == 0x0
 02698  2016   NtProtectVirtualMemory  (-1, (0x7fbe000), 4096, 260, ... (0x7fbe000), 4096, 4, ) == 0x0
 02699  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 860, {896, 2164}, ) == 0x0
 02700  2016   NtQueryInformationThread  (860, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=896,Tid=2164,}, 0x0, ) == 0x0
 02701  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81974, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\200\3\0\0t\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\200\3\0\0t\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81975, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\200\3\0\0t\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\3\0\0\200\3\0\0t\10\0\0" )  ) == 0x0
 02702  2016   NtResumeThread  (860, ... 1, ) == 0x0
 02703  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02704  2164   NtWaitForSingleObject  (88, 0, 0x0, ...
 02703  2016   NtAllocateVirtualMemory  ... 133955584, 1048576, ) == 0x0
 02705  2016   NtAllocateVirtualMemory  (-1, 134995968, 0, 8192, 4096, 4, ... 134995968, 8192, ) == 0x0
 02706  2016   NtProtectVirtualMemory  (-1, (0x80be000), 4096, 260, ... (0x80be000), 4096, 4, ) == 0x0
 02707  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 864, {896, 2168}, ) == 0x0
 02708  2016   NtQueryInformationThread  (864, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff43000,Pid=896,Tid=2168,}, 0x0, ) == 0x0
 02709  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81975, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\200\3\0\0x\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\200\3\0\0x\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81976, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\200\3\0\0x\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\3\0\0\200\3\0\0x\10\0\0" )  ) == 0x0
 02710  2016   NtResumeThread  (864, ... 1, ) == 0x0
 02711  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 135004160, 1048576, ) == 0x0
 02712  2016   NtAllocateVirtualMemory  (-1, 136044544, 0, 8192, 4096, 4, ... 136044544, 8192, ) == 0x0
 02713  2168   NtWaitForSingleObject  (88, 0, 0x0, ...
 02714  2016   NtProtectVirtualMemory  (-1, (0x81be000), 4096, 260, ... (0x81be000), 4096, 4, ) == 0x0
 02715  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 868, {896, 2172}, ) == 0x0
 02716  2016   NtQueryInformationThread  (868, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff42000,Pid=896,Tid=2172,}, 0x0, ) == 0x0
 02717  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81976, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\200\3\0\0|\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\200\3\0\0|\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81977, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\200\3\0\0|\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\200\3\0\0|\10\0\0" )  ) == 0x0
 02718  2016   NtResumeThread  (868, ... 1, ) == 0x0
 02719  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02720  2172   NtWaitForSingleObject  (88, 0, 0x0, ...
 02719  2016   NtAllocateVirtualMemory  ... 136052736, 1048576, ) == 0x0
 02721  2016   NtAllocateVirtualMemory  (-1, 137093120, 0, 8192, 4096, 4, ... 137093120, 8192, ) == 0x0
 02722  2016   NtProtectVirtualMemory  (-1, (0x82be000), 4096, 260, ... (0x82be000), 4096, 4, ) == 0x0
 02723  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 872, {896, 2176}, ) == 0x0
 02724  2016   NtQueryInformationThread  (872, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff41000,Pid=896,Tid=2176,}, 0x0, ) == 0x0
 02725  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81977, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\200\3\0\0\200\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\200\3\0\0\200\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81978, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\200\3\0\0\200\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\200\3\0\0\200\10\0\0" )  ) == 0x0
 02726  2016   NtResumeThread  (872, ... 1, ) == 0x0
 02727  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 137101312, 1048576, ) == 0x0
 02728  2016   NtAllocateVirtualMemory  (-1, 138141696, 0, 8192, 4096, 4, ... 138141696, 8192, ) == 0x0
 02729  2176   NtWaitForSingleObject  (88, 0, 0x0, ...
 02730  2016   NtProtectVirtualMemory  (-1, (0x83be000), 4096, 260, ... (0x83be000), 4096, 4, ) == 0x0
 02731  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 876, {896, 2180}, ) == 0x0
 02732  2016   NtQueryInformationThread  (876, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff40000,Pid=896,Tid=2180,}, 0x0, ) == 0x0
 02733  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81978, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\200\3\0\0\204\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\200\3\0\0\204\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81979, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\200\3\0\0\204\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\3\0\0\200\3\0\0\204\10\0\0" )  ) == 0x0
 02734  2016   NtResumeThread  (876, ... 1, ) == 0x0
 02735  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02736  2180   NtWaitForSingleObject  (88, 0, 0x0, ...
 02735  2016   NtAllocateVirtualMemory  ... 138149888, 1048576, ) == 0x0
 02737  2016   NtAllocateVirtualMemory  (-1, 139190272, 0, 8192, 4096, 4, ... 139190272, 8192, ) == 0x0
 02738  2016   NtProtectVirtualMemory  (-1, (0x84be000), 4096, 260, ... (0x84be000), 4096, 4, ) == 0x0
 02739  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 880, {896, 2184}, ) == 0x0
 02740  2016   NtQueryInformationThread  (880, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3f000,Pid=896,Tid=2184,}, 0x0, ) == 0x0
 02741  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81979, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\200\3\0\0\210\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\200\3\0\0\210\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81980, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\200\3\0\0\210\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\3\0\0\200\3\0\0\210\10\0\0" )  ) == 0x0
 02742  2016   NtResumeThread  (880, ... 1, ) == 0x0
 02743  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 139198464, 1048576, ) == 0x0
 02744  2016   NtAllocateVirtualMemory  (-1, 140238848, 0, 8192, 4096, 4, ... 140238848, 8192, ) == 0x0
 02745  2184   NtWaitForSingleObject  (88, 0, 0x0, ...
 02746  2016   NtProtectVirtualMemory  (-1, (0x85be000), 4096, 260, ... (0x85be000), 4096, 4, ) == 0x0
 02747  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 884, {896, 2188}, ) == 0x0
 02748  2016   NtQueryInformationThread  (884, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3e000,Pid=896,Tid=2188,}, 0x0, ) == 0x0
 02749  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81980, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\200\3\0\0\214\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\200\3\0\0\214\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81981, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\200\3\0\0\214\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\3\0\0\200\3\0\0\214\10\0\0" )  ) == 0x0
 02750  2016   NtResumeThread  (884, ... 1, ) == 0x0
 02751  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02752  2188   NtWaitForSingleObject  (88, 0, 0x0, ...
 02751  2016   NtAllocateVirtualMemory  ... 140247040, 1048576, ) == 0x0
 02753  2016   NtAllocateVirtualMemory  (-1, 141287424, 0, 8192, 4096, 4, ... 141287424, 8192, ) == 0x0
 02754  2016   NtProtectVirtualMemory  (-1, (0x86be000), 4096, 260, ... (0x86be000), 4096, 4, ) == 0x0
 02755  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 888, {896, 2192}, ) == 0x0
 02756  2016   NtQueryInformationThread  (888, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3d000,Pid=896,Tid=2192,}, 0x0, ) == 0x0
 02757  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81981, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\200\3\0\0\220\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\200\3\0\0\220\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81982, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\200\3\0\0\220\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\200\3\0\0\220\10\0\0" )  ) == 0x0
 02758  2016   NtResumeThread  (888, ... 1, ) == 0x0
 02759  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 141295616, 1048576, ) == 0x0
 02760  2016   NtAllocateVirtualMemory  (-1, 142336000, 0, 8192, 4096, 4, ... 142336000, 8192, ) == 0x0
 02761  2192   NtWaitForSingleObject  (88, 0, 0x0, ...
 02762  2016   NtProtectVirtualMemory  (-1, (0x87be000), 4096, 260, ... (0x87be000), 4096, 4, ) == 0x0
 02763  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 892, {896, 2196}, ) == 0x0
 02764  2016   NtQueryInformationThread  (892, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3c000,Pid=896,Tid=2196,}, 0x0, ) == 0x0
 02765  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81982, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\200\3\0\0\224\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\200\3\0\0\224\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81983, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\200\3\0\0\224\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\3\0\0\200\3\0\0\224\10\0\0" )  ) == 0x0
 02766  2016   NtResumeThread  (892, ... 1, ) == 0x0
 02767  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02768  2196   NtWaitForSingleObject  (88, 0, 0x0, ...
 02767  2016   NtAllocateVirtualMemory  ... 142344192, 1048576, ) == 0x0
 02769  2016   NtAllocateVirtualMemory  (-1, 143384576, 0, 8192, 4096, 4, ... 143384576, 8192, ) == 0x0
 02770  2016   NtProtectVirtualMemory  (-1, (0x88be000), 4096, 260, ... (0x88be000), 4096, 4, ) == 0x0
 02771  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 896, {896, 2200}, ) == 0x0
 02772  2016   NtQueryInformationThread  (896, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3b000,Pid=896,Tid=2200,}, 0x0, ) == 0x0
 02773  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81983, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\200\3\0\0\230\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\200\3\0\0\230\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81984, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\200\3\0\0\230\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\3\0\0\200\3\0\0\230\10\0\0" )  ) == 0x0
 02774  2016   NtResumeThread  (896, ... 1, ) == 0x0
 02775  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 143392768, 1048576, ) == 0x0
 02776  2016   NtAllocateVirtualMemory  (-1, 144433152, 0, 8192, 4096, 4, ... 144433152, 8192, ) == 0x0
 02777  2200   NtWaitForSingleObject  (88, 0, 0x0, ...
 02778  2016   NtProtectVirtualMemory  (-1, (0x89be000), 4096, 260, ... (0x89be000), 4096, 4, ) == 0x0
 02779  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 900, {896, 2204}, ) == 0x0
 02780  2016   NtQueryInformationThread  (900, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3a000,Pid=896,Tid=2204,}, 0x0, ) == 0x0
 02781  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81984, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\200\3\0\0\234\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\200\3\0\0\234\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81985, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\200\3\0\0\234\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\200\3\0\0\234\10\0\0" )  ) == 0x0
 02782  2016   NtResumeThread  (900, ... 1, ) == 0x0
 02783  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02784  2204   NtWaitForSingleObject  (88, 0, 0x0, ...
 02783  2016   NtAllocateVirtualMemory  ... 144441344, 1048576, ) == 0x0
 02785  2016   NtAllocateVirtualMemory  (-1, 145481728, 0, 8192, 4096, 4, ... 145481728, 8192, ) == 0x0
 02786  2016   NtProtectVirtualMemory  (-1, (0x8abe000), 4096, 260, ... (0x8abe000), 4096, 4, ) == 0x0
 02787  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 904, {896, 2208}, ) == 0x0
 02788  2016   NtQueryInformationThread  (904, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff39000,Pid=896,Tid=2208,}, 0x0, ) == 0x0
 02789  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81985, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\200\3\0\0\240\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\200\3\0\0\240\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81986, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\200\3\0\0\240\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\3\0\0\200\3\0\0\240\10\0\0" )  ) == 0x0
 02790  2016   NtResumeThread  (904, ... 1, ) == 0x0
 02791  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 145489920, 1048576, ) == 0x0
 02792  2016   NtAllocateVirtualMemory  (-1, 146530304, 0, 8192, 4096, 4, ... 146530304, 8192, ) == 0x0
 02793  2208   NtWaitForSingleObject  (88, 0, 0x0, ...
 02794  2016   NtProtectVirtualMemory  (-1, (0x8bbe000), 4096, 260, ... (0x8bbe000), 4096, 4, ) == 0x0
 02795  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 908, {896, 2212}, ) == 0x0
 02796  2016   NtQueryInformationThread  (908, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff38000,Pid=896,Tid=2212,}, 0x0, ) == 0x0
 02797  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81986, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\200\3\0\0\244\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\200\3\0\0\244\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81987, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\200\3\0\0\244\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\200\3\0\0\244\10\0\0" )  ) == 0x0
 02798  2016   NtResumeThread  (908, ... 1, ) == 0x0
 02799  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02800  2212   NtWaitForSingleObject  (88, 0, 0x0, ...
 02799  2016   NtAllocateVirtualMemory  ... 146538496, 1048576, ) == 0x0
 02801  2016   NtAllocateVirtualMemory  (-1, 147578880, 0, 8192, 4096, 4, ... 147578880, 8192, ) == 0x0
 02802  2016   NtProtectVirtualMemory  (-1, (0x8cbe000), 4096, 260, ... (0x8cbe000), 4096, 4, ) == 0x0
 02803  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 912, {896, 2216}, ) == 0x0
 02804  2016   NtQueryInformationThread  (912, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff37000,Pid=896,Tid=2216,}, 0x0, ) == 0x0
 02805  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81987, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\200\3\0\0\250\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\200\3\0\0\250\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81988, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\200\3\0\0\250\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\3\0\0\200\3\0\0\250\10\0\0" )  ) == 0x0
 02806  2016   NtResumeThread  (912, ... 1, ) == 0x0
 02807  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 147587072, 1048576, ) == 0x0
 02808  2016   NtAllocateVirtualMemory  (-1, 148627456, 0, 8192, 4096, 4, ... 148627456, 8192, ) == 0x0
 02809  2216   NtWaitForSingleObject  (88, 0, 0x0, ...
 02810  2016   NtProtectVirtualMemory  (-1, (0x8dbe000), 4096, 260, ... (0x8dbe000), 4096, 4, ) == 0x0
 02811  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 916, {896, 2220}, ) == 0x0
 02812  2016   NtQueryInformationThread  (916, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff36000,Pid=896,Tid=2220,}, 0x0, ) == 0x0
 02813  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81988, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\200\3\0\0\254\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\200\3\0\0\254\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81989, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\200\3\0\0\254\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\3\0\0\200\3\0\0\254\10\0\0" )  ) == 0x0
 02814  2016   NtResumeThread  (916, ... 1, ) == 0x0
 02815  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02816  2220   NtWaitForSingleObject  (88, 0, 0x0, ...
 02815  2016   NtAllocateVirtualMemory  ... 148635648, 1048576, ) == 0x0
 02817  2016   NtAllocateVirtualMemory  (-1, 149676032, 0, 8192, 4096, 4, ... 149676032, 8192, ) == 0x0
 02818  2016   NtProtectVirtualMemory  (-1, (0x8ebe000), 4096, 260, ... (0x8ebe000), 4096, 4, ) == 0x0
 02819  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 920, {896, 2224}, ) == 0x0
 02820  2016   NtQueryInformationThread  (920, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff35000,Pid=896,Tid=2224,}, 0x0, ) == 0x0
 02821  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81989, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\200\3\0\0\260\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\200\3\0\0\260\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81990, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\200\3\0\0\260\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\3\0\0\200\3\0\0\260\10\0\0" )  ) == 0x0
 02822  2016   NtResumeThread  (920, ... 1, ) == 0x0
 02823  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 149684224, 1048576, ) == 0x0
 02824  2016   NtAllocateVirtualMemory  (-1, 150724608, 0, 8192, 4096, 4, ... 150724608, 8192, ) == 0x0
 02825  2224   NtWaitForSingleObject  (88, 0, 0x0, ...
 02826  2016   NtProtectVirtualMemory  (-1, (0x8fbe000), 4096, 260, ... (0x8fbe000), 4096, 4, ) == 0x0
 02827  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 924, {896, 2228}, ) == 0x0
 02828  2016   NtQueryInformationThread  (924, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff34000,Pid=896,Tid=2228,}, 0x0, ) == 0x0
 02829  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81990, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0\200\3\0\0\264\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0\200\3\0\0\264\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81991, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0\200\3\0\0\264\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0\200\3\0\0\264\10\0\0" )  ) == 0x0
 02830  2016   NtResumeThread  (924, ... 1, ) == 0x0
 02831  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02832  2228   NtWaitForSingleObject  (88, 0, 0x0, ...
 02831  2016   NtAllocateVirtualMemory  ... 150732800, 1048576, ) == 0x0
 02833  2016   NtAllocateVirtualMemory  (-1, 151773184, 0, 8192, 4096, 4, ... 151773184, 8192, ) == 0x0
 02834  2016   NtProtectVirtualMemory  (-1, (0x90be000), 4096, 260, ... (0x90be000), 4096, 4, ) == 0x0
 02835  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 928, {896, 2232}, ) == 0x0
 02836  2016   NtQueryInformationThread  (928, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff33000,Pid=896,Tid=2232,}, 0x0, ) == 0x0
 02837  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81991, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\200\3\0\0\270\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\200\3\0\0\270\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81992, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\200\3\0\0\270\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\3\0\0\200\3\0\0\270\10\0\0" )  ) == 0x0
 02838  2016   NtResumeThread  (928, ... 1, ) == 0x0
 02839  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 151781376, 1048576, ) == 0x0
 02840  2016   NtAllocateVirtualMemory  (-1, 152821760, 0, 8192, 4096, 4, ... 152821760, 8192, ) == 0x0
 02841  2232   NtWaitForSingleObject  (88, 0, 0x0, ...
 02842  2016   NtProtectVirtualMemory  (-1, (0x91be000), 4096, 260, ... (0x91be000), 4096, 4, ) == 0x0
 02843  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 932, {896, 2236}, ) == 0x0
 02844  2016   NtQueryInformationThread  (932, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff32000,Pid=896,Tid=2236,}, 0x0, ) == 0x0
 02845  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81992, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\200\3\0\0\274\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\200\3\0\0\274\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81993, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\200\3\0\0\274\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\3\0\0\200\3\0\0\274\10\0\0" )  ) == 0x0
 02846  2016   NtResumeThread  (932, ... 1, ) == 0x0
 02847  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02848  2236   NtWaitForSingleObject  (88, 0, 0x0, ...
 02847  2016   NtAllocateVirtualMemory  ... 152829952, 1048576, ) == 0x0
 02849  2016   NtAllocateVirtualMemory  (-1, 153870336, 0, 8192, 4096, 4, ... 153870336, 8192, ) == 0x0
 02850  2016   NtProtectVirtualMemory  (-1, (0x92be000), 4096, 260, ... (0x92be000), 4096, 4, ) == 0x0
 02851  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 936, {896, 2240}, ) == 0x0
 02852  2016   NtQueryInformationThread  (936, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff31000,Pid=896,Tid=2240,}, 0x0, ) == 0x0
 02853  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81993, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\200\3\0\0\300\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\200\3\0\0\300\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81994, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\200\3\0\0\300\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\200\3\0\0\300\10\0\0" )  ) == 0x0
 02854  2016   NtResumeThread  (936, ... 1, ) == 0x0
 02855  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02856  2240   NtWaitForSingleObject  (88, 0, 0x0, ...
 02855  2016   NtAllocateVirtualMemory  ... 153878528, 1048576, ) == 0x0
 02857  2016   NtAllocateVirtualMemory  (-1, 154918912, 0, 8192, 4096, 4, ... 154918912, 8192, ) == 0x0
 02858  2016   NtProtectVirtualMemory  (-1, (0x93be000), 4096, 260, ... (0x93be000), 4096, 4, ) == 0x0
 02859  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 940, {896, 2244}, ) == 0x0
 02860  2016   NtQueryInformationThread  (940, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff30000,Pid=896,Tid=2244,}, 0x0, ) == 0x0
 02861  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81994, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0\200\3\0\0\304\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0\200\3\0\0\304\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81995, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0\200\3\0\0\304\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\3\0\0\200\3\0\0\304\10\0\0" )  ) == 0x0
 02862  2016   NtResumeThread  (940, ... 1, ) == 0x0
 02863  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 154927104, 1048576, ) == 0x0
 02864  2016   NtAllocateVirtualMemory  (-1, 155967488, 0, 8192, 4096, 4, ... 155967488, 8192, ) == 0x0
 02865  2244   NtWaitForSingleObject  (88, 0, 0x0, ...
 02866  2016   NtProtectVirtualMemory  (-1, (0x94be000), 4096, 260, ... (0x94be000), 4096, 4, ) == 0x0
 02867  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 944, {896, 2248}, ) == 0x0
 02868  2016   NtQueryInformationThread  (944, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2f000,Pid=896,Tid=2248,}, 0x0, ) == 0x0
 02869  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81995, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\200\3\0\0\310\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\200\3\0\0\310\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81996, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\200\3\0\0\310\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\200\3\0\0\310\10\0\0" )  ) == 0x0
 02870  2016   NtResumeThread  (944, ... 1, ) == 0x0
 02871  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02872  2248   NtWaitForSingleObject  (88, 0, 0x0, ...
 02871  2016   NtAllocateVirtualMemory  ... 155975680, 1048576, ) == 0x0
 02873  2016   NtAllocateVirtualMemory  (-1, 157016064, 0, 8192, 4096, 4, ... 157016064, 8192, ) == 0x0
 02874  2016   NtProtectVirtualMemory  (-1, (0x95be000), 4096, 260, ... (0x95be000), 4096, 4, ) == 0x0
 02875  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 948, {896, 2252}, ) == 0x0
 02876  2016   NtQueryInformationThread  (948, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2e000,Pid=896,Tid=2252,}, 0x0, ) == 0x0
 02877  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81996, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\200\3\0\0\314\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\200\3\0\0\314\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81997, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\200\3\0\0\314\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\200\3\0\0\314\10\0\0" )  ) == 0x0
 02878  2016   NtResumeThread  (948, ... 1, ) == 0x0
 02879  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 157024256, 1048576, ) == 0x0
 02880  2016   NtAllocateVirtualMemory  (-1, 158064640, 0, 8192, 4096, 4, ... 158064640, 8192, ) == 0x0
 02881  2252   NtWaitForSingleObject  (88, 0, 0x0, ...
 02882  2016   NtProtectVirtualMemory  (-1, (0x96be000), 4096, 260, ... (0x96be000), 4096, 4, ) == 0x0
 02883  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 952, {896, 2256}, ) == 0x0
 02884  2016   NtQueryInformationThread  (952, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2d000,Pid=896,Tid=2256,}, 0x0, ) == 0x0
 02885  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81997, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\200\3\0\0\320\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\200\3\0\0\320\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81998, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\200\3\0\0\320\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\3\0\0\200\3\0\0\320\10\0\0" )  ) == 0x0
 02886  2016   NtResumeThread  (952, ... 1, ) == 0x0
 02887  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02888  2256   NtWaitForSingleObject  (88, 0, 0x0, ...
 02887  2016   NtAllocateVirtualMemory  ... 158072832, 1048576, ) == 0x0
 02889  2016   NtAllocateVirtualMemory  (-1, 159113216, 0, 8192, 4096, 4, ... 159113216, 8192, ) == 0x0
 02890  2016   NtProtectVirtualMemory  (-1, (0x97be000), 4096, 260, ... (0x97be000), 4096, 4, ) == 0x0
 02891  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 956, {896, 2260}, ) == 0x0
 02892  2016   NtQueryInformationThread  (956, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2c000,Pid=896,Tid=2260,}, 0x0, ) == 0x0
 02893  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81998, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\200\3\0\0\324\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\200\3\0\0\324\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81999, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\200\3\0\0\324\10\0\0" ... {28, 56, reply, 0, 896, 2016, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\3\0\0\200\3\0\0\324\10\0\0" )  ) == 0x0
 02894  2016   NtResumeThread  (956, ... 1, ) == 0x0
 02895  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 159121408, 1048576, ) == 0x0
 02896  2016   NtAllocateVirtualMemory  (-1, 160161792, 0, 8192, 4096, 4, ... 160161792, 8192, ) == 0x0
 02897  2260   NtWaitForSingleObject  (88, 0, 0x0, ...
 02898  2016   NtProtectVirtualMemory  (-1, (0x98be000), 4096, 260, ... (0x98be000), 4096, 4, ) == 0x0
 02899  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 960, {896, 2264}, ) == 0x0
 02900  2016   NtQueryInformationThread  (960, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2b000,Pid=896,Tid=2264,}, 0x0, ) == 0x0
 02901  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 81999, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\200\3\0\0\330\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\200\3\0\0\330\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82000, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 81999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\200\3\0\0\330\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\200\3\0\0\330\10\0\0" )  ) == 0x0
 02902  2016   NtResumeThread  (960, ... 1, ) == 0x0
 02903  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02904  2264   NtWaitForSingleObject  (88, 0, 0x0, ...
 02903  2016   NtAllocateVirtualMemory  ... 160169984, 1048576, ) == 0x0
 02905  2016   NtAllocateVirtualMemory  (-1, 161210368, 0, 8192, 4096, 4, ... 161210368, 8192, ) == 0x0
 02906  2016   NtProtectVirtualMemory  (-1, (0x99be000), 4096, 260, ... (0x99be000), 4096, 4, ) == 0x0
 02907  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 964, {896, 2268}, ) == 0x0
 02908  2016   NtQueryInformationThread  (964, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff2a000,Pid=896,Tid=2268,}, 0x0, ) == 0x0
 02909  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82000, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0\200\3\0\0\334\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0\200\3\0\0\334\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82001, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0\200\3\0\0\334\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0\200\3\0\0\334\10\0\0" )  ) == 0x0
 02910  2016   NtResumeThread  (964, ... 1, ) == 0x0
 02911  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 161218560, 1048576, ) == 0x0
 02912  2016   NtAllocateVirtualMemory  (-1, 162258944, 0, 8192, 4096, 4, ... 162258944, 8192, ) == 0x0
 02913  2268   NtWaitForSingleObject  (88, 0, 0x0, ...
 02914  2016   NtProtectVirtualMemory  (-1, (0x9abe000), 4096, 260, ... (0x9abe000), 4096, 4, ) == 0x0
 02915  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 968, {896, 2272}, ) == 0x0
 02916  2016   NtQueryInformationThread  (968, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff29000,Pid=896,Tid=2272,}, 0x0, ) == 0x0
 02917  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82001, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\200\3\0\0\340\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\200\3\0\0\340\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82002, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\200\3\0\0\340\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\200\3\0\0\340\10\0\0" )  ) == 0x0
 02918  2016   NtResumeThread  (968, ... 1, ) == 0x0
 02919  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02920  2272   NtWaitForSingleObject  (88, 0, 0x0, ...
 02919  2016   NtAllocateVirtualMemory  ... 162267136, 1048576, ) == 0x0
 02921  2016   NtAllocateVirtualMemory  (-1, 163307520, 0, 8192, 4096, 4, ... 163307520, 8192, ) == 0x0
 02922  2016   NtProtectVirtualMemory  (-1, (0x9bbe000), 4096, 260, ... (0x9bbe000), 4096, 4, ) == 0x0
 02923  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 972, {896, 2276}, ) == 0x0
 02924  2016   NtQueryInformationThread  (972, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff28000,Pid=896,Tid=2276,}, 0x0, ) == 0x0
 02925  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82002, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\3\0\0\200\3\0\0\344\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\3\0\0\200\3\0\0\344\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82003, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\3\0\0\200\3\0\0\344\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\3\0\0\200\3\0\0\344\10\0\0" )  ) == 0x0
 02926  2016   NtResumeThread  (972, ... 1, ) == 0x0
 02927  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 163315712, 1048576, ) == 0x0
 02928  2016   NtAllocateVirtualMemory  (-1, 164356096, 0, 8192, 4096, 4, ... 164356096, 8192, ) == 0x0
 02929  2276   NtWaitForSingleObject  (88, 0, 0x0, ...
 02930  2016   NtProtectVirtualMemory  (-1, (0x9cbe000), 4096, 260, ... (0x9cbe000), 4096, 4, ) == 0x0
 02931  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 976, {896, 2280}, ) == 0x0
 02932  2016   NtQueryInformationThread  (976, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff27000,Pid=896,Tid=2280,}, 0x0, ) == 0x0
 02933  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82003, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0\200\3\0\0\350\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0\200\3\0\0\350\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82004, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0\200\3\0\0\350\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\3\0\0\200\3\0\0\350\10\0\0" )  ) == 0x0
 02934  2016   NtResumeThread  (976, ... 1, ) == 0x0
 02935  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02936  2280   NtWaitForSingleObject  (88, 0, 0x0, ...
 02935  2016   NtAllocateVirtualMemory  ... 164364288, 1048576, ) == 0x0
 02937  2016   NtAllocateVirtualMemory  (-1, 165404672, 0, 8192, 4096, 4, ... 165404672, 8192, ) == 0x0
 02938  2016   NtProtectVirtualMemory  (-1, (0x9dbe000), 4096, 260, ... (0x9dbe000), 4096, 4, ) == 0x0
 02939  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 980, {896, 2284}, ) == 0x0
 02940  2016   NtQueryInformationThread  (980, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff26000,Pid=896,Tid=2284,}, 0x0, ) == 0x0
 02941  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82004, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0\200\3\0\0\354\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0\200\3\0\0\354\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82005, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0\200\3\0\0\354\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0\200\3\0\0\354\10\0\0" )  ) == 0x0
 02942  2016   NtResumeThread  (980, ... 1, ) == 0x0
 02943  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 165412864, 1048576, ) == 0x0
 02944  2016   NtAllocateVirtualMemory  (-1, 166453248, 0, 8192, 4096, 4, ... 166453248, 8192, ) == 0x0
 02945  2284   NtWaitForSingleObject  (88, 0, 0x0, ...
 02946  2016   NtProtectVirtualMemory  (-1, (0x9ebe000), 4096, 260, ... (0x9ebe000), 4096, 4, ) == 0x0
 02947  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 984, {896, 2288}, ) == 0x0
 02948  2016   NtQueryInformationThread  (984, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff25000,Pid=896,Tid=2288,}, 0x0, ) == 0x0
 02949  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82005, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0\200\3\0\0\360\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0\200\3\0\0\360\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82006, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0\200\3\0\0\360\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\3\0\0\200\3\0\0\360\10\0\0" )  ) == 0x0
 02950  2016   NtResumeThread  (984, ... 1, ) == 0x0
 02951  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02952  2288   NtWaitForSingleObject  (88, 0, 0x0, ...
 02951  2016   NtAllocateVirtualMemory  ... 166461440, 1048576, ) == 0x0
 02953  2016   NtAllocateVirtualMemory  (-1, 167501824, 0, 8192, 4096, 4, ... 167501824, 8192, ) == 0x0
 02954  2016   NtProtectVirtualMemory  (-1, (0x9fbe000), 4096, 260, ... (0x9fbe000), 4096, 4, ) == 0x0
 02955  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 988, {896, 2292}, ) == 0x0
 02956  2016   NtQueryInformationThread  (988, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff24000,Pid=896,Tid=2292,}, 0x0, ) == 0x0
 02957  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82006, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\200\3\0\0\364\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\200\3\0\0\364\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82007, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\200\3\0\0\364\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\200\3\0\0\364\10\0\0" )  ) == 0x0
 02958  2016   NtResumeThread  (988, ... 1, ) == 0x0
 02959  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 167510016, 1048576, ) == 0x0
 02960  2016   NtAllocateVirtualMemory  (-1, 168550400, 0, 8192, 4096, 4, ... 168550400, 8192, ) == 0x0
 02961  2292   NtWaitForSingleObject  (88, 0, 0x0, ...
 02962  2016   NtProtectVirtualMemory  (-1, (0xa0be000), 4096, 260, ... (0xa0be000), 4096, 4, ) == 0x0
 02963  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 992, {896, 2296}, ) == 0x0
 02964  2016   NtQueryInformationThread  (992, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff23000,Pid=896,Tid=2296,}, 0x0, ) == 0x0
 02965  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82007, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0\200\3\0\0\370\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0\200\3\0\0\370\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82008, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0\200\3\0\0\370\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\3\0\0\200\3\0\0\370\10\0\0" )  ) == 0x0
 02966  2016   NtResumeThread  (992, ... 1, ) == 0x0
 02967  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02968  2296   NtWaitForSingleObject  (88, 0, 0x0, ...
 02967  2016   NtAllocateVirtualMemory  ... 168558592, 1048576, ) == 0x0
 02969  2016   NtAllocateVirtualMemory  (-1, 169598976, 0, 8192, 4096, 4, ... 169598976, 8192, ) == 0x0
 02970  2016   NtProtectVirtualMemory  (-1, (0xa1be000), 4096, 260, ... (0xa1be000), 4096, 4, ) == 0x0
 02971  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 996, {896, 2300}, ) == 0x0
 02972  2016   NtQueryInformationThread  (996, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff22000,Pid=896,Tid=2300,}, 0x0, ) == 0x0
 02973  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82008, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\3\0\0\200\3\0\0\374\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\3\0\0\200\3\0\0\374\10\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82009, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82008, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\3\0\0\200\3\0\0\374\10\0\0" ... {28, 56, reply, 0, 896, 2016, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\3\0\0\200\3\0\0\374\10\0\0" )  ) == 0x0
 02974  2016   NtResumeThread  (996, ... 1, ) == 0x0
 02975  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 169607168, 1048576, ) == 0x0
 02976  2016   NtAllocateVirtualMemory  (-1, 170647552, 0, 8192, 4096, 4, ... 170647552, 8192, ) == 0x0
 02977  2300   NtWaitForSingleObject  (88, 0, 0x0, ...
 02978  2016   NtProtectVirtualMemory  (-1, (0xa2be000), 4096, 260, ... (0xa2be000), 4096, 4, ) == 0x0
 02979  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1000, {896, 2304}, ) == 0x0
 02980  2016   NtQueryInformationThread  (1000, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff21000,Pid=896,Tid=2304,}, 0x0, ) == 0x0
 02981  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82009, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\200\3\0\0\0\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\200\3\0\0\0\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82010, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\200\3\0\0\0\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\200\3\0\0\0\11\0\0" )  ) == 0x0
 02982  2016   NtResumeThread  (1000, ... 1, ) == 0x0
 02983  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02984  2304   NtWaitForSingleObject  (88, 0, 0x0, ...
 02983  2016   NtAllocateVirtualMemory  ... 170655744, 1048576, ) == 0x0
 02985  2016   NtAllocateVirtualMemory  (-1, 171696128, 0, 8192, 4096, 4, ... 171696128, 8192, ) == 0x0
 02986  2016   NtProtectVirtualMemory  (-1, (0xa3be000), 4096, 260, ... (0xa3be000), 4096, 4, ) == 0x0
 02987  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1004, {896, 2308}, ) == 0x0
 02988  2016   NtQueryInformationThread  (1004, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff20000,Pid=896,Tid=2308,}, 0x0, ) == 0x0
 02989  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82010, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\3\0\0\200\3\0\0\4\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\3\0\0\200\3\0\0\4\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82011, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82010, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\3\0\0\200\3\0\0\4\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\3\0\0\200\3\0\0\4\11\0\0" )  ) == 0x0
 02990  2016   NtResumeThread  (1004, ... 1, ) == 0x0
 02991  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02992  2308   NtWaitForSingleObject  (88, 0, 0x0, ...
 02991  2016   NtAllocateVirtualMemory  ... 171704320, 1048576, ) == 0x0
 02993  2016   NtAllocateVirtualMemory  (-1, 172744704, 0, 8192, 4096, 4, ... 172744704, 8192, ) == 0x0
 02994  2016   NtProtectVirtualMemory  (-1, (0xa4be000), 4096, 260, ... (0xa4be000), 4096, 4, ) == 0x0
 02995  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1008, {896, 2312}, ) == 0x0
 02996  2016   NtQueryInformationThread  (1008, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1f000,Pid=896,Tid=2312,}, 0x0, ) == 0x0
 02997  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82011, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\200\3\0\0\10\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\200\3\0\0\10\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82012, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82011, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\200\3\0\0\10\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\3\0\0\200\3\0\0\10\11\0\0" )  ) == 0x0
 02998  2016   NtResumeThread  (1008, ... 1, ) == 0x0
 02999  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 172752896, 1048576, ) == 0x0
 03000  2016   NtAllocateVirtualMemory  (-1, 173793280, 0, 8192, 4096, 4, ... 173793280, 8192, ) == 0x0
 03001  2312   NtWaitForSingleObject  (88, 0, 0x0, ...
 03002  2016   NtProtectVirtualMemory  (-1, (0xa5be000), 4096, 260, ... (0xa5be000), 4096, 4, ) == 0x0
 03003  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1012, {896, 2316}, ) == 0x0
 03004  2016   NtQueryInformationThread  (1012, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1e000,Pid=896,Tid=2316,}, 0x0, ) == 0x0
 03005  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82012, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\3\0\0\200\3\0\0\14\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\3\0\0\200\3\0\0\14\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82013, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\3\0\0\200\3\0\0\14\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\3\0\0\200\3\0\0\14\11\0\0" )  ) == 0x0
 03006  2016   NtResumeThread  (1012, ... 1, ) == 0x0
 03007  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03008  2316   NtWaitForSingleObject  (88, 0, 0x0, ...
 03007  2016   NtAllocateVirtualMemory  ... 173801472, 1048576, ) == 0x0
 03009  2016   NtAllocateVirtualMemory  (-1, 174841856, 0, 8192, 4096, 4, ... 174841856, 8192, ) == 0x0
 03010  2016   NtProtectVirtualMemory  (-1, (0xa6be000), 4096, 260, ... (0xa6be000), 4096, 4, ) == 0x0
 03011  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1016, {896, 2320}, ) == 0x0
 03012  2016   NtQueryInformationThread  (1016, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1d000,Pid=896,Tid=2320,}, 0x0, ) == 0x0
 03013  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82013, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0\200\3\0\0\20\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0\200\3\0\0\20\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82014, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0\200\3\0\0\20\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\3\0\0\200\3\0\0\20\11\0\0" )  ) == 0x0
 03014  2016   NtResumeThread  (1016, ... 1, ) == 0x0
 03015  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 174850048, 1048576, ) == 0x0
 03016  2016   NtAllocateVirtualMemory  (-1, 175890432, 0, 8192, 4096, 4, ... 175890432, 8192, ) == 0x0
 03017  2320   NtWaitForSingleObject  (88, 0, 0x0, ...
 03018  2016   NtProtectVirtualMemory  (-1, (0xa7be000), 4096, 260, ... (0xa7be000), 4096, 4, ) == 0x0
 03019  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1020, {896, 2324}, ) == 0x0
 03020  2016   NtQueryInformationThread  (1020, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1c000,Pid=896,Tid=2324,}, 0x0, ) == 0x0
 03021  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82014, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0\200\3\0\0\24\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0\200\3\0\0\24\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82015, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82014, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0\200\3\0\0\24\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\3\0\0\200\3\0\0\24\11\0\0" )  ) == 0x0
 03022  2016   NtResumeThread  (1020, ... 1, ) == 0x0
 03023  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03024  2324   NtWaitForSingleObject  (88, 0, 0x0, ...
 03023  2016   NtAllocateVirtualMemory  ... 175898624, 1048576, ) == 0x0
 03025  2016   NtAllocateVirtualMemory  (-1, 176939008, 0, 8192, 4096, 4, ... 176939008, 8192, ) == 0x0
 03026  2016   NtProtectVirtualMemory  (-1, (0xa8be000), 4096, 260, ... (0xa8be000), 4096, 4, ) == 0x0
 03027  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1024, {896, 2328}, ) == 0x0
 03028  2016   NtQueryInformationThread  (1024, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1b000,Pid=896,Tid=2328,}, 0x0, ) == 0x0
 03029  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82015, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0\200\3\0\0\30\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0\200\3\0\0\30\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82016, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0\200\3\0\0\30\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\4\0\0\200\3\0\0\30\11\0\0" )  ) == 0x0
 03030  2016   NtResumeThread  (1024, ... 1, ) == 0x0
 03031  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 176947200, 1048576, ) == 0x0
 03032  2016   NtAllocateVirtualMemory  (-1, 177987584, 0, 8192, 4096, 4, ... 177987584, 8192, ) == 0x0
 03033  2328   NtWaitForSingleObject  (88, 0, 0x0, ...
 03034  2016   NtProtectVirtualMemory  (-1, (0xa9be000), 4096, 260, ... (0xa9be000), 4096, 4, ) == 0x0
 03035  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1028, {896, 2332}, ) == 0x0
 03036  2016   NtQueryInformationThread  (1028, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff1a000,Pid=896,Tid=2332,}, 0x0, ) == 0x0
 03037  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82016, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\4\0\0\200\3\0\0\34\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\4\0\0\200\3\0\0\34\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82017, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\4\0\0\200\3\0\0\34\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\4\0\0\200\3\0\0\34\11\0\0" )  ) == 0x0
 03038  2016   NtResumeThread  (1028, ... 1, ) == 0x0
 03039  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03040  2332   NtWaitForSingleObject  (88, 0, 0x0, ...
 03039  2016   NtAllocateVirtualMemory  ... 177995776, 1048576, ) == 0x0
 03041  2016   NtAllocateVirtualMemory  (-1, 179036160, 0, 8192, 4096, 4, ... 179036160, 8192, ) == 0x0
 03042  2016   NtProtectVirtualMemory  (-1, (0xaabe000), 4096, 260, ... (0xaabe000), 4096, 4, ) == 0x0
 03043  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1032, {896, 2336}, ) == 0x0
 03044  2016   NtQueryInformationThread  (1032, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff19000,Pid=896,Tid=2336,}, 0x0, ) == 0x0
 03045  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82017, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\200\3\0\0 \11\0\0" ... {28, 56, reply, 0, 896, 2016, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\200\3\0\0 \11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82018, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\200\3\0\0 \11\0\0" ... {28, 56, reply, 0, 896, 2016, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\200\3\0\0 \11\0\0" )  ) == 0x0
 03046  2016   NtResumeThread  (1032, ... 1, ) == 0x0
 03047  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 179044352, 1048576, ) == 0x0
 03048  2016   NtAllocateVirtualMemory  (-1, 180084736, 0, 8192, 4096, 4, ... 180084736, 8192, ) == 0x0
 03049  2336   NtWaitForSingleObject  (88, 0, 0x0, ...
 03050  2016   NtProtectVirtualMemory  (-1, (0xabbe000), 4096, 260, ... (0xabbe000), 4096, 4, ) == 0x0
 03051  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1036, {896, 2340}, ) == 0x0
 03052  2016   NtQueryInformationThread  (1036, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff18000,Pid=896,Tid=2340,}, 0x0, ) == 0x0
 03053  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82018, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\4\0\0\200\3\0\0$\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\4\0\0\200\3\0\0$\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82019, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\4\0\0\200\3\0\0$\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\4\0\0\200\3\0\0$\11\0\0" )  ) == 0x0
 03054  2016   NtResumeThread  (1036, ... 1, ) == 0x0
 03055  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03056  2340   NtWaitForSingleObject  (88, 0, 0x0, ...
 03055  2016   NtAllocateVirtualMemory  ... 180092928, 1048576, ) == 0x0
 03057  2016   NtAllocateVirtualMemory  (-1, 181133312, 0, 8192, 4096, 4, ... 181133312, 8192, ) == 0x0
 03058  2016   NtProtectVirtualMemory  (-1, (0xacbe000), 4096, 260, ... (0xacbe000), 4096, 4, ) == 0x0
 03059  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1040, {896, 2344}, ) == 0x0
 03060  2016   NtQueryInformationThread  (1040, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff17000,Pid=896,Tid=2344,}, 0x0, ) == 0x0
 03061  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82019, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\4\0\0\200\3\0\0(\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\4\0\0\200\3\0\0(\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82020, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\4\0\0\200\3\0\0(\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\4\0\0\200\3\0\0(\11\0\0" )  ) == 0x0
 03062  2016   NtResumeThread  (1040, ... 1, ) == 0x0
 03063  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 181141504, 1048576, ) == 0x0
 03064  2016   NtAllocateVirtualMemory  (-1, 182181888, 0, 8192, 4096, 4, ... 182181888, 8192, ) == 0x0
 03065  2344   NtWaitForSingleObject  (88, 0, 0x0, ...
 03066  2016   NtProtectVirtualMemory  (-1, (0xadbe000), 4096, 260, ... (0xadbe000), 4096, 4, ) == 0x0
 03067  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1044, {896, 2348}, ) == 0x0
 03068  2016   NtQueryInformationThread  (1044, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff16000,Pid=896,Tid=2348,}, 0x0, ) == 0x0
 03069  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82020, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\4\0\0\200\3\0\0,\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\4\0\0\200\3\0\0,\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82021, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\4\0\0\200\3\0\0,\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\4\0\0\200\3\0\0,\11\0\0" )  ) == 0x0
 03070  2016   NtResumeThread  (1044, ... 1, ) == 0x0
 03071  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03072  2348   NtWaitForSingleObject  (88, 0, 0x0, ...
 03071  2016   NtAllocateVirtualMemory  ... 182190080, 1048576, ) == 0x0
 03073  2016   NtAllocateVirtualMemory  (-1, 183230464, 0, 8192, 4096, 4, ... 183230464, 8192, ) == 0x0
 03074  2016   NtProtectVirtualMemory  (-1, (0xaebe000), 4096, 260, ... (0xaebe000), 4096, 4, ) == 0x0
 03075  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1048, {896, 2352}, ) == 0x0
 03076  2016   NtQueryInformationThread  (1048, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff15000,Pid=896,Tid=2352,}, 0x0, ) == 0x0
 03077  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82021, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\200\3\0\00\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\200\3\0\00\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82022, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\200\3\0\00\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\200\3\0\00\11\0\0" )  ) == 0x0
 03078  2016   NtResumeThread  (1048, ... 1, ) == 0x0
 03079  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 183238656, 1048576, ) == 0x0
 03080  2016   NtAllocateVirtualMemory  (-1, 184279040, 0, 8192, 4096, 4, ... 184279040, 8192, ) == 0x0
 03081  2352   NtWaitForSingleObject  (88, 0, 0x0, ...
 03082  2016   NtProtectVirtualMemory  (-1, (0xafbe000), 4096, 260, ... (0xafbe000), 4096, 4, ) == 0x0
 03083  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1052, {896, 2356}, ) == 0x0
 03084  2016   NtQueryInformationThread  (1052, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff14000,Pid=896,Tid=2356,}, 0x0, ) == 0x0
 03085  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82022, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\4\0\0\200\3\0\04\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\4\0\0\200\3\0\04\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82023, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82022, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\4\0\0\200\3\0\04\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\4\0\0\200\3\0\04\11\0\0" )  ) == 0x0
 03086  2016   NtResumeThread  (1052, ... 1, ) == 0x0
 03087  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03088  2356   NtWaitForSingleObject  (88, 0, 0x0, ...
 03087  2016   NtAllocateVirtualMemory  ... 184287232, 1048576, ) == 0x0
 03089  2016   NtAllocateVirtualMemory  (-1, 185327616, 0, 8192, 4096, 4, ... 185327616, 8192, ) == 0x0
 03090  2016   NtProtectVirtualMemory  (-1, (0xb0be000), 4096, 260, ... (0xb0be000), 4096, 4, ) == 0x0
 03091  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1056, {896, 2360}, ) == 0x0
 03092  2016   NtQueryInformationThread  (1056, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff13000,Pid=896,Tid=2360,}, 0x0, ) == 0x0
 03093  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82023, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\200\3\0\08\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\200\3\0\08\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82024, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82023, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\200\3\0\08\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \4\0\0\200\3\0\08\11\0\0" )  ) == 0x0
 03094  2016   NtResumeThread  (1056, ... 1, ) == 0x0
 03095  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 185335808, 1048576, ) == 0x0
 03096  2016   NtAllocateVirtualMemory  (-1, 186376192, 0, 8192, 4096, 4, ... 186376192, 8192, ) == 0x0
 03097  2360   NtWaitForSingleObject  (88, 0, 0x0, ...
 03098  2016   NtProtectVirtualMemory  (-1, (0xb1be000), 4096, 260, ... (0xb1be000), 4096, 4, ) == 0x0
 03099  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1060, {896, 2364}, ) == 0x0
 03100  2016   NtQueryInformationThread  (1060, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff12000,Pid=896,Tid=2364,}, 0x0, ) == 0x0
 03101  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82024, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\4\0\0\200\3\0\0<\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\4\0\0\200\3\0\0<\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82025, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\4\0\0\200\3\0\0<\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\4\0\0\200\3\0\0<\11\0\0" )  ) == 0x0
 03102  2016   NtResumeThread  (1060, ... 1, ) == 0x0
 03103  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03104  2364   NtWaitForSingleObject  (88, 0, 0x0, ...
 03103  2016   NtAllocateVirtualMemory  ... 186384384, 1048576, ) == 0x0
 03105  2016   NtAllocateVirtualMemory  (-1, 187424768, 0, 8192, 4096, 4, ... 187424768, 8192, ) == 0x0
 03106  2016   NtProtectVirtualMemory  (-1, (0xb2be000), 4096, 260, ... (0xb2be000), 4096, 4, ) == 0x0
 03107  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1064, {896, 2368}, ) == 0x0
 03108  2016   NtQueryInformationThread  (1064, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff11000,Pid=896,Tid=2368,}, 0x0, ) == 0x0
 03109  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82025, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\200\3\0\0@\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\200\3\0\0@\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82026, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\200\3\0\0@\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\4\0\0\200\3\0\0@\11\0\0" )  ) == 0x0
 03110  2016   NtResumeThread  (1064, ... 1, ) == 0x0
 03111  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 187432960, 1048576, ) == 0x0
 03112  2016   NtAllocateVirtualMemory  (-1, 188473344, 0, 8192, 4096, 4, ... 188473344, 8192, ) == 0x0
 03113  2368   NtWaitForSingleObject  (88, 0, 0x0, ...
 03114  2016   NtProtectVirtualMemory  (-1, (0xb3be000), 4096, 260, ... (0xb3be000), 4096, 4, ) == 0x0
 03115  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1068, {896, 2372}, ) == 0x0
 03116  2016   NtQueryInformationThread  (1068, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff10000,Pid=896,Tid=2372,}, 0x0, ) == 0x0
 03117  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82026, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\4\0\0\200\3\0\0D\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\4\0\0\200\3\0\0D\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82027, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\4\0\0\200\3\0\0D\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\4\0\0\200\3\0\0D\11\0\0" )  ) == 0x0
 03118  2016   NtResumeThread  (1068, ... 1, ) == 0x0
 03119  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03120  2372   NtWaitForSingleObject  (88, 0, 0x0, ...
 03119  2016   NtAllocateVirtualMemory  ... 188481536, 1048576, ) == 0x0
 03121  2016   NtAllocateVirtualMemory  (-1, 189521920, 0, 8192, 4096, 4, ... 189521920, 8192, ) == 0x0
 03122  2016   NtProtectVirtualMemory  (-1, (0xb4be000), 4096, 260, ... (0xb4be000), 4096, 4, ) == 0x0
 03123  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1072, {896, 2376}, ) == 0x0
 03124  2016   NtQueryInformationThread  (1072, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff0f000,Pid=896,Tid=2376,}, 0x0, ) == 0x0
 03125  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82027, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\200\3\0\0H\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\200\3\0\0H\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82028, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\200\3\0\0H\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG0\4\0\0\200\3\0\0H\11\0\0" )  ) == 0x0
 03126  2016   NtResumeThread  (1072, ... 1, ) == 0x0
 03127  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 189530112, 1048576, ) == 0x0
 03128  2016   NtAllocateVirtualMemory  (-1, 190570496, 0, 8192, 4096, 4, ... 190570496, 8192, ) == 0x0
 03129  2376   NtWaitForSingleObject  (88, 0, 0x0, ...
 03130  2016   NtProtectVirtualMemory  (-1, (0xb5be000), 4096, 260, ... (0xb5be000), 4096, 4, ) == 0x0
 03131  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1076, {896, 2380}, ) == 0x0
 03132  2016   NtQueryInformationThread  (1076, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff0e000,Pid=896,Tid=2380,}, 0x0, ) == 0x0
 03133  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82028, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\4\0\0\200\3\0\0L\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\4\0\0\200\3\0\0L\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82029, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\4\0\0\200\3\0\0L\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\4\0\0\200\3\0\0L\11\0\0" )  ) == 0x0
 03134  2016   NtResumeThread  (1076, ... 1, ) == 0x0
 03135  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03136  2380   NtWaitForSingleObject  (88, 0, 0x0, ...
 03135  2016   NtAllocateVirtualMemory  ... 190578688, 1048576, ) == 0x0
 03137  2016   NtAllocateVirtualMemory  (-1, 191619072, 0, 8192, 4096, 4, ... 191619072, 8192, ) == 0x0
 03138  2016   NtProtectVirtualMemory  (-1, (0xb6be000), 4096, 260, ... (0xb6be000), 4096, 4, ) == 0x0
 03139  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1080, {896, 2384}, ) == 0x0
 03140  2016   NtQueryInformationThread  (1080, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff0d000,Pid=896,Tid=2384,}, 0x0, ) == 0x0
 03141  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82029, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\4\0\0\200\3\0\0P\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\4\0\0\200\3\0\0P\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82030, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\4\0\0\200\3\0\0P\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\4\0\0\200\3\0\0P\11\0\0" )  ) == 0x0
 03142  2016   NtResumeThread  (1080, ... 1, ) == 0x0
 03143  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 191627264, 1048576, ) == 0x0
 03144  2016   NtAllocateVirtualMemory  (-1, 192667648, 0, 8192, 4096, 4, ... 192667648, 8192, ) == 0x0
 03145  2384   NtWaitForSingleObject  (88, 0, 0x0, ...
 03146  2016   NtProtectVirtualMemory  (-1, (0xb7be000), 4096, 260, ... (0xb7be000), 4096, 4, ) == 0x0
 03147  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03148  1028   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 03149  1028   NtFlushInstructionCache  (-1, 1995837440, 228, ...
 03147  2016   NtCreateThread  ... 1084, {896, 2388}, ) == 0x0
 03150  2016   NtQueryInformationThread  (1084, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff0c000,Pid=896,Tid=2388,}, 0x0, ) == 0x0
 03151  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82030, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\4\0\0\200\3\0\0T\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\4\0\0\200\3\0\0T\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82031, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\4\0\0\200\3\0\0T\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\4\0\0\200\3\0\0T\11\0\0" )  ) == 0x0
 03152  2016   NtResumeThread  (1084, ... 1, ) == 0x0
 03153  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 192675840, 1048576, ) == 0x0
 03154  2016   NtAllocateVirtualMemory  (-1, 193716224, 0, 8192, 4096, 4, ... 193716224, 8192, ) == 0x0
 03149  1028   NtFlushInstructionCache  ... ) == 0x0
 03155  2388   NtWaitForSingleObject  (88, 0, 0x0, ...
 03156  1028   NtProtectVirtualMemory  (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0
 03157  1028   NtProtectVirtualMemory  (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0
 03158  1028   NtFlushInstructionCache  (-1, 1995837440, 228, ... ) == 0x0
 03159  1028   NtProtectVirtualMemory  (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0
 03160  1028   NtProtectVirtualMemory  (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0
 03161  1028   NtFlushInstructionCache  (-1, 1996165120, 232, ...
 03162  2016   NtProtectVirtualMemory  (-1, (0xb8be000), 4096, 260, ... (0xb8be000), 4096, 4, ) == 0x0
 03163  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1088, {896, 2392}, ) == 0x0
 03164  2016   NtQueryInformationThread  (1088, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff0b000,Pid=896,Tid=2392,}, 0x0, ) == 0x0
 03165  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82031, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\4\0\0\200\3\0\0X\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\4\0\0\200\3\0\0X\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82032, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82031, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\4\0\0\200\3\0\0X\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\4\0\0\200\3\0\0X\11\0\0" )  ) == 0x0
 03166  2016   NtResumeThread  (1088, ... 1, ) == 0x0
 03167  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03161  1028   NtFlushInstructionCache  ... ) == 0x0
 03168  2392   NtWaitForSingleObject  (88, 0, 0x0, ...
 03167  2016   NtAllocateVirtualMemory  ... 193724416, 1048576, ) == 0x0
 03169  2016   NtAllocateVirtualMemory  (-1, 194764800, 0, 8192, 4096, 4, ... 194764800, 8192, ) == 0x0
 03170  2016   NtProtectVirtualMemory  (-1, (0xb9be000), 4096, 260, ... (0xb9be000), 4096, 4, ) == 0x0
 03171  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1092, {896, 2396}, ) == 0x0
 03172  2016   NtQueryInformationThread  (1092, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff0a000,Pid=896,Tid=2396,}, 0x0, ) == 0x0
 03173  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82032, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\4\0\0\200\3\0\0\\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\4\0\0\200\3\0\0\\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82033, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82032, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\4\0\0\200\3\0\0\\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\4\0\0\200\3\0\0\\11\0\0" )  ) == 0x0
 03174  2016   NtResumeThread  (1092, ... 1, ) == 0x0
 03175  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 194772992, 1048576, ) == 0x0
 03176  2016   NtAllocateVirtualMemory  (-1, 195813376, 0, 8192, 4096, 4, ... 195813376, 8192, ) == 0x0
 03177  2396   NtWaitForSingleObject  (88, 0, 0x0, ...
 03178  2016   NtProtectVirtualMemory  (-1, (0xbabe000), 4096, 260, ... (0xbabe000), 4096, 4, ) == 0x0
 03179  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1096, {896, 2400}, ) == 0x0
 03180  2016   NtQueryInformationThread  (1096, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff09000,Pid=896,Tid=2400,}, 0x0, ) == 0x0
 03181  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82033, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\200\3\0\0`\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\200\3\0\0`\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82034, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82033, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\200\3\0\0`\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\4\0\0\200\3\0\0`\11\0\0" )  ) == 0x0
 03182  2016   NtResumeThread  (1096, ... 1, ) == 0x0
 03183  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03184  2400   NtWaitForSingleObject  (88, 0, 0x0, ...
 03183  2016   NtAllocateVirtualMemory  ... 195821568, 1048576, ) == 0x0
 03185  2016   NtAllocateVirtualMemory  (-1, 196861952, 0, 8192, 4096, 4, ... 196861952, 8192, ) == 0x0
 03186  2016   NtProtectVirtualMemory  (-1, (0xbbbe000), 4096, 260, ... (0xbbbe000), 4096, 4, ) == 0x0
 03187  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1100, {896, 2404}, ) == 0x0
 03188  2016   NtQueryInformationThread  (1100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff08000,Pid=896,Tid=2404,}, 0x0, ) == 0x0
 03189  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82034, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\4\0\0\200\3\0\0d\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\4\0\0\200\3\0\0d\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82035, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82034, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\4\0\0\200\3\0\0d\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\4\0\0\200\3\0\0d\11\0\0" )  ) == 0x0
 03190  2016   NtResumeThread  (1100, ... 1, ) == 0x0
 03191  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 196870144, 1048576, ) == 0x0
 03192  2016   NtAllocateVirtualMemory  (-1, 197910528, 0, 8192, 4096, 4, ... 197910528, 8192, ) == 0x0
 03193  2404   NtWaitForSingleObject  (88, 0, 0x0, ...
 03194  2016   NtProtectVirtualMemory  (-1, (0xbcbe000), 4096, 260, ... (0xbcbe000), 4096, 4, ) == 0x0
 03195  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1104, {896, 2408}, ) == 0x0
 03196  2016   NtQueryInformationThread  (1104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff07000,Pid=896,Tid=2408,}, 0x0, ) == 0x0
 03197  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82035, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\4\0\0\200\3\0\0h\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\4\0\0\200\3\0\0h\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82036, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82035, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\4\0\0\200\3\0\0h\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\4\0\0\200\3\0\0h\11\0\0" )  ) == 0x0
 03198  2016   NtResumeThread  (1104, ... 1, ) == 0x0
 03199  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03200  2408   NtWaitForSingleObject  (88, 0, 0x0, ...
 03199  2016   NtAllocateVirtualMemory  ... 197918720, 1048576, ) == 0x0
 03201  2016   NtAllocateVirtualMemory  (-1, 198959104, 0, 8192, 4096, 4, ... 198959104, 8192, ) == 0x0
 03202  2016   NtProtectVirtualMemory  (-1, (0xbdbe000), 4096, 260, ... (0xbdbe000), 4096, 4, ) == 0x0
 03203  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1108, {896, 2412}, ) == 0x0
 03204  2016   NtQueryInformationThread  (1108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff06000,Pid=896,Tid=2412,}, 0x0, ) == 0x0
 03205  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82036, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\4\0\0\200\3\0\0l\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\4\0\0\200\3\0\0l\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82037, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\4\0\0\200\3\0\0l\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\4\0\0\200\3\0\0l\11\0\0" )  ) == 0x0
 03206  2016   NtResumeThread  (1108, ... 1, ) == 0x0
 03207  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 198967296, 1048576, ) == 0x0
 03208  2016   NtAllocateVirtualMemory  (-1, 200007680, 0, 8192, 4096, 4, ... 200007680, 8192, ) == 0x0
 03209  2412   NtWaitForSingleObject  (88, 0, 0x0, ...
 03210  2016   NtProtectVirtualMemory  (-1, (0xbebe000), 4096, 260, ... (0xbebe000), 4096, 4, ) == 0x0
 03211  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1112, {896, 2416}, ) == 0x0
 03212  2016   NtQueryInformationThread  (1112, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff05000,Pid=896,Tid=2416,}, 0x0, ) == 0x0
 03213  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82037, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\4\0\0\200\3\0\0p\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\4\0\0\200\3\0\0p\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82038, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82037, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\4\0\0\200\3\0\0p\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\4\0\0\200\3\0\0p\11\0\0" )  ) == 0x0
 03214  2016   NtResumeThread  (1112, ... 1, ) == 0x0
 03215  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03216  2416   NtWaitForSingleObject  (88, 0, 0x0, ...
 03215  2016   NtAllocateVirtualMemory  ... 200015872, 1048576, ) == 0x0
 03217  2016   NtAllocateVirtualMemory  (-1, 201056256, 0, 8192, 4096, 4, ... 201056256, 8192, ) == 0x0
 03218  2016   NtProtectVirtualMemory  (-1, (0xbfbe000), 4096, 260, ... (0xbfbe000), 4096, 4, ) == 0x0
 03219  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1116, {896, 2420}, ) == 0x0
 03220  2016   NtQueryInformationThread  (1116, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff04000,Pid=896,Tid=2420,}, 0x0, ) == 0x0
 03221  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82038, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\4\0\0\200\3\0\0t\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\4\0\0\200\3\0\0t\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82039, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82038, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\4\0\0\200\3\0\0t\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\4\0\0\200\3\0\0t\11\0\0" )  ) == 0x0
 03222  2016   NtResumeThread  (1116, ... 1, ) == 0x0
 03223  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 201064448, 1048576, ) == 0x0
 03224  2016   NtAllocateVirtualMemory  (-1, 202104832, 0, 8192, 4096, 4, ... 202104832, 8192, ) == 0x0
 03225  2420   NtWaitForSingleObject  (88, 0, 0x0, ...
 03226  2016   NtProtectVirtualMemory  (-1, (0xc0be000), 4096, 260, ... (0xc0be000), 4096, 4, ) == 0x0
 03227  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1120, {896, 2424}, ) == 0x0
 03228  2016   NtQueryInformationThread  (1120, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff03000,Pid=896,Tid=2424,}, 0x0, ) == 0x0
 03229  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82039, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\4\0\0\200\3\0\0x\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\4\0\0\200\3\0\0x\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82040, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82039, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\4\0\0\200\3\0\0x\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\4\0\0\200\3\0\0x\11\0\0" )  ) == 0x0
 03230  2016   NtResumeThread  (1120, ... 1, ) == 0x0
 03231  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03232  2424   NtWaitForSingleObject  (88, 0, 0x0, ...
 03231  2016   NtAllocateVirtualMemory  ... 202113024, 1048576, ) == 0x0
 03233  2016   NtAllocateVirtualMemory  (-1, 203153408, 0, 8192, 4096, 4, ... 203153408, 8192, ) == 0x0
 03234  2016   NtProtectVirtualMemory  (-1, (0xc1be000), 4096, 260, ... (0xc1be000), 4096, 4, ) == 0x0
 03235  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1124, {896, 2428}, ) == 0x0
 03236  2016   NtQueryInformationThread  (1124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff02000,Pid=896,Tid=2428,}, 0x0, ) == 0x0
 03237  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82040, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\4\0\0\200\3\0\0|\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\4\0\0\200\3\0\0|\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82041, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82040, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\4\0\0\200\3\0\0|\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\4\0\0\200\3\0\0|\11\0\0" )  ) == 0x0
 03238  2016   NtResumeThread  (1124, ... 1, ) == 0x0
 03239  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 203161600, 1048576, ) == 0x0
 03240  2016   NtAllocateVirtualMemory  (-1, 204201984, 0, 8192, 4096, 4, ... 204201984, 8192, ) == 0x0
 03241  2428   NtWaitForSingleObject  (88, 0, 0x0, ...
 03242  2016   NtProtectVirtualMemory  (-1, (0xc2be000), 4096, 260, ... (0xc2be000), 4096, 4, ) == 0x0
 03243  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1128, {896, 2432}, ) == 0x0
 03244  2016   NtQueryInformationThread  (1128, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff01000,Pid=896,Tid=2432,}, 0x0, ) == 0x0
 03245  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82041, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\4\0\0\200\3\0\0\200\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\4\0\0\200\3\0\0\200\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82042, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82041, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\4\0\0\200\3\0\0\200\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\4\0\0\200\3\0\0\200\11\0\0" )  ) == 0x0
 03246  2016   NtResumeThread  (1128, ... 1, ) == 0x0
 03247  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03248  2432   NtWaitForSingleObject  (88, 0, 0x0, ...
 03247  2016   NtAllocateVirtualMemory  ... 204210176, 1048576, ) == 0x0
 03249  2016   NtAllocateVirtualMemory  (-1, 205250560, 0, 8192, 4096, 4, ... 205250560, 8192, ) == 0x0
 03250  2016   NtProtectVirtualMemory  (-1, (0xc3be000), 4096, 260, ... (0xc3be000), 4096, 4, ) == 0x0
 03251  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1132, {896, 2436}, ) == 0x0
 03252  2016   NtQueryInformationThread  (1132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff00000,Pid=896,Tid=2436,}, 0x0, ) == 0x0
 03253  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82042, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\4\0\0\200\3\0\0\204\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\4\0\0\200\3\0\0\204\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82043, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82042, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\4\0\0\200\3\0\0\204\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\4\0\0\200\3\0\0\204\11\0\0" )  ) == 0x0
 03254  2016   NtResumeThread  (1132, ... 1, ) == 0x0
 03255  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 205258752, 1048576, ) == 0x0
 03256  2016   NtAllocateVirtualMemory  (-1, 206299136, 0, 8192, 4096, 4, ... 206299136, 8192, ) == 0x0
 03257  2436   NtWaitForSingleObject  (88, 0, 0x0, ...
 03258  2016   NtProtectVirtualMemory  (-1, (0xc4be000), 4096, 260, ... (0xc4be000), 4096, 4, ) == 0x0
 03259  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1136, {896, 2440}, ) == 0x0
 03260  2016   NtQueryInformationThread  (1136, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7feff000,Pid=896,Tid=2440,}, 0x0, ) == 0x0
 03261  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82043, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\4\0\0\200\3\0\0\210\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\4\0\0\200\3\0\0\210\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82044, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82043, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\4\0\0\200\3\0\0\210\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\4\0\0\200\3\0\0\210\11\0\0" )  ) == 0x0
 03262  2016   NtResumeThread  (1136, ... 1, ) == 0x0
 03263  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03264  2440   NtWaitForSingleObject  (88, 0, 0x0, ...
 03263  2016   NtAllocateVirtualMemory  ... 206307328, 1048576, ) == 0x0
 03265  2016   NtAllocateVirtualMemory  (-1, 207347712, 0, 8192, 4096, 4, ... 207347712, 8192, ) == 0x0
 03266  2016   NtProtectVirtualMemory  (-1, (0xc5be000), 4096, 260, ... (0xc5be000), 4096, 4, ) == 0x0
 03267  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1140, {896, 2444}, ) == 0x0
 03268  2016   NtQueryInformationThread  (1140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fefe000,Pid=896,Tid=2444,}, 0x0, ) == 0x0
 03269  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82044, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\4\0\0\200\3\0\0\214\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\4\0\0\200\3\0\0\214\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82045, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\4\0\0\200\3\0\0\214\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\4\0\0\200\3\0\0\214\11\0\0" )  ) == 0x0
 03270  2016   NtResumeThread  (1140, ... 1, ) == 0x0
 03271  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 207355904, 1048576, ) == 0x0
 03272  2016   NtAllocateVirtualMemory  (-1, 208396288, 0, 8192, 4096, 4, ... 208396288, 8192, ) == 0x0
 03273  2444   NtWaitForSingleObject  (88, 0, 0x0, ...
 03274  2016   NtProtectVirtualMemory  (-1, (0xc6be000), 4096, 260, ... (0xc6be000), 4096, 4, ) == 0x0
 03275  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1144, {896, 2448}, ) == 0x0
 03276  2016   NtQueryInformationThread  (1144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fefd000,Pid=896,Tid=2448,}, 0x0, ) == 0x0
 03277  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82045, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\4\0\0\200\3\0\0\220\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\4\0\0\200\3\0\0\220\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82046, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82045, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\4\0\0\200\3\0\0\220\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\4\0\0\200\3\0\0\220\11\0\0" )  ) == 0x0
 03278  2016   NtResumeThread  (1144, ... 1, ) == 0x0
 03279  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03280  2448   NtWaitForSingleObject  (88, 0, 0x0, ...
 03279  2016   NtAllocateVirtualMemory  ... 208404480, 1048576, ) == 0x0
 03281  2016   NtAllocateVirtualMemory  (-1, 209444864, 0, 8192, 4096, 4, ... 209444864, 8192, ) == 0x0
 03282  2016   NtProtectVirtualMemory  (-1, (0xc7be000), 4096, 260, ... (0xc7be000), 4096, 4, ) == 0x0
 03283  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1148, {896, 2452}, ) == 0x0
 03284  2016   NtQueryInformationThread  (1148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fefc000,Pid=896,Tid=2452,}, 0x0, ) == 0x0
 03285  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82046, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\4\0\0\200\3\0\0\224\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\4\0\0\200\3\0\0\224\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82047, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82046, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\4\0\0\200\3\0\0\224\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\4\0\0\200\3\0\0\224\11\0\0" )  ) == 0x0
 03286  2016   NtResumeThread  (1148, ... 1, ) == 0x0
 03287  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 209453056, 1048576, ) == 0x0
 03288  2016   NtAllocateVirtualMemory  (-1, 210493440, 0, 8192, 4096, 4, ... 210493440, 8192, ) == 0x0
 03289  2452   NtWaitForSingleObject  (88, 0, 0x0, ...
 03290  2016   NtProtectVirtualMemory  (-1, (0xc8be000), 4096, 260, ... (0xc8be000), 4096, 4, ) == 0x0
 03291  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1152, {896, 2456}, ) == 0x0
 03292  2016   NtQueryInformationThread  (1152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fefb000,Pid=896,Tid=2456,}, 0x0, ) == 0x0
 03293  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82047, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\4\0\0\200\3\0\0\230\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\4\0\0\200\3\0\0\230\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82048, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82047, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\4\0\0\200\3\0\0\230\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\4\0\0\200\3\0\0\230\11\0\0" )  ) == 0x0
 03294  2016   NtResumeThread  (1152, ... 1, ) == 0x0
 03295  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03296  2456   NtWaitForSingleObject  (88, 0, 0x0, ...
 03295  2016   NtAllocateVirtualMemory  ... 210501632, 1048576, ) == 0x0
 03297  2016   NtAllocateVirtualMemory  (-1, 211542016, 0, 8192, 4096, 4, ... 211542016, 8192, ) == 0x0
 03298  2016   NtProtectVirtualMemory  (-1, (0xc9be000), 4096, 260, ... (0xc9be000), 4096, 4, ) == 0x0
 03299  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1156, {896, 2460}, ) == 0x0
 03300  2016   NtQueryInformationThread  (1156, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fefa000,Pid=896,Tid=2460,}, 0x0, ) == 0x0
 03301  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82048, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\4\0\0\200\3\0\0\234\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\4\0\0\200\3\0\0\234\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82049, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\4\0\0\200\3\0\0\234\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\4\0\0\200\3\0\0\234\11\0\0" )  ) == 0x0
 03302  2016   NtResumeThread  (1156, ... 1, ) == 0x0
 03303  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 211550208, 1048576, ) == 0x0
 03304  2016   NtAllocateVirtualMemory  (-1, 212590592, 0, 8192, 4096, 4, ... 212590592, 8192, ) == 0x0
 03305  2460   NtWaitForSingleObject  (88, 0, 0x0, ...
 03306  2016   NtProtectVirtualMemory  (-1, (0xcabe000), 4096, 260, ... (0xcabe000), 4096, 4, ) == 0x0
 03307  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1160, {896, 2464}, ) == 0x0
 03308  2016   NtQueryInformationThread  (1160, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef9000,Pid=896,Tid=2464,}, 0x0, ) == 0x0
 03309  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82049, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\4\0\0\200\3\0\0\240\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\4\0\0\200\3\0\0\240\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82050, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\4\0\0\200\3\0\0\240\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\4\0\0\200\3\0\0\240\11\0\0" )  ) == 0x0
 03310  2016   NtResumeThread  (1160, ... 1, ) == 0x0
 03311  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03312  2464   NtWaitForSingleObject  (88, 0, 0x0, ...
 03311  2016   NtAllocateVirtualMemory  ... 212598784, 1048576, ) == 0x0
 03313  2016   NtAllocateVirtualMemory  (-1, 213639168, 0, 8192, 4096, 4, ... 213639168, 8192, ) == 0x0
 03314  2016   NtProtectVirtualMemory  (-1, (0xcbbe000), 4096, 260, ... (0xcbbe000), 4096, 4, ) == 0x0
 03315  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1164, {896, 2468}, ) == 0x0
 03316  2016   NtQueryInformationThread  (1164, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef8000,Pid=896,Tid=2468,}, 0x0, ) == 0x0
 03317  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82050, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\4\0\0\200\3\0\0\244\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\4\0\0\200\3\0\0\244\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82051, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\4\0\0\200\3\0\0\244\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\4\0\0\200\3\0\0\244\11\0\0" )  ) == 0x0
 03318  2016   NtResumeThread  (1164, ... 1, ) == 0x0
 03319  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 213647360, 1048576, ) == 0x0
 03320  2016   NtAllocateVirtualMemory  (-1, 214687744, 0, 8192, 4096, 4, ... 214687744, 8192, ) == 0x0
 03321  2468   NtWaitForSingleObject  (88, 0, 0x0, ...
 03322  2016   NtProtectVirtualMemory  (-1, (0xccbe000), 4096, 260, ... (0xccbe000), 4096, 4, ) == 0x0
 03323  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1168, {896, 2472}, ) == 0x0
 03324  2016   NtQueryInformationThread  (1168, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef7000,Pid=896,Tid=2472,}, 0x0, ) == 0x0
 03325  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82051, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\4\0\0\200\3\0\0\250\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\4\0\0\200\3\0\0\250\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82052, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\4\0\0\200\3\0\0\250\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\4\0\0\200\3\0\0\250\11\0\0" )  ) == 0x0
 03326  2016   NtResumeThread  (1168, ... 1, ) == 0x0
 03327  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03328  2472   NtWaitForSingleObject  (88, 0, 0x0, ...
 03327  2016   NtAllocateVirtualMemory  ... 214695936, 1048576, ) == 0x0
 03329  2016   NtAllocateVirtualMemory  (-1, 215736320, 0, 8192, 4096, 4, ... 215736320, 8192, ) == 0x0
 03330  2016   NtProtectVirtualMemory  (-1, (0xcdbe000), 4096, 260, ... (0xcdbe000), 4096, 4, ) == 0x0
 03331  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1172, {896, 2476}, ) == 0x0
 03332  2016   NtQueryInformationThread  (1172, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef6000,Pid=896,Tid=2476,}, 0x0, ) == 0x0
 03333  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82052, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\4\0\0\200\3\0\0\254\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\4\0\0\200\3\0\0\254\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82053, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82052, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\4\0\0\200\3\0\0\254\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\4\0\0\200\3\0\0\254\11\0\0" )  ) == 0x0
 03334  2016   NtResumeThread  (1172, ... 1, ) == 0x0
 03335  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 215744512, 1048576, ) == 0x0
 03336  2016   NtAllocateVirtualMemory  (-1, 216784896, 0, 8192, 4096, 4, ... 216784896, 8192, ) == 0x0
 03337  2476   NtWaitForSingleObject  (88, 0, 0x0, ...
 03338  2016   NtProtectVirtualMemory  (-1, (0xcebe000), 4096, 260, ... (0xcebe000), 4096, 4, ) == 0x0
 03339  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1176, {896, 2480}, ) == 0x0
 03340  2016   NtQueryInformationThread  (1176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7fef5000,Pid=896,Tid=2480,}, 0x0, ) == 0x0
 03341  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82053, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\4\0\0\200\3\0\0\260\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\4\0\0\200\3\0\0\260\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82054, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82053, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\4\0\0\200\3\0\0\260\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\4\0\0\200\3\0\0\260\11\0\0" )  ) == 0x0
 03342  2016   NtResumeThread  (1176, ... 1, ) == 0x0
 03343  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03344  2480   NtWaitForSingleObject  (88, 0, 0x0, ...
 03343  2016   NtAllocateVirtualMemory  ... 216793088, 1048576, ) == 0x0
 03345  2016   NtAllocateVirtualMemory  (-1, 217833472, 0, 8192, 4096, 4, ... 217833472, 8192, ) == 0x0
 03346  2016   NtProtectVirtualMemory  (-1, (0xcfbe000), 4096, 260, ... (0xcfbe000), 4096, 4, ) == 0x0
 03347  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 1180, {896, 2484}, ) == 0x0
 03348  2016   NtQueryInformationThread  (1180, Basic, 28, ...
 03349  1028   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03350  1028   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 1184, ) == 0x0
 03351  1028   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 1188, ) }, ... 1188, ) == 0x0
 03352  1028   NtQueryValueKey  (1188,  (1188, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (1188, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03353  1028   NtClose  (1188, ...
 03348  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7fef4000,Pid=896,Tid=2484,}, 0x0, ) == 0x0
 03354  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82054, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\4\0\0\200\3\0\0\264\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\4\0\0\200\3\0\0\264\11\0\0" )  ... {28, 56, reply, 0, 896, 2016, 82055, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\4\0\0\200\3\0\0\264\11\0\0" ... {28, 56, reply, 0, 896, 2016, 82055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\4\0\0\200\3\0\0\264\11\0\0" )  ) == 0x0
 03355  2016   NtResumeThread  (1180, ... 1, ) == 0x0
 03356  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 217841664, 1048576, ) == 0x0
 03357  2016   NtAllocateVirtualMemory  (-1, 218882048, 0, 8192, 4096, 4, ... 218882048, 8192, ) == 0x0
 03353  1028   NtClose  ... ) == 0x0
 02245   596   NtRequestWaitReplyPort  ... {44, 68, reply, 0, 896, 596, 81918, 0}  ... {44, 68, reply, 0, 896, 596, 81918, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03358  2484   NtWaitForSingleObject  (88, 0, 0x0, ...
 03359  1028   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... }, ...
 03360   596   NtRaiseException  (11008528, 11007788, 1, ...
 03359  1028   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03361   596   NtQueryVirtualMemory  (-1, 0x77ea0470, BasicVlm, 16, ...
 03362  1028   NtQueryPerformanceCounter  (...
 03361   596   NtQueryVirtualMemory  ... {memory info, class 3, size 16}, 0x0, ) == 0x0
 03363  2016   NtProtectVirtualMemory  (-1, (0xd0be000), 4096, 260, ...
 03364   596   NtQueryVirtualMemory  (-1, 0x77e7a298, Basic, 28, ...
 03363  2016   NtProtectVirtualMemory  ... (0xd0be000), 4096, 4, ) == 0x0
 03364   596   NtQueryVirtualMemory  ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 03365  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03362  1028   NtQueryPerformanceCounter  ... {-1448496027, 16}, {3579545, 0}, ) == 0x0
 03366  1028   NtSetEventBoostPriority  (88, ...
 02181   780   NtWaitForSingleObject  ... ) == 0x0
 03367   780   NtSetEventBoostPriority  (88, ...
 02195   940   NtWaitForSingleObject  ... ) == 0x0
 03368   940   NtSetEventBoostPriority  (88, ...
 02218  1268   NtWaitForSingleObject  ... ) == 0x0
 03369  1268   NtSetEventBoostPriority  (88, ...
 02242   644   NtWaitForSingleObject  ... ) == 0x0
 03370   644   NtSetEventBoostPriority  (88, ...
 02257  1736   NtWaitForSingleObject  ... ) == 0x0
 03371  1736   NtSetEventBoostPriority  (88, ...
 02264   320   NtWaitForSingleObject  ... ) == 0x0
 03372   320   NtSetEventBoostPriority  (88, ...
 02273   380   NtWaitForSingleObject  ... ) == 0x0
 03373   380   NtSetEventBoostPriority  (88, ...
 02280  1332   NtWaitForSingleObject  ... ) == 0x0
 03374  1332   NtSetEventBoostPriority  (88, ...
 02289  1336   NtWaitForSingleObject  ... ) == 0x0
 03375  1336   NtSetEventBoostPriority  (88, ...
 02296  1808   NtWaitForSingleObject  ... ) == 0x0
 03376  1808   NtSetEventBoostPriority  (88, ...
 02305   468   NtWaitForSingleObject  ... ) == 0x0
 03377   468   NtSetEventBoostPriority  (88, ...
 02312   752   NtWaitForSingleObject  ... ) == 0x0
 03378   752   NtSetEventBoostPriority  (88, ...
 02321  1512   NtWaitForSingleObject  ... ) == 0x0
 03379  1512   NtSetEventBoostPriority  (88, ...
 02329  1380   NtWaitForSingleObject  ... ) == 0x0
 03380  1380   NtSetEventBoostPriority  (88, ...
 02336  1564   NtWaitForSingleObject  ... ) == 0x0
 03381  1564   NtSetEventBoostPriority  (88, ...
 02345   164   NtWaitForSingleObject  ... ) == 0x0
 03382   164   NtSetEventBoostPriority  (88, ...
 02352   312   NtWaitForSingleObject  ... ) == 0x0
 03383   312   NtSetEventBoostPriority  (88, ...
 02361  1964   NtWaitForSingleObject  ... ) == 0x0
 03384  1964   NtSetEventBoostPriority  (88, ...
 02368  1568   NtWaitForSingleObject  ... ) == 0x0
 03385  1568   NtSetEventBoostPriority  (88, ...
 02377  1624   NtWaitForSingleObject  ... ) == 0x0
 03386  1624   NtSetEventBoostPriority  (88, ...
 02384  1716   NtWaitForSingleObject  ... ) == 0x0
 03387  1716   NtSetEventBoostPriority  (88, ...
 02393  1440   NtWaitForSingleObject  ... ) == 0x0
 03388  1440   NtSetEventBoostPriority  (88, ...
 02400  1664   NtWaitForSingleObject  ... ) == 0x0
 03389  1664   NtAllocateVirtualMemory  (-1, 8810496, 0, 4096, 4096, 4, ... 8810496, 4096, ) == 0x0
 03388  1440   NtSetEventBoostPriority  ... ) == 0x0
 03387  1716   NtSetEventBoostPriority  ... ) == 0x0
 03386  1624   NtSetEventBoostPriority  ... ) == 0x0
 03385  1568   NtSetEventBoostPriority  ... ) == 0x0
 03384  1964   NtSetEventBoostPriority  ... ) == 0x0
 03383   312   NtSetEventBoostPriority  ... ) == 0x0
 03382   164   NtSetEventBoostPriority  ... ) == 0x0
 03381  1564   NtSetEventBoostPriority  ... ) == 0x0
 03380  1380   NtSetEventBoostPriority  ... ) == 0x0
 03379  1512   NtSetEventBoostPriority  ... ) == 0x0
 03378   752   NtSetEventBoostPriority  ... ) == 0x0
 03377   468   NtSetEventBoostPriority  ... ) == 0x0
 03376  1808   NtSetEventBoostPriority  ... ) == 0x0
 03375  1336   NtSetEventBoostPriority  ... ) == 0x0
 03374  1332   NtSetEventBoostPriority  ... ) == 0x0
 03373   380   NtSetEventBoostPriority  ... ) == 0x0
 03372   320   NtSetEventBoostPriority  ... ) == 0x0
 03371  1736   NtSetEventBoostPriority  ... ) == 0x0
 03370   644   NtSetEventBoostPriority  ... ) == 0x0
 03369  1268   NtSetEventBoostPriority  ... ) == 0x0
 03368   940   NtSetEventBoostPriority  ... ) == 0x0
 03367   780   NtSetEventBoostPriority  ... ) == 0x0
 03366  1028   NtSetEventBoostPriority  ... ) == 0x0
 03390   596   NtContinue  (11006756, 0, ...
 03365  2016   NtCreateThread  ... 1188, {896, 2488}, ) == 0x0
 03391  1664   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ...
 03392  1440   NtTestAlert  (...
 03393  1716   NtTestAlert  (...
 03394  1624   NtTestAlert  (...
 03395  1568   NtTestAlert  (...
 03396  1964   NtTestAlert  (...
 03397   312   NtTestAlert  (...
 03398   164   NtTestAlert  (...
 03399  1564   NtTestAlert  (...
 03400  1380   NtTestAlert  (...
 03401  1512   NtTestAlert  (...
 03402   752   NtTestAlert  (...
 03403   468   NtTestAlert  (...
 03404  1808   NtTestAlert  (...
 03405  1336   NtTestAlert  (...
 03406  1332   NtTestAlert  (...
 03407   380   NtTestAlert  (...
 03408   320   NtTestAlert  (...
 03409  1736   NtTestAlert  (...
 03410   644   NtTestAlert  (...
 03411  1268   NtTestAlert  (...
 03412   940   NtTestAlert  (...
 03413  1028   NtWaitForSingleObject  (88, 0, 0x0, ...
 03414   596   NtDeviceIoControlFile  (460, 96, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 03415  2016   NtQueryInformationThread  (1188, Basic, 28, ...
 03391  1664   NtAllocateVirtualMemory  ... 1404928, 4096, ) == 0x0
 03392  1440   NtTestAlert  ... ) == 0x0
 03393  1716   NtTestAlert  ... ) == 0x0
 03394  1624   NtTestAlert  ... ) == 0x0
 03395  1568   NtTestAlert  ... ) == 0x0
 03396  1964   NtTestAlert  ... ) == 0x0
 03397   312   NtTestAlert  ... ) == 0x0
 03398   164   NtTestAlert  ... ) == 0x0
 03399  1564   NtTestAlert  ... ) == 0x0
 03400  1380   NtTestAlert  ... ) == 0x0
 03401  1512   NtTestAlert  ... ) == 0x0
 03402   752   NtTestAlert  ... ) == 0x0
 03403   468   NtTestAlert  ... ) == 0x0
 03404  1808   NtTestAlert  ... ) == 0x0
 03405  1336   NtTestAlert  ... ) == 0x0
 03406  1332   NtTestAlert  ... ) == 0x0
 03407   380   NtTestAlert  ... ) == 0x0
 03408   320   NtTestAlert  ... ) == 0x0
 03409  1736   NtTestAlert  ... ) == 0x0
 03410   644   NtTestAlert  ... ) == 0x0
 03411  1268   NtTestAlert  ... ) == 0x0
 03412   940   NtTestAlert  ... ) == 0x0
 03414   596   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x103
 03415  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7fef3000,Pid=896,Tid=2488,}, 0x0, ) == 0x0
 03416  1664   NtSetEventBoostPriority  (88, ...
 03417  1440   NtContinue  (93060400, 1, ...
 03418  1716   NtContinue  (92011824, 1, ...
 03419  1624   NtContinue  (90963248, 1, ...
 03420  1568   NtContinue  (89914672, 1, ...
 03421  1964   NtContinue  (88866096, 1, ...
 03422   312   NtContinue  (87817520, 1, ...
 03423   164   NtContinue  (86768944, 1, ...
 03424  1564   NtContinue  (85720368, 1, ...
 03425  1380   NtContinue  (84671792, 1, ...
 03426  1512   NtContinue  (83623216, 1, ...
 03427   752   NtContinue  (82574640, 1, ...
 03428   468   NtContinue  (81526064, 1, ...
 03429  1808   NtContinue  (80477488, 1, ...
 03430  1336   NtContinue  (79428912, 1, ...
 03431  1332   NtContinue  (78380336, 1, ...
 03432   380   NtContinue  (77331760, 1, ...
 03433   320   NtContinue  (76283184, 1, ...
 03434  1736   NtContinue  (75234608, 1, ...
 03435   644   NtContinue  (74186032, 1, ...
 03436  1268   NtContinue  (73137456, 1, ...
 03437   940   NtContinue  (72088880, 1, ...
 03438   596   NtWaitForSingleObject  (96, 1, {-5000000, -1}, ...
 03439  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82055, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82055, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\4\0\0\200\3\0\0\270\11\0\0" ...  ...
 02409  1972   NtWaitForSingleObject  ... ) == 0x0
 03416  1664   NtSetEventBoostPriority  ... ) == 0x0
 03440  1440   NtRegisterThreadTerminatePort  (24, ...
 03441  1716   NtRegisterThreadTerminatePort  (24, ...
 03442  1624   NtRegisterThreadTerminatePort  (24, ...
 03443  1568   NtRegisterThreadTerminatePort  (24, ...
 03444  1964   NtRegisterThreadTerminatePort  (24, ...
 03445   312   NtRegisterThreadTerminatePort  (24, ...
 03446   164   NtRegisterThreadTerminatePort  (24, ...
 03447  1564   NtRegisterThreadTerminatePort  (24, ...
 03448  1380   NtRegisterThreadTerminatePort  (24, ...
 03449  1512   NtRegisterThreadTerminatePort  (24, ...
 03450   752   NtRegisterThreadTerminatePort  (24, ...
 03451   468   NtRegisterThreadTerminatePort  (24, ...
 03452  1808   NtRegisterThreadTerminatePort  (24, ...
 03453  1336   NtRegisterThreadTerminatePort  (24, ...
 03454  1332   NtRegisterThreadTerminatePort  (24, ...
 03455   380   NtRegisterThreadTerminatePort  (24, ...
 03456   320   NtRegisterThreadTerminatePort  (24, ...
 03457  1736   NtRegisterThreadTerminatePort  (24, ...
 03458   644   NtRegisterThreadTerminatePort  (24, ...
 03459  1268   NtRegisterThreadTerminatePort  (24, ...
 03460   940   NtRegisterThreadTerminatePort  (24, ...
 03461  1972   NtSetEventBoostPriority  (88, ...
 03439  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 82056, 0}  ... {28, 56, reply, 0, 896, 2016, 82056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\4\0\0\200\3\0\0\270\11\0\0" )  ) == 0x0
 03462  1664   NtTestAlert  (...
 03440  1440   NtRegisterThreadTerminatePort  ... ) == 0x0
 03441  1716   NtRegisterThreadTerminatePort  ... ) == 0x0
 03442  1624   NtRegisterThreadTerminatePort  ... ) == 0x0
 03443  1568   NtRegisterThreadTerminatePort  ... ) == 0x0
 03444  1964   NtRegisterThreadTerminatePort  ... ) == 0x0
 03445   312   NtRegisterThreadTerminatePort  ... ) == 0x0
 03446   164   NtRegisterThreadTerminatePort  ... ) == 0x0
 03447  1564   NtRegisterThreadTerminatePort  ... ) == 0x0
 03448  1380   NtRegisterThreadTerminatePort  ... ) == 0x0
 03449  1512   NtRegisterThreadTerminatePort  ... ) == 0x0
 03450   752   NtRegisterThreadTerminatePort  ... ) == 0x0
 03451   468   NtRegisterThreadTerminatePort  ... ) == 0x0
 03452  1808   NtRegisterThreadTerminatePort  ... ) == 0x0
 03453  1336   NtRegisterThreadTerminatePort  ... ) == 0x0
 03454  1332   NtRegisterThreadTerminatePort  ... ) == 0x0
 03455   380   NtRegisterThreadTerminatePort  ... ) == 0x0
 03456   320   NtRegisterThreadTerminatePort  ... ) == 0x0
 03457  1736   NtRegisterThreadTerminatePort  ... ) == 0x0
 03458   644   NtRegisterThreadTerminatePort  ... ) == 0x0
 03459  1268   NtRegisterThreadTerminatePort  ... ) == 0x0
 02416  1036   NtWaitForSingleObject  ... ) == 0x0
 03461  1972   NtSetEventBoostPriority  ... ) == 0x0
 03460   940   NtRegisterThreadTerminatePort  ... ) == 0x0
 03463   780   NtTestAlert  (...
 03462  1664   NtTestAlert  ... ) == 0x0
 03464  1440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03465  1716   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03466  1624   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03467  1568   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03468  1964   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03469   312   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03470   164   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03471  1564   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03472  1380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03473  1512   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03474   752   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03475   468   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03476  1808   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03477  1336   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03478  1332   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03479   380   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03480   320   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03481  1736   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03482   644   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03483  1036   NtSetEventBoostPriority  (88, ...
 03484  1268   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03485  2016   NtResumeThread  (1188, ...
 03486   940   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03463   780   NtTestAlert  ... ) == 0x0
 03487  1972   NtTestAlert  (...
 03488  1664   NtContinue  (94108976, 1, ...
 03464  1440   NtDuplicateObject  ... 1192, ) == 0x0
 03465  1716   NtDuplicateObject  ... 1196, ) == 0x0
 03466  1624   NtDuplicateObject  ... 1200, ) == 0x0
 03467  1568   NtDuplicateObject  ... 1204, ) == 0x0
 03468  1964   NtDuplicateObject  ... 1208, ) == 0x0
 03469   312   NtDuplicateObject  ... 1212, ) == 0x0
 03470   164   NtDuplicateObject  ... 1216, ) == 0x0
 03471  1564   NtDuplicateObject  ... 1220, ) == 0x0
 03472  1380   NtDuplicateObject  ... 1224, ) == 0x0
 03473  1512   NtDuplicateObject  ... 1228, ) == 0x0
 03474   752   NtDuplicateObject  ... 1232, ) == 0x0
 03475   468   NtDuplicateObject  ... 1236, ) == 0x0
 03476  1808   NtDuplicateObject  ... 1240, ) == 0x0
 03477  1336   NtDuplicateObject  ... 1244, ) == 0x0
 03478  1332   NtDuplicateObject  ... 1248, ) == 0x0
 03479   380   NtDuplicateObject  ... 1252, ) == 0x0
 03480   320   NtDuplicateObject  ... 1256, ) == 0x0
 03481  1736   NtDuplicateObject  ... 1260, ) == 0x0
 02425  1248   NtWaitForSingleObject  ... ) == 0x0
 03483  1036   NtSetEventBoostPriority  ... ) == 0x0
 03482   644   NtDuplicateObject  ... 1264, ) == 0x0
 03485  2016   NtResumeThread  ... 1, ) == 0x0
 03484  1268   NtDuplicateObject  ... 1268, ) == 0x0
 03489   780   NtContinue  (71040304, 1, ...
 03487  1972   NtTestAlert  ... ) == 0x0
 03490  1664   NtRegisterThreadTerminatePort  (24, ...
 03491  1440   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03492  1716   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03493  1624   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03494  1568   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03495  1964   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03496   312   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03497   164   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03498  1564   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03499  1380   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ...
 03500  1512   NtWaitForSingleObject  (288, 0, 0x0, ...
 03501   752   NtWaitForSingleObject  (288, 0, 0x0, ...
 03502   468   NtWaitForSingleObject  (288, 0, 0x0, ...
 03503  1808   NtWaitForSingleObject  (288, 0, 0x0, ...
 03504  1336   NtWaitForSingleObject  (288, 0, 0x0, ...
 03505  1332   NtWaitForSingleObject  (288, 0, 0x0, ...
 03506   380   NtWaitForSingleObject  (288, 0, 0x0, ...
 03507   320   NtWaitForSingleObject  (288, 0, 0x0, ...
 03508  1248   NtWaitForSingleObject  (288, 0, 0x0, ...
 03509  1736   NtWaitForSingleObject  (288, 0, 0x0, ...
 03486   940   NtDuplicateObject  ... 1272, ) == 0x0
 03510  2488   NtWaitForSingleObject  (88, 0, 0x0, ...
 03511   644   NtWaitForSingleObject  (288, 0, 0x0, ...
 03512  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03513  1268   NtWaitForSingleObject  (288, 0, 0x0, ...
 03514   780   NtRegisterThreadTerminatePort  (24, ...
 03515  1972   NtContinue  (95157552, 1, ...
 03490  1664   NtRegisterThreadTerminatePort  ... ) == 0x0
 03491  1440   NtWaitForSingleObject  ... ) == 0x102
 03492  1716   NtWaitForSingleObject  ... ) == 0x102
 03493  1624   NtWaitForSingleObject  ... ) == 0x102
 03494  1568   NtWaitForSingleObject  ... ) == 0x102
 03495  1964   NtWaitForSingleObject  ... ) == 0x102
 03496   312   NtWaitForSingleObject  ... ) == 0x102
 03497   164   NtWaitForSingleObject  ... ) == 0x102
 03498  1564   NtWaitForSingleObject  ... ) == 0x102
 03499  1380   NtAllocateVirtualMemory  ... 1409024, 4096, ) == 0x0
 03516   940   NtWaitForSingleObject  (288, 0, 0x0, ...
 03512  2016   NtAllocateVirtualMemory  ... 218890240, 1048576, ) == 0x0
 03514   780   NtRegisterThreadTerminatePort  ... ) == 0x0
 03517  1972   NtRegisterThreadTerminatePort  (24, ...
 03518  1664   NtWaitForSingleObject  (288, 0, 0x0, ...
 03519  1440   NtWaitForSingleObject  (288, 0, 0x0, ...
 03520  1716   NtWaitForSingleObject  (288, 0, 0x0, ...
 03521  1624   NtWaitForSingleObject  (288, 0, 0x0, ...
 03522  1568   NtWaitForSingleObject  (288, 0, 0x0, ...
 03523  1964   NtWaitForSingleObject  (288, 0, 0x0, ...
 03524   312   NtWaitForSingleObject  (288, 0, 0x0, ...
 03525   164   NtWaitForSingleObject  (288, 0, 0x0, ...
 03526  1564   NtWaitForSingleObject  (288, 0, 0x0, ...
 03527  1380   NtSetEventBoostPriority  (288, ...
 03528  2016   NtAllocateVirtualMemory  (-1, 219930624, 0, 8192, 4096, 4, ...
 03529   780   NtWaitForSingleObject  (288, 0, 0x0, ...
 03517  1972   NtRegisterThreadTerminatePort  ... ) == 0x0
 03500  1512   NtWaitForSingleObject  ... ) == 0x0
 03527  1380   NtSetEventBoostPriority  ... ) == 0x0
 03528  2016   NtAllocateVirtualMemory  ... 219930624, 8192, ) == 0x0
 03530  1036   NtTestAlert  (...
 03531  1512   NtSetEventBoostPriority  (288, ...
 03532  1972   NtWaitForSingleObject  (288, 0, 0x0, ...
 03533  1380   NtWaitForSingleObject  (288, 0, 0x0, ...
 03501   752   NtWaitForSingleObject  ... ) == 0x0
 03531  1512   NtSetEventBoostPriority  ... ) == 0x0
 03530  1036   NtTestAlert  ... ) == 0x0
 03534  2016   NtProtectVirtualMemory  (-1, (0xd1be000), 4096, 260, ...
 03535   752   NtSetEventBoostPriority  (288, ...
 03536  1036   NtContinue  (96206128, 1, ...
 03502   468   NtWaitForSingleObject  ... ) == 0x0
 03535   752   NtSetEventBoostPriority  ... ) == 0x0
 03534  2016   NtProtectVirtualMemory  ... (0xd1be000), 4096, 4, ) == 0x0
 03537   468   NtSetEventBoostPriority  (288, ...
 03538  1036   NtRegisterThreadTerminatePort  (24, ...
 03539  1512   NtWaitForSingleObject  (288, 0, 0x0, ...
 03503  1808   NtWaitForSingleObject  ... ) == 0x0
 03537   468   NtSetEventBoostPriority  ... ) == 0x0
 03540  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03538  1036   NtRegisterThreadTerminatePort  ... ) == 0x0
 03541  1808   NtSetEventBoostPriority  (288, ...
 03542   752   NtWaitForSingleObject  (288, 0, 0x0, ...
 03540  2016   NtCreateThread  ... 1276, {896, 2492}, ) == 0x0
 03504  1336   NtWaitForSingleObject  ... ) == 0x0
 03541  1808   NtSetEventBoostPriority  ... ) == 0x0
 03543  1036   NtWaitForSingleObject  (288, 0, 0x0, ...
 03544  1336   NtSetEventBoostPriority  (288, ...
 03545  2016   NtQueryInformationThread  (1276, Basic, 28, ...
 03546   468   NtWaitForSingleObject  (288, 0, 0x0, ...
 03547  1808   NtWaitForSingleObject  (288, 0, 0x0, ...
 03505  1332   NtWaitForSingleObject  ... ) == 0x0
 03544  1336   NtSetEventBoostPriority  ... ) == 0x0
 03545  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7fef2000,Pid=896,Tid=2492,}, 0x0, ) == 0x0
 03548  1332   NtSetEventBoostPriority  (288, ...
 03549  1336   NtWaitForSingleObject  (288, 0, 0x0, ...
 03506   380   NtWaitForSingleObject  ... ) == 0x0
 03548  1332   NtSetEventBoostPriority  ... ) == 0x0
 03550   380   NtSetEventBoostPriority  (288, ...
 03551  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82056, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\4\0\0\200\3\0\0\274\11\0\0" ...  ...
 03508  1248   NtWaitForSingleObject  ... ) == 0x0
 03550   380   NtSetEventBoostPriority  ... ) == 0x0
 03552  1248   NtSetEventBoostPriority  (288, ...
 03551  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 82057, 0}  ... {28, 56, reply, 0, 896, 2016, 82057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\4\0\0\200\3\0\0\274\11\0\0" )  ) == 0x0
 03553  1332   NtWaitForSingleObject  (288, 0, 0x0, ...
 03507   320   NtWaitForSingleObject  ... ) == 0x0
 03552  1248   NtSetEventBoostPriority  ... ) == 0x0
 03554  2016   NtResumeThread  (1276, ...
 03555   320   NtSetEventBoostPriority  (288, ...
 03556   380   NtWaitForSingleObject  (288, 0, 0x0, ...
 03509  1736   NtWaitForSingleObject  ... ) == 0x0
 03555   320   NtSetEventBoostPriority  ... ) == 0x0
 03554  2016   NtResumeThread  ... 1, ) == 0x0
 03557  1736   NtSetEventBoostPriority  (288, ...
 03558  1248   NtSetEventBoostPriority  (88, ...
 03559  2492   NtWaitForSingleObject  (88, 0, 0x0, ...
 03511   644   NtWaitForSingleObject  ... ) == 0x0
 03557  1736   NtSetEventBoostPriority  ... ) == 0x0
 03560  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02432  1656   NtWaitForSingleObject  ... ) == 0x0
 03558  1248   NtSetEventBoostPriority  ... ) == 0x0
 03561   644   NtSetEventBoostPriority  (288, ...
 03562   320   NtWaitForSingleObject  (288, 0, 0x0, ...
 03563  1736   NtWaitForSingleObject  (288, 0, 0x0, ...
 03564  1656   NtWaitForSingleObject  (288, 0, 0x0, ...
 03513  1268   NtWaitForSingleObject  ... ) == 0x0
 03561   644   NtSetEventBoostPriority  ... ) == 0x0
 03565  1248   NtTestAlert  (...
 03566  1268   NtSetEventBoostPriority  (288, ...
 03560  2016   NtAllocateVirtualMemory  ... 219938816, 1048576, ) == 0x0
 03516   940   NtWaitForSingleObject  ... ) == 0x0
 03566  1268   NtSetEventBoostPriority  ... ) == 0x0
 03565  1248   NtTestAlert  ... ) == 0x0
 03567   940   NtSetEventBoostPriority  (288, ...
 03568  2016   NtAllocateVirtualMemory  (-1, 220979200, 0, 8192, 4096, 4, ...
 03569   644   NtWaitForSingleObject  (288, 0, 0x0, ...
 03518  1664   NtWaitForSingleObject  ... ) == 0x0
 03567   940   NtSetEventBoostPriority  ... ) == 0x0
 03570  1248   NtContinue  (97254704, 1, ...
 03568  2016   NtAllocateVirtualMemory  ... 220979200, 8192, ) == 0x0
 03571  1664   NtSetEventBoostPriority  (288, ...
 03572  1268   NtWaitForSingleObject  (288, 0, 0x0, ...
 03573  1248   NtRegisterThreadTerminatePort  (24, ...
 03519  1440   NtWaitForSingleObject  ... ) == 0x0
 03571  1664   NtSetEventBoostPriority  ... ) == 0x0
 03574  2016   NtProtectVirtualMemory  (-1, (0xd2be000), 4096, 260, ...
 03575   940   NtWaitForSingleObject  (288, 0, 0x0, ...
 03576  1440   NtSetEventBoostPriority  (288, ...
 03573  1248   NtRegisterThreadTerminatePort  ... ) == 0x0
 03574  2016   NtProtectVirtualMemory  ... (0xd2be000), 4096, 4, ) == 0x0
 03520  1716   NtWaitForSingleObject  ... ) == 0x0
 03576  1440   NtSetEventBoostPriority  ... ) == 0x0
 03577  1248   NtWaitForSingleObject  (288, 0, 0x0, ...
 03578  1716   NtSetEventBoostPriority  (288, ...
 03579  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03580  1664   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03521  1624   NtWaitForSingleObject  ... ) == 0x0
 03578  1716   NtSetEventBoostPriority  ... ) == 0x0
 03581  1440   NtWaitForSingleObject  (124, 0, 0x0, ...
 03582  1624   NtSetEventBoostPriority  (288, ...
 03580  1664   NtDuplicateObject  ... 1280, ) == 0x0
 03579  2016   NtCreateThread  ... 1284, {896, 2496}, ) == 0x0
 03522  1568   NtWaitForSingleObject  ... ) == 0x0
 03582  1624   NtSetEventBoostPriority  ... ) == 0x0
 03583  1664   NtWaitForSingleObject  (288, 0, 0x0, ...
 03584  1568   NtSetEventBoostPriority  (288, ...
 03585  2016   NtQueryInformationThread  (1284, Basic, 28, ...
 03586  1716   NtWaitForSingleObject  (124, 0, 0x0, ...
 03523  1964   NtWaitForSingleObject  ... ) == 0x0
 03584  1568   NtSetEventBoostPriority  ... ) == 0x0
 03585  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7fef1000,Pid=896,Tid=2496,}, 0x0, ) == 0x0
 03587  1964   NtSetEventBoostPriority  (288, ...
 03588  1624   NtWaitForSingleObject  (124, 0, 0x0, ...
 03524   312   NtWaitForSingleObject  ... ) == 0x0
 03587  1964   NtSetEventBoostPriority  ... ) == 0x0
 03589  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82057, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\5\0\0\200\3\0\0\300\11\0\0" ...  ...
 03590   312   NtSetEventBoostPriority  (288, ...
 03591  1568   NtWaitForSingleObject  (124, 0, 0x0, ...
 03525   164   NtWaitForSingleObject  ... ) == 0x0
 03590   312   NtSetEventBoostPriority  ... ) == 0x0
 03589  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 82058, 0}  ... {28, 56, reply, 0, 896, 2016, 82058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\5\0\0\200\3\0\0\300\11\0\0" )  ) == 0x0
 03592   164   NtSetEventBoostPriority  (288, ...
 03593  1964   NtWaitForSingleObject  (124, 0, 0x0, ...
 03594   312   NtWaitForSingleObject  (124, 0, 0x0, ...
 03526  1564   NtWaitForSingleObject  ... ) == 0x0
 03592   164   NtSetEventBoostPriority  ... ) == 0x0
 03595  1564   NtSetEventBoostPriority  (288, ...
 03596  2016   NtResumeThread  (1284, ...
 03529   780   NtWaitForSingleObject  ... ) == 0x0
 03595  1564   NtSetEventBoostPriority  ... ) == 0x0
 03597   780   NtSetEventBoostPriority  (288, ...
 03596  2016   NtResumeThread  ... 1, ) == 0x0
 03598   164   NtWaitForSingleObject  (124, 0, 0x0, ...
 03532  1972   NtWaitForSingleObject  ... ) == 0x0
 03599  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03600  1972   NtSetEventBoostPriority  (288, ...
 03599  2016   NtAllocateVirtualMemory  ... 220987392, 1048576, ) == 0x0
 03533  1380   NtWaitForSingleObject  ... ) == 0x0
 03601  2016   NtAllocateVirtualMemory  (-1, 222027776, 0, 8192, 4096, 4, ...
 03602  1380   NtSetEventBoostPriority  (288, ...
 03601  2016   NtAllocateVirtualMemory  ... 222027776, 8192, ) == 0x0
 03539  1512   NtWaitForSingleObject  ... ) == 0x0
 03602  1380   NtSetEventBoostPriority  ... ) == 0x0
 03600  1972   NtSetEventBoostPriority  ... ) == 0x0
 03597   780   NtSetEventBoostPriority  ... ) == 0x0
 03603  1564   NtWaitForSingleObject  (124, 0, 0x0, ...
 03604  2496   NtWaitForSingleObject  (88, 0, 0x0, ...
 03605  1512   NtSetEventBoostPriority  (288, ...
 03606  1380   NtWaitForSingleObject  (64, 0, {0, 0}, ...
 03607  1972   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03608   780   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03542   752   NtWaitForSingleObject  ... ) == 0x0
 03605  1512   NtSetEventBoostPriority  ... ) == 0x0
 03607  1972   NtDuplicateObject  ... 1288, ) == 0x0
 03609   752   NtSetEventBoostPriority  (288, ...
 03608   780   NtDuplicateObject  ... 1292, ) == 0x0
 03610  1512   NtWaitForSingleObject  (288, 0, 0x0, ...
 03611  2016   NtProtectVirtualMemory  (-1, (0xd3be000), 4096, 260, ...
 03606  1380   NtWaitForSingleObject  ... ) == 0x102
 03546   468   NtWaitForSingleObject  ... ) == 0x0
 03609   752   NtSetEventBoostPriority  ... ) == 0x0
 03612  1972   NtWaitForSingleObject  (288, 0, 0x0, ...
 03613   780   NtWaitForSingleObject  (288, 0, 0x0, ...
 03611  2016   NtProtectVirtualMemory  ... (0xd3be000), 4096, 4, ) == 0x0
 03614   468   NtSetEventBoostPriority  (288, ...
 03615  1380   NtWaitForSingleObject  (288, 0, 0x0, ...
 03616   752   NtWaitForSingleObject  (368, 0, 0x0, ...
 03547  1808   NtWaitForSingleObject  ... ) == 0x0
 03614   468   NtSetEventBoostPriority  ... ) == 0x0
 03617  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03618  1808   NtSetEventBoostPriority  (288, ...
 03619   468   NtWaitForSingleObject  (368, 0, 0x0, ...
 03543  1036   NtWaitForSingleObject  ... ) == 0x0
 03618  1808   NtSetEventBoostPriority  ... ) == 0x0
 03617  2016   NtCreateThread  ... 1296, {896, 2500}, ) == 0x0
 03620  1036   NtSetEventBoostPriority  (288, ...
 03621  1808   NtWaitForSingleObject  (368, 0, 0x0, ...
 03549  1336   NtWaitForSingleObject  ... ) == 0x0
 03622  2016   NtQueryInformationThread  (1296, Basic, 28, ...
 03620  1036   NtSetEventBoostPriority  ... ) == 0x0
 03623  1336   NtSetEventBoostPriority  (288, ...
 03622  2016   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7fef0000,Pid=896,Tid=2500,}, 0x0, ) == 0x0
 03624  1036   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03553  1332   NtWaitForSingleObject  ... ) == 0x0
 03623  1336   NtSetEventBoostPriority  ... ) == 0x0
 03625  1332   NtSetEventBoostPriority  (288, ...
 03624  1036   NtDuplicateObject  ... 1300, ) == 0x0
 03556   380   NtWaitForSingleObject  ... ) == 0x0
 03625  1332   NtSetEventBoostPriority  ... ) == 0x0
 03626  1336   NtWaitForSingleObject  (368, 0, 0x0, ...
 03627  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 896, 2016, 82058, 0}  (24, {28, 56, new_msg, 0, 896, 2016, 82058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\5\0\0\200\3\0\0\304\11\0\0" ...  ...
 03628   380   NtSetEventBoostPriority  (288, ...
 03629  1332   NtWaitForSingleObject  (368, 0, 0x0, ...
 03630  1036   NtWaitForSingleObject  (288, 0, 0x0, ...
 03562   320   NtWaitForSingleObject  ... ) == 0x0
 03628   380   NtSetEventBoostPriority  ... ) == 0x0
 03627  2016   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 896, 2016, 82059, 0}  ... {28, 56, reply, 0, 896, 2016, 82059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\5\0\0\200\3\0\0\304\11\0\0" )  ) == 0x0
 03631   320   NtSetEventBoostPriority  (288, ...
 03632   380   NtWaitForSingleObject  (368, 0, 0x0, ...
 03564  1656   NtWaitForSingleObject  ... ) == 0x0
 03631   320   NtSetEventBoostPriority  ... ) == 0x0
 03633  2016   NtResumeThread  (1296, ...
 03634  1656   NtSetEventBoostPriority  (288, ...
 03635   320   NtWaitForSingleObject  (368, 0, 0x0, ...
 03563  1736   NtWaitForSingleObject  ... ) == 0x0
 03634  1656   NtSetEventBoostPriority  ... ) == 0x0
 03633  2016   NtResumeThread  ... 1, ) == 0x0
 03636  1736   NtSetEventBoostPriority  (288, ...
 03637  2500   NtWaitForSingleObject  (88, 0, 0x0, ...
 03569   644   NtWaitForSingleObject  ... ) == 0x0
 03636  1736   NtSetEventBoostPriority  ... ) == 0x0
 03638  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03639   644   NtSetEventBoostPriority  (288, ...
 03640  1736   NtWaitForSingleObject  (368, 0, 0x0, ...
 03641  1656   NtSetEventBoostPriority  (88, ...
 03572  1268   NtWaitForSingleObject  ... ) == 0x0
 03639   644   NtSetEventBoostPriority  ... ) == 0x0
 03638  2016   NtAllocateVirtualMemory  ... 222035968, 1048576, ) == 0x0
 03642  1268   NtSetEventBoostPriority  (288, ...
 02441   760   NtWaitForSingleObject  ... ) == 0x0
 03641  1656   NtSetEventBoostPriority  ... ) == 0x0
 03643   644   NtWaitForSingleObject  (368, 0, 0x0, ...
 03575   940   NtWaitForSingleObject  ... ) == 0x0
 03644   760   NtWaitForSingleObject  (288, 0, 0x0, ...
 03642  1268   NtSetEventBoostPriority  ... ) == 0x0
 03645  2016   NtAllocateVirtualMemory  (-1, 223076352, 0, 8192, 4096, 4, ...
 03646  1656   NtTestAlert  (...
 03647   940   NtSetEventBoostPriority  (288, ...
 03648  1268   NtWaitForSingleObject  (368, 0, 0x0, ...
 03645  2016   NtAllocateVirtualMemory  ... 223076352, 8192, ) == 0x0
 03577  1248   NtWaitForSingleObject  ... ) == 0x0
 03647   940   NtSetEventBoostPriority  ... ) == 0x0
 03646  1656   NtTestAlert  ... ) == 0x0
 03649  1248   NtSetEventBoostPriority  (288, ...
 03650  2016   NtProtectVirtualMemory  (-1, (0xd4be000), 4096, 260, ...
 03651   940   NtWaitForSingleObject  (368, 0, 0x0, ...
 03583  1664   NtWaitForSingleObject  ... ) == 0x0
 03649  1248   NtSetEventBoostPriority  ... ) == 0x0
 03652  1656   NtContinue  (98303280, 1, ...
 03650  2016   NtProtectVirtualMemory  ... (0xd4be000), 4096, 4, ) == 0x0
 03653  1664   NtSetEventBoostPriority  (288, ...
 03654  1656   NtRegisterThreadTerminatePort  (24, ...
 03612  1972   NtWaitForSingleObject  ... ) == 0x0
 03653  1664   NtSetEventBoostPriority  ... ) == 0x0
 03655  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ...
 03656  1248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03657  1972   NtSetEventBoostPriority  (288, ...
 03654  1656   NtRegisterThreadTerminatePort  ... ) == 0x0
 03658  1664   NtWaitForSingleObject  (288, 0, 0x0, ...
 03613   780   NtWaitForSingleObject  ... ) == 0x0