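Summary (system call name and number of invocations; the original multi-column table, sorted by ascending count down each column, appears here flattened row by row):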

NtGdiCreateBitmap(>) 1 NtOpenDirectoryObject(>) 2 NtOpenThreadToken(>) 8 NtContinue(>) 97
NtGdiInit(>) 1 NtOpenProcessToken(>) 2 NtQueryInformationFile(>) 8 NtQuerySystemInformation(>) 126
NtGdiQueryFontAssocInfo(>) 1 NtQueryDefaultUILanguage(>) 2 NtQueryInformationProcess(>) 8 NtCreateEvent(>) 129
NtGdiSelectBitmap(>) 1 NtReadFile(>) 2 NtQueryVirtualMemory(>) 9 NtCreateThread(>) 130
NtOpenKeyedEvent(>) 1 NtSetInformationObject(>) 2 NtUnmapViewOfSection(>) 9 NtOpenKey(>) 130
NtOpenSymbolicLinkObject(>) 1 NtFreeVirtualMemory(>) 3 NtUserFindExistingCursorIcon(>) 9 NtResumeThread(>) 133
NtQueryInstallUILanguage(>) 1 NtGdiCreateCompatibleDC(>) 3 NtSetInformationFile(>) 10 NtQueryInformationThread(>) 150
NtQueryObject(>) 1 NtOpenProcessTokenEx(>) 3 NtSetValueKey(>) 12 NtRequestWaitReplyPort(>) 180
NtQueryPerformanceCounter(>) 1 NtOpenThreadTokenEx(>) 3 NtQuerySection(>) 13 NtTestAlert(>) 182
NtQuerySymbolicLinkObject(>) 1 NtSecureConnectPort(>) 3 NtQueryDirectoryFile(>) 14 NtRegisterThreadTerminatePort(>) 186
NtQuerySystemTime(>) 1 NtWriteFile(>) 3 NtUserRegisterClassExWOW(>) 14 NtDuplicateObject(>) 219
NtRaiseException(>) 1 NtCreateIoCompletion(>) 4 NtCreateFile(>) 15 NtProtectVirtualMemory(>) 241
NtSetInformationProcess(>) 1 NtQueryDefaultLocale(>) 4 NtCreateKey(>) 18 NtQueryValueKey(>) 252
NtUserCallNoParam(>) 1 NtCreateMutant(>) 5 NtOpenSection(>) 21 NtClose(>) 312
NtUserGetObjectInformation(>) 1 NtFsControlFile(>) 5 NtOpenFile(>) 23 NtAllocateVirtualMemory(>) 392
NtUserGetProcessWindowStation(>) 1 NtGdiGetStockObject(>) 5 NtMapViewOfSection(>) 32 NtSetEventBoostPriority(>) 677
NtUserGetThreadDesktop(>) 1 NtConnectPort(>) 6 NtDeviceIoControlFile(>) 33 NtWaitForSingleObject(>) 946
NtCallbackReturn(>) 2 NtQueryInformationToken(>) 6 NtQueryAttributesFile(>) 40
NtGdiCreateSolidBrush(>) 2 NtQueryVolumeInformationFile(>) 6 NtFlushInstructionCache(>) 53
NtNotifyChangeKey(>) 2

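Trace (each record: sequence number, an ID column (896 throughout this excerpt), call name, input arguments, "..." followed by output arguments, then "==" and the returned status; several argument lists appear twice, apparently an artifact of how the page was extracted):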

00001 896 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147482756, {status=0x0, info=1}, ) }, 0, 32, ... -2147482756, {status=0x0, info=1}, ) == 0x0 00002 896 NtQueryInformationFile (-2147482756, -142414796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00003 896 NtReadFile (-2147482756, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, (-2147482756, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0 00004 896 NtClose (-2147482756, ... ) == 0x0 00005 896 NtCreateFile (0x100080, {24, 0, 0x240, 0, 0, (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482756, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... 
-2147482756, {status=0x0, info=0}, ) == 0x0 00006 896 NtQueryVolumeInformationFile (-2147482756, -142414840, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00007 896 NtClose (-2147482756, ... ) == 0x0 00008 896 NtCreateFile (0x100180, {24, 0, 0x240, 0, 0, (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ... 00009 896 NtContinue (-142419640, 0, ... 00008 896 NtCreateFile ... -2147482756, {status=0x0, info=1}, ) == 0x0 00010 896 NtQueryVolumeInformationFile (-2147482756, -142414852, 24, Volume, ... {status=0x0, info=18}, ) == 0x0 00011 896 NtFsControlFile (-2147482756, 0, 0x0, 0x0, 0x90120, (-2147482756, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00012 896 NtCreateFile (0x100001, {24, 0, 0x240, 0, 0, (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0 00013 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0 00014 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES 00015 896 NtClose (-2147482764, ... 
) == 0x0 00016 896 NtCreateFile (0x100001, {24, 0, 0x240, 0, 0, (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0 00017 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0 00018 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES 00019 896 NtClose (-2147482764, ... ) == 0x0 00020 896 NtCreateFile (0x100001, {24, 0, 0x240, 0, 0, (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0 00021 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0 00022 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0 00023 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0 00024 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0 00025 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0 00026 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES 00027 896 NtClose (-2147482764, ... ) == 0x0 00028 896 NtCreateFile (0x100001, {24, 0, 0x240, 0, 0, (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... 
-2147482764, {status=0x0, info=1}, ) == 0x0 00029 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0 00030 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES 00031 896 NtClose (-2147482764, ... ) == 0x0 00032 896 NtCreateFile (0x100001, {24, 0, 0x240, 0, 0, (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0 00033 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0 00034 896 NtQueryDirectoryFile (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES 00035 896 NtClose (-2147482764, ... ) == 0x0 00036 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0 00037 896 NtClose (-2147482688, ... ) == 0x0 00038 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482660, ) == 0x0 00039 896 NtClose (-2147482660, ... ) == 0x0 00040 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0 00041 896 NtClose (-2147482656, ... ) == 0x0 00042 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0 00043 896 NtClose (-2147482652, ... ) == 0x0 00044 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0 00045 896 NtClose (-2147482724, ... ) == 0x0 00046 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0 00047 896 NtClose (-2147481452, ... 
) == 0x0 00048 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0 00049 896 NtClose (-2147482684, ... ) == 0x0 00050 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0 00051 896 NtClose (-2147482680, ... ) == 0x0 00052 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147482760, ) == 0x0 00053 896 NtClose (-2147482760, ... ) == 0x0 00054 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147481628, ) == 0x0 00055 896 NtClose (-2147481628, ... ) == 0x0 00056 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147481484, ) == 0x0 00057 896 NtClose (-2147481484, ... ) == 0x0 00058 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147482104, ) == 0x0 00059 896 NtClose (-2147482104, ... ) == 0x0 00060 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482104, ... -2147482592, ) == 0x0 00061 896 NtClose (-2147482592, ... ) == 0x0 00062 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482592, ... -2147481624, ) == 0x0 00063 896 NtClose (-2147481624, ... ) == 0x0 00064 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481624, ... -2147482676, ) == 0x0 00065 896 NtClose (-2147482676, ... ) == 0x0 00066 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0 00067 896 NtClose (-2147482672, ... ) == 0x0 00068 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0 00069 896 NtClose (-2147482668, ... ) == 0x0 00070 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0 00071 896 NtClose (-2147482664, ... 
) == 0x0 00072 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0 00073 896 NtClose (-2147481588, ... ) == 0x0 00074 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0 00075 896 NtClose (-2147481584, ... ) == 0x0 00076 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0 00077 896 NtClose (-2147482692, ... ) == 0x0 00078 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0 00079 896 NtClose (-2147481512, ... ) == 0x0 00080 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0 00081 896 NtClose (-2147481580, ... ) == 0x0 00082 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0 00083 896 NtClose (-2147481552, ... ) == 0x0 00084 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0 00085 896 NtClose (-2147481592, ... ) == 0x0 00086 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0 00087 896 NtClose (-2147481596, ... ) == 0x0 00088 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0 00089 896 NtClose (-2147482108, ... ) == 0x0 00090 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0 00091 896 NtClose (-2147482732, ... ) == 0x0 00092 896 NtClose (-2147482764, ... ) == 0x0 00093 896 NtClose (-2147482688, ... ) == 0x0 00094 896 NtClose (-2147482660, ... ) == 0x0 00095 896 NtClose (-2147482656, ... ) == 0x0 00096 896 NtClose (-2147482652, ... ) == 0x0 00097 896 NtClose (-2147482724, ... ) == 0x0 00098 896 NtClose (-2147481452, ... ) == 0x0 00099 896 NtClose (-2147482684, ... 
) == 0x0 00100 896 NtClose (-2147482680, ... ) == 0x0 00101 896 NtClose (-2147482760, ... ) == 0x0 00102 896 NtClose (-2147481628, ... ) == 0x0 00103 896 NtClose (-2147481484, ... ) == 0x0 00104 896 NtClose (-2147482104, ... ) == 0x0 00105 896 NtClose (-2147482592, ... ) == 0x0 00106 896 NtClose (-2147481624, ... ) == 0x0 00107 896 NtClose (-2147482676, ... ) == 0x0 00108 896 NtClose (-2147482672, ... ) == 0x0 00109 896 NtClose (-2147482668, ... ) == 0x0 00110 896 NtClose (-2147482664, ... ) == 0x0 00111 896 NtClose (-2147481588, ... ) == 0x0 00112 896 NtClose (-2147481584, ... ) == 0x0 00113 896 NtClose (-2147482692, ... ) == 0x0 00114 896 NtClose (-2147481512, ... ) == 0x0 00115 896 NtClose (-2147481580, ... ) == 0x0 00116 896 NtClose (-2147481552, ... ) == 0x0 00117 896 NtClose (-2147481592, ... ) == 0x0 00118 896 NtClose (-2147481596, ... ) == 0x0 00119 896 NtClose (-2147482108, ... ) == 0x0 00120 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0 00121 896 NtClose (-2147481596, ... ) == 0x0 00122 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0 00123 896 NtClose (-2147481592, ... ) == 0x0 00124 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0 00125 896 NtClose (-2147481552, ... ) == 0x0 00126 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0 00127 896 NtClose (-2147481580, ... ) == 0x0 00128 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0 00129 896 NtClose (-2147481512, ... ) == 0x0 00130 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0 00131 896 NtClose (-2147482692, ... ) == 0x0 00132 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... 
-2147481584, ) == 0x0 00133 896 NtClose (-2147481584, ... ) == 0x0 00134 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0 00135 896 NtClose (-2147481588, ... ) == 0x0 00136 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0 00137 896 NtClose (-2147482664, ... ) == 0x0 00138 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0 00139 896 NtClose (-2147482668, ... ) == 0x0 00140 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0 00141 896 NtClose (-2147482672, ... ) == 0x0 00142 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0 00143 896 NtClose (-2147482676, ... ) == 0x0 00144 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147481624, ) == 0x0 00145 896 NtClose (-2147481624, ... ) == 0x0 00146 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481624, ... -2147482592, ) == 0x0 00147 896 NtClose (-2147482592, ... ) == 0x0 00148 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482592, ... -2147482104, ) == 0x0 00149 896 NtClose (-2147482104, ... ) == 0x0 00150 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482104, ... -2147481484, ) == 0x0 00151 896 NtClose (-2147481484, ... ) == 0x0 00152 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481484, ... -2147481628, ) == 0x0 00153 896 NtClose (-2147481628, ... ) == 0x0 00154 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482760, ) == 0x0 00155 896 NtClose (-2147482760, ... ) == 0x0 00156 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... 
-2147482680, ) == 0x0 00157 896 NtClose (-2147482680, ... ) == 0x0 00158 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0 00159 896 NtClose (-2147482684, ... ) == 0x0 00160 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0 00161 896 NtClose (-2147481452, ... ) == 0x0 00162 896 NtCreateSection (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0 00163 896 NtClose (-2147482724, ... ) == 0x0 00164 896 NtClose (-2147482108, ... ) == 0x0 00165 896 NtClose (-2147481596, ... ) == 0x0 00166 896 NtClose (-2147481592, ... ) == 0x0 00167 896 NtClose (-2147481552, ... ) == 0x0 00168 896 NtClose (-2147481580, ... ) == 0x0 00169 896 NtClose (-2147481512, ... ) == 0x0 00170 896 NtClose (-2147482692, ... ) == 0x0 00171 896 NtClose (-2147481584, ... ) == 0x0 00172 896 NtClose (-2147481588, ... ) == 0x0 00173 896 NtClose (-2147482664, ... ) == 0x0 00174 896 NtClose (-2147482668, ... ) == 0x0 00175 896 NtClose (-2147482672, ... ) == 0x0 00176 896 NtClose (-2147482676, ... ) == 0x0 00177 896 NtClose (-2147481624, ... ) == 0x0 00178 896 NtClose (-2147482592, ... ) == 0x0 00179 896 NtClose (-2147482104, ... ) == 0x0 00180 896 NtClose (-2147481484, ... ) == 0x0 00181 896 NtClose (-2147481628, ... ) == 0x0 00182 896 NtClose (-2147482760, ... ) == 0x0 00183 896 NtClose (-2147482680, ... ) == 0x0 00184 896 NtClose (-2147482684, ... ) == 0x0 00185 896 NtClose (-2147481452, ... ) == 0x0 00186 896 NtClose (-2147482756, ... ) == 0x0 00187 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00188 896 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 
4, ) == 0x0 00189 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00190 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00191 896 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00192 896 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00193 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00194 896 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00195 896 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00196 896 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00197 896 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00198 896 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00199 896 NtClose (12, ... ) == 0x0 00200 896 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00201 896 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00202 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00203 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00204 896 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00205 896 NtClose (16, ... ) == 0x0 00206 896 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00207 896 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00208 896 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00209 896 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00210 896 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00211 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00212 896 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00213 896 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0 00214 896 NtClose (16, ... ) == 0x0 00215 896 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00216 896 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00217 896 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00218 896 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00219 896 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00220 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81831, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ) ) == 0x0 00221 896 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00222 896 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00223 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00224 896 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00225 896 NtClose (16, ... ) == 0x0 00226 896 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 
16, ) == 0x0 00227 896 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00228 896 NtClose (16, ... ) == 0x0 00229 896 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00230 896 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00231 896 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0 00232 896 NtClose (16, ... ) == 0x0 00233 896 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00234 896 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00235 896 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00236 896 NtClose (16, ... ) == 0x0 00237 896 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00238 896 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00239 896 NtClose (16, ... ) == 0x0 00240 896 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00241 896 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00242 896 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00243 896 NtAllocateVirtualMemory (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0 00244 896 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... 
{24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ) ... {24, 52, reply, 0, 1252, 896, 81832, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 1252, 896, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ) ) == 0x0 00245 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81833, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ) ) == 0x0 00246 896 NtProtectVirtualMemory (-1, (0x409000), 90128, 4, ... (0x409000), 94208, 128, ) == 0x0 00247 896 NtProtectVirtualMemory (-1, (0x409000), 94208, 128, ... (0x409000), 94208, 4, ) == 0x0 00248 896 NtFlushInstructionCache (-1, 4231168, 90128, ... ) == 0x0 00249 896 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00250 896 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00251 896 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00252 896 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00253 896 NtClose (16, ... ) == 0x0 00254 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00255 896 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... 
TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00256 896 NtClose (16, ... ) == 0x0 00257 896 NtTestAlert (... ) == 0x0 00258 896 NtContinue (1244464, 1, ... 00259 896 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x419010,}, 4, ... ) == 0x0 00260 896 NtQueryVirtualMemory (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 00261 896 NtContinue (1244400, 0, ... 00262 896 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0 00263 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0 00264 896 NtQueryValueKey (16, (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00265 896 NtClose (16, ... ) == 0x0 00266 896 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00267 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00268 896 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00269 896 NtClose (16, ... ) == 0x0 00270 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00271 896 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00272 896 NtClose (16, ... ) == 0x0 00273 896 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00274 896 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00275 896 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00276 896 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... 
(0x77f11000), 4096, 32, ) == 0x0 00277 896 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00278 896 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00279 896 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00280 896 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00281 896 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00282 896 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00283 896 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00284 896 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00285 896 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00286 896 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00287 896 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00288 896 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00289 896 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00290 896 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00291 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00292 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00293 896 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00294 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81834, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81834, 0} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6!\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81834, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ) ) == 0x0 00295 896 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00296 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... ) == 0x0 00297 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00298 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0 00299 896 NtClose (16, ... ) == 0x0 00300 896 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0 00301 896 NtClose (28, ... ) == 0x0 00302 896 NtUnmapViewOfSection (-1, 0x420000, ... ) == 0x0 00303 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0 00304 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 
28, {status=0x0, info=1}, ) == 0x0 00305 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0 00306 896 NtClose (28, ... ) == 0x0 00307 896 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0 00308 896 NtClose (16, ... ) == 0x0 00309 896 NtUnmapViewOfSection (-1, 0x420000, ... ) == 0x0 00310 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00311 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00312 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0 00313 896 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00314 896 NtOpenProcessToken (-1, 0x8, ... 32, ) == 0x0 00315 896 NtQueryInformationToken (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00316 896 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00317 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0 00318 896 NtQueryValueKey (36, (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00319 896 NtClose (36, ... ) == 0x0 00320 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00321 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 36, ) == 0x0 00322 896 NtQueryInformationToken (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00323 896 NtClose (36, ... 
) == 0x0 00324 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00325 896 NtClose (32, ... ) == 0x0 00326 896 NtClose (16, ... ) == 0x0 00327 896 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00328 896 NtClose (28, ... ) == 0x0 00329 896 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00330 896 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00331 896 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00332 896 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00333 896 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00334 896 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00335 896 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00336 896 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00337 896 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00338 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00339 896 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00340 896 NtClose (28, ... ) == 0x0 00341 896 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00342 896 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00343 896 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00344 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00345 896 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x77e70000), 0x0, 593920, ) == 0x0 00346 896 NtClose (28, ... ) == 0x0 00347 896 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00348 896 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00349 896 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00350 896 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00351 896 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00352 896 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00353 896 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00354 896 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00355 896 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00356 896 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00357 896 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00358 896 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00359 896 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00360 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00361 896 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00362 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00363 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 
28, ) == 0x0 00364 896 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00365 896 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00366 896 NtClose (28, ... ) == 0x0 00367 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00368 896 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00369 896 NtClose (28, ... ) == 0x0 00370 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00371 896 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00372 896 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00373 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00374 896 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00375 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0 00376 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00377 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00378 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0 00379 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00380 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0 00381 896 NtQueryValueKey (16, (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00382 896 NtClose (16, ... ) == 0x0 00383 896 NtMapViewOfSection (-2147482756, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0 00384 896 NtClose (-2147482756, ... ) == 0x0 00385 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0 00386 896 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00387 896 NtOpenProcessTokenEx (-1, 0x8, 512, ... 
-2147482756, ) == 0x0 00388 896 NtQueryInformationToken (-2147482756, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00389 896 NtQueryInformationToken (-2147482756, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00390 896 NtClose (-2147482756, ... ) == 0x0 00391 896 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 5439488, 4096, ) == 0x0 00392 896 NtFreeVirtualMemory (-1, (0x530000), 4096, 32768, ... (0x530000), 4096, ) == 0x0 00393 896 NtDuplicateObject (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0 00394 896 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 00395 896 NtQueryValueKey (-2147482756, (-2147482756, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00396 896 NtClose (-2147482756, ... ) == 0x0 00397 896 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 00398 896 NtQueryValueKey (-2147482756, (-2147482756, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00399 896 NtClose (-2147482756, ... ) == 0x0 00400 896 NtQueryDefaultLocale (0, -135747252, ... ) == 0x0 00401 896 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00402 896 NtUserCallNoParam (24, ... ) == 0x0 00403 896 NtGdiCreateCompatibleDC (0, ... 00404 896 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5439488, 4096, ) == 0x0 00403 896 NtGdiCreateCompatibleDC ... ) == 0x860107ab 00405 896 NtGdiGetStockObject (0, ... ) == 0x1900010 00406 896 NtGdiGetStockObject (4, ... ) == 0x1900011 00407 896 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... ) == 0x870506a2 00408 896 NtGdiCreateSolidBrush (0, 0, ... 00409 896 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 
8650752, 4096, ) == 0x0 00408 896 NtGdiCreateSolidBrush ... ) == 0x1100680 00410 896 NtGdiGetStockObject (13, ... ) == 0x18a0021 00411 896 NtGdiCreateCompatibleDC (0, ... ) == 0xf6010687 00412 896 NtGdiSelectBitmap (-167704953, -2029713758, ... ) == 0x185000f 00413 896 NtUserGetThreadDesktop (896, 0, ... ) == 0x24 00414 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0 00415 896 NtQueryValueKey (44, (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00416 896 NtClose (44, ... ) == 0x0 00417 896 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00418 896 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8177c017 00419 896 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00420 896 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8177c01c 00421 896 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00422 896 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8177c01e 00423 896 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00424 896 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81778002 00425 896 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10013 00426 896 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8177c018 00427 896 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00428 896 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8177c01a 00429 896 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... 
) == 0x10011 00430 896 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8177c01d 00431 896 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00432 896 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8177c026 00433 896 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00434 896 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8177c019 00435 896 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c020 00436 896 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c022 00437 896 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c023 00438 896 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8177c024 00439 896 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8177c025 00440 896 NtCallbackReturn (0, 0, 0, ... 00441 896 NtGdiInit (... ) == 0x1 00442 896 NtGdiGetStockObject (18, ... ) == 0x290001c 00443 896 NtGdiGetStockObject (19, ... ) == 0x1b00019 00444 896 NtAllocateVirtualMemory (-1, 0, 0, 26112, 4096, 64, ... 8716288, 28672, ) == 0x0 00445 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00446 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00447 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0 00448 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 
44, {status=0x0, info=1}, ) == 0x0 00449 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0 00450 896 NtQuerySection (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00451 896 NtClose (44, ... ) == 0x0 00452 896 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0 00453 896 NtClose (48, ... ) == 0x0 00454 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0 00455 896 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0 00456 896 NtClose (48, ... ) == 0x0 00457 896 NtProtectVirtualMemory (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00458 896 NtProtectVirtualMemory (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00459 896 NtFlushInstructionCache (-1, 2009141248, 632, ... ) == 0x0 00460 896 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00461 896 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00462 896 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00463 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00464 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00465 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0 00466 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0 00467 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0 00468 896 NtQuerySection (44, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 00469 896 NtClose (48, ... ) == 0x0 00470 896 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00471 896 NtClose (44, ... ) == 0x0 00472 896 NtProtectVirtualMemory (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00473 896 NtProtectVirtualMemory (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00474 896 NtFlushInstructionCache (-1, 1906970624, 352, ... ) == 0x0 00475 896 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00476 896 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00477 896 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00478 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00479 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00480 896 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0 00481 896 NtAllocateVirtualMemory (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0 00482 896 NtAllocateVirtualMemory (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0 00483 896 NtAllocateVirtualMemory (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0 00484 896 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0 00485 896 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0 00486 896 NtClose (44, ... 
) == 0x0 00487 896 NtAllocateVirtualMemory (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0 00488 896 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00489 896 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00490 896 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00491 896 NtQueryVirtualMemory (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0 00492 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00493 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00494 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00495 896 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00496 896 NtFreeVirtualMemory (-1, (0x850000), 0, 32768, ... (0x850000), 28672, ) == 0x0 00497 896 NtFreeVirtualMemory (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0 00498 896 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00499 896 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00500 896 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00501 896 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 00502 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 8912896, 1048576, ) == 0x0 00503 896 NtAllocateVirtualMemory (-1, 8912896, 0, 32768, 4096, 4, ... 8912896, 32768, ) == 0x0 00504 896 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0 00505 896 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 48, ) }, 0, ... 48, ) == 0x0 00506 896 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0 00507 896 NtQueryValueKey (52, (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00508 896 NtQueryValueKey (52, (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00509 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0 00510 896 NtOpenKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Protocol_Catalog9"}, ... 60, ) }, ... 
60, ) == 0x0 00511 896 NtQueryValueKey (60, (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00512 896 NtNotifyChangeKey (60, 56, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00513 896 NtQueryValueKey (60, (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00514 896 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00515 896 NtQueryValueKey (60, (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 00516 896 NtQueryValueKey (60, (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 00517 896 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Catalog_Entries"}, ... 64, ) }, ... 64, ) == 0x0 00518 896 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00519 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000001"}, ... 68, ) }, ... 68, ) == 0x0 00520 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00521 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00522 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\13\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\13\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\14\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\16\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\13\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\13\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\14\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\16\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\16\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\13\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\13\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\14\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\15\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\16\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00523 896 NtClose (68, ... ) == 0x0 00524 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000002"}, ... 68, ) }, ... 68, ) == 0x0 00525 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00526 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00527 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\20\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\20\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\21\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\20\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\20\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\21\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\20\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\20\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\21\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\22\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\23\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00528 896 NtClose (68, ... ) == 0x0 00529 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000003"}, ... 68, ) }, ... 68, ) == 0x0 00530 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00531 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00532 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\25\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\25\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\26\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\25\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\25\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\26\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\25\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\25\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\26\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\26\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\27\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\30\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00533 896 NtClose (68, ... ) == 0x0 00534 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000004"}, ... 68, ) }, ... 68, ) == 0x0 00535 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00536 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00537 896 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00538 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\33\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\33\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\34\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\33\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\33\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\34\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\33\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\33\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\34\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\35\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00539 896 NtClose (68, ... ) == 0x0 00540 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000005"}, ... 68, ) }, ... 68, ) == 0x0 00541 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00542 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00543 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0 \2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0!\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0"\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00544 896 NtClose (68, ... ) == 0x0 00545 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000006"}, ... 68, ) }, ... 
68, ) == 0x0 00546 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00547 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00548 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 
\0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0%\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0%\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0&\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0%\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0%\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0&\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0%\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0%\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0&\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0'\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00549 896 NtClose (68, ... ) == 0x0 00550 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000007"}, ... 68, ) }, ... 
68, ) == 0x0 00551 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00552 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00553 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0*\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0*\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0+\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0*\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0*\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0+\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0*\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0*\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0+\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0,\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00554 896 NtClose (68, ... ) == 0x0 00555 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000008"}, ... 68, ) }, ... 68, ) == 0x0 00556 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00557 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00558 896 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00559 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\00\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\00\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\01\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\00\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\00\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\01\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\00\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\00\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\01\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\01\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\02\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\03\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00560 896 NtClose (68, ... ) == 0x0 00561 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000009"}, ... 68, ) }, ... 68, ) == 0x0 00562 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00563 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00564 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\05\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\05\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\06\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\05\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\05\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\06\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\05\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\05\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\06\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\07\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\08\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, 
) }, 900, ) == 0x0 00565 896 NtClose (68, ... ) == 0x0 00566 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000010"}, ... 68, ) }, ... 68, ) == 0x0 00567 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00568 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00569 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0:\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0:\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0;\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0:\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0:\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0;\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0:\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0:\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0;\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0;\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0<\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0=\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00570 896 NtClose (68, ... ) == 0x0 00571 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000011"}, ... 68, ) }, ... 68, ) == 0x0 00572 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00573 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00574 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0?\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0?\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0@\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0?\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0?\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0@\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0?\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0?\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0@\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0@\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0A\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0B\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, 
) }, 900, ) == 0x0 00575 896 NtClose (68, ... ) == 0x0 00576 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000012"}, ... 68, ) }, ... 68, ) == 0x0 00577 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00578 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00579 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0D\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0D\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0E\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0D\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0D\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0E\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0D\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0D\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0E\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0E\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0F\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0G\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00580 896 NtClose (68, ... ) == 0x0 00581 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000013"}, ... 68, ) }, ... 68, ) == 0x0 00582 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00583 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00584 896 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00585 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0J\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0J\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0K\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0J\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0J\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0K\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0J\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0J\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0K\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0K\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0L\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0M\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00586 896 NtClose (68, ... ) == 0x0 00587 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000014"}, ... 68, ) }, ... 68, ) == 0x0 00588 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00589 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00590 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0O\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0O\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0P\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0O\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0O\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0P\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0O\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0O\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0P\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0P\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0R\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 
900, ) == 0x0 00591 896 NtClose (68, ... ) == 0x0 00592 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000015"}, ... 68, ) }, ... 68, ) == 0x0 00593 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00594 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00595 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0T\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0T\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0U\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0T\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0T\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0U\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0T\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0T\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0U\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0U\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0V\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0W\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00596 896 NtClose (68, ... ) == 0x0 00597 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000016"}, ... 68, ) }, ... 68, ) == 0x0 00598 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00599 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00600 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0Y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0Y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0Z\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0Y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0Y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0Z\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0Y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0Y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Z\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0Z\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0[\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, 
) }, 900, ) == 0x0 00601 896 NtClose (68, ... ) == 0x0 00602 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000017"}, ... 68, ) }, ... 68, ) == 0x0 00603 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00604 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00605 896 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00606 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0_\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0_\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0`\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0_\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0_\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0`\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0_\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0_\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0`\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0`\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0a\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0b\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00607 896 NtClose (68, ... ) == 0x0 00608 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000018"}, ... 68, ) }, ... 68, ) == 0x0 00609 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00610 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00611 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0d\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0d\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0e\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0d\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0d\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0e\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0d\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0d\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0e\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0e\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0f\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0g\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, 
) }, 900, ) == 0x0 00612 896 NtClose (68, ... ) == 0x0 00613 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000019"}, ... 68, ) }, ... 68, ) == 0x0 00614 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00615 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00616 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0i\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0i\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0j\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0i\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0i\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0j\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0i\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0i\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0j\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0j\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0k\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0l\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00617 896 NtClose (68, ... ) == 0x0 00618 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000020"}, ... 68, ) }, ... 68, ) == 0x0 00619 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00620 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00621 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0n\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0n\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0o\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0n\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0n\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0o\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0n\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0n\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0o\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
}, 900, ) == 0x0 00622 896 NtClose (68, ... ) == 0x0 00623 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000021"}, ... 68, ) }, ... 68, ) == 0x0 00624 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00625 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00626 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0s\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0s\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0t\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0s\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0s\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0t\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0s\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0s\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0t\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00627 896 NtClose (68, ... ) == 0x0 00628 896 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000022"}, ... 68, ) }, ... 68, ) == 0x0 00629 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00630 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00631 896 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00632 896 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0z\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\2\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\2\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0|\2\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0|\2\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0}\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0z\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\2\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\2\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0|\2\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0|\2\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0}\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0y\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0z\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0z\2\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\2\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\2\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0|\2\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0|\2\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0}\2\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 00633 896 NtClose (68, ... ) == 0x0 00634 896 NtClose (64, ... ) == 0x0 00635 896 NtWaitForSingleObject (56, 0, {0, 0}, ... ) == 0x102 00636 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0 00637 896 NtOpenKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 68, ) }, ... 68, ) == 0x0 00638 896 NtQueryValueKey (68, (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00639 896 NtNotifyChangeKey (68, 64, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00640 896 NtQueryValueKey (68, (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00641 896 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00642 896 NtQueryValueKey (68, (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00643 896 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0 00644 896 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0 00645 896 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00646 896 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00647 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00648 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00649 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00650 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00651 896 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00652 896 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00653 896 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00654 896 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00655 896 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00656 896 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00657 896 NtClose (76, ... ) == 0x0 00658 896 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0 00659 896 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00660 896 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00661 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00662 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00663 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00664 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00665 896 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00666 896 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00667 896 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00668 896 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00669 896 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00670 896 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00671 896 NtClose (76, ... ) == 0x0 00672 896 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0 00673 896 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00674 896 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00675 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00676 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00677 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00678 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00679 896 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00680 896 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00681 896 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00682 896 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00683 896 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00684 896 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00685 896 NtClose (76, ... ) == 0x0 00686 896 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0 00687 896 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00688 896 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00689 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00690 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00691 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00692 896 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00693 896 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 00694 896 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00695 896 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 00696 896 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00697 896 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00698 896 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00699 896 NtClose (76, ... ) == 0x0 00700 896 NtClose (72, ... ) == 0x0 00701 896 NtWaitForSingleObject (64, 0, {0, 0}, ... ) == 0x102 00702 896 NtClose (52, ... ) == 0x0 00703 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00704 896 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00705 896 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0 00706 896 NtQueryValueKey (52, (52, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00707 896 NtClose (52, ... ) == 0x0 00708 896 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00709 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
52, ) == 0x0 00710 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241648, (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0 00711 896 NtQueryInformationFile (72, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00712 896 NtQueryInformationFile (72, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00713 896 NtQueryInformationFile (72, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00714 896 NtAllocateVirtualMemory (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0 00715 896 NtQueryInformationFile (72, 1355896, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 00716 896 NtQueryInformationFile (72, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00717 896 NtQueryInformationFile (72, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 00718 896 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240416, (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 00719 896 NtClose (-2147482756, ... ) == 0x0 00718 896 NtCreateFile ... 76, {status=0x0, info=2}, ) == 0x0 00720 896 NtQueryVolumeInformationFile (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00721 896 NtQueryInformationFile (76, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00722 896 NtQueryVolumeInformationFile (72, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00723 896 NtQueryVolumeInformationFile (72, 1239912, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00724 896 NtSetInformationFile (76, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00725 896 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0 00726 896 NtMapViewOfSection (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x980000), {0, 0}, 90112, ) == 0x0 00727 896 NtClose (80, ... 
) == 0x0 00728 896 NtWriteFile (76, 0, 0, 0, (76, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0\20\220\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \0\0\0\0\0\0\20\220\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\2\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 00729 896 NtWriteFile (76, 0, 0, 0, (76, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 24592, 0x0, 0, ... {status=0x0, info=24592}, ) , 24592, 0x0, 0, ... {status=0x0, info=24592}, ) == 0x0 00730 896 NtUnmapViewOfSection (-1, 0x980000, ... ) == 0x0 00731 896 NtSetInformationFile (76, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00732 896 NtClose (72, ... ) == 0x0 00733 896 NtClose (76, ... ) == 0x0 00734 896 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 76, ) }, ... 76, ) == 0x0 00735 896 NtSetValueKey (76, (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1, (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ... 00736 896 NtSetInformationFile (-2147482448, -135747792, 8, EndOfFile, ... 
{status=0x0, info=0}, ) == 0x0 00737 896 NtSetInformationFile (-2147482448, -135747884, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00738 896 NtSetInformationFile (-2147482448, -135748192, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00739 896 NtSetInformationFile (-2147482448, -135748288, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00735 896 NtSetValueKey ... ) == 0x0 00740 896 NtClose (76, ... ) == 0x0 00741 896 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0 00742 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9961472, 1048576, ) == 0x0 00743 896 NtAllocateVirtualMemory (-1, 11001856, 0, 8192, 4096, 4, ... 11001856, 8192, ) == 0x0 00744 896 NtProtectVirtualMemory (-1, (0xa7e000), 4096, 260, ... (0xa7e000), 4096, 4, ) == 0x0 00745 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 72, {1252, 2016}, ) == 0x0 00746 896 NtQueryInformationThread (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1252,Tid=2016,}, 0x0, ) == 0x0 00747 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\344\4\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81837, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\344\4\0\0\340\7\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81837, 0} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\344\4\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81837, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\344\4\0\0\340\7\0\0" ) ) == 0x0 00748 896 NtResumeThread (72, ... 1, ) == 0x0 00749 2016 NtTestAlert (... ) == 0x0 00750 2016 NtContinue (11009328, 1, ... 00751 2016 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00752 2016 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
80, ) == 0x0 00753 2016 NtWaitForSingleObject (56, 0, {0, 0}, ... ) == 0x102 00754 2016 NtAllocateVirtualMemory (-1, 10997760, 0, 4096, 4096, 260, ... 00755 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11010048, 1048576, ) == 0x0 00756 896 NtAllocateVirtualMemory (-1, 12050432, 0, 8192, 4096, 4, ... 12050432, 8192, ) == 0x0 00757 896 NtProtectVirtualMemory (-1, (0xb7e000), 4096, 260, ... (0xb7e000), 4096, 4, ) == 0x0 00758 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 84, {1252, 596}, ) == 0x0 00759 896 NtQueryInformationThread (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1252,Tid=596,}, 0x0, ) == 0x0 00760 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81837, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81837, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\344\4\0\0T\2\0\0" ... ... 00754 2016 NtAllocateVirtualMemory ... 10997760, 4096, ) == 0x0 00761 2016 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006452, ... ) }, 11006452, ... ) == 0x0 00762 2016 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00763 2016 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 88, ... 00760 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81838, 0} ... {28, 56, reply, 0, 1252, 896, 81838, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\344\4\0\0T\2\0\0" ) ) == 0x0 00764 896 NtResumeThread (84, ... 1, ) == 0x0 00765 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 12058624, 1048576, ) == 0x0 00766 896 NtAllocateVirtualMemory (-1, 13099008, 0, 8192, 4096, 4, ... 13099008, 8192, ) == 0x0 00767 896 NtProtectVirtualMemory (-1, (0xc7e000), 4096, 260, ... (0xc7e000), 4096, 4, ) == 0x0 00768 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
92, {1252, 376}, ) == 0x0 00769 896 NtQueryInformationThread (92, Basic, 28, ... 00763 2016 NtCreateSection ... 96, ) == 0x0 00770 596 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00771 2016 NtClose (88, ... 00770 596 NtCreateEvent ... 100, ) == 0x0 00771 2016 NtClose ... ) == 0x0 00772 596 NtWaitForSingleObject (100, 0, 0x0, ... 00773 2016 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc80000), 0x0, 245760, ) == 0x0 00774 2016 NtClose (96, ... ) == 0x0 00769 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1252,Tid=376,}, 0x0, ) == 0x0 00775 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81838, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81838, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\344\4\0\0x\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81839, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\344\4\0\0x\1\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81839, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81838, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\344\4\0\0x\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81839, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\344\4\0\0x\1\0\0" ) ) == 0x0 00776 896 NtResumeThread (92, ... 1, ) == 0x0 00777 2016 NtUnmapViewOfSection (-1, 0xc80000, ... 00778 376 NtWaitForSingleObject (100, 0, 0x0, ... 00777 2016 NtUnmapViewOfSection ... ) == 0x0 00779 2016 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006760, ... ) }, 11006760, ... ) == 0x0 00780 2016 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00781 2016 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 88, ) == 0x0 00782 2016 NtQuerySection (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00783 2016 NtClose (96, ... ) == 0x0 00784 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
13107200, 1048576, ) == 0x0 00785 896 NtAllocateVirtualMemory (-1, 14147584, 0, 8192, 4096, 4, ... 14147584, 8192, ) == 0x0 00786 896 NtProtectVirtualMemory (-1, (0xd7e000), 4096, 260, ... (0xd7e000), 4096, 4, ) == 0x0 00787 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 96, {1252, 420}, ) == 0x0 00788 896 NtQueryInformationThread (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1252,Tid=420,}, 0x0, ) == 0x0 00789 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81839, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81839, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\344\4\0\0\244\1\0\0" ... ... 00790 2016 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0 00791 2016 NtClose (88, ... ) == 0x0 00792 2016 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00789 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81840, 0} ... {28, 56, reply, 0, 1252, 896, 81840, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\344\4\0\0\244\1\0\0" ) ) == 0x0 00793 896 NtResumeThread (96, ... 1, ) == 0x0 00794 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14155776, 1048576, ) == 0x0 00795 896 NtAllocateVirtualMemory (-1, 15196160, 0, 8192, 4096, 4, ... 15196160, 8192, ) == 0x0 00796 896 NtProtectVirtualMemory (-1, (0xe7e000), 4096, 260, ... (0xe7e000), 4096, 4, ) == 0x0 00797 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 88, {1252, 384}, ) == 0x0 00798 896 NtQueryInformationThread (88, Basic, 28, ... 00799 2016 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 00800 420 NtWaitForSingleObject (100, 0, 0x0, ... 00799 2016 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 00801 2016 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00802 2016 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00803 2016 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 
(0x71a51000), 4096, 4, ) == 0x0 00804 2016 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00798 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1252,Tid=384,}, 0x0, ) == 0x0 00805 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81840, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81840, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\344\4\0\0\200\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81841, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\344\4\0\0\200\1\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81841, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81840, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\344\4\0\0\200\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81841, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\0\0\0\344\4\0\0\200\1\0\0" ) ) == 0x0 00806 896 NtResumeThread (88, ... 1, ) == 0x0 00807 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15204352, 1048576, ) == 0x0 00808 896 NtAllocateVirtualMemory (-1, 16244736, 0, 8192, 4096, 4, ... 16244736, 8192, ) == 0x0 00809 896 NtProtectVirtualMemory (-1, (0xf7e000), 4096, 260, ... (0xf7e000), 4096, 4, ) == 0x0 00810 2016 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... 00811 384 NtWaitForSingleObject (100, 0, 0x0, ... 00810 2016 NtProtectVirtualMemory ... (0x71a51000), 4096, 32, ) == 0x0 00812 2016 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 00813 2016 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00814 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 104, {1252, 1028}, ) == 0x0 00815 896 NtQueryInformationThread (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1252,Tid=1028,}, 0x0, ) == 0x0 00816 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81841, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81841, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\4\0\0\4\4\0\0" ... ... 
00817 2016 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00818 2016 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00816 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81842, 0} ... {28, 56, reply, 0, 1252, 896, 81842, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\344\4\0\0\4\4\0\0" ) ) == 0x0 00819 896 NtResumeThread (104, ... 1, ) == 0x0 00820 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 16252928, 1048576, ) == 0x0 00821 896 NtAllocateVirtualMemory (-1, 17293312, 0, 8192, 4096, 4, ... 17293312, 8192, ) == 0x0 00822 896 NtProtectVirtualMemory (-1, (0x107e000), 4096, 260, ... (0x107e000), 4096, 4, ) == 0x0 00823 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 108, {1252, 2012}, ) == 0x0 00824 896 NtQueryInformationThread (108, Basic, 28, ... 00825 2016 NtQuerySystemInformation (Processor, 12, ... 00826 1028 NtWaitForSingleObject (100, 0, 0x0, ... 00825 2016 NtQuerySystemInformation ... {system info, class 1, size 12}, 0x0, ) == 0x0 00827 2016 NtSetEventBoostPriority (100, ... 00772 596 NtWaitForSingleObject ... ) == 0x0 00828 596 NtSetEventBoostPriority (100, ... 00778 376 NtWaitForSingleObject ... ) == 0x0 00829 376 NtSetEventBoostPriority (100, ... 00800 420 NtWaitForSingleObject ... ) == 0x0 00830 420 NtSetEventBoostPriority (100, ... 00811 384 NtWaitForSingleObject ... ) == 0x0 00831 384 NtSetEventBoostPriority (100, ... 00826 1028 NtWaitForSingleObject ... ) == 0x0 00832 1028 NtTestAlert (... ) == 0x0 00831 384 NtSetEventBoostPriority ... 
) == 0x0 00830 420 NtSetEventBoostPriority ... ) == 0x0 00829 376 NtSetEventBoostPriority ... ) == 0x0 00828 596 NtSetEventBoostPriority ... ) == 0x0 00827 2016 NtSetEventBoostPriority ... ) == 0x0 00824 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1252,Tid=2012,}, 0x0, ) == 0x0 00833 1028 NtContinue (16252208, 1, ... 00834 384 NtTestAlert (... 00835 420 NtTestAlert (... 00836 376 NtTestAlert (... 00837 2016 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00838 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81842, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81842, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0\344\4\0\0\334\7\0\0" ... ... 00839 1028 NtRegisterThreadTerminatePort (24, ... 00834 384 NtTestAlert ... ) == 0x0 00835 420 NtTestAlert ... ) == 0x0 00836 376 NtTestAlert ... ) == 0x0 00837 2016 NtCreateEvent ... 112, ) == 0x0 00838 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81843, 0} ... {28, 56, reply, 0, 1252, 896, 81843, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0\344\4\0\0\334\7\0\0" ) ) == 0x0 00839 1028 NtRegisterThreadTerminatePort ... ) == 0x0 00840 384 NtContinue (15203632, 1, ... 00841 420 NtContinue (14155056, 1, ... 00842 376 NtContinue (13106480, 1, ... 00843 596 NtTestAlert (... 00844 896 NtResumeThread (108, ... 00845 1028 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00846 384 NtRegisterThreadTerminatePort (24, ... 00847 420 NtRegisterThreadTerminatePort (24, ... 00848 376 NtRegisterThreadTerminatePort (24, ... 00843 596 NtTestAlert ... ) == 0x0 00844 896 NtResumeThread ... 1, ) == 0x0 00845 1028 NtDuplicateObject ... 116, ) == 0x0 00846 384 NtRegisterThreadTerminatePort ... ) == 0x0 00847 420 NtRegisterThreadTerminatePort ... ) == 0x0 00848 376 NtRegisterThreadTerminatePort ... ) == 0x0 00849 596 NtContinue (12057904, 1, ... 00850 2016 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ... 00851 2012 NtWaitForSingleObject (100, 0, 0x0, ... 
00852 1028 NtWaitForSingleObject (64, 0, {0, 0}, ... 00853 384 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00854 420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00855 376 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00856 596 NtRegisterThreadTerminatePort (24, ... 00850 2016 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00857 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00852 1028 NtWaitForSingleObject ... ) == 0x102 00853 384 NtDuplicateObject ... 120, ) == 0x0 00854 420 NtDuplicateObject ... 124, ) == 0x0 00856 596 NtRegisterThreadTerminatePort ... ) == 0x0 00858 2016 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11006372, ... }, 11006372, ... 00857 896 NtAllocateVirtualMemory ... 17301504, 1048576, ) == 0x0 00859 1028 NtAllocateVirtualMemory (-1, 16240640, 0, 4096, 4096, 260, ... 00860 384 NtWaitForSingleObject (64, 0, {0, 0}, ... 00861 420 NtWaitForSingleObject (64, 0, {0, 0}, ... 00862 596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00863 896 NtAllocateVirtualMemory (-1, 18341888, 0, 8192, 4096, 4, ... 00859 1028 NtAllocateVirtualMemory ... 16240640, 4096, ) == 0x0 00860 384 NtWaitForSingleObject ... ) == 0x102 00861 420 NtWaitForSingleObject ... ) == 0x102 00855 376 NtDuplicateObject ... 128, ) == 0x0 00863 896 NtAllocateVirtualMemory ... 18341888, 8192, ) == 0x0 00864 1028 NtWaitForSingleObject (100, 0, 0x0, ... 00865 384 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00866 420 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00867 376 NtWaitForSingleObject (64, 0, {0, 0}, ... 00868 896 NtProtectVirtualMemory (-1, (0x117e000), 4096, 260, ... 00865 384 NtCreateEvent ... 132, ) == 0x0 00866 420 NtCreateEvent ... 136, ) == 0x0 00867 376 NtWaitForSingleObject ... ) == 0x102 00868 896 NtProtectVirtualMemory ... (0x117e000), 4096, 4, ) == 0x0 00862 596 NtDuplicateObject ... 140, ) == 0x0 00869 384 NtWaitForSingleObject (132, 0, 0x0, ... 00870 376 NtWaitForSingleObject (132, 0, 0x0, ... 
00871 420 NtClose (136, ... 00872 596 NtWaitForSingleObject (64, 0, {0, 0}, ... 00871 420 NtClose ... ) == 0x0 00872 596 NtWaitForSingleObject ... ) == 0x102 00873 420 NtWaitForSingleObject (132, 0, 0x0, ... 00874 596 NtWaitForSingleObject (132, 0, 0x0, ... 00875 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 136, {1252, 1168}, ) == 0x0 00876 896 NtQueryInformationThread (136, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1252,Tid=1168,}, 0x0, ) == 0x0 00877 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81843, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81843, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\4\0\0\220\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81844, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\4\0\0\220\4\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81844, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81843, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\4\0\0\220\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81844, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\0\0\0\344\4\0\0\220\4\0\0" ) ) == 0x0 00878 896 NtResumeThread (136, ... 1, ) == 0x0 00879 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 18350080, 1048576, ) == 0x0 00880 896 NtAllocateVirtualMemory (-1, 19390464, 0, 8192, 4096, 4, ... 00881 1168 NtWaitForSingleObject (100, 0, 0x0, ... 00880 896 NtAllocateVirtualMemory ... 19390464, 8192, ) == 0x0 00882 896 NtProtectVirtualMemory (-1, (0x127e000), 4096, 260, ... (0x127e000), 4096, 4, ) == 0x0 00883 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 144, {1252, 1180}, ) == 0x0 00884 896 NtQueryInformationThread (144, Basic, 28, ... 00858 2016 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00885 2016 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11006372, ... ) }, 11006372, ... ) == 0x0 00886 2016 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... 
148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0 00887 2016 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 148, ... 152, ) == 0x0 00888 2016 NtQuerySection (152, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00889 2016 NtClose (148, ... ) == 0x0 00890 2016 NtMapViewOfSection (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 00884 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1252,Tid=1180,}, 0x0, ) == 0x0 00891 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81844, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81844, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\234\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81845, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\234\4\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81845, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81844, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\234\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81845, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\344\4\0\0\234\4\0\0" ) ) == 0x0 00892 896 NtResumeThread (144, ... 1, ) == 0x0 00893 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 19398656, 1048576, ) == 0x0 00894 896 NtAllocateVirtualMemory (-1, 20439040, 0, 8192, 4096, 4, ... 20439040, 8192, ) == 0x0 00895 896 NtProtectVirtualMemory (-1, (0x137e000), 4096, 260, ... (0x137e000), 4096, 4, ) == 0x0 00890 2016 NtMapViewOfSection ... (0x662b0000), 0x0, 360448, ) == 0x0 00896 1180 NtWaitForSingleObject (100, 0, 0x0, ... 00897 2016 NtClose (152, ... ) == 0x0 00898 2016 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00899 2016 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00900 2016 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00901 2016 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00902 2016 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 
00903 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 152, {1252, 928}, ) == 0x0 00904 896 NtQueryInformationThread (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1252,Tid=928,}, 0x0, ) == 0x0 00905 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81845, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81845, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\344\4\0\0\240\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\344\4\0\0\240\3\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81846, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81845, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\344\4\0\0\240\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\344\4\0\0\240\3\0\0" ) ) == 0x0 00906 896 NtResumeThread (152, ... 1, ) == 0x0 00907 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 20447232, 1048576, ) == 0x0 00908 896 NtAllocateVirtualMemory (-1, 21487616, 0, 8192, 4096, 4, ... 00902 2016 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 00909 928 NtWaitForSingleObject (100, 0, 0x0, ... 00910 2016 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00911 2016 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00912 2016 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00913 2016 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00914 2016 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00915 2016 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 00908 896 NtAllocateVirtualMemory ... 21487616, 8192, ) == 0x0 00916 896 NtProtectVirtualMemory (-1, (0x147e000), 4096, 260, ... (0x147e000), 4096, 4, ) == 0x0 00917 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 148, {1252, 428}, ) == 0x0 00918 896 NtQueryInformationThread (148, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1252,Tid=428,}, 0x0, ) == 0x0 00919 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81846, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\344\4\0\0\254\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81847, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\344\4\0\0\254\1\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81847, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81846, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\344\4\0\0\254\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81847, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\344\4\0\0\254\1\0\0" ) ) == 0x0 00920 896 NtResumeThread (148, ... 1, ) == 0x0 00915 2016 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 00921 428 NtWaitForSingleObject (100, 0, 0x0, ... 00922 2016 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00923 2016 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00924 2016 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00925 2016 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00926 2016 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00927 2016 NtSetEventBoostPriority (100, ... 00928 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 21495808, 1048576, ) == 0x0 00929 896 NtAllocateVirtualMemory (-1, 22536192, 0, 8192, 4096, 4, ... 22536192, 8192, ) == 0x0 00930 896 NtProtectVirtualMemory (-1, (0x157e000), 4096, 260, ... (0x157e000), 4096, 4, ) == 0x0 00931 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 156, {1252, 1732}, ) == 0x0 00932 896 NtQueryInformationThread (156, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1252,Tid=1732,}, 0x0, ) == 0x0 00933 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81847, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81847, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\344\4\0\0\304\6\0\0" ... ... 00851 2012 NtWaitForSingleObject ... ) == 0x0 00934 2012 NtSetEventBoostPriority (100, ... 00864 1028 NtWaitForSingleObject ... ) == 0x0 00935 1028 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 16247760, ... ) }, 16247760, ... ) == 0x0 00934 2012 NtSetEventBoostPriority ... ) == 0x0 00927 2016 NtSetEventBoostPriority ... ) == 0x0 00933 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81848, 0} ... {28, 56, reply, 0, 1252, 896, 81848, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\344\4\0\0\304\6\0\0" ) ) == 0x0 00936 1028 NtSetEventBoostPriority (100, ... 00937 2016 NtWaitForSingleObject (100, 0, 0x0, ... 00938 896 NtResumeThread (156, ... 00881 1168 NtWaitForSingleObject ... ) == 0x0 00936 1028 NtSetEventBoostPriority ... ) == 0x0 00939 1168 NtSetEventBoostPriority (100, ... 00938 896 NtResumeThread ... 1, ) == 0x0 00896 1180 NtWaitForSingleObject ... ) == 0x0 00939 1168 NtSetEventBoostPriority ... ) == 0x0 00940 1028 NtWaitForSingleObject (100, 0, 0x0, ... 00941 1180 NtSetEventBoostPriority (100, ... 00942 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00943 2012 NtTestAlert (... 00944 1732 NtWaitForSingleObject (100, 0, 0x0, ... 00909 928 NtWaitForSingleObject ... ) == 0x0 00941 1180 NtSetEventBoostPriority ... ) == 0x0 00942 896 NtAllocateVirtualMemory ... 22544384, 1048576, ) == 0x0 00943 2012 NtTestAlert ... ) == 0x0 00945 928 NtSetEventBoostPriority (100, ... 00946 1168 NtTestAlert (... 00947 896 NtAllocateVirtualMemory (-1, 23584768, 0, 8192, 4096, 4, ... 00921 428 NtWaitForSingleObject ... ) == 0x0 00945 928 NtSetEventBoostPriority ... ) == 0x0 00948 2012 NtContinue (17300784, 1, ... 
00946 1168 NtTestAlert ... ) == 0x0 00949 1180 NtTestAlert (... 00950 428 NtSetEventBoostPriority (100, ... 00947 896 NtAllocateVirtualMemory ... 23584768, 8192, ) == 0x0 00951 2012 NtRegisterThreadTerminatePort (24, ... 00952 1168 NtContinue (18349360, 1, ... 00937 2016 NtWaitForSingleObject ... ) == 0x0 00950 428 NtSetEventBoostPriority ... ) == 0x0 00949 1180 NtTestAlert ... ) == 0x0 00953 896 NtProtectVirtualMemory (-1, (0x167e000), 4096, 260, ... 00951 2012 NtRegisterThreadTerminatePort ... ) == 0x0 00954 2016 NtSetEventBoostPriority (100, ... 00955 1168 NtRegisterThreadTerminatePort (24, ... 00956 928 NtTestAlert (... 00957 1180 NtContinue (19397936, 1, ... 00953 896 NtProtectVirtualMemory ... (0x167e000), 4096, 4, ) == 0x0 00940 1028 NtWaitForSingleObject ... ) == 0x0 00954 2016 NtSetEventBoostPriority ... ) == 0x0 00958 2012 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00955 1168 NtRegisterThreadTerminatePort ... ) == 0x0 00956 928 NtTestAlert ... ) == 0x0 00959 1180 NtRegisterThreadTerminatePort (24, ... 00960 1028 NtSetEventBoostPriority (100, ... 00961 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00962 428 NtTestAlert (... 00963 2016 NtWaitForSingleObject (100, 0, 0x0, ... 00964 1168 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00965 928 NtContinue (20446512, 1, ... 00944 1732 NtWaitForSingleObject ... ) == 0x0 00960 1028 NtSetEventBoostPriority ... ) == 0x0 00959 1180 NtRegisterThreadTerminatePort ... ) == 0x0 00961 896 NtCreateThread ... 160, {1252, 748}, ) == 0x0 00962 428 NtTestAlert ... ) == 0x0 00958 2012 NtDuplicateObject ... 164, ) == 0x0 00966 1732 NtSetEventBoostPriority (100, ... 00967 928 NtRegisterThreadTerminatePort (24, ... 00964 1168 NtDuplicateObject ... 168, ) == 0x0 00968 1180 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00969 896 NtQueryInformationThread (160, Basic, 28, ... 00970 428 NtContinue (21495088, 1, ... 00963 2016 NtWaitForSingleObject ... ) == 0x0 00966 1732 NtSetEventBoostPriority ... 
) == 0x0 00971 2012 NtWaitForSingleObject (64, 0, {0, 0}, ... 00967 928 NtRegisterThreadTerminatePort ... ) == 0x0 00972 1168 NtWaitForSingleObject (64, 0, {0, 0}, ... 00973 1028 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00968 1180 NtDuplicateObject ... 172, ) == 0x0 00974 2016 NtQuerySystemInformation (Basic, 44, ... 00975 428 NtRegisterThreadTerminatePort (24, ... 00969 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1252,Tid=748,}, 0x0, ) == 0x0 00971 2012 NtWaitForSingleObject ... ) == 0x102 00976 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00972 1168 NtWaitForSingleObject ... ) == 0x102 00973 1028 NtCreateEvent ... 176, ) == 0x0 00974 2016 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00977 1180 NtWaitForSingleObject (64, 0, {0, 0}, ... 00975 428 NtRegisterThreadTerminatePort ... ) == 0x0 00978 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81848, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81848, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0\344\4\0\0\354\2\0\0" ... ... 00979 2012 NtWaitForSingleObject (132, 0, 0x0, ... 00980 1732 NtTestAlert (... 00981 1168 NtWaitForSingleObject (132, 0, 0x0, ... 00982 2016 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 00983 1028 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ... 00977 1180 NtWaitForSingleObject ... ) == 0x102 00984 428 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00978 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81849, 0} ... {28, 56, reply, 0, 1252, 896, 81849, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\0\0\0\344\4\0\0\354\2\0\0" ) ) == 0x0 00980 1732 NtTestAlert ... 
) == 0x0 00976 928 NtDuplicateObject ... 180, ) == 0x0 00983 1028 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00985 1180 NtWaitForSingleObject (132, 0, 0x0, ... 00982 2016 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00986 896 NtResumeThread (160, ... 00987 1732 NtContinue (22543664, 1, ... 00988 928 NtWaitForSingleObject (64, 0, {0, 0}, ... 00989 1028 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 16247864, ... }, 16247864, ... 00990 2016 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 00986 896 NtResumeThread ... 1, ) == 0x0 00991 1732 NtRegisterThreadTerminatePort (24, ... 00988 928 NtWaitForSingleObject ... ) == 0x102 00990 2016 NtOpenKey ... 184, ) == 0x0 00984 428 NtDuplicateObject ... 188, ) == 0x0 00992 748 NtWaitForSingleObject (100, 0, 0x0, ... 00991 1732 NtRegisterThreadTerminatePort ... ) == 0x0 00993 928 NtWaitForSingleObject (132, 0, 0x0, ... 00994 2016 NtQueryValueKey (184, (184, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 00995 428 NtWaitForSingleObject (64, 0, {0, 0}, ... 00996 1732 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00994 2016 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00995 428 NtWaitForSingleObject ... ) == 0x102 00997 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00998 2016 NtClose (184, ... 00999 428 NtWaitForSingleObject (132, 0, 0x0, ... 00997 896 NtAllocateVirtualMemory ... 23592960, 1048576, ) == 0x0 00996 1732 NtDuplicateObject ... 192, ) == 0x0 01000 896 NtAllocateVirtualMemory (-1, 24633344, 0, 8192, 4096, 4, ... 01001 1732 NtWaitForSingleObject (64, 0, {0, 0}, ... 01000 896 NtAllocateVirtualMemory ... 24633344, 8192, ) == 0x0 01002 896 NtProtectVirtualMemory (-1, (0x177e000), 4096, 260, ... (0x177e000), 4096, 4, ) == 0x0 01003 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 196, {1252, 900}, ) == 0x0 01004 896 NtQueryInformationThread (196, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1252,Tid=900,}, 0x0, ) == 0x0 01005 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81849, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81849, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\344\4\0\0\204\3\0\0" ... ... 00998 2016 NtClose ... ) == 0x0 01006 2016 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01007 2016 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 184, ) == 0x0 01008 2016 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01001 1732 NtWaitForSingleObject ... ) == 0x102 01005 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81850, 0} ... {28, 56, reply, 0, 1252, 896, 81850, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\0\0\0\344\4\0\0\204\3\0\0" ) ) == 0x0 01009 1732 NtWaitForSingleObject (132, 0, 0x0, ... 01010 896 NtResumeThread (196, ... 1, ) == 0x0 01011 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24641536, 1048576, ) == 0x0 01012 896 NtAllocateVirtualMemory (-1, 25681920, 0, 8192, 4096, 4, ... 25681920, 8192, ) == 0x0 01013 896 NtProtectVirtualMemory (-1, (0x187e000), 4096, 260, ... (0x187e000), 4096, 4, ) == 0x0 01014 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 200, {1252, 1388}, ) == 0x0 01015 896 NtQueryInformationThread (200, Basic, 28, ... 01008 2016 NtCreateEvent ... 204, ) == 0x0 01016 900 NtWaitForSingleObject (100, 0, 0x0, ... 01017 2016 NtQuerySystemTime (... {1420079164, 29929616}, ) == 0x0 01018 2016 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0 01019 2016 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01020 2016 NtQuerySystemInformation (Performance, 312, ... 
{system info, class 2, size 312}, 0x0, ) == 0x0 01021 2016 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01022 2016 NtQueryInformationProcess (-1, VmCounters, 44, ... 01015 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1252,Tid=1388,}, 0x0, ) == 0x0 00989 1028 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01023 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81850, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81850, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\344\4\0\0l\5\0\0" ... ... 01024 1028 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 16247864, ... }, 16247864, ... 01023 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81851, 0} ... {28, 56, reply, 0, 1252, 896, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\344\4\0\0l\5\0\0" ) ) == 0x0 01024 1028 NtQueryAttributesFile ... ) == 0x0 01025 896 NtResumeThread (200, ... 01026 1028 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ... 01025 896 NtResumeThread ... 1, ) == 0x0 01022 2016 NtQueryInformationProcess ... {process info, class 3, size 44}, 0x0, ) == 0x0 01026 1028 NtOpenFile ... 212, {status=0x0, info=1}, ) == 0x0 01027 1388 NtWaitForSingleObject (100, 0, 0x0, ... 01028 2016 NtWaitForSingleObject (100, 0, 0x0, ... 01029 1028 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0 01030 1028 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01031 1028 NtClose (212, ... ) == 0x0 01032 1028 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0 01033 1028 NtClose (216, ... ) == 0x0 01034 1028 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 01035 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
25690112, 1048576, ) == 0x0 01036 896 NtAllocateVirtualMemory (-1, 26730496, 0, 8192, 4096, 4, ... 26730496, 8192, ) == 0x0 01037 896 NtProtectVirtualMemory (-1, (0x197e000), 4096, 260, ... (0x197e000), 4096, 4, ) == 0x0 01038 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1252, 2036}, ) == 0x0 01039 896 NtQueryInformationThread (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1252,Tid=2036,}, 0x0, ) == 0x0 01040 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81851, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\364\7\0\0" ... ... 01034 1028 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 01041 1028 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01042 1028 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01043 1028 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 01040 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81852, 0} ... {28, 56, reply, 0, 1252, 896, 81852, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\344\4\0\0\364\7\0\0" ) ) == 0x0 01044 896 NtResumeThread (216, ... 1, ) == 0x0 01045 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 26738688, 1048576, ) == 0x0 01046 896 NtAllocateVirtualMemory (-1, 27779072, 0, 8192, 4096, 4, ... 27779072, 8192, ) == 0x0 01047 896 NtProtectVirtualMemory (-1, (0x1a7e000), 4096, 260, ... (0x1a7e000), 4096, 4, ) == 0x0 01048 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 212, {1252, 1372}, ) == 0x0 01049 896 NtQueryInformationThread (212, Basic, 28, ... 01043 1028 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 01050 2036 NtWaitForSingleObject (100, 0, 0x0, ... 01051 1028 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01052 1028 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01053 1028 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 
(0x76f21000), 4096, 32, ) == 0x0 01054 1028 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01055 1028 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01056 1028 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 01049 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1252,Tid=1372,}, 0x0, ) == 0x0 01057 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81852, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81852, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81853, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\\5\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81853, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81852, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81853, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\344\4\0\0\\5\0\0" ) ) == 0x0 01058 896 NtResumeThread (212, ... 1, ) == 0x0 01059 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 27787264, 1048576, ) == 0x0 01060 896 NtAllocateVirtualMemory (-1, 28827648, 0, 8192, 4096, 4, ... 28827648, 8192, ) == 0x0 01061 896 NtProtectVirtualMemory (-1, (0x1b7e000), 4096, 260, ... (0x1b7e000), 4096, 4, ) == 0x0 01056 1028 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 01062 1372 NtWaitForSingleObject (100, 0, 0x0, ... 01063 1028 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01064 1028 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01065 1028 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 01066 1028 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01067 1028 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01068 1028 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 01069 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
220, {1252, 1600}, ) == 0x0 01070 896 NtQueryInformationThread (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1252,Tid=1600,}, 0x0, ) == 0x0 01071 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81853, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81853, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0@\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81854, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0@\6\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81854, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81853, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0@\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81854, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\344\4\0\0@\6\0\0" ) ) == 0x0 01072 896 NtResumeThread (220, ... 1, ) == 0x0 01073 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 28835840, 1048576, ) == 0x0 01074 896 NtAllocateVirtualMemory (-1, 29876224, 0, 8192, 4096, 4, ... 01068 1028 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 01075 1600 NtWaitForSingleObject (100, 0, 0x0, ... 01076 1028 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 01077 1028 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 01078 1028 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01079 1028 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 224, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 224, 2, ) , 0, ... 224, 2, ) == 0x0 01080 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 228, ) }, ... 
228, ) == 0x0 01081 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01074 896 NtAllocateVirtualMemory ... 29876224, 8192, ) == 0x0 01082 896 NtProtectVirtualMemory (-1, (0x1c7e000), 4096, 260, ... (0x1c7e000), 4096, 4, ) == 0x0 01083 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1252, 1948}, ) == 0x0 01084 896 NtQueryInformationThread (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1252,Tid=1948,}, 0x0, ) == 0x0 01085 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81854, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81854, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\234\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81855, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\234\7\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81855, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81854, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\234\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81855, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\344\4\0\0\234\7\0\0" ) ) == 0x0 01086 896 NtResumeThread (232, ... 1, ) == 0x0 01081 1028 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01087 1948 NtWaitForSingleObject (100, 0, 0x0, ... 01088 1028 NtQueryValueKey (228, (228, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01089 1028 NtQueryValueKey (224, (224, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01090 1028 NtQueryValueKey (228, (228, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01091 1028 NtQueryValueKey (224, (224, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (224, "UseDomainNameDevolution", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01092 1028 NtQueryValueKey (228, (228, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01093 1028 NtQueryValueKey (224, (224, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ... 01094 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 29884416, 1048576, ) == 0x0 01095 896 NtAllocateVirtualMemory (-1, 30924800, 0, 8192, 4096, 4, ... 30924800, 8192, ) == 0x0 01096 896 NtProtectVirtualMemory (-1, (0x1d7e000), 4096, 260, ... (0x1d7e000), 4096, 4, ) == 0x0 01097 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1252, 252}, ) == 0x0 01098 896 NtQueryInformationThread (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1252,Tid=252,}, 0x0, ) == 0x0 01099 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81855, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81855, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\374\0\0\0" ... ... 01093 1028 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01100 1028 NtQueryValueKey (228, (228, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01101 1028 NtQueryValueKey (224, (224, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01102 1028 NtQueryValueKey (228, (228, "AppendToMultiLabelName", Partial, 144, ... , Partial, 144, ... 01099 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81856, 0} ... {28, 56, reply, 0, 1252, 896, 81856, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\344\4\0\0\374\0\0\0" ) ) == 0x0 01103 896 NtResumeThread (236, ... 1, ) == 0x0 01104 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 30932992, 1048576, ) == 0x0 01105 896 NtAllocateVirtualMemory (-1, 31973376, 0, 8192, 4096, 4, ... 31973376, 8192, ) == 0x0 01106 896 NtProtectVirtualMemory (-1, (0x1e7e000), 4096, 260, ... 
(0x1e7e000), 4096, 4, ) == 0x0 01107 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 240, {1252, 1300}, ) == 0x0 01108 896 NtQueryInformationThread (240, Basic, 28, ... 01102 1028 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01109 252 NtWaitForSingleObject (100, 0, 0x0, ... 01110 1028 NtQueryValueKey (228, (228, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01111 1028 NtQueryValueKey (228, (228, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01112 1028 NtQueryValueKey (228, (228, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01113 1028 NtQueryValueKey (228, (228, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01114 1028 NtQueryValueKey (228, (228, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01115 1028 NtQueryValueKey (228, (228, "QueryIpMatching", Partial, 144, ... , Partial, 144, ... 01108 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1252,Tid=1300,}, 0x0, ) == 0x0 01116 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81856, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81856, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0\24\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81857, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0\24\5\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81857, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81856, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0\24\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81857, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\344\4\0\0\24\5\0\0" ) ) == 0x0 01117 896 NtResumeThread (240, ... 1, ) == 0x0 01118 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 31981568, 1048576, ) == 0x0 01119 896 NtAllocateVirtualMemory (-1, 33021952, 0, 8192, 4096, 4, ... 
33021952, 8192, ) == 0x0 01120 896 NtProtectVirtualMemory (-1, (0x1f7e000), 4096, 260, ... (0x1f7e000), 4096, 4, ) == 0x0 01115 1028 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01121 1300 NtWaitForSingleObject (100, 0, 0x0, ... 01122 1028 NtQueryValueKey (228, (228, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01123 1028 NtQueryValueKey (228, (228, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01124 1028 NtQueryValueKey (224, (224, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01125 1028 NtQueryValueKey (228, (228, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01126 1028 NtQueryValueKey (228, (228, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01127 1028 NtQueryValueKey (224, (224, "EnableAdapterDomainNameRegistration", Partial, 144, ... , Partial, 144, ... 01128 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 244, {1252, 1096}, ) == 0x0 01129 896 NtQueryInformationThread (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1252,Tid=1096,}, 0x0, ) == 0x0 01130 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81857, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81857, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81858, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0H\4\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81858, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81857, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0H\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81858, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\0\0\0\344\4\0\0H\4\0\0" ) ) == 0x0 01131 896 NtResumeThread (244, ... 1, ) == 0x0 01132 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
33030144, 1048576, ) == 0x0 01133 896 NtAllocateVirtualMemory (-1, 34070528, 0, 8192, 4096, 4, ... 01127 1028 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01134 1096 NtWaitForSingleObject (100, 0, 0x0, ... 01135 1028 NtQueryValueKey (228, (228, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01136 1028 NtQueryValueKey (224, (224, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01137 1028 NtQueryValueKey (228, (228, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01138 1028 NtQueryValueKey (224, (224, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01139 1028 NtQueryValueKey (228, (228, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01140 1028 NtQueryValueKey (224, (224, "DefaultRegistrationTTL", Partial, 144, ... , Partial, 144, ... 01133 896 NtAllocateVirtualMemory ... 34070528, 8192, ) == 0x0 01141 896 NtProtectVirtualMemory (-1, (0x207e000), 4096, 260, ... (0x207e000), 4096, 4, ) == 0x0 01142 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 248, {1252, 1708}, ) == 0x0 01143 896 NtQueryInformationThread (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1252,Tid=1708,}, 0x0, ) == 0x0 01144 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81858, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81858, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\254\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\254\6\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81859, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81858, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\254\6\0\0" ... 
{28, 56, reply, 0, 1252, 896, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\0\0\0\344\4\0\0\254\6\0\0" ) ) == 0x0 01145 896 NtResumeThread (248, ... 1, ) == 0x0 01140 1028 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01146 1708 NtWaitForSingleObject (100, 0, 0x0, ... 01147 1028 NtQueryValueKey (228, (228, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01148 1028 NtQueryValueKey (224, (224, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01149 1028 NtQueryValueKey (228, (228, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01150 1028 NtQueryValueKey (224, (224, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01151 1028 NtQueryValueKey (228, (228, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01152 1028 NtQueryValueKey (224, (224, "UpdateSecurityLevel", Partial, 144, ... , Partial, 144, ... 01153 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 34078720, 1048576, ) == 0x0 01154 896 NtAllocateVirtualMemory (-1, 35119104, 0, 8192, 4096, 4, ... 35119104, 8192, ) == 0x0 01155 896 NtProtectVirtualMemory (-1, (0x217e000), 4096, 260, ... (0x217e000), 4096, 4, ) == 0x0 01156 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 252, {1252, 1024}, ) == 0x0 01157 896 NtQueryInformationThread (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1252,Tid=1024,}, 0x0, ) == 0x0 01158 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81859, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81859, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\4\0\0\0\4\0\0" ... ... 01152 1028 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01159 1028 NtQueryValueKey (228, (228, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01160 1028 NtQueryValueKey (228, (228, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01161 1028 NtQueryValueKey (228, (228, "DnsTest", Partial, 144, ... , Partial, 144, ... 01158 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81860, 0} ... {28, 56, reply, 0, 1252, 896, 81860, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\0\0\0\344\4\0\0\0\4\0\0" ) ) == 0x0 01162 896 NtResumeThread (252, ... 1, ) == 0x0 01163 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 35127296, 1048576, ) == 0x0 01164 896 NtAllocateVirtualMemory (-1, 36167680, 0, 8192, 4096, 4, ... 36167680, 8192, ) == 0x0 01165 896 NtProtectVirtualMemory (-1, (0x227e000), 4096, 260, ... (0x227e000), 4096, 4, ) == 0x0 01166 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 256, {1252, 1324}, ) == 0x0 01167 896 NtQueryInformationThread (256, Basic, 28, ... 01161 1028 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01168 1024 NtWaitForSingleObject (100, 0, 0x0, ... 01169 1028 NtQueryValueKey (228, (228, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01170 1028 NtQueryValueKey (228, (228, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01171 1028 NtQueryValueKey (228, (228, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01172 1028 NtQueryValueKey (228, (228, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01173 1028 NtQueryValueKey (228, (228, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01174 1028 NtQueryValueKey (228, (228, "MaxCachedSockets", Partial, 144, ... , Partial, 144, ... 01167 896 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1252,Tid=1324,}, 0x0, ) == 0x0 01175 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81860, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81860, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\344\4\0\0,\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\344\4\0\0,\5\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81861, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81860, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\344\4\0\0,\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\1\0\0\344\4\0\0,\5\0\0" ) ) == 0x0 01176 896 NtResumeThread (256, ... 1, ) == 0x0 01177 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 36175872, 1048576, ) == 0x0 01178 896 NtAllocateVirtualMemory (-1, 37216256, 0, 8192, 4096, 4, ... 37216256, 8192, ) == 0x0 01179 896 NtProtectVirtualMemory (-1, (0x237e000), 4096, 260, ... (0x237e000), 4096, 4, ) == 0x0 01174 1028 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01180 1324 NtWaitForSingleObject (100, 0, 0x0, ... 01181 1028 NtQueryValueKey (228, (228, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01182 1028 NtQueryValueKey (228, (228, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01183 1028 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 260, ) }, ... 260, ) == 0x0 01184 1028 NtQueryValueKey (260, (260, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01185 1028 NtClose (260, ... ) == 0x0 01186 1028 NtClose (224, ... 01187 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 260, {1252, 1776}, ) == 0x0 01188 896 NtQueryInformationThread (260, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1252,Tid=1776,}, 0x0, ) == 0x0 01189 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81861, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\344\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\344\4\0\0\360\6\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81862, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81861, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\344\4\0\0\360\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\1\0\0\344\4\0\0\360\6\0\0" ) ) == 0x0 01190 896 NtResumeThread (260, ... 1, ) == 0x0 01191 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 37224448, 1048576, ) == 0x0 01192 896 NtAllocateVirtualMemory (-1, 38264832, 0, 8192, 4096, 4, ... 01186 1028 NtClose ... ) == 0x0 01193 1776 NtWaitForSingleObject (100, 0, 0x0, ... 01194 1028 NtClose (228, ... ) == 0x0 01195 1028 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 228, ) }, ... 228, ) == 0x0 01196 1028 NtQueryValueKey (228, (228, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01197 1028 NtQueryValueKey (228, (228, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01198 1028 NtQueryValueKey (228, (228, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01199 1028 NtClose (228, ... 01192 896 NtAllocateVirtualMemory ... 38264832, 8192, ) == 0x0 01200 896 NtProtectVirtualMemory (-1, (0x247e000), 4096, 260, ... (0x247e000), 4096, 4, ) == 0x0 01201 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 224, {1252, 500}, ) == 0x0 01202 896 NtQueryInformationThread (224, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1252,Tid=500,}, 0x0, ) == 0x0 01203 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81862, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0\364\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81863, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0\364\1\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81863, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81862, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0\364\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81863, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\344\4\0\0\364\1\0\0" ) ) == 0x0 01204 896 NtResumeThread (224, ... 1, ) == 0x0 01199 1028 NtClose ... ) == 0x0 01205 500 NtWaitForSingleObject (100, 0, 0x0, ... 01206 1028 NtSetEventBoostPriority (100, ... 00992 748 NtWaitForSingleObject ... ) == 0x0 01207 748 NtSetEventBoostPriority (100, ... 01016 900 NtWaitForSingleObject ... ) == 0x0 01208 900 NtSetEventBoostPriority (100, ... 01027 1388 NtWaitForSingleObject ... ) == 0x0 01209 1388 NtSetEventBoostPriority (100, ... 01028 2016 NtWaitForSingleObject ... ) == 0x0 01210 2016 NtSetEventBoostPriority (100, ... 01050 2036 NtWaitForSingleObject ... ) == 0x0 01211 2036 NtSetEventBoostPriority (100, ... 01062 1372 NtWaitForSingleObject ... ) == 0x0 01212 1372 NtSetEventBoostPriority (100, ... 01075 1600 NtWaitForSingleObject ... ) == 0x0 01213 1600 NtSetEventBoostPriority (100, ... 01087 1948 NtWaitForSingleObject ... ) == 0x0 01214 1948 NtSetEventBoostPriority (100, ... 01109 252 NtWaitForSingleObject ... ) == 0x0 01215 252 NtSetEventBoostPriority (100, ... 01121 1300 NtWaitForSingleObject ... ) == 0x0 01216 1300 NtSetEventBoostPriority (100, ... 01134 1096 NtWaitForSingleObject ... ) == 0x0 01217 1096 NtSetEventBoostPriority (100, ... 01146 1708 NtWaitForSingleObject ... ) == 0x0 01218 1708 NtSetEventBoostPriority (100, ... 01168 1024 NtWaitForSingleObject ... ) == 0x0 01219 1024 NtSetEventBoostPriority (100, ... 
01180 1324 NtWaitForSingleObject ... ) == 0x0 01220 1324 NtAllocateVirtualMemory (-1, 8802304, 0, 4096, 4096, 4, ... 8802304, 4096, ) == 0x0 01219 1024 NtSetEventBoostPriority ... ) == 0x0 01218 1708 NtSetEventBoostPriority ... ) == 0x0 01217 1096 NtSetEventBoostPriority ... ) == 0x0 01216 1300 NtSetEventBoostPriority ... ) == 0x0 01215 252 NtSetEventBoostPriority ... ) == 0x0 01214 1948 NtSetEventBoostPriority ... ) == 0x0 01213 1600 NtSetEventBoostPriority ... ) == 0x0 01212 1372 NtSetEventBoostPriority ... ) == 0x0 01211 2036 NtSetEventBoostPriority ... ) == 0x0 01210 2016 NtSetEventBoostPriority ... ) == 0x0 01209 1388 NtSetEventBoostPriority ... ) == 0x0 01208 900 NtSetEventBoostPriority ... ) == 0x0 01207 748 NtSetEventBoostPriority ... ) == 0x0 01206 1028 NtSetEventBoostPriority ... ) == 0x0 01221 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01222 1324 NtSetEventBoostPriority (100, ... 01223 1024 NtTestAlert (... 01224 1708 NtTestAlert (... 01225 1096 NtTestAlert (... 01226 1300 NtTestAlert (... 01227 252 NtTestAlert (... 01228 1948 NtTestAlert (... 01229 1600 NtTestAlert (... 01230 1372 NtTestAlert (... 01231 2036 NtTestAlert (... 01232 2016 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01233 1388 NtTestAlert (... 01234 900 NtTestAlert (... 01235 1028 NtWaitForSingleObject (100, 0, 0x0, ... 01221 896 NtAllocateVirtualMemory ... 38273024, 1048576, ) == 0x0 01193 1776 NtWaitForSingleObject ... ) == 0x0 01222 1324 NtSetEventBoostPriority ... ) == 0x0 01223 1024 NtTestAlert ... ) == 0x0 01224 1708 NtTestAlert ... ) == 0x0 01225 1096 NtTestAlert ... ) == 0x0 01226 1300 NtTestAlert ... ) == 0x0 01227 252 NtTestAlert ... ) == 0x0 01228 1948 NtTestAlert ... ) == 0x0 01229 1600 NtTestAlert ... ) == 0x0 01230 1372 NtTestAlert ... ) == 0x0 01231 2036 NtTestAlert ... ) == 0x0 01232 2016 NtCreateEvent ... 228, ) == 0x0 01233 1388 NtTestAlert ... ) == 0x0 01234 900 NtTestAlert ... ) == 0x0 01236 1776 NtSetEventBoostPriority (100, ... 
01237 896 NtAllocateVirtualMemory (-1, 39313408, 0, 8192, 4096, 4, ... 01238 1324 NtTestAlert (... 01239 1024 NtContinue (35126576, 1, ... 01240 1708 NtContinue (34078000, 1, ... 01241 1096 NtContinue (33029424, 1, ... 01242 1300 NtContinue (31980848, 1, ... 01243 252 NtContinue (30932272, 1, ... 01244 1948 NtContinue (29883696, 1, ... 01245 1600 NtContinue (28835120, 1, ... 01246 1372 NtContinue (27786544, 1, ... 01247 2036 NtContinue (26737968, 1, ... 01248 2016 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01249 1388 NtContinue (25689392, 1, ... 01205 500 NtWaitForSingleObject ... ) == 0x0 01236 1776 NtSetEventBoostPriority ... ) == 0x0 01250 900 NtContinue (24640816, 1, ... 01237 896 NtAllocateVirtualMemory ... 39313408, 8192, ) == 0x0 01238 1324 NtTestAlert ... ) == 0x0 01251 1024 NtRegisterThreadTerminatePort (24, ... 01252 1708 NtRegisterThreadTerminatePort (24, ... 01253 1096 NtRegisterThreadTerminatePort (24, ... 01254 1300 NtRegisterThreadTerminatePort (24, ... 01255 252 NtRegisterThreadTerminatePort (24, ... 01256 1948 NtRegisterThreadTerminatePort (24, ... 01257 1600 NtRegisterThreadTerminatePort (24, ... 01258 1372 NtRegisterThreadTerminatePort (24, ... 01259 2036 NtRegisterThreadTerminatePort (24, ... 01248 2016 NtDuplicateObject ... 264, ) == 0x0 01260 500 NtSetEventBoostPriority (100, ... 01261 1388 NtRegisterThreadTerminatePort (24, ... 01262 748 NtTestAlert (... 01263 900 NtRegisterThreadTerminatePort (24, ... 01264 896 NtProtectVirtualMemory (-1, (0x257e000), 4096, 260, ... 01265 1324 NtContinue (36175152, 1, ... 01251 1024 NtRegisterThreadTerminatePort ... ) == 0x0 01252 1708 NtRegisterThreadTerminatePort ... ) == 0x0 01253 1096 NtRegisterThreadTerminatePort ... ) == 0x0 01254 1300 NtRegisterThreadTerminatePort ... ) == 0x0 01255 252 NtRegisterThreadTerminatePort ... ) == 0x0 01256 1948 NtRegisterThreadTerminatePort ... ) == 0x0 01257 1600 NtRegisterThreadTerminatePort ... ) == 0x0 01258 1372 NtRegisterThreadTerminatePort ... 
) == 0x0 01259 2036 NtRegisterThreadTerminatePort ... ) == 0x0 01235 1028 NtWaitForSingleObject ... ) == 0x0 01260 500 NtSetEventBoostPriority ... ) == 0x0 01266 2016 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ... 01261 1388 NtRegisterThreadTerminatePort ... ) == 0x0 01262 748 NtTestAlert ... ) == 0x0 01263 900 NtRegisterThreadTerminatePort ... ) == 0x0 01264 896 NtProtectVirtualMemory ... (0x257e000), 4096, 4, ) == 0x0 01267 1324 NtRegisterThreadTerminatePort (24, ... 01268 1024 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01269 1708 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01270 1096 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01271 1300 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01272 252 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01273 1948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01274 1600 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 01275 1372 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01276 1028 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01277 2036 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01278 1776 NtTestAlert (... 01266 2016 NtOpenKey ... 268, ) == 0x0 01279 1388 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01280 748 NtContinue (23592240, 1, ... 01281 900 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01282 500 NtTestAlert (... 01283 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01267 1324 NtRegisterThreadTerminatePort ... ) == 0x0 01268 1024 NtDuplicateObject ... 272, ) == 0x0 01269 1708 NtDuplicateObject ... 276, ) == 0x0 01270 1096 NtDuplicateObject ... 280, ) == 0x0 01271 1300 NtDuplicateObject ... 284, ) == 0x0 01272 252 NtDuplicateObject ... 288, ) == 0x0 01273 1948 NtDuplicateObject ... 292, ) == 0x0 01274 1600 NtAllocateVirtualMemory ... 1368064, 4096, ) == 0x0 01276 1028 NtCreateEvent ... 296, ) == 0x0 01275 1372 NtCreateEvent ... 300, ) == 0x0 01278 1776 NtTestAlert ... ) == 0x0 01277 2036 NtCreateEvent ... 
304, ) == 0x0 01284 2016 NtQueryValueKey (268, (268, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ... 01285 748 NtRegisterThreadTerminatePort (24, ... 01279 1388 NtCreateEvent ... 308, ) == 0x0 01282 500 NtTestAlert ... ) == 0x0 01283 896 NtCreateThread ... 312, {1252, 248}, ) == 0x0 01286 1324 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01287 1024 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01288 1708 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01289 1096 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01290 1300 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01291 252 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01292 1948 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01293 1600 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01281 900 NtCreateEvent ... 316, ) == 0x0 01294 1372 NtWaitForSingleObject (300, 0, 0x0, ... 01295 1776 NtContinue (37223728, 1, ... 01296 2036 NtClose (304, ... 01284 2016 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01285 748 NtRegisterThreadTerminatePort ... ) == 0x0 01297 1388 NtClose (308, ... 01298 500 NtContinue (38272304, 1, ... 01299 896 NtQueryInformationThread (312, Basic, 28, ... 01286 1324 NtCreateEvent ... 320, ) == 0x0 01287 1024 NtCreateEvent ... 324, ) == 0x0 01288 1708 NtCreateEvent ... 328, ) == 0x0 01289 1096 NtCreateEvent ... 332, ) == 0x0 01290 1300 NtCreateEvent ... 336, ) == 0x0 01291 252 NtCreateEvent ... 340, ) == 0x0 01292 1948 NtCreateEvent ... 344, ) == 0x0 01293 1600 NtCreateEvent ... 348, ) == 0x0 01300 900 NtClose (316, ... 01301 1776 NtRegisterThreadTerminatePort (24, ... 01296 2036 NtClose ... ) == 0x0 01302 2016 NtClose (268, ... 01303 748 NtWaitForSingleObject (300, 0, 0x0, ... 01297 1388 NtClose ... ) == 0x0 01304 500 NtRegisterThreadTerminatePort (24, ... 01299 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1252,Tid=248,}, 0x0, ) == 0x0 01305 1324 NtClose (320, ... 01306 1024 NtClose (324, ... 01307 1708 NtClose (328, ... 01308 1096 NtClose (332, ... 01309 1300 NtClose (336, ... 
01310 252 NtClose (340, ... 01311 1948 NtClose (344, ... 01312 1600 NtClose (348, ... 01300 900 NtClose ... ) == 0x0 01301 1776 NtRegisterThreadTerminatePort ... ) == 0x0 01313 2036 NtWaitForSingleObject (300, 0, 0x0, ... 01302 2016 NtClose ... ) == 0x0 01314 1028 NtClose (296, ... 01315 1388 NtWaitForSingleObject (300, 0, 0x0, ... 01304 500 NtRegisterThreadTerminatePort ... ) == 0x0 01316 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81863, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81863, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0\344\4\0\0\370\0\0\0" ... ... 01305 1324 NtClose ... ) == 0x0 01306 1024 NtClose ... ) == 0x0 01307 1708 NtClose ... ) == 0x0 01308 1096 NtClose ... ) == 0x0 01309 1300 NtClose ... ) == 0x0 01310 252 NtClose ... ) == 0x0 01311 1948 NtClose ... ) == 0x0 01312 1600 NtClose ... ) == 0x0 01317 900 NtWaitForSingleObject (300, 0, 0x0, ... 01318 1776 NtWaitForSingleObject (300, 0, 0x0, ... 01319 2016 NtWaitForSingleObject (300, 0, 0x0, ... 01314 1028 NtClose ... ) == 0x0 01320 500 NtWaitForSingleObject (300, 0, 0x0, ... 01321 1324 NtWaitForSingleObject (300, 0, 0x0, ... 01322 1024 NtWaitForSingleObject (300, 0, 0x0, ... 01323 1708 NtWaitForSingleObject (300, 0, 0x0, ... 01324 1096 NtWaitForSingleObject (300, 0, 0x0, ... 01325 1300 NtWaitForSingleObject (300, 0, 0x0, ... 01326 252 NtWaitForSingleObject (300, 0, 0x0, ... 01327 1948 NtWaitForSingleObject (300, 0, 0x0, ... 01328 1600 NtSetEventBoostPriority (300, ... 01316 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81864, 0} ... {28, 56, reply, 0, 1252, 896, 81864, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG8\1\0\0\344\4\0\0\370\0\0\0" ) ) == 0x0 01329 1028 NtWaitForSingleObject (300, 0, 0x0, ... 01330 896 NtResumeThread (312, ... 1, ) == 0x0 01331 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 39321600, 1048576, ) == 0x0 01332 896 NtAllocateVirtualMemory (-1, 40361984, 0, 8192, 4096, 4, ... 
40361984, 8192, ) == 0x0 01333 896 NtProtectVirtualMemory (-1, (0x267e000), 4096, 260, ... (0x267e000), 4096, 4, ) == 0x0 01334 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 296, {1252, 1884}, ) == 0x0 01335 896 NtQueryInformationThread (296, Basic, 28, ... 01294 1372 NtWaitForSingleObject ... ) == 0x0 01328 1600 NtSetEventBoostPriority ... ) == 0x0 01336 248 NtTestAlert (... 01337 1372 NtSetEventBoostPriority (300, ... 01338 1600 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01336 248 NtTestAlert ... ) == 0x0 01313 2036 NtWaitForSingleObject ... ) == 0x0 01337 1372 NtSetEventBoostPriority ... ) == 0x0 01338 1600 NtDuplicateObject ... 348, ) == 0x0 01339 2036 NtSetEventBoostPriority (300, ... 01340 248 NtContinue (39320880, 1, ... 01335 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1252,Tid=1884,}, 0x0, ) == 0x0 01315 1388 NtWaitForSingleObject ... ) == 0x0 01339 2036 NtSetEventBoostPriority ... ) == 0x0 01341 1600 NtWaitForSingleObject (300, 0, 0x0, ... 01342 248 NtRegisterThreadTerminatePort (24, ... 01343 1388 NtSetEventBoostPriority (300, ... 01344 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81864, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81864, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\344\4\0\0\\7\0\0" ... ... 01345 1372 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01317 900 NtWaitForSingleObject ... ) == 0x0 01343 1388 NtSetEventBoostPriority ... ) == 0x0 01342 248 NtRegisterThreadTerminatePort ... ) == 0x0 01344 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81865, 0} ... {28, 56, reply, 0, 1252, 896, 81865, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\344\4\0\0\\7\0\0" ) ) == 0x0 01346 900 NtSetEventBoostPriority (300, ... 01345 1372 NtDuplicateObject ... 344, ) == 0x0 01347 2036 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01348 1388 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01303 748 NtWaitForSingleObject ... ) == 0x0 01346 900 NtSetEventBoostPriority ... 
) == 0x0 01349 896 NtResumeThread (296, ... 01350 1372 NtWaitForSingleObject (300, 0, 0x0, ... 01347 2036 NtDuplicateObject ... 340, ) == 0x0 01351 748 NtSetEventBoostPriority (300, ... 01348 1388 NtDuplicateObject ... 336, ) == 0x0 01352 248 NtWaitForSingleObject (300, 0, 0x0, ... 01349 896 NtResumeThread ... 1, ) == 0x0 01319 2016 NtWaitForSingleObject ... ) == 0x0 01353 2036 NtWaitForSingleObject (300, 0, 0x0, ... 01354 1388 NtWaitForSingleObject (300, 0, 0x0, ... 01351 748 NtSetEventBoostPriority ... ) == 0x0 01355 900 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01356 1884 NtTestAlert (... 01357 2016 NtSetEventBoostPriority (300, ... 01358 748 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01355 900 NtDuplicateObject ... 332, ) == 0x0 01356 1884 NtTestAlert ... ) == 0x0 01318 1776 NtWaitForSingleObject ... ) == 0x0 01357 2016 NtSetEventBoostPriority ... ) == 0x0 01358 748 NtDuplicateObject ... 328, ) == 0x0 01359 900 NtWaitForSingleObject (300, 0, 0x0, ... 01360 1776 NtSetEventBoostPriority (300, ... 01361 1884 NtContinue (40369456, 1, ... 01362 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01363 2016 NtOpenThreadToken (-2, 0xc, 1, ... 01320 500 NtWaitForSingleObject ... ) == 0x0 01364 1884 NtRegisterThreadTerminatePort (24, ... 01362 896 NtAllocateVirtualMemory ... 40370176, 1048576, ) == 0x0 01363 2016 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01365 500 NtSetEventBoostPriority (300, ... 01364 1884 NtRegisterThreadTerminatePort ... ) == 0x0 01366 896 NtAllocateVirtualMemory (-1, 41410560, 0, 8192, 4096, 4, ... 01367 2016 NtOpenThreadToken (-2, 0x20008, 1, ... 01321 1324 NtWaitForSingleObject ... ) == 0x0 01365 500 NtSetEventBoostPriority ... ) == 0x0 01360 1776 NtSetEventBoostPriority ... ) == 0x0 01368 748 NtWaitForSingleObject (300, 0, 0x0, ... 01366 896 NtAllocateVirtualMemory ... 41410560, 8192, ) == 0x0 01367 2016 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01369 1324 NtSetEventBoostPriority (300, ... 
01370 500 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01371 1776 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01372 896 NtProtectVirtualMemory (-1, (0x277e000), 4096, 260, ... 01373 2016 NtWaitForSingleObject (300, 0, 0x0, ... 01322 1024 NtWaitForSingleObject ... ) == 0x0 01370 500 NtDuplicateObject ... 324, ) == 0x0 01371 1776 NtDuplicateObject ... 320, ) == 0x0 01372 896 NtProtectVirtualMemory ... (0x277e000), 4096, 4, ) == 0x0 01374 1024 NtSetEventBoostPriority (300, ... 01369 1324 NtSetEventBoostPriority ... ) == 0x0 01375 1884 NtWaitForSingleObject (300, 0, 0x0, ... 01376 500 NtWaitForSingleObject (300, 0, 0x0, ... 01377 1776 NtWaitForSingleObject (300, 0, 0x0, ... 01323 1708 NtWaitForSingleObject ... ) == 0x0 01378 1324 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01379 1708 NtSetEventBoostPriority (300, ... 01378 1324 NtDuplicateObject ... 268, ) == 0x0 01324 1096 NtWaitForSingleObject ... ) == 0x0 01379 1708 NtSetEventBoostPriority ... ) == 0x0 01374 1024 NtSetEventBoostPriority ... ) == 0x0 01380 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01381 1096 NtSetEventBoostPriority (300, ... 01382 1708 NtWaitForSingleObject (300, 0, 0x0, ... 01383 1024 NtWaitForSingleObject (300, 0, 0x0, ... 01380 896 NtCreateThread ... 316, {1252, 1308}, ) == 0x0 01325 1300 NtWaitForSingleObject ... ) == 0x0 01384 896 NtQueryInformationThread (316, Basic, 28, ... 01385 1300 NtSetEventBoostPriority (300, ... 01384 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1252,Tid=1308,}, 0x0, ) == 0x0 01326 252 NtWaitForSingleObject ... ) == 0x0 01386 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81865, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81865, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\344\4\0\0\34\5\0\0" ... ... 01387 252 NtSetEventBoostPriority (300, ... 01327 1948 NtWaitForSingleObject ... ) == 0x0 01388 1948 NtSetEventBoostPriority (300, ... 01329 1028 NtWaitForSingleObject ... 
) == 0x0 01389 1028 NtSetEventBoostPriority (300, ... 01341 1600 NtWaitForSingleObject ... ) == 0x0 01390 1600 NtSetEventBoostPriority (300, ... 01350 1372 NtWaitForSingleObject ... ) == 0x0 01391 1372 NtSetEventBoostPriority (300, ... 01352 248 NtWaitForSingleObject ... ) == 0x0 01392 248 NtSetEventBoostPriority (300, ... 01353 2036 NtWaitForSingleObject ... ) == 0x0 01393 2036 NtSetEventBoostPriority (300, ... 01354 1388 NtWaitForSingleObject ... ) == 0x0 01394 1388 NtSetEventBoostPriority (300, ... 01359 900 NtWaitForSingleObject ... ) == 0x0 01395 900 NtSetEventBoostPriority (300, ... 01368 748 NtWaitForSingleObject ... ) == 0x0 01396 748 NtSetEventBoostPriority (300, ... 01373 2016 NtWaitForSingleObject ... ) == 0x0 01397 2016 NtSetEventBoostPriority (300, ... 01375 1884 NtWaitForSingleObject ... ) == 0x0 01398 1884 NtSetEventBoostPriority (300, ... 01376 500 NtWaitForSingleObject ... ) == 0x0 01399 500 NtSetEventBoostPriority (300, ... 01377 1776 NtWaitForSingleObject ... ) == 0x0 01400 1776 NtSetEventBoostPriority (300, ... 01382 1708 NtWaitForSingleObject ... ) == 0x0 01401 1708 NtSetEventBoostPriority (300, ... 01383 1024 NtWaitForSingleObject ... ) == 0x0 01402 1024 NtWaitForSingleObject (64, 0, {0, 0}, ... 01401 1708 NtSetEventBoostPriority ... ) == 0x0 01400 1776 NtSetEventBoostPriority ... ) == 0x0 01399 500 NtSetEventBoostPriority ... ) == 0x0 01398 1884 NtSetEventBoostPriority ... ) == 0x0 01397 2016 NtSetEventBoostPriority ... ) == 0x0 01396 748 NtSetEventBoostPriority ... ) == 0x0 01395 900 NtSetEventBoostPriority ... ) == 0x0 01394 1388 NtSetEventBoostPriority ... ) == 0x0 01393 2036 NtSetEventBoostPriority ... ) == 0x0 01392 248 NtSetEventBoostPriority ... ) == 0x0 01391 1372 NtSetEventBoostPriority ... ) == 0x0 01390 1600 NtSetEventBoostPriority ... ) == 0x0 01389 1028 NtSetEventBoostPriority ... ) == 0x0 01388 1948 NtSetEventBoostPriority ... ) == 0x0 01387 252 NtSetEventBoostPriority ... ) == 0x0 01385 1300 NtSetEventBoostPriority ... 
) == 0x0 01381 1096 NtSetEventBoostPriority ... ) == 0x0 01403 1324 NtWaitForSingleObject (64, 0, {0, 0}, ... 01386 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81866, 0} ... {28, 56, reply, 0, 1252, 896, 81866, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\344\4\0\0\34\5\0\0" ) ) == 0x0 01402 1024 NtWaitForSingleObject ... ) == 0x102 01404 1776 NtWaitForSingleObject (64, 0, {0, 0}, ... 01405 500 NtWaitForSingleObject (64, 0, {0, 0}, ... 01406 1884 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01407 1708 NtWaitForSingleObject (64, 0, {0, 0}, ... 01408 748 NtWaitForSingleObject (64, 0, {0, 0}, ... 01409 2016 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 01410 900 NtWaitForSingleObject (300, 0, 0x0, ... 01411 1388 NtWaitForSingleObject (300, 0, 0x0, ... 01412 248 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01413 2036 NtWaitForSingleObject (300, 0, 0x0, ... 01414 1372 NtWaitForSingleObject (300, 0, 0x0, ... 01415 1600 NtWaitForSingleObject (300, 0, 0x0, ... 01416 1948 NtWaitForSingleObject (300, 0, 0x0, ... 01417 252 NtWaitForSingleObject (300, 0, 0x0, ... 01418 1300 NtWaitForSingleObject (300, 0, 0x0, ... 01419 1096 NtWaitForSingleObject (300, 0, 0x0, ... 01403 1324 NtWaitForSingleObject ... ) == 0x102 01420 896 NtResumeThread (316, ... 01421 1024 NtWaitForSingleObject (132, 0, 0x0, ... 01422 1028 NtWaitForSingleObject (300, 0, 0x0, ... 01404 1776 NtWaitForSingleObject ... ) == 0x102 01405 500 NtWaitForSingleObject ... ) == 0x102 01407 1708 NtWaitForSingleObject ... ) == 0x102 01406 1884 NtDuplicateObject ... 308, ) == 0x0 01409 2016 NtAllocateVirtualMemory ... 1372160, 4096, ) == 0x0 01408 748 NtWaitForSingleObject ... ) == 0x102 01423 1324 NtWaitForSingleObject (132, 0, 0x0, ... 01420 896 NtResumeThread ... 1, ) == 0x0 01424 1776 NtWaitForSingleObject (300, 0, 0x0, ... 01425 500 NtWaitForSingleObject (300, 0, 0x0, ... 01426 1708 NtWaitForSingleObject (300, 0, 0x0, ... 01427 1884 NtWaitForSingleObject (300, 0, 0x0, ... 
01428 2016 NtSetEventBoostPriority (300, ... 01429 748 NtWaitForSingleObject (300, 0, 0x0, ... 01412 248 NtDuplicateObject ... 304, ) == 0x0 01430 1308 NtTestAlert (... 01410 900 NtWaitForSingleObject ... ) == 0x0 01428 2016 NtSetEventBoostPriority ... ) == 0x0 01431 248 NtWaitForSingleObject (300, 0, 0x0, ... 01432 900 NtSetEventBoostPriority (300, ... 01430 1308 NtTestAlert ... ) == 0x0 01433 2016 NtWaitForSingleObject (300, 0, 0x0, ... 01411 1388 NtWaitForSingleObject ... ) == 0x0 01432 900 NtSetEventBoostPriority ... ) == 0x0 01434 1308 NtContinue (41418032, 1, ... 01435 1388 NtSetEventBoostPriority (300, ... 01436 900 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01413 2036 NtWaitForSingleObject ... ) == 0x0 01435 1388 NtSetEventBoostPriority ... ) == 0x0 01437 1308 NtRegisterThreadTerminatePort (24, ... 01438 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01439 2036 NtSetEventBoostPriority (300, ... 01440 1388 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01437 1308 NtRegisterThreadTerminatePort ... ) == 0x0 01414 1372 NtWaitForSingleObject ... ) == 0x0 01439 2036 NtSetEventBoostPriority ... ) == 0x0 01438 896 NtAllocateVirtualMemory ... 41418752, 1048576, ) == 0x0 01436 900 NtCreateEvent ... 352, ) == 0x0 01440 1388 NtCreateEvent ... 356, ) == 0x0 01441 1372 NtSetEventBoostPriority (300, ... 01442 2036 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01443 896 NtAllocateVirtualMemory (-1, 42459136, 0, 8192, 4096, 4, ... 01444 900 NtWaitForSingleObject (352, 0, 0x0, ... 01415 1600 NtWaitForSingleObject ... ) == 0x0 01441 1372 NtSetEventBoostPriority ... ) == 0x0 01445 1388 NtClose (356, ... 01446 1308 NtWaitForSingleObject (300, 0, 0x0, ... 01443 896 NtAllocateVirtualMemory ... 42459136, 8192, ) == 0x0 01447 1600 NtSetEventBoostPriority (300, ... 01448 1372 NtWaitForSingleObject (352, 0, 0x0, ... 01445 1388 NtClose ... ) == 0x0 01416 1948 NtWaitForSingleObject ... ) == 0x0 01447 1600 NtSetEventBoostPriority ... 
) == 0x0 01449 896 NtProtectVirtualMemory (-1, (0x287e000), 4096, 260, ... 01442 2036 NtCreateEvent ... 356, ) == 0x0 01450 1948 NtSetEventBoostPriority (300, ... 01451 1388 NtWaitForSingleObject (352, 0, 0x0, ... 01452 1600 NtWaitForSingleObject (352, 0, 0x0, ... 01449 896 NtProtectVirtualMemory ... (0x287e000), 4096, 4, ) == 0x0 01417 252 NtWaitForSingleObject ... ) == 0x0 01450 1948 NtSetEventBoostPriority ... ) == 0x0 01453 2036 NtClose (356, ... 01454 252 NtSetEventBoostPriority (300, ... 01455 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01418 1300 NtWaitForSingleObject ... ) == 0x0 01454 252 NtSetEventBoostPriority ... ) == 0x0 01453 2036 NtClose ... ) == 0x0 01456 1300 NtSetEventBoostPriority (300, ... 01455 896 NtCreateThread ... 356, {1252, 1676}, ) == 0x0 01457 1948 NtWaitForSingleObject (352, 0, 0x0, ... 01419 1096 NtWaitForSingleObject ... ) == 0x0 01456 1300 NtSetEventBoostPriority ... ) == 0x0 01458 2036 NtWaitForSingleObject (352, 0, 0x0, ... 01459 896 NtQueryInformationThread (356, Basic, 28, ... 01460 1096 NtSetEventBoostPriority (300, ... 01461 252 NtWaitForSingleObject (352, 0, 0x0, ... 01422 1028 NtWaitForSingleObject ... ) == 0x0 01460 1096 NtSetEventBoostPriority ... ) == 0x0 01459 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1252,Tid=1676,}, 0x0, ) == 0x0 01462 1028 NtSetEventBoostPriority (300, ... 01463 1300 NtWaitForSingleObject (352, 0, 0x0, ... 01424 1776 NtWaitForSingleObject ... ) == 0x0 01462 1028 NtSetEventBoostPriority ... ) == 0x0 01464 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81866, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81866, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\0\214\6\0\0" ... ... 01465 1776 NtSetEventBoostPriority (300, ... 01466 1028 NtWaitForSingleObject (300, 0, 0x0, ... 01425 500 NtWaitForSingleObject ... ) == 0x0 01465 1776 NtSetEventBoostPriority ... ) == 0x0 01464 896 NtRequestWaitReplyPort ... 
{28, 56, reply, 0, 1252, 896, 81867, 0} ... {28, 56, reply, 0, 1252, 896, 81867, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\1\0\0\344\4\0\0\214\6\0\0" ) ) == 0x0 01467 1096 NtWaitForSingleObject (352, 0, 0x0, ... 01468 500 NtSetEventBoostPriority (300, ... 01469 896 NtResumeThread (356, ... 01426 1708 NtWaitForSingleObject ... ) == 0x0 01468 500 NtSetEventBoostPriority ... ) == 0x0 01470 1708 NtSetEventBoostPriority (300, ... 01469 896 NtResumeThread ... 1, ) == 0x0 01471 1776 NtWaitForSingleObject (132, 0, 0x0, ... 01427 1884 NtWaitForSingleObject ... ) == 0x0 01470 1708 NtSetEventBoostPriority ... ) == 0x0 01472 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01473 1884 NtSetEventBoostPriority (300, ... 01474 500 NtWaitForSingleObject (132, 0, 0x0, ... 01475 1676 NtTestAlert (... 01429 748 NtWaitForSingleObject ... ) == 0x0 01473 1884 NtSetEventBoostPriority ... ) == 0x0 01472 896 NtAllocateVirtualMemory ... 42467328, 1048576, ) == 0x0 01476 748 NtSetEventBoostPriority (300, ... 01475 1676 NtTestAlert ... ) == 0x0 01477 1708 NtWaitForSingleObject (132, 0, 0x0, ... 01431 248 NtWaitForSingleObject ... ) == 0x0 01476 748 NtSetEventBoostPriority ... ) == 0x0 01478 896 NtAllocateVirtualMemory (-1, 43507712, 0, 8192, 4096, 4, ... 01479 1676 NtContinue (42466608, 1, ... 01480 248 NtSetEventBoostPriority (300, ... 01481 1884 NtWaitForSingleObject (300, 0, 0x0, ... 01482 748 NtWaitForSingleObject (132, 0, 0x0, ... 01433 2016 NtWaitForSingleObject ... ) == 0x0 01480 248 NtSetEventBoostPriority ... ) == 0x0 01483 1676 NtRegisterThreadTerminatePort (24, ... 01484 2016 NtSetEventBoostPriority (300, ... 01478 896 NtAllocateVirtualMemory ... 43507712, 8192, ) == 0x0 01446 1308 NtWaitForSingleObject ... ) == 0x0 01484 2016 NtSetEventBoostPriority ... ) == 0x0 01483 1676 NtRegisterThreadTerminatePort ... ) == 0x0 01485 1308 NtSetEventBoostPriority (300, ... 01486 896 NtProtectVirtualMemory (-1, (0x297e000), 4096, 260, ... 01487 248 NtWaitForSingleObject (300, 0, 0x0, ... 
01488 2016 NtSetEventBoostPriority (352, ... 01466 1028 NtWaitForSingleObject ... ) == 0x0 01485 1308 NtSetEventBoostPriority ... ) == 0x0 01486 896 NtProtectVirtualMemory ... (0x297e000), 4096, 4, ) == 0x0 01489 1028 NtSetEventBoostPriority (300, ... 01444 900 NtWaitForSingleObject ... ) == 0x0 01488 2016 NtSetEventBoostPriority ... ) == 0x0 01490 1308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01481 1884 NtWaitForSingleObject ... ) == 0x0 01491 900 NtWaitForSingleObject (300, 0, 0x0, ... 01492 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01493 2016 NtWaitForSingleObject (352, 0, 0x0, ... 01489 1028 NtSetEventBoostPriority ... ) == 0x0 01494 1676 NtWaitForSingleObject (300, 0, 0x0, ... 01495 1884 NtSetEventBoostPriority (300, ... 01492 896 NtCreateThread ... 360, {1252, 1620}, ) == 0x0 01496 1028 NtWaitForSingleObject (300, 0, 0x0, ... 01487 248 NtWaitForSingleObject ... ) == 0x0 01495 1884 NtSetEventBoostPriority ... ) == 0x0 01497 896 NtQueryInformationThread (360, Basic, 28, ... 01498 248 NtSetEventBoostPriority (300, ... 01499 1884 NtWaitForSingleObject (300, 0, 0x0, ... 01490 1308 NtDuplicateObject ... 364, ) == 0x0 01491 900 NtWaitForSingleObject ... ) == 0x0 01498 248 NtSetEventBoostPriority ... ) == 0x0 01497 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1252,Tid=1620,}, 0x0, ) == 0x0 01500 900 NtSetEventBoostPriority (300, ... 01501 1308 NtWaitForSingleObject (300, 0, 0x0, ... 01502 248 NtWaitForSingleObject (300, 0, 0x0, ... 01494 1676 NtWaitForSingleObject ... ) == 0x0 01500 900 NtSetEventBoostPriority ... ) == 0x0 01503 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81867, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81867, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\344\4\0\0T\6\0\0" ... ... 01504 1676 NtSetEventBoostPriority (300, ... 01496 1028 NtWaitForSingleObject ... ) == 0x0 01505 1028 NtSetEventBoostPriority (300, ... 01501 1308 NtWaitForSingleObject ... 
) == 0x0 01506 1308 NtSetEventBoostPriority (300, ... 01499 1884 NtWaitForSingleObject ... ) == 0x0 01507 1884 NtSetEventBoostPriority (300, ... 01502 248 NtWaitForSingleObject ... ) == 0x0 01508 248 NtWaitForSingleObject (352, 0, 0x0, ... 01506 1308 NtSetEventBoostPriority ... ) == 0x0 01505 1028 NtSetEventBoostPriority ... ) == 0x0 01504 1676 NtSetEventBoostPriority ... ) == 0x0 01503 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81868, 0} ... {28, 56, reply, 0, 1252, 896, 81868, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\344\4\0\0T\6\0\0" ) ) == 0x0 01507 1884 NtSetEventBoostPriority ... ) == 0x0 01509 900 NtSetEventBoostPriority (352, ... 01510 1308 NtWaitForSingleObject (352, 0, 0x0, ... 01511 1676 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01512 896 NtResumeThread (360, ... 01513 1884 NtWaitForSingleObject (352, 0, 0x0, ... 01451 1388 NtWaitForSingleObject ... ) == 0x0 01509 900 NtSetEventBoostPriority ... ) == 0x0 01514 1028 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01512 896 NtResumeThread ... 1, ) == 0x0 01515 1388 NtSetEventBoostPriority (352, ... 01516 900 NtWaitForSingleObject (64, 0, {0, 0}, ... 01514 1028 NtCreateEvent ... 368, ) == 0x0 01511 1676 NtDuplicateObject ... 372, ) == 0x0 01517 1620 NtTestAlert (... 01448 1372 NtWaitForSingleObject ... ) == 0x0 01515 1388 NtSetEventBoostPriority ... ) == 0x0 01516 900 NtWaitForSingleObject ... ) == 0x102 01518 1028 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01519 1676 NtWaitForSingleObject (352, 0, 0x0, ... 01520 1372 NtSetEventBoostPriority (352, ... 01517 1620 NtTestAlert ... ) == 0x0 01521 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01522 900 NtWaitForSingleObject (132, 0, 0x0, ... 01518 1028 NtDuplicateObject ... 376, ) == 0x0 01452 1600 NtWaitForSingleObject ... ) == 0x0 01523 1620 NtContinue (43515184, 1, ... 01521 896 NtAllocateVirtualMemory ... 43515904, 1048576, ) == 0x0 01520 1372 NtSetEventBoostPriority ... 
) == 0x0 01524 1388 NtWaitForSingleObject (64, 0, {0, 0}, ... 01525 1028 NtWaitForSingleObject (352, 0, 0x0, ... 01526 1600 NtSetEventBoostPriority (352, ... 01527 1620 NtRegisterThreadTerminatePort (24, ... 01528 896 NtAllocateVirtualMemory (-1, 44556288, 0, 8192, 4096, 4, ... 01529 1372 NtWaitForSingleObject (64, 0, {0, 0}, ... 01524 1388 NtWaitForSingleObject ... ) == 0x102 01457 1948 NtWaitForSingleObject ... ) == 0x0 01527 1620 NtRegisterThreadTerminatePort ... ) == 0x0 01528 896 NtAllocateVirtualMemory ... 44556288, 8192, ) == 0x0 01530 1388 NtWaitForSingleObject (132, 0, 0x0, ... 01531 1948 NtSetEventBoostPriority (352, ... 01526 1600 NtSetEventBoostPriority ... ) == 0x0 01529 1372 NtWaitForSingleObject ... ) == 0x102 01532 896 NtProtectVirtualMemory (-1, (0x2a7e000), 4096, 260, ... 01458 2036 NtWaitForSingleObject ... ) == 0x0 01531 1948 NtSetEventBoostPriority ... ) == 0x0 01533 1600 NtWaitForSingleObject (64, 0, {0, 0}, ... 01534 1372 NtWaitForSingleObject (132, 0, 0x0, ... 01535 2036 NtSetEventBoostPriority (352, ... 01532 896 NtProtectVirtualMemory ... (0x2a7e000), 4096, 4, ) == 0x0 01536 1948 NtWaitForSingleObject (64, 0, {0, 0}, ... 01461 252 NtWaitForSingleObject ... ) == 0x0 01535 2036 NtSetEventBoostPriority ... ) == 0x0 01537 1620 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01533 1600 NtWaitForSingleObject ... ) == 0x102 01538 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01539 252 NtSetEventBoostPriority (352, ... 01536 1948 NtWaitForSingleObject ... ) == 0x102 01537 1620 NtDuplicateObject ... 380, ) == 0x0 01540 1600 NtWaitForSingleObject (132, 0, 0x0, ... 01463 1300 NtWaitForSingleObject ... ) == 0x0 01539 252 NtSetEventBoostPriority ... ) == 0x0 01538 896 NtCreateThread ... 384, {1252, 1296}, ) == 0x0 01541 1948 NtWaitForSingleObject (132, 0, 0x0, ... 01542 1620 NtWaitForSingleObject (352, 0, 0x0, ... 01543 1300 NtSetEventBoostPriority (352, ... 01544 252 NtWaitForSingleObject (64, 0, {0, 0}, ... 
01545 896 NtQueryInformationThread (384, Basic, 28, ... 01467 1096 NtWaitForSingleObject ... ) == 0x0 01543 1300 NtSetEventBoostPriority ... ) == 0x0 01546 2036 NtWaitForSingleObject (64, 0, {0, 0}, ... 01547 1096 NtSetEventBoostPriority (352, ... 01545 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1252,Tid=1296,}, 0x0, ) == 0x0 01548 1300 NtWaitForSingleObject (64, 0, {0, 0}, ... 01493 2016 NtWaitForSingleObject ... ) == 0x0 01547 1096 NtSetEventBoostPriority ... ) == 0x0 01546 2036 NtWaitForSingleObject ... ) == 0x102 01549 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81868, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81868, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\4\0\0\20\5\0\0" ... ... 01544 252 NtWaitForSingleObject ... ) == 0x102 01550 2016 NtSetEventBoostPriority (352, ... 01551 1096 NtWaitForSingleObject (64, 0, {0, 0}, ... 01552 2036 NtWaitForSingleObject (132, 0, 0x0, ... 01508 248 NtWaitForSingleObject ... ) == 0x0 01550 2016 NtSetEventBoostPriority ... ) == 0x0 01553 252 NtWaitForSingleObject (132, 0, 0x0, ... 01548 1300 NtWaitForSingleObject ... ) == 0x102 01549 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81869, 0} ... {28, 56, reply, 0, 1252, 896, 81869, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\344\4\0\0\20\5\0\0" ) ) == 0x0 01554 248 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 01551 1096 NtWaitForSingleObject ... ) == 0x102 01555 1300 NtWaitForSingleObject (300, 0, 0x0, ... 01554 248 NtAllocateVirtualMemory ... 1376256, 4096, ) == 0x0 01556 896 NtResumeThread (384, ... 01557 1096 NtWaitForSingleObject (300, 0, 0x0, ... 01558 2016 NtWaitForSingleObject (352, 0, 0x0, ... 01556 896 NtResumeThread ... 1, ) == 0x0 01559 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 44564480, 1048576, ) == 0x0 01560 896 NtAllocateVirtualMemory (-1, 45604864, 0, 8192, 4096, 4, ... 
45604864, 8192, ) == 0x0 01561 896 NtProtectVirtualMemory (-1, (0x2b7e000), 4096, 260, ... (0x2b7e000), 4096, 4, ) == 0x0 01562 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 388, {1252, 440}, ) == 0x0 01563 896 NtQueryInformationThread (388, Basic, 28, ... 01564 248 NtSetEventBoostPriority (300, ... 01565 1296 NtTestAlert (... 01555 1300 NtWaitForSingleObject ... ) == 0x0 01564 248 NtSetEventBoostPriority ... ) == 0x0 01566 1300 NtSetEventBoostPriority (300, ... 01565 1296 NtTestAlert ... ) == 0x0 01557 1096 NtWaitForSingleObject ... ) == 0x0 01566 1300 NtSetEventBoostPriority ... ) == 0x0 01567 248 NtSetEventBoostPriority (352, ... 01568 1096 NtWaitForSingleObject (132, 0, 0x0, ... 01569 1296 NtContinue (44563760, 1, ... 01563 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1252,Tid=440,}, 0x0, ) == 0x0 01510 1308 NtWaitForSingleObject ... ) == 0x0 01567 248 NtSetEventBoostPriority ... ) == 0x0 01570 1296 NtRegisterThreadTerminatePort (24, ... 01571 1308 NtSetEventBoostPriority (352, ... 01572 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81869, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81869, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\0\270\1\0\0" ... ... 01573 248 NtWaitForSingleObject (64, 0, {0, 0}, ... 01513 1884 NtWaitForSingleObject ... ) == 0x0 01571 1308 NtSetEventBoostPriority ... ) == 0x0 01570 1296 NtRegisterThreadTerminatePort ... ) == 0x0 01572 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81870, 0} ... {28, 56, reply, 0, 1252, 896, 81870, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\1\0\0\344\4\0\0\270\1\0\0" ) ) == 0x0 01574 1884 NtSetEventBoostPriority (352, ... 01575 1308 NtWaitForSingleObject (64, 0, {0, 0}, ... 01576 1300 NtWaitForSingleObject (132, 0, 0x0, ... 01573 248 NtWaitForSingleObject ... ) == 0x102 01519 1676 NtWaitForSingleObject ... ) == 0x0 01574 1884 NtSetEventBoostPriority ... ) == 0x0 01577 896 NtResumeThread (388, ... 
01578 1296 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01579 1676 NtSetEventBoostPriority (352, ... 01580 248 NtWaitForSingleObject (132, 0, 0x0, ... 01575 1308 NtWaitForSingleObject ... ) == 0x102 01577 896 NtResumeThread ... 1, ) == 0x0 01525 1028 NtWaitForSingleObject ... ) == 0x0 01579 1676 NtSetEventBoostPriority ... ) == 0x0 01578 1296 NtDuplicateObject ... 392, ) == 0x0 01581 1308 NtWaitForSingleObject (132, 0, 0x0, ... 01582 1884 NtWaitForSingleObject (64, 0, {0, 0}, ... 01583 440 NtTestAlert (... 01584 1028 NtSetEventBoostPriority (352, ... 01585 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01586 1296 NtWaitForSingleObject (352, 0, 0x0, ... 01582 1884 NtWaitForSingleObject ... ) == 0x102 01542 1620 NtWaitForSingleObject ... ) == 0x0 01584 1028 NtSetEventBoostPriority ... ) == 0x0 01583 440 NtTestAlert ... ) == 0x0 01585 896 NtAllocateVirtualMemory ... 45613056, 1048576, ) == 0x0 01587 1620 NtSetEventBoostPriority (352, ... 01588 1884 NtWaitForSingleObject (132, 0, 0x0, ... 01589 1676 NtWaitForSingleObject (64, 0, {0, 0}, ... 01590 440 NtContinue (45612336, 1, ... 01558 2016 NtWaitForSingleObject ... ) == 0x0 01587 1620 NtSetEventBoostPriority ... ) == 0x0 01591 896 NtAllocateVirtualMemory (-1, 46653440, 0, 8192, 4096, 4, ... 01589 1676 NtWaitForSingleObject ... ) == 0x102 01592 2016 NtSetEventBoostPriority (352, ... 01593 440 NtRegisterThreadTerminatePort (24, ... 01594 1028 NtWaitForSingleObject (352, 0, 0x0, ... 01591 896 NtAllocateVirtualMemory ... 46653440, 8192, ) == 0x0 01586 1296 NtWaitForSingleObject ... ) == 0x0 01592 2016 NtSetEventBoostPriority ... ) == 0x0 01595 1676 NtWaitForSingleObject (132, 0, 0x0, ... 01593 440 NtRegisterThreadTerminatePort ... ) == 0x0 01596 1296 NtSetEventBoostPriority (352, ... 01597 896 NtProtectVirtualMemory (-1, (0x2c7e000), 4096, 260, ... 01598 2016 NtWaitForSingleObject (352, 0, 0x0, ... 01599 1620 NtWaitForSingleObject (64, 0, {0, 0}, ... 01594 1028 NtWaitForSingleObject ... 
) == 0x0 01596 1296 NtSetEventBoostPriority ... ) == 0x0 01597 896 NtProtectVirtualMemory ... (0x2c7e000), 4096, 4, ) == 0x0 01600 440 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01601 1028 NtSetEventBoostPriority (352, ... 01599 1620 NtWaitForSingleObject ... ) == 0x102 01602 1296 NtWaitForSingleObject (64, 0, {0, 0}, ... 01598 2016 NtWaitForSingleObject ... ) == 0x0 01601 1028 NtSetEventBoostPriority ... ) == 0x0 01600 440 NtDuplicateObject ... 396, ) == 0x0 01603 1620 NtWaitForSingleObject (132, 0, 0x0, ... 01604 2016 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006064, ... }, 11006064, ... 01602 1296 NtWaitForSingleObject ... ) == 0x102 01605 1028 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 01606 440 NtWaitForSingleObject (300, 0, 0x0, ... 01604 2016 NtQueryAttributesFile ... ) == 0x0 01607 1296 NtWaitForSingleObject (300, 0, 0x0, ... 01608 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01609 2016 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... 400, ) }, ... 400, ) == 0x0 01608 896 NtCreateThread ... 404, {1252, 1588}, ) == 0x0 01605 1028 NtAllocateVirtualMemory ... 1380352, 4096, ) == 0x0 01610 896 NtQueryInformationThread (404, Basic, 28, ... 01611 1028 NtSetEventBoostPriority (300, ... 01610 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1252,Tid=1588,}, 0x0, ) == 0x0 01606 440 NtWaitForSingleObject ... ) == 0x0 01611 1028 NtSetEventBoostPriority ... ) == 0x0 01612 440 NtSetEventBoostPriority (300, ... 01613 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81870, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81870, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\344\4\0\04\6\0\0" ... ... 01607 1296 NtWaitForSingleObject ... ) == 0x0 01612 440 NtSetEventBoostPriority ... ) == 0x0 01614 1028 NtWaitForSingleObject (300, 0, 0x0, ... 
01615 1296 NtSetEventBoostPriority (300, ... 01613 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81871, 0} ... {28, 56, reply, 0, 1252, 896, 81871, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\344\4\0\04\6\0\0" ) ) == 0x0 01616 2016 NtQueryValueKey (400, (400, "Transports", Partial, 144, ... , Partial, 144, ... 01615 1296 NtSetEventBoostPriority ... ) == 0x0 01614 1028 NtWaitForSingleObject ... ) == 0x0 01617 896 NtResumeThread (404, ... 01616 2016 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01618 440 NtWaitForSingleObject (300, 0, 0x0, ... 01619 1296 NtWaitForSingleObject (132, 0, 0x0, ... 01617 896 NtResumeThread ... 1, ) == 0x0 01620 2016 NtQueryValueKey (400, (400, "Transports", Partial, 144, ... , Partial, 144, ... 01621 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01620 2016 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01621 896 NtAllocateVirtualMemory ... 46661632, 1048576, ) == 0x0 01622 2016 NtClose (400, ... 01623 896 NtAllocateVirtualMemory (-1, 47702016, 0, 8192, 4096, 4, ... 01622 2016 NtClose ... ) == 0x0 01624 1028 NtSetEventBoostPriority (300, ... 01625 1588 NtTestAlert (... 01623 896 NtAllocateVirtualMemory ... 47702016, 8192, ) == 0x0 01618 440 NtWaitForSingleObject ... ) == 0x0 01624 1028 NtSetEventBoostPriority ... ) == 0x0 01625 1588 NtTestAlert ... ) == 0x0 01626 440 NtWaitForSingleObject (352, 0, 0x0, ... 01627 896 NtProtectVirtualMemory (-1, (0x2d7e000), 4096, 260, ... 01628 1028 NtSetEventBoostPriority (352, ... 01629 1588 NtContinue (46660912, 1, ... 01627 896 NtProtectVirtualMemory ... (0x2d7e000), 4096, 4, ) == 0x0 01626 440 NtWaitForSingleObject ... ) == 0x0 01628 1028 NtSetEventBoostPriority ... ) == 0x0 01630 1588 NtRegisterThreadTerminatePort (24, ... 
01631 440 NtWaitForSingleObject (64, 0, {0, 0}, ... 01632 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01633 1028 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ... 01630 1588 NtRegisterThreadTerminatePort ... ) == 0x0 01632 896 NtCreateThread ... 400, {1252, 2044}, ) == 0x0 01633 1028 NtOpenFile ... 408, {status=0x0, info=0}, ) == 0x0 01634 2016 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01631 440 NtWaitForSingleObject ... ) == 0x102 01635 896 NtQueryInformationThread (400, Basic, 28, ... 01636 1588 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01634 2016 NtOpenKey ... 412, ) == 0x0 01637 440 NtWaitForSingleObject (132, 0, 0x0, ... 01638 1028 NtDeviceIoControlFile (408, 0, 0x0, 0x0, 0x390008, (408, 0, 0x0, 0x0, 0x390008, "\243\223:\15\23\254\246^_\302\255\376\21E\352\17\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01636 1588 NtDuplicateObject ... 416, ) == 0x0 01639 2016 NtQueryValueKey (412, (412, "Mapping", Partial, 144, ... , Partial, 144, ... 01640 1028 NtQuerySystemInformation (TimeOfDay, 48, ... 01641 1588 NtWaitForSingleObject (64, 0, {0, 0}, ... 01639 2016 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01640 1028 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01641 1588 NtWaitForSingleObject ... ) == 0x102 01642 2016 NtQueryValueKey (412, (412, "Mapping", Partial, 144, ... 
, Partial, 144, ... 01643 1028 NtQuerySystemInformation (ProcessorTimes, 48, ... 01644 1588 NtWaitForSingleObject (132, 0, 0x0, ... 01642 2016 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01643 1028 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01635 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1252,Tid=2044,}, 0x0, ) == 0x0 01645 1028 NtQuerySystemInformation (Performance, 312, ... 01646 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81871, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81871, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\4\0\0\374\7\0\0" ... ... 01647 2016 NtQueryValueKey (412, (412, "Mapping", Partial, 152, ... , Partial, 152, ... 01646 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81872, 0} ... {28, 56, reply, 0, 1252, 896, 81872, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\344\4\0\0\374\7\0\0" ) ) == 0x0 01647 2016 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01648 896 NtResumeThread (400, ... 01649 2016 NtClose (412, ... 01648 896 NtResumeThread ... 1, ) == 0x0 01649 2016 NtClose ... ) == 0x0 01645 1028 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01650 2044 NtTestAlert (... 01651 2016 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01652 1028 NtQuerySystemInformation (Exception, 16, ... 01650 2044 NtTestAlert ... ) == 0x0 01651 2016 NtOpenKey ... 412, ) == 0x0 01652 1028 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01653 2044 NtContinue (47709488, 1, ... 
01654 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01655 1028 NtQuerySystemInformation (Lookaside, 32, ... 01656 2044 NtRegisterThreadTerminatePort (24, ... 01654 896 NtAllocateVirtualMemory ... 47710208, 1048576, ) == 0x0 01655 1028 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01656 2044 NtRegisterThreadTerminatePort ... ) == 0x0 01657 896 NtAllocateVirtualMemory (-1, 48750592, 0, 8192, 4096, 4, ... 01658 1028 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01659 2016 NtQueryValueKey (412, (412, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 01657 896 NtAllocateVirtualMemory ... 48750592, 8192, ) == 0x0 01660 2044 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01659 2016 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01661 896 NtProtectVirtualMemory (-1, (0x2e7e000), 4096, 260, ... 01660 2044 NtDuplicateObject ... 420, ) == 0x0 01662 2016 NtQueryValueKey (412, (412, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 01661 896 NtProtectVirtualMemory ... (0x2e7e000), 4096, 4, ) == 0x0 01663 2044 NtWaitForSingleObject (64, 0, {0, 0}, ... 01662 2016 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01658 1028 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01663 2044 NtWaitForSingleObject ... ) == 0x102 01664 2016 NtQueryValueKey (412, (412, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 01665 1028 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01666 2044 NtWaitForSingleObject (132, 0, 0x0, ... 01664 2016 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01665 1028 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01667 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
01668 2016 NtQueryValueKey (412, (412, "HelperDllName", Partial, 144, ... , Partial, 144, ... 01667 896 NtCreateThread ... 424, {1252, 588}, ) == 0x0 01668 2016 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01669 896 NtQueryInformationThread (424, Basic, 28, ... 01670 2016 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007020, ... }, 11007020, ... 01669 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1252,Tid=588,}, 0x0, ) == 0x0 01670 2016 NtQueryAttributesFile ... ) == 0x0 01671 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81872, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81872, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0L\2\0\0" ... ... 01672 2016 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 428, {status=0x0, info=1}, ) }, 5, 96, ... 428, {status=0x0, info=1}, ) == 0x0 01673 2016 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 428, ... 432, ) == 0x0 01674 2016 NtClose (428, ... ) == 0x0 01675 2016 NtMapViewOfSection (432, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x850000), 0x0, 20480, ) == 0x0 01671 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81873, 0} ... {28, 56, reply, 0, 1252, 896, 81873, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\1\0\0\344\4\0\0L\2\0\0" ) ) == 0x0 01676 896 NtResumeThread (424, ... 1, ) == 0x0 01677 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 48758784, 1048576, ) == 0x0 01678 896 NtAllocateVirtualMemory (-1, 49799168, 0, 8192, 4096, 4, ... 49799168, 8192, ) == 0x0 01679 896 NtProtectVirtualMemory (-1, (0x2f7e000), 4096, 260, ... (0x2f7e000), 4096, 4, ) == 0x0 01680 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
428, {1252, 1652}, ) == 0x0 01681 896 NtQueryInformationThread (428, Basic, 28, ... 01682 2016 NtClose (432, ... 01683 1028 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01684 588 NtWaitForSingleObject (100, 0, 0x0, ... 01682 2016 NtClose ... ) == 0x0 01683 1028 NtCreateKey ... -2147482756, 2, ) == 0x0 01685 1028 NtSetValueKey (-2147482756, (-2147482756, "Seed", 0, 3, "\235\1\266YN\\343\35\336x\26 T\3216\201\0\206\351\30\277\374x\252\363\250\205\211\274\207Z\13\313\230\3614\264z@=\206ve\273]rS\302\301\234\221D\365\360\343+\304\327g\256\226\3010\210\301\5\206\204\209\33\332\277Q\21RK\372\251\314", 80, ... ) , 0, 3, (-2147482756, "Seed", 0, 3, "\235\1\266YN\\343\35\336x\26 T\3216\201\0\206\351\30\277\374x\252\363\250\205\211\274\207Z\13\313\230\3614\264z@=\206ve\273]rS\302\301\234\221D\365\360\343+\304\327g\256\226\3010\210\301\5\206\204\209\33\332\277Q\21RK\372\251\314", 80, ... ) , 80, ... ) == 0x0 01686 1028 NtClose (-2147482756, ... ) == 0x0 01687 2016 NtUnmapViewOfSection (-1, 0x850000, ... 01681 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1252,Tid=1652,}, 0x0, ) == 0x0 01687 2016 NtUnmapViewOfSection ... ) == 0x0 01688 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81873, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81873, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0t\6\0\0" ... ... 01638 1028 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\202\225x\347\257p\207\374\270^\204`\301H\344\212S\32\203\277\\202\236\36Xg\357\275\312\346c\346F\245\340\271\14\356X\304aW`\353\351\340\321"\224\215\247\246[\346\210\251|\307\271\354\207\335V;\211(\342\225W6\206w\205\214H&:Pg\225"c\222\302\6\252'u.\364\267\3641\364_\325\233\357'\325\11@\224&\360\352\365^z\272\256\376sBBq&*\252wr\1\210\250\211\344kB\351Q\33\331\360\360Bo?\340\220\226hL\213\36C\207\373{\200Bb0\325L5\37\2\312!\334\315\261\243u\315@&\374\356&\333\340\357\363\347\5\306N\21\325}?\237on_\270o\22\16s\350Zh\201\206a\225\275\254\333W\22\377\253N\327\343;\26s\273\200\223\325\216\25\231*\313\251\213g\221/j;b\17@\4,\37\243\210\236p\327\365\304|q\222\267\326b\340]Ka\331A$\4W\350", ) \224\215\247\246[\346\210\251|\307\271\354\207\335V;\211(\342\225W6\206w\205\214H&:Pg\225 ... {status=0x0, info=256}, "\202\225x\347\257p\207\374\270^\204`\301H\344\212S\32\203\277\\202\236\36Xg\357\275\312\346c\346F\245\340\271\14\356X\304aW`\353\351\340\321"\224\215\247\246[\346\210\251|\307\271\354\207\335V;\211(\342\225W6\206w\205\214H&:Pg\225"c\222\302\6\252'u.\364\267\3641\364_\325\233\357'\325\11@\224&\360\352\365^z\272\256\376sBBq&*\252wr\1\210\250\211\344kB\351Q\33\331\360\360Bo?\340\220\226hL\213\36C\207\373{\200Bb0\325L5\37\2\312!\334\315\261\243u\315@&\374\356&\333\340\357\363\347\5\306N\21\325}?\237on_\270o\22\16s\350Zh\201\206a\225\275\254\333W\22\377\253N\327\343;\26s\273\200\223\325\216\25\231*\313\251\213g\221/j;b\17@\4,\37\243\210\236p\327\365\304|q\222\267\326b\340]Ka\331A$\4W\350", ) , ) == 0x0 01688 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81874, 0} ... {28, 56, reply, 0, 1252, 896, 81874, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\1\0\0\344\4\0\0t\6\0\0" ) ) == 0x0 01689 1028 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01690 896 NtResumeThread (428, ... 01689 1028 NtCreateEvent ... 432, ) == 0x0 01690 896 NtResumeThread ... 
1, ) == 0x0 01691 1028 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 16248324, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 16248324, 188, ... 01692 2016 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007328, ... }, 11007328, ... 01693 1652 NtWaitForSingleObject (100, 0, 0x0, ... 01692 2016 NtQueryAttributesFile ... ) == 0x0 01691 1028 NtConnectPort ... 436, 0x0, 0x0, 0x0, 188, ) == 0x0 01694 2016 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 01695 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01694 2016 NtOpenFile ... 440, {status=0x0, info=1}, ) == 0x0 01695 896 NtAllocateVirtualMemory ... 49807360, 1048576, ) == 0x0 01696 2016 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 440, ... 01697 896 NtAllocateVirtualMemory (-1, 50847744, 0, 8192, 4096, 4, ... 01696 2016 NtCreateSection ... 444, ) == 0x0 01697 896 NtAllocateVirtualMemory ... 50847744, 8192, ) == 0x0 01698 1028 NtRequestWaitReplyPort (436, {200, 224, new_msg, 0, 1383928, 12, 2, 1} (436, {200, 224, new_msg, 0, 1383928, 12, 2, 1} "\0\4\24\0\274\0\0\0\4>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\330\3\24\0\4\0\0\0\1\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\272h\22\251Z2\2sx\35\25\0d\1\24\0\12\0\0\0\0\0\0\0\0\20\0\0(\0\0\0\200\35\25\0\245\365_\11\0\4\24\0\240\35\25\0d\1\24\0\0\0\0\0\0\0\0\0\240\35\25\0P\0\0\0\250\35\25\0\360\6\221|\330\3\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\367\0\372\31\221|\30\364\367\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 01699 896 NtProtectVirtualMemory (-1, (0x307e000), 4096, 260, ... (0x307e000), 4096, 4, ) == 0x0 01698 1028 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1252, 1028, 81876, 0} ... 
{200, 224, reply, 0, 1252, 1028, 81876, 0} "\7\4\24\0\274\0\0\0\4>\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\1\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\1\0\0\0\272h\22\251Z2\2sx\35\25\0d\1\24\0\12\0\0\0\0\0\0\0\0\20\0\0(\0\0\0\200\35\25\0\245\365_\11\0\4\24\0\240\35\25\0d\1\24\0\0\0\0\0\0\0\0\0\240\35\25\0P\0\0\0\250\35\25\0\360\6\221|\330\3\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\367\0\372\31\221|\30\364\367\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01700 2016 NtQuerySection (444, Image, 48, ... 01701 1028 NtRequestWaitReplyPort (436, {64, 88, new_msg, 0, 0, 0, 0, 0} (436, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01700 2016 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01702 2016 NtClose (440, ... ) == 0x0 01703 2016 NtMapViewOfSection (444, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 01704 2016 NtClose (444, ... ) == 0x0 01705 2016 NtProtectVirtualMemory (-1, (0x71a91000), 128, 4, ... (0x71a91000), 4096, 32, ) == 0x0 01706 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 444, {1252, 1376}, ) == 0x0 01707 896 NtQueryInformationThread (444, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1252,Tid=1376,}, 0x0, ) == 0x0 01708 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81874, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81874, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0`\5\0\0" ... ... 01701 1028 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1252, 1028, 81877, 0} ... {52, 76, reply, 0, 1252, 1028, 81877, 0} "\2\356Q\200\1\0\0\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300l\273\270\367X\353Q\200\360\317\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 01709 1028 NtClose (432, ... ) == 0x0 01710 1028 NtClose (436, ... 
) == 0x0 01711 1028 NtWaitForSingleObject (100, 0, 0x0, ... 01712 2016 NtProtectVirtualMemory (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0 01713 2016 NtFlushInstructionCache (-1, 1906905088, 128, ... ) == 0x0 01708 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81878, 0} ... {28, 56, reply, 0, 1252, 896, 81878, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\1\0\0\344\4\0\0`\5\0\0" ) ) == 0x0 01714 896 NtResumeThread (444, ... 1, ) == 0x0 01715 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 50855936, 1048576, ) == 0x0 01716 896 NtAllocateVirtualMemory (-1, 51896320, 0, 8192, 4096, 4, ... 01717 2016 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... }, ... 01718 1376 NtWaitForSingleObject (100, 0, 0x0, ... 01717 2016 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01719 2016 NtSetEventBoostPriority (100, ... 01684 588 NtWaitForSingleObject ... ) == 0x0 01720 588 NtSetEventBoostPriority (100, ... 01693 1652 NtWaitForSingleObject ... ) == 0x0 01721 1652 NtSetEventBoostPriority (100, ... 01711 1028 NtWaitForSingleObject ... ) == 0x0 01722 1028 NtSetEventBoostPriority (100, ... 01718 1376 NtWaitForSingleObject ... ) == 0x0 01723 1376 NtTestAlert (... ) == 0x0 01721 1652 NtSetEventBoostPriority ... ) == 0x0 01720 588 NtSetEventBoostPriority ... ) == 0x0 01719 2016 NtSetEventBoostPriority ... ) == 0x0 01722 1028 NtSetEventBoostPriority ... ) == 0x0 01716 896 NtAllocateVirtualMemory ... 51896320, 8192, ) == 0x0 01724 1376 NtContinue (50855216, 1, ... 01725 1652 NtTestAlert (... 01726 2016 NtClose (412, ... 01727 588 NtTestAlert (... 01728 896 NtProtectVirtualMemory (-1, (0x317e000), 4096, 260, ... 01729 1376 NtRegisterThreadTerminatePort (24, ... 01725 1652 NtTestAlert ... ) == 0x0 01726 2016 NtClose ... ) == 0x0 01727 588 NtTestAlert ... ) == 0x0 01728 896 NtProtectVirtualMemory ... 
(0x317e000), 4096, 4, ) == 0x0 01729 1376 NtRegisterThreadTerminatePort ... ) == 0x0 01730 1652 NtContinue (49806640, 1, ... 01731 1028 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01732 588 NtContinue (48758064, 1, ... 01733 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01734 1376 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01735 1652 NtRegisterThreadTerminatePort (24, ... 01731 1028 NtCreateKey ... 412, 2, ) == 0x0 01736 588 NtRegisterThreadTerminatePort (24, ... 01733 896 NtCreateThread ... 436, {1252, 1436}, ) == 0x0 01734 1376 NtDuplicateObject ... 432, ) == 0x0 01735 1652 NtRegisterThreadTerminatePort ... ) == 0x0 01737 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01736 588 NtRegisterThreadTerminatePort ... ) == 0x0 01738 896 NtQueryInformationThread (436, Basic, 28, ... 01739 1376 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 01740 1652 NtWaitForSingleObject (300, 0, 0x0, ... 01737 1028 NtOpenKey ... 440, ) == 0x0 01741 588 NtWaitForSingleObject (300, 0, 0x0, ... 01742 2016 NtWaitForSingleObject (300, 0, 0x0, ... 01738 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1252,Tid=1436,}, 0x0, ) == 0x0 01739 1376 NtAllocateVirtualMemory ... 1384448, 4096, ) == 0x0 01743 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01744 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81878, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81878, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\234\5\0\0" ... ... 01745 1376 NtSetEventBoostPriority (300, ... 01743 1028 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01744 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81880, 0} ... {28, 56, reply, 0, 1252, 896, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\1\0\0\344\4\0\0\234\5\0\0" ) ) == 0x0 01740 1652 NtWaitForSingleObject ... ) == 0x0 01745 1376 NtSetEventBoostPriority ... ) == 0x0 01746 1652 NtSetEventBoostPriority (300, ... 01747 896 NtResumeThread (436, ... 01742 2016 NtWaitForSingleObject ... ) == 0x0 01748 1376 NtWaitForSingleObject (300, 0, 0x0, ... 01747 896 NtResumeThread ... 1, ) == 0x0 01749 2016 NtSetEventBoostPriority (300, ... 01746 1652 NtSetEventBoostPriority ... ) == 0x0 01750 1028 NtQueryValueKey (412, (412, "Hostname", Partial, 144, ... , Partial, 144, ... 01751 1436 NtTestAlert (... 01741 588 NtWaitForSingleObject ... ) == 0x0 01749 2016 NtSetEventBoostPriority ... ) == 0x0 01752 1652 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01750 1028 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 01753 588 NtSetEventBoostPriority (300, ... 01751 1436 NtTestAlert ... ) == 0x0 01754 2016 NtWaitForSingleObject (300, 0, 0x0, ... 01752 1652 NtDuplicateObject ... 448, ) == 0x0 01748 1376 NtWaitForSingleObject ... ) == 0x0 01755 1028 NtQueryValueKey (412, (412, "Hostname", Partial, 144, ... , Partial, 144, ... 01756 1436 NtContinue (51903792, 1, ... 01753 588 NtSetEventBoostPriority ... ) == 0x0 01757 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01758 1376 NtSetEventBoostPriority (300, ... 01755 1028 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 01759 1436 NtRegisterThreadTerminatePort (24, ... 01760 588 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01757 896 NtAllocateVirtualMemory ... 51904512, 1048576, ) == 0x0 01754 2016 NtWaitForSingleObject ... ) == 0x0 01758 1376 NtSetEventBoostPriority ... ) == 0x0 01761 1028 NtClose (412, ... 
01759 1436 NtRegisterThreadTerminatePort ... ) == 0x0 01760 588 NtDuplicateObject ... 452, ) == 0x0 01762 2016 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11009664, 67, ... }, 0x0, 0, 3, 3, 0, 11009664, 67, ... 01763 896 NtAllocateVirtualMemory (-1, 52944896, 0, 8192, 4096, 4, ... 01764 1652 NtWaitForSingleObject (64, 0, {0, 0}, ... 01761 1028 NtClose ... ) == 0x0 01765 1376 NtWaitForSingleObject (64, 0, {0, 0}, ... 01766 1436 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01763 896 NtAllocateVirtualMemory ... 52944896, 8192, ) == 0x0 01764 1652 NtWaitForSingleObject ... ) == 0x102 01767 588 NtWaitForSingleObject (64, 0, {0, 0}, ... 01762 2016 NtCreateFile ... 412, {status=0x0, info=0}, ) == 0x0 01765 1376 NtWaitForSingleObject ... ) == 0x102 01766 1436 NtDuplicateObject ... 456, ) == 0x0 01768 896 NtProtectVirtualMemory (-1, (0x327e000), 4096, 260, ... 01769 1652 NtWaitForSingleObject (132, 0, 0x0, ... 01767 588 NtWaitForSingleObject ... ) == 0x102 01770 2016 NtDeviceIoControlFile (412, 112, 0x0, 0x0, 0x1207b, (412, 112, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ... 01771 1376 NtWaitForSingleObject (132, 0, 0x0, ... 01772 1436 NtWaitForSingleObject (64, 0, {0, 0}, ... 01768 896 NtProtectVirtualMemory ... (0x327e000), 4096, 4, ) == 0x0 01773 588 NtWaitForSingleObject (132, 0, 0x0, ... 01770 2016 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0\230\353s\201", ) , ) == 0x0 01772 1436 NtWaitForSingleObject ... ) == 0x102 01774 1028 NtClose (440, ... 01775 2016 NtDeviceIoControlFile (412, 112, 0x0, 0x0, 0x1207b, (412, 112, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0\230\353s\201", 16, 16, ... , 16, 16, ... 01776 1436 NtWaitForSingleObject (132, 0, 0x0, ... 01774 1028 NtClose ... ) == 0x0 01775 2016 NtDeviceIoControlFile ... {status=0x0, info=16}, ... 
{status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0\230\353s\201", ) , ) == 0x0 01777 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01778 1028 NtDeviceIoControlFile (408, 0, 0x0, 0x0, 0x390008, (408, 0, 0x0, 0x0, 0x390008, "\243\223:\15\23\254\246\2479Ghp@\17q\364\377\335\247F\7\330\261\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01779 2016 NtDeviceIoControlFile (412, 112, 0x0, 0x0, 0x12047, (412, 112, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 01777 896 NtCreateThread ... 440, {1252, 1368}, ) == 0x0 01780 1028 NtQuerySystemInformation (TimeOfDay, 48, ... 01781 896 NtQueryInformationThread (440, Basic, 28, ... 01780 1028 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01781 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1252,Tid=1368,}, 0x0, ) == 0x0 01782 1028 NtQuerySystemInformation (ProcessorTimes, 48, ... 
01783 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81880, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81880, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0X\5\0\0" ... ... 01779 2016 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 01784 2016 NtWaitForSingleObject (56, 0, {0, 0}, ... ) == 0x102 01785 2016 NtDeviceIoControlFile (412, 112, 0x0, 0x0, 0x12003, (412, 112, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=460}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=460}, (412, 112, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=460}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01786 2016 NtDeviceIoControlFile (412, 112, 0x0, 0x0, 0x12047, (412, 112, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 01787 2016 NtDeviceIoControlFile (412, 112, 0x0, 0x0, 0x12037, (412, 112, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (412, 112, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 01788 2016 NtDeviceIoControlFile (412, 112, 0x0, 0x0, 0x1200b, (412, 112, 0x0, 0x0, 0x1200b, "\0\376\247\0\5\0\0\0\0\256\24\0", 12, 0, ... , 12, 0, ... 01782 1028 NtQuerySystemInformation ... 
{system info, class 8, size 48}, 48, ) == 0x0 01783 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81881, 0} ... {28, 56, reply, 0, 1252, 896, 81881, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\1\0\0\344\4\0\0X\5\0\0" ) ) == 0x0 01789 1028 NtQuerySystemInformation (Performance, 312, ... 01790 896 NtResumeThread (440, ... 01789 1028 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01790 896 NtResumeThread ... 1, ) == 0x0 01791 1028 NtQuerySystemInformation (Exception, 16, ... 01792 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01791 1028 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01792 896 NtAllocateVirtualMemory ... 52953088, 1048576, ) == 0x0 01793 1028 NtQuerySystemInformation (Lookaside, 32, ... 01794 896 NtAllocateVirtualMemory (-1, 53993472, 0, 8192, 4096, 4, ... 01788 2016 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01795 1368 NtTestAlert (... 01793 1028 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01796 2016 NtDeviceIoControlFile (412, 112, 0x0, 0x0, 0x12047, (412, 112, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\247\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01795 1368 NtTestAlert ... ) == 0x0 01797 1028 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01796 2016 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01798 1368 NtContinue (52952368, 1, ... 01797 1028 NtQuerySystemInformation ... 
{system info, class 23, size 0}, 0, ) == 0x0 01799 2016 NtDeviceIoControlFile (412, 112, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... 01800 1368 NtRegisterThreadTerminatePort (24, ... 01801 1028 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01799 2016 NtDeviceIoControlFile ... {status=0x0, info=26}, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01800 1368 NtRegisterThreadTerminatePort ... ) == 0x0 01801 1028 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01802 2016 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01794 896 NtAllocateVirtualMemory ... 53993472, 8192, ) == 0x0 01803 1028 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01804 1368 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01805 896 NtProtectVirtualMemory (-1, (0x337e000), 4096, 260, ... 01802 2016 NtCreateEvent ... 464, ) == 0x0 01804 1368 NtDuplicateObject ... 468, ) == 0x0 01805 896 NtProtectVirtualMemory ... (0x337e000), 4096, 4, ) == 0x0 01806 2016 NtWaitForSingleObject (464, 0, 0x0, ... 01807 1368 NtWaitForSingleObject (64, 0, {0, 0}, ... 01808 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01807 1368 NtWaitForSingleObject ... ) == 0x102 01808 896 NtCreateThread ... 472, {1252, 724}, ) == 0x0 01809 1368 NtWaitForSingleObject (132, 0, 0x0, ... 01810 896 NtQueryInformationThread (472, Basic, 28, ... 01803 1028 NtCreateKey ... -2147481484, 2, ) == 0x0 01811 1028 NtSetValueKey (-2147481484, (-2147481484, "Seed", 0, 3, "M`\255\215\353[\252\361J!\315\347Z\323\332\307V\310\266;\377\23\260\20\24l@Y\326;\265\360\303!d_\316\324\302\257\362\5\305|\315P\307`4qZ\327\340\363:\34\351\232\311\347\32\20\302\13I<\374\2337\273\242{\227\226\266s\234\17\205c", 80, ... 
) , 0, 3, (-2147481484, "Seed", 0, 3, "M`\255\215\353[\252\361J!\315\347Z\323\332\307V\310\266;\377\23\260\20\24l@Y\326;\265\360\303!d_\316\324\302\257\362\5\305|\315P\307`4qZ\327\340\363:\34\351\232\311\347\32\20\302\13I<\374\2337\273\242{\227\226\266s\234\17\205c", 80, ... ) , 80, ... ) == 0x0 01812 1028 NtClose (-2147481484, ... ) == 0x0 01778 1028 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "xP\263\15\306>,\4^\266:\203\346RN\344\310*:\274\33j\246\37A\240\37\306\26\1\322\22X\15\1i4\316&\356*\245\6R\220Ju\275\4\373\220\11@\372\312~\37\201s\3675\17\340Ck1\274\350\317\234\336=\243H'\233\330\3\310\247l\2102\24b\255\15[N\327|\210|D\364\3723\2715\320\317\352\271\264\4j\241\370U\367\31J\233\23\32H\266\13\375\204/\212B\344\346\375\14\177\371\203\271\21\270\214O\203\374\221Z\365\233\215\273\361\331>\265\250\304\320W23\265-\272\31H\Ee\326\\347:Rp\4U\0\3714\332V\267S\226\221\363\350:\34q\212_\245y\241\34\221\375&\205v{.o`\30\207\2055\356H \240\256#N{o>\1778\246m\3338x\371\321\3746\7\364id\231\340=fxo\271\210\355a\305\251 \12\355\23\311e\37tkI\21\33\360\312\236\270\342", ) , ) == 0x0 01813 1028 NtDeviceIoControlFile (408, 0, 0x0, 0x0, 0x390008, (408, 0, 0x0, 0x0, 0x390008, "\243\223:\15\23\254\246\2479Ghp@\17\210\222z\30)\27MCJ\377\335\247F\7\330\261\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01814 1028 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01815 1028 NtQuerySystemInformation (ProcessorTimes, 48, ... 
{system info, class 8, size 48}, 48, ) == 0x0 01816 1028 NtQuerySystemInformation (Performance, 312, ... 01810 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1252,Tid=724,}, 0x0, ) == 0x0 01817 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81881, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81881, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0\324\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0\324\2\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81882, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81881, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0\324\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\344\4\0\0\324\2\0\0" ) ) == 0x0 01818 896 NtResumeThread (472, ... 1, ) == 0x0 01819 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 54001664, 1048576, ) == 0x0 01820 896 NtAllocateVirtualMemory (-1, 55042048, 0, 8192, 4096, 4, ... 55042048, 8192, ) == 0x0 01821 896 NtProtectVirtualMemory (-1, (0x347e000), 4096, 260, ... (0x347e000), 4096, 4, ) == 0x0 01816 1028 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01822 724 NtTestAlert (... 01823 1028 NtQuerySystemInformation (Exception, 16, ... 01822 724 NtTestAlert ... ) == 0x0 01823 1028 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01824 724 NtContinue (54000944, 1, ... 01825 1028 NtQuerySystemInformation (Lookaside, 32, ... 01826 724 NtRegisterThreadTerminatePort (24, ... 01825 1028 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01826 724 NtRegisterThreadTerminatePort ... ) == 0x0 01827 1028 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01828 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01829 724 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01828 896 NtCreateThread ... 476, {1252, 1276}, ) == 0x0 01829 724 NtDuplicateObject ... 
480, ) == 0x0 01830 896 NtQueryInformationThread (476, Basic, 28, ... 01831 724 NtWaitForSingleObject (64, 0, {0, 0}, ... 01830 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1252,Tid=1276,}, 0x0, ) == 0x0 01831 724 NtWaitForSingleObject ... ) == 0x102 01832 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81882, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81882, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0\374\4\0\0" ... ... 01833 724 NtWaitForSingleObject (132, 0, 0x0, ... 01832 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81883, 0} ... {28, 56, reply, 0, 1252, 896, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\1\0\0\344\4\0\0\374\4\0\0" ) ) == 0x0 01827 1028 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01834 896 NtResumeThread (476, ... 01835 1028 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01834 896 NtResumeThread ... 1, ) == 0x0 01835 1028 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01836 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01837 1028 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01836 896 NtAllocateVirtualMemory ... 55050240, 1048576, ) == 0x0 01837 1028 NtCreateKey ... -2147481484, 2, ) == 0x0 01838 896 NtAllocateVirtualMemory (-1, 56090624, 0, 8192, 4096, 4, ... 01839 1028 NtSetValueKey (-2147481484, (-2147481484, "Seed", 0, 3, "\1\214K\210\216\260g\337\211\217\2305X\207E\273\252\321X\351E\30OT\204\363\370\232\7\226\220\301V\3\261\254$\6\320\220U\211(\3512\203\73k|\272\244\325\363\222;\326\375@\225\237\303\313\362\310$|,\351\354\37q\200\200\360}\2544\24\336", 80, ... 
, 0, 3, (-2147481484, "Seed", 0, 3, "\1\214K\210\216\260g\337\211\217\2305X\207E\273\252\321X\351E\30OT\204\363\370\232\7\226\220\301V\3\261\254$\6\320\220U\211(\3512\203\73k|\272\244\325\363\222;\326\375@\225\237\303\313\362\310$|,\351\354\37q\200\200\360}\2544\24\336", 80, ... , 80, ... 01840 1276 NtTestAlert (... 01838 896 NtAllocateVirtualMemory ... 56090624, 8192, ) == 0x0 01840 1276 NtTestAlert ... ) == 0x0 01841 896 NtProtectVirtualMemory (-1, (0x357e000), 4096, 260, ... 01842 1276 NtContinue (55049520, 1, ... 01841 896 NtProtectVirtualMemory ... (0x357e000), 4096, 4, ) == 0x0 01843 1276 NtRegisterThreadTerminatePort (24, ... 01844 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01843 1276 NtRegisterThreadTerminatePort ... ) == 0x0 01844 896 NtCreateThread ... 484, {1252, 220}, ) == 0x0 01839 1028 NtSetValueKey ... ) == 0x0 01845 896 NtQueryInformationThread (484, Basic, 28, ... 01846 1028 NtClose (-2147481484, ... 01847 1276 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01846 1028 NtClose ... ) == 0x0 01847 1276 NtDuplicateObject ... 488, ) == 0x0 01813 1028 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\367\354\344\362\377\270\200\306Y\12\377\324\356\306q\324 \314\341r\26\1T%\224\375\321\322\33\220F\303@up\302\22\260\5\204r\303\0\25(\304^f\\267!"\216G\310\323\2514S\341/\335\266/0\202Q\243\302\215\233=I\354\7(4\23\7\37\317\335L\27\350I\13\364\324d\33i\237i\243\373&)\335\352\210\225\251\27\250\310\311Y\366\365\14\277>\34\360\21\14?\356\320A\210<\343\10\177\177\225\0\214\331\204\203Jb\373\21~\307\337\224\2179\23\37\315_z\2372\15\17k\233\201K\Hp"\343\225DE|&\226\14d\305\351\371\245\343\332\3\263\356m\7\305|\10\343\205j\31\4c\22\314e(3-'\353\364\376{;\342T:w\25\15\334\275\235\205\252\301\5\211\2\246*1`\223_\21.\221\230\237\22\316\370z\345\2pw\20!\237\2?\0\241)ys\233\370#%\277\221v\344eD\22", ) \216G\310\323\2514S\341/\335\266/0\202Q\243\302\215\233=I\354\7(4\23\7\37\317\335L\27\350I\13\364\324d\33i\237i\243\373&)\335\352\210\225\251\27\250\310\311Y\366\365\14\277>\34\360\21\14?\356\320A\210<\343\10\177\177\225\0\214\331\204\203Jb\373\21~\307\337\224\2179\23\37\315_z\2372\15\17k\233\201K\Hp ... {status=0x0, info=256}, "\367\354\344\362\377\270\200\306Y\12\377\324\356\306q\324 \314\341r\26\1T%\224\375\321\322\33\220F\303@up\302\22\260\5\204r\303\0\25(\304^f\\267!"\216G\310\323\2514S\341/\335\266/0\202Q\243\302\215\233=I\354\7(4\23\7\37\317\335L\27\350I\13\364\324d\33i\237i\243\373&)\335\352\210\225\251\27\250\310\311Y\366\365\14\277>\34\360\21\14?\356\320A\210<\343\10\177\177\225\0\214\331\204\203Jb\373\21~\307\337\224\2179\23\37\315_z\2372\15\17k\233\201K\Hp"\343\225DE|&\226\14d\305\351\371\245\343\332\3\263\356m\7\305|\10\343\205j\31\4c\22\314e(3-'\353\364\376{;\342T:w\25\15\334\275\235\205\252\301\5\211\2\246*1`\223_\21.\221\230\237\22\316\370z\345\2pw\20!\237\2?\0\241)ys\233\370#%\277\221v\344eD\22", ) , ) == 0x0 01848 1276 NtWaitForSingleObject (64, 0, {0, 0}, ... 
01849 1028 NtDeviceIoControlFile (408, 0, 0x0, 0x0, 0x390008, (408, 0, 0x0, 0x0, 0x390008, "\243\223:\15\23\254\246\2479Ghp@\17\210\222z\30)\27M\272,z\30)\27MCJ\377\335\247F\7\330\261\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01848 1276 NtWaitForSingleObject ... ) == 0x102 01850 1028 NtQuerySystemInformation (TimeOfDay, 48, ... 01851 1276 NtWaitForSingleObject (132, 0, 0x0, ... 01845 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1252,Tid=220,}, 0x0, ) == 0x0 01850 1028 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01852 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81883, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81883, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\344\4\0\0\334\0\0\0" ... ... 01853 1028 NtQuerySystemInformation (ProcessorTimes, 48, ... 01852 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81884, 0} ... {28, 56, reply, 0, 1252, 896, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\344\4\0\0\334\0\0\0" ) ) == 0x0 01853 1028 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01854 896 NtResumeThread (484, ... 01855 1028 NtQuerySystemInformation (Performance, 312, ... 01854 896 NtResumeThread ... 1, ) == 0x0 01855 1028 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01856 220 NtTestAlert (... 01857 1028 NtQuerySystemInformation (Exception, 16, ... 01856 220 NtTestAlert ... ) == 0x0 01858 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01859 220 NtContinue (56098096, 1, ... 
01858 896 NtAllocateVirtualMemory ... 56098816, 1048576, ) == 0x0 01860 220 NtRegisterThreadTerminatePort (24, ... 01861 896 NtAllocateVirtualMemory (-1, 57139200, 0, 8192, 4096, 4, ... 01860 220 NtRegisterThreadTerminatePort ... ) == 0x0 01861 896 NtAllocateVirtualMemory ... 57139200, 8192, ) == 0x0 01857 1028 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01862 896 NtProtectVirtualMemory (-1, (0x367e000), 4096, 260, ... 01863 1028 NtQuerySystemInformation (Lookaside, 32, ... 01862 896 NtProtectVirtualMemory ... (0x367e000), 4096, 4, ) == 0x0 01863 1028 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01864 220 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01865 1028 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01864 220 NtDuplicateObject ... 492, ) == 0x0 01865 1028 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01866 220 NtWaitForSingleObject (64, 0, {0, 0}, ... 01867 1028 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01866 220 NtWaitForSingleObject ... ) == 0x102 01868 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01869 220 NtWaitForSingleObject (132, 0, 0x0, ... 01868 896 NtCreateThread ... 496, {1252, 1328}, ) == 0x0 01867 1028 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01870 896 NtQueryInformationThread (496, Basic, 28, ... 01871 1028 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01870 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1252,Tid=1328,}, 0x0, ) == 0x0 01871 1028 NtCreateKey ... -2147481484, 2, ) == 0x0 01872 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81884, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81884, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\00\5\0\0" ... ... 
01873 1028 NtSetValueKey (-2147481484, (-2147481484, "Seed", 0, 3, "\365\2\242r\12uP\236e\230\13{\375El\311t\276}*\3\364\342\241\345^\5=\247}\213g\341o\205\364H/\355]R\203^\251\212/\233}|\241\331\247\276\15\336 2(NeB\14\11\16k\363\316\214&\256\235\220\5~\0\22\320\305_\31", 80, ... ) , 0, 3, (-2147481484, "Seed", 0, 3, "\365\2\242r\12uP\236e\230\13{\375El\311t\276}*\3\364\342\241\345^\5=\247}\213g\341o\205\364H/\355]R\203^\251\212/\233}|\241\331\247\276\15\336 2(NeB\14\11\16k\363\316\214&\256\235\220\5~\0\22\320\305_\31", 80, ... ) , 80, ... ) == 0x0 01874 1028 NtClose (-2147481484, ... ) == 0x0 01849 1028 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\372\340\343\224;b\260\213\373\240]\212M\372'\25Ad\10\364\366\262\363:\341p\15\231\222;\357D\14\216\323N.\3118\371X?5#p\313\257\26\212\367\205\305\377\\266\240f\331\255A\32\230&WM\3333\277\323.p\326 z'J, \272\324\361\331\302\307\301`\345\347\260\23\374\24X\305\213\343\257\31\336#C\303\374\301\35\320\204$\206\232+\222\342b\236 \337\226\2443\11\345b68\253\254\276kI\222\277\314\301\244\16I#\341J\340{\240fo\37\343\373`\202t\245\177z\345s\203\235\266]Al\\16\317\1\375\350z\375\7\357\3\301\206\253\252\272\254\225i\371N\253\300\237P\331M\203\215\202{\363\226\233\272F\5\237\69h\312\36\333r\11u\267\236S\270q\21Y\235\4\15C\31\205{\27S\265^\27\233\17\276\346\3\247\245n\374k\305\377\3401(\271n\25VB\207\274\0\240<\3\273n", ) , ) == 0x0 01875 1028 NtDeviceIoControlFile (408, 0, 0x0, 0x0, 0x390008, (408, 0, 0x0, 0x0, 0x390008, 
"\243\223:\15\23\254\246\2479Ghp@\17\210\222z\30)\27M\272,z\30)\27M\272,z\30)\27MCJ\377\335\247F\7\330\261\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01876 1028 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01877 1028 NtQuerySystemInformation (ProcessorTimes, 48, ... 01872 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81885, 0} ... {28, 56, reply, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\344\4\0\00\5\0\0" ) ) == 0x0 01878 896 NtResumeThread (496, ... 1, ) == 0x0 01879 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 57147392, 1048576, ) == 0x0 01880 896 NtAllocateVirtualMemory (-1, 58187776, 0, 8192, 4096, 4, ... 58187776, 8192, ) == 0x0 01881 896 NtProtectVirtualMemory (-1, (0x377e000), 4096, 260, ... (0x377e000), 4096, 4, ) == 0x0 01882 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 500, {1252, 1636}, ) == 0x0 01883 896 NtQueryInformationThread (500, Basic, 28, ... 01877 1028 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01884 1328 NtTestAlert (... 01885 1028 NtQuerySystemInformation (Performance, 312, ... 01884 1328 NtTestAlert ... ) == 0x0 01885 1028 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01886 1328 NtContinue (57146672, 1, ... 01887 1028 NtQuerySystemInformation (Exception, 16, ... 01888 1328 NtRegisterThreadTerminatePort (24, ... 01887 1028 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01888 1328 NtRegisterThreadTerminatePort ... 
) == 0x0 01889 1028 NtQuerySystemInformation (Lookaside, 32, ... 01883 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1252,Tid=1636,}, 0x0, ) == 0x0 01890 1328 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01891 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81885, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\344\4\0\0d\6\0\0" ... ... 01890 1328 NtDuplicateObject ... 504, ) == 0x0 01891 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81886, 0} ... {28, 56, reply, 0, 1252, 896, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\1\0\0\344\4\0\0d\6\0\0" ) ) == 0x0 01892 1328 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 01893 896 NtResumeThread (500, ... 01892 1328 NtAllocateVirtualMemory ... 1388544, 4096, ) == 0x0 01893 896 NtResumeThread ... 1, ) == 0x0 01894 1328 NtWaitForSingleObject (64, 0, {0, 0}, ... 01889 1028 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01895 1636 NtTestAlert (... 01896 1028 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01895 1636 NtTestAlert ... ) == 0x0 01896 1028 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01897 1636 NtContinue (58195248, 1, ... 01898 1028 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01899 1636 NtRegisterThreadTerminatePort (24, ... 01898 1028 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01899 1636 NtRegisterThreadTerminatePort ... ) == 0x0 01900 1028 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01901 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01894 1328 NtWaitForSingleObject ... ) == 0x102 01902 1636 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01901 896 NtAllocateVirtualMemory ... 58195968, 1048576, ) == 0x0 01903 1328 NtWaitForSingleObject (132, 0, 0x0, ... 
01902 1636 NtDuplicateObject ... 508, ) == 0x0 01904 896 NtAllocateVirtualMemory (-1, 59236352, 0, 8192, 4096, 4, ... 01905 1636 NtWaitForSingleObject (64, 0, {0, 0}, ... 01904 896 NtAllocateVirtualMemory ... 59236352, 8192, ) == 0x0 01905 1636 NtWaitForSingleObject ... ) == 0x102 01906 896 NtProtectVirtualMemory (-1, (0x387e000), 4096, 260, ... 01907 1636 NtWaitForSingleObject (132, 0, 0x0, ... 01906 896 NtProtectVirtualMemory ... (0x387e000), 4096, 4, ) == 0x0 01900 1028 NtCreateKey ... -2147481484, 2, ) == 0x0 01908 1028 NtSetValueKey (-2147481484, (-2147481484, "Seed", 0, 3, "\277\332\12U\345\24\270\26\22\304e\250\237\32\25q\207\34\366\250\364\300r\367q\303\347\275\350\23\27\235[\27\35:\216\34\352Lvl9$\352\314\364\214\13\0P\3\30\354\222\243\172R\275\11gI2\302\274d\353\241(\320U\13@\2416S\266b", 80, ... ) , 0, 3, (-2147481484, "Seed", 0, 3, "\277\332\12U\345\24\270\26\22\304e\250\237\32\25q\207\34\366\250\364\300r\367q\303\347\275\350\23\27\235[\27\35:\216\34\352Lvl9$\352\314\364\214\13\0P\3\30\354\222\243\172R\275\11gI2\302\274d\353\241(\320U\13@\2416S\266b", 80, ... ) , 80, ... ) == 0x0 01909 1028 NtClose (-2147481484, ... ) == 0x0 01875 1028 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "K$\352t<<\236]\315\345)T\352\264\216[\260=\243\352\343\23>\230+\15!+43rN\316\207\353A=\300\336\215b\357\210\340n\360&\321)?\13K\204Y\340\204#f\242\366L\305\2463\375\306\266\311\32\27\337}n\25\371\3312\30\321\241\231H6&_\34\332\376\226\355*\235\301\2\223J+\351\273\375\344\217\24Y5\303D\205\6\372\4\300\325\362\303\242\350\212%\217\32749\304\10\310f\1|\204\326\233 \20!\16\2331~\227\310f\342_[\201\345\20]#\236\266 \30<\236:~\339Gm\347\10}KUA\2\266P\342\357\305C\204h\325b[\302\312\31\22zg\240\331=:\230\236:\372\345l\336\246V\372\373\15\303t\260\333\320\332\252\242\10\202\366\230\265\267\210\210\24\25\234\234mZ\312\325\311\33j\5\315\217\205n\375-\364\236n\353\331\3?M\353UQ\10\11\374\376\23_\244\11\211", ) , ) == 0x0 01910 1028 NtDeviceIoControlFile (408, 0, 0x0, 0x0, 0x390008, (408, 0, 0x0, 0x0, 0x390008, "\243\223:\15\23\254\246\2479Ghp@\17\210\222z\30)\27M\272,z\30)\27M\272,z\30)\27M\272,z\30)\27MCJ\377\335\247F\7\330\261\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01911 1028 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01912 1028 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01913 1028 NtQuerySystemInformation (Performance, 312, ... 01914 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 512, {1252, 704}, ) == 0x0 01915 896 NtQueryInformationThread (512, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1252,Tid=704,}, 0x0, ) == 0x0 01916 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81886, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0\300\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0\300\2\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81887, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81886, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0\300\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\2\0\0\344\4\0\0\300\2\0\0" ) ) == 0x0 01917 896 NtResumeThread (512, ... 1, ) == 0x0 01918 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 59244544, 1048576, ) == 0x0 01919 896 NtAllocateVirtualMemory (-1, 60284928, 0, 8192, 4096, 4, ... 01913 1028 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01920 704 NtTestAlert (... 01921 1028 NtQuerySystemInformation (Exception, 16, ... 01920 704 NtTestAlert ... ) == 0x0 01921 1028 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01922 704 NtContinue (59243824, 1, ... 01923 1028 NtQuerySystemInformation (Lookaside, 32, ... 01924 704 NtRegisterThreadTerminatePort (24, ... 01923 1028 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01924 704 NtRegisterThreadTerminatePort ... ) == 0x0 01925 1028 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01919 896 NtAllocateVirtualMemory ... 60284928, 8192, ) == 0x0 01926 704 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01927 896 NtProtectVirtualMemory (-1, (0x397e000), 4096, 260, ... 01926 704 NtDuplicateObject ... 516, ) == 0x0 01927 896 NtProtectVirtualMemory ... (0x397e000), 4096, 4, ) == 0x0 01928 704 NtWaitForSingleObject (64, 0, {0, 0}, ... 01929 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01928 704 NtWaitForSingleObject ... ) == 0x102 01929 896 NtCreateThread ... 
520, {1252, 1152}, ) == 0x0 01930 704 NtWaitForSingleObject (132, 0, 0x0, ... 01931 896 NtQueryInformationThread (520, Basic, 28, ... 01925 1028 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01932 1028 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01933 1028 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481484, 2, ) }, 0, 0x0, 0, ... -2147481484, 2, ) == 0x0 01934 1028 NtSetValueKey (-2147481484, (-2147481484, "Seed", 0, 3, "\33\361f\322-\5\237\2515K\344\331%o\271w\31\354g\361\225\207\213\34\340#+\10\350\174q\324)\202\4\37I+uf\217\345\313\204ux~\311U\316G\226a\313or\223\260&\273\14\371*\271\254\352\3762\2227\246v?%\373d\216@\220", 80, ... ) , 0, 3, (-2147481484, "Seed", 0, 3, "\33\361f\322-\5\237\2515K\344\331%o\271w\31\354g\361\225\207\213\34\340#+\10\350\174q\324)\202\4\37I+uf\217\345\313\204ux~\311U\316G\226a\313or\223\260&\273\14\371*\271\254\352\3762\2227\246v?%\373d\216@\220", 80, ... ) , 80, ... ) == 0x0 01935 1028 NtClose (-2147481484, ... ) == 0x0 01910 1028 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\214\23\216\205\37\261\322~\6\177\220\240\2436\233\275D\357\241\25Go\262J\201\216\225N\5\266\352\254\10f$%\223\237\0e2% Xs4\14\10\342[\325\355\13\2211p\303\313q\274\217e\221\361\5\335\302\267#\254\7\212O]j=\272\340\356\27\2233\222v9!\337\3556\315\315\335\275\352Jx\360\301\15a\243\304\262\277K9\213[M\202\305\227\324\314\336G\222\213h\334.z\17\207^\276hq\212\24wi\255\36\252O\226qz\232{\223\nGz[dg\271\370q\312\322\243\373\354<\366\0w\355\270\250\253\32\356\201\30>\273\17\377\233:]\264\267\271\306\K%\357\1x\242\37_u\312\212"\353\230\360\4\276PJ\0(\326\355\362\12 \223\221\211\21a\224\373\210$B\225\2365\304oM\14TNnd\271\31\215O\253\222S\207z\275\367\331\261^\336\326eZ\13\322\31\317\347d\305~Z", ) \353\230\360\4\276PJ\0(\326\355\362\12 \223\221\211\21a\224\373\210$B\225\2365\304oM\14TNnd\271\31\215O\253\222S\207z\275\367\331\261^\336\326eZ\13\322\31\317\347d\305~Z", ) == 0x0 01936 1028 NtDeviceIoControlFile (408, 0, 0x0, 0x0, 0x390008, (408, 0, 0x0, 0x0, 0x390008, "\243\223:\15\23\254\246\2479Ghp@\17\210\222z\30)\27M\272,z\30)\27M\272,z\30)\27M\272,z\30)\27M\272,z\30)\27MCJ\377\335\247F\7\330\261\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01937 1028 NtQuerySystemInformation (TimeOfDay, 48, ... 01931 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1252,Tid=1152,}, 0x0, ) == 0x0 01938 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0\200\4\0\0" ... 
{28, 56, reply, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0\200\4\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81888, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81887, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0\200\4\0\0" ... {28, 56, reply, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\344\4\0\0\200\4\0\0" ) ) == 0x0 01939 896 NtResumeThread (520, ... 1, ) == 0x0 01940 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 60293120, 1048576, ) == 0x0 01941 896 NtAllocateVirtualMemory (-1, 61333504, 0, 8192, 4096, 4, ... 61333504, 8192, ) == 0x0 01942 896 NtProtectVirtualMemory (-1, (0x3a7e000), 4096, 260, ... (0x3a7e000), 4096, 4, ) == 0x0 01937 1028 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01943 1152 NtTestAlert (... 01944 1028 NtQuerySystemInformation (ProcessorTimes, 48, ... 01943 1152 NtTestAlert ... ) == 0x0 01944 1028 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01945 1152 NtContinue (60292400, 1, ... 01946 1028 NtQuerySystemInformation (Performance, 312, ... 01947 1152 NtRegisterThreadTerminatePort (24, ... 01946 1028 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01947 1152 NtRegisterThreadTerminatePort ... ) == 0x0 01948 1028 NtQuerySystemInformation (Exception, 16, ... 01949 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01950 1152 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01949 896 NtCreateThread ... 524, {1252, 1228}, ) == 0x0 01950 1152 NtDuplicateObject ... 528, ) == 0x0 01951 896 NtQueryInformationThread (524, Basic, 28, ... 01952 1152 NtWaitForSingleObject (64, 0, {0, 0}, ... 01951 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1252,Tid=1228,}, 0x0, ) == 0x0 01952 1152 NtWaitForSingleObject ... 
) == 0x102 01953 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81888, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81888, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\344\4\0\0\314\4\0\0" ... ... 01954 1152 NtWaitForSingleObject (132, 0, 0x0, ... 01953 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81889, 0} ... {28, 56, reply, 0, 1252, 896, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\14\2\0\0\344\4\0\0\314\4\0\0" ) ) == 0x0 01948 1028 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01955 896 NtResumeThread (524, ... 01956 1028 NtQuerySystemInformation (Lookaside, 32, ... 01955 896 NtResumeThread ... 1, ) == 0x0 01956 1028 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01957 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01958 1028 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01957 896 NtAllocateVirtualMemory ... 61341696, 1048576, ) == 0x0 01958 1028 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01959 896 NtAllocateVirtualMemory (-1, 62382080, 0, 8192, 4096, 4, ... 01960 1028 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01961 1228 NtTestAlert (... 01959 896 NtAllocateVirtualMemory ... 62382080, 8192, ) == 0x0 01961 1228 NtTestAlert ... ) == 0x0 01962 896 NtProtectVirtualMemory (-1, (0x3b7e000), 4096, 260, ... 01963 1228 NtContinue (61340976, 1, ... 01962 896 NtProtectVirtualMemory ... (0x3b7e000), 4096, 4, ) == 0x0 01964 1228 NtRegisterThreadTerminatePort (24, ... 01965 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01964 1228 NtRegisterThreadTerminatePort ... ) == 0x0 01965 896 NtCreateThread ... 532, {1252, 792}, ) == 0x0 01960 1028 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01966 896 NtQueryInformationThread (532, Basic, 28, ... 01967 1028 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... 
}, 0, 0x0, 0, ... 01968 1228 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01967 1028 NtCreateKey ... -2147481484, 2, ) == 0x0 01968 1228 NtDuplicateObject ... 536, ) == 0x0 01969 1028 NtSetValueKey (-2147481484, (-2147481484, "Seed", 0, 3, "}\257+\15\272\31D\374\323\334=\33\266\332mvd\205\243\205\244I\274s\201^B;\210L\343s\324\6\332\204\32\252\370\325\267\37\5\2316\23\20\15\15!\255i\265\342\351\325\262\3\2177\372.\371\362\221\335\346\227\2535\12I\342\311o\30\2360sh", 80, ... , 0, 3, (-2147481484, "Seed", 0, 3, "}\257+\15\272\31D\374\323\334=\33\266\332mvd\205\243\205\244I\274s\201^B;\210L\343s\324\6\332\204\32\252\370\325\267\37\5\2316\23\20\15\15!\255i\265\342\351\325\262\3\2177\372.\371\362\221\335\346\227\2535\12I\342\311o\30\2360sh", 80, ... , 80, ... 01970 1228 NtWaitForSingleObject (64, 0, {0, 0}, ... 01969 1028 NtSetValueKey ... ) == 0x0 01970 1228 NtWaitForSingleObject ... ) == 0x102 01971 1028 NtClose (-2147481484, ... 01972 1228 NtWaitForSingleObject (132, 0, 0x0, ... 01966 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1252,Tid=792,}, 0x0, ) == 0x0 01971 1028 NtClose ... ) == 0x0 01973 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81889, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81889, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\4\0\0\30\3\0\0" ... ... 01936 1028 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "g\203\38\200,V\343\333.\245\347=\210e\3621\224\246\16\350\331*]5\276\324\207\241\340G\260\322\300\25jr\261\200\204&\301]J\242y\3033\234\372\213\311\315\200\12\211p\267.\215\15\211\375s\23hh\21\201\354\31\201\212\336k\3228\242z\307\262t\35$\246\22!\202\223\36\244\277\324O\230jd\35\2527\340\332\26d\301\232\204VJ\334\205\32\351<\365@\300\34v\20^w\225D\265\345\343>\211[\362\24\375\366\240\225f\312\230\230\300h"\311T\354\277_m\300zt\314E\277?[\301\216\11D\203\246\313\205T\27\11\207\3622\362\321j\266\376\31L\215j\222\276\37\316\15\300O\256\306\202Ug\304;\243\37\367)\370vL\22\277\33`\370\224\23\30|wF\363x0\10A|w\255\225\4\374$\356\320\3577.\276\2\265)\12\236\240\317/\177\201\230\246E\201sV\33.\342\240S4\27_N", ) \311T\354\277_m\300zt\314E\277?[\301\216\11D\203\246\313\205T\27\11\207\3622\362\321j\266\376\31L\215j\222\276\37\316\15\300O\256\306\202Ug\304;\243\37\367)\370vL\22\277\33`\370\224\23\30|wF\363x0\10A|w\255\225\4\374$\356\320\3577.\276\2\265)\12\236\240\317/\177\201\230\246E\201sV\33.\342\240S4\27_N", ) == 0x0 01973 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81890, 0} ... {28, 56, reply, 0, 1252, 896, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\344\4\0\0\30\3\0\0" ) ) == 0x0 01974 1028 NtDeviceIoControlFile (408, 0, 0x0, 0x0, 0x390008, (408, 0, 0x0, 0x0, 0x390008, "\243\223:\15\23\254\246\2479Ghp@\17\210\222z\30)\27M\272,z\30)\27M\272,z\30)\27M\272,z\30)\27M\272,z\30)\27M\272,z\30)\27MCJ\377\335\247F\7\330\261\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01975 896 NtResumeThread (532, ... 01976 1028 NtQuerySystemInformation (TimeOfDay, 48, ... 
01975 896 NtResumeThread ... 1, ) == 0x0 01976 1028 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01977 792 NtTestAlert (... 01978 1028 NtQuerySystemInformation (ProcessorTimes, 48, ... 01977 792 NtTestAlert ... ) == 0x0 01979 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01980 792 NtContinue (62389552, 1, ... 01979 896 NtAllocateVirtualMemory ... 62390272, 1048576, ) == 0x0 01981 792 NtRegisterThreadTerminatePort (24, ... 01982 896 NtAllocateVirtualMemory (-1, 63430656, 0, 8192, 4096, 4, ... 01981 792 NtRegisterThreadTerminatePort ... ) == 0x0 01982 896 NtAllocateVirtualMemory ... 63430656, 8192, ) == 0x0 01978 1028 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01983 896 NtProtectVirtualMemory (-1, (0x3c7e000), 4096, 260, ... 01984 1028 NtQuerySystemInformation (Performance, 312, ... 01983 896 NtProtectVirtualMemory ... (0x3c7e000), 4096, 4, ) == 0x0 01984 1028 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01985 792 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01986 1028 NtQuerySystemInformation (Exception, 16, ... 01985 792 NtDuplicateObject ... 540, ) == 0x0 01986 1028 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01987 792 NtWaitForSingleObject (64, 0, {0, 0}, ... 01988 1028 NtQuerySystemInformation (Lookaside, 32, ... 01987 792 NtWaitForSingleObject ... ) == 0x102 01989 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01990 792 NtWaitForSingleObject (132, 0, 0x0, ... 01989 896 NtCreateThread ... 544, {1252, 1484}, ) == 0x0 01988 1028 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01991 896 NtQueryInformationThread (544, Basic, 28, ... 01992 1028 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01991 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1252,Tid=1484,}, 0x0, ) == 0x0 01992 1028 NtQuerySystemInformation ... 
{system info, class 23, size 0}, 0, ) == 0x0 01993 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81890, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81890, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0\314\5\0\0" ... ... 01994 1028 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01995 1028 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481484, 2, ) }, 0, 0x0, 0, ... -2147481484, 2, ) == 0x0 01996 1028 NtSetValueKey (-2147481484, (-2147481484, "Seed", 0, 3, "\234\277\313\247M\220\301\273,\314_+\346\357\275\205\241f\201\227F{E\1}\242D}\335,|{\316\373\34(b@-B\341\252G\247\266A\4\345\350\371\334\247>\310dLo, 80, ... ) , 0, 3, (-2147481484, "Seed", 0, 3, "\234\277\313\247M\220\301\273,\314_+\346\357\275\205\241f\201\227F{E\1}\242D}\335,|{\316\373\34(b@-B\341\252G\247\266A\4\345\350\371\334\247>\310dLo, 80, ... ) , 80, ... ) == 0x0 01997 1028 NtClose (-2147481484, ... ) == 0x0 01974 1028 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "?\234\260\26\214\306\325Y'cx77\247/\320(\230\354\261_(g\30241\331P\232A{\237\273\304\261\10\223-\304\215,\306\314+\251\331\261\261Q\362\271\10=\244\247T\356\322\354\1\352.(N2\210R\312Sk\351\206\0\251Y\244\225\221\17L\215\277\220\2224\2\222\252r\254\231\35_j\340I0\265\355i\326\265\243h\305\355\362\235\334\213\223iM\376'Q766\36\260n~\237\267ucx\247\315\264\221eh\366w\316\356\307\1g\254[\310i\32\323\253\313,\241\222\34D\330\237<\11\10'\231\222\226\267\274tx\25M5\341\352\216\31J\367\244\367\236\234\310\1283\276!\244\3l\365\224\273\14j\317\31Zb\233\357b\367\20f\276p\370\261\345\223\217\17y\316\224\215\0\314!\16\273a\26&m\2455eu\220\254\204\254\320U\251H\300\33O\213\300T\355R\215>:\301r.\325\315M\257;", ) , ) == 0x0 01993 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81891, 0} ... 
{28, 56, reply, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\344\4\0\0\314\5\0\0" ) ) == 0x0 01998 896 NtResumeThread (544, ... 1, ) == 0x0 01999 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 63438848, 1048576, ) == 0x0 02000 896 NtAllocateVirtualMemory (-1, 64479232, 0, 8192, 4096, 4, ... 64479232, 8192, ) == 0x0 02001 896 NtProtectVirtualMemory (-1, (0x3d7e000), 4096, 260, ... (0x3d7e000), 4096, 4, ) == 0x0 02002 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 548, {1252, 888}, ) == 0x0 02003 896 NtQueryInformationThread (548, Basic, 28, ... 02004 1028 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02005 1484 NtTestAlert (... 02004 1028 NtCreateEvent ... 552, ) == 0x0 02005 1484 NtTestAlert ... ) == 0x0 02006 1028 NtSetEventBoostPriority (464, ... 02007 1484 NtContinue (63438128, 1, ... 01806 2016 NtWaitForSingleObject ... ) == 0x0 02006 1028 NtSetEventBoostPriority ... ) == 0x0 02008 2016 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 02009 1484 NtRegisterThreadTerminatePort (24, ... 02008 2016 NtAllocateVirtualMemory ... 1392640, 4096, ) == 0x0 02010 1028 NtWaitForSingleObject (300, 0, 0x0, ... 02009 1484 NtRegisterThreadTerminatePort ... ) == 0x0 02003 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1252,Tid=888,}, 0x0, ) == 0x0 02011 2016 NtSetEventBoostPriority (300, ... 02012 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81891, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81891, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\344\4\0\0x\3\0\0" ... ... 02010 1028 NtWaitForSingleObject ... ) == 0x0 02011 2016 NtSetEventBoostPriority ... ) == 0x0 02013 1028 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 16248172, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 16248172, 188, ... 02012 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81892, 0} ... 
{28, 56, reply, 0, 1252, 896, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\344\4\0\0x\3\0\0" ) ) == 0x0 02014 2016 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02015 896 NtResumeThread (548, ... 02014 2016 NtCreateEvent ... 556, ) == 0x0 02015 896 NtResumeThread ... 1, ) == 0x0 02016 2016 NtConnectPort ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ... 02017 1484 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 02013 1028 NtConnectPort ... 560, 0x0, 0x0, 0x0, 188, ) == 0x0 02018 888 NtTestAlert (... 02017 1484 NtAllocateVirtualMemory ... 1396736, 4096, ) == 0x0 02019 1028 NtRequestWaitReplyPort (560, {200, 224, new_msg, 0, 1383928, 12, 2, 1310721} (560, {200, 224, new_msg, 0, 1383928, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0&\256/=\20\307v\3678D\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\2408\25\0h\322\231\15x\1\24\00D\25\0h\1\24\0\0\0\0\0\0\0\0\00D\25\0P\0\0\08D\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\367\0\372\31\221|\200\363\367\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 02018 888 NtTestAlert ... ) == 0x0 02020 1484 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02021 888 NtContinue (64486704, 1, ... 02020 1484 NtDuplicateObject ... 564, ) == 0x0 02019 1028 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1252, 1028, 81895, 0} ... 
{200, 224, reply, 0, 1252, 1028, 81895, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0&\256/=\20\307v\3678D\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\2408\25\0h\322\231\15x\1\24\00D\25\0h\1\24\0\0\0\0\0\0\0\0\00D\25\0P\0\0\08D\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\367\0\372\31\221|\200\363\367\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 02022 888 NtRegisterThreadTerminatePort (24, ... 02023 1484 NtWaitForSingleObject (64, 0, {0, 0}, ... 02024 1028 NtRequestWaitReplyPort (560, {44, 68, new_msg, 0, 1252, 1028, 81877, 0} (560, {44, 68, new_msg, 0, 1252, 1028, 81877, 0} "\1\356\0\0A\2\4\0\30b\202\201\0\300\375\177\220\273\270\367\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ... ... 02022 888 NtRegisterThreadTerminatePort ... ) == 0x0 02025 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02016 2016 NtConnectPort ... 568, 0x0, 0x0, 0x0, 188, ) == 0x0 02023 1484 NtWaitForSingleObject ... ) == 0x102 02025 896 NtAllocateVirtualMemory ... 64487424, 1048576, ) == 0x0 02026 2016 NtRequestWaitReplyPort (568, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2} (568, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2} "\0\1\0\0(\2\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\240<\24\0\3\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0m\322\234]\364\202b[PO\25\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\2\0(\0\0\0XO\25\0B\334\3204(\2\24\0xO\25\0\\1\24\0\0\0\0\0\0\0\0\0xO\25\0P\0\0\0\200O\25\0\360\6\221|\0\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... ... 02027 1484 NtWaitForSingleObject (132, 0, 0x0, ... 02028 896 NtAllocateVirtualMemory (-1, 65527808, 0, 8192, 4096, 4, ... 65527808, 8192, ) == 0x0 02029 896 NtProtectVirtualMemory (-1, (0x3e7e000), 4096, 260, ... 
(0x3e7e000), 4096, 4, ) == 0x0 02026 2016 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1252, 2016, 81897, 0} ... {200, 224, reply, 0, 1252, 2016, 81897, 0} "\7\1\0\0(\2\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240<\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0m\322\234]\364\202b[PO\25\0\\1\24\0\12\0\0\0\0\0\0\0\0\0\2\0(\0\0\0XO\25\0B\334\3204(\2\24\0xO\25\0\\1\24\0\0\0\0\0\0\0\0\0xO\25\0P\0\0\0\200O\25\0\360\6\221|\0\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) ) == 0x0 02030 888 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02024 1028 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1252, 1028, 81896, 0} ... {40, 64, reply, 0, 1252, 1028, 81896, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\1\0\0X-\12\0" ) ) == 0x0 02031 2016 NtRequestWaitReplyPort (568, {44, 68, new_msg, 56, 0, 0, 0, 0} (568, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\360T\25\0\322\0\0\0" ... ... 02030 888 NtDuplicateObject ... 572, ) == 0x0 02032 1028 NtRequestWaitReplyPort (560, {64, 88, new_msg, 56, 1374816, 16248684, 16248784, 0} (560, {64, 88, new_msg, 56, 1374816, 16248684, 16248784, 0} "\10\357\367\0@\0\24\0\346\277\347w\320\357\367\0l\357\367\0\20\0\0\0\250.\362v\324\372\24\0\1\0\0\0\350U\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\330\365\24\0" ... ... 02033 888 NtWaitForSingleObject (64, 0, {0, 0}, ... ) == 0x102 02034 888 NtWaitForSingleObject (132, 0, 0x0, ... 02035 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 576, {1252, 1120}, ) == 0x0 02036 896 NtQueryInformationThread (576, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1252,Tid=1120,}, 0x0, ) == 0x0 02037 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81892, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81892, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0`\4\0\0" ... ... 02031 2016 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1252, 2016, 81898, 0} ... {40, 64, reply, 0, 1252, 2016, 81898, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300l\353\10\370X\353Q\200\323\1\0\0\350\370\14\0" ) ) == 0x0 02038 2016 NtRequestWaitReplyPort (568, {64, 88, new_msg, 56, 1310720, 11006452, 1397992, 0} (568, {64, 88, new_msg, 56, 1310720, 11006452, 1397992, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\10Y\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1252, 2016, 81901, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\10Y\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ... {64, 88, reply, 56, 1252, 2016, 81901, 0} (568, {64, 88, new_msg, 56, 1310720, 11006452, 1397992, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\10Y\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1252, 2016, 81901, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\10Y\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 02039 2016 NtRequestWaitReplyPort (568, {44, 68, new_msg, 56, 1252, 2016, 81898, 0} (568, {44, 68, new_msg, 56, 1252, 2016, 81898, 0} "\1\356\0\0B\2\3\0P\306\233\201\0\340\372\177\220\353\10\370\370\37`\300\377\377\377\377X\353Q\200\1\0\0\0\360T\25\0\322\0\0\0" ... ... 02032 1028 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1252, 1028, 81899, 0} ... 
{64, 88, reply, 56, 1252, 1028, 81899, 0} "\10\357\367\0@\0\24\0\346\277\347w\320\357\367\0l\357\367\0\20\0\0\0\250.\362v\324\372\24\0\1\0\0\0\350U\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\330\365\24\0" ) ) == 0x0 02040 1028 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0 02041 1028 NtClose (552, ... ) == 0x0 02042 1028 NtClose (560, ... ) == 0x0 02043 1028 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 560, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 560, 2, ) , 0, ... 560, 2, ) == 0x0 02037 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81900, 0} ... {28, 56, reply, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG@\2\0\0\344\4\0\0`\4\0\0" ) ) == 0x0 02039 2016 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1252, 2016, 81902, 0} ... {40, 64, reply, 0, 1252, 2016, 81902, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" ) ) == 0x0 02044 896 NtResumeThread (576, ... 02045 2016 NtRequestWaitReplyPort (568, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} (568, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0p`\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 02044 896 NtResumeThread ... 1, ) == 0x0 02046 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 65536000, 1048576, ) == 0x0 02047 896 NtAllocateVirtualMemory (-1, 66576384, 0, 8192, 4096, 4, ... 02045 2016 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1252, 2016, 81904, 0} ... 
{64, 88, reply, 56, 1252, 2016, 81904, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0p`\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 02048 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02049 1120 NtAllocateVirtualMemory (-1, 8806400, 0, 4096, 4096, 4, ... 02050 2016 NtRequestWaitReplyPort (568, {44, 68, new_msg, 56, 1252, 2016, 81902, 0} (568, {44, 68, new_msg, 56, 1252, 2016, 81902, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\360T\25\0\322\0\0\0" ... ... 02048 1028 NtOpenKey ... 552, ) == 0x0 02049 1120 NtAllocateVirtualMemory ... 8806400, 4096, ) == 0x0 02051 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02052 1120 NtTestAlert (... 02051 1028 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02052 1120 NtTestAlert ... ) == 0x0 02053 1028 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ... 02054 1120 NtContinue (65535280, 1, ... 02053 1028 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02047 896 NtAllocateVirtualMemory ... 66576384, 8192, ) == 0x0 02050 2016 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1252, 2016, 81905, 0} ... {40, 64, reply, 0, 1252, 2016, 81905, 0} "\2\356Q\200\4\0\0\0\250\372\244\201\0\360\372\177\220\253S\371\370\37`\300l\253S\371X\353Q\200|\1\0\0h\236\14\0" ) ) == 0x0 02055 1120 NtRegisterThreadTerminatePort (24, ... 02056 896 NtProtectVirtualMemory (-1, (0x3f7e000), 4096, 260, ... 
02057 2016 NtRequestWaitReplyPort (568, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} (568, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0pj\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 02055 1120 NtRegisterThreadTerminatePort ... ) == 0x0 02056 896 NtProtectVirtualMemory ... (0x3f7e000), 4096, 4, ) == 0x0 02058 1120 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02059 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02057 2016 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1252, 2016, 81906, 0} ... {64, 88, reply, 56, 1252, 2016, 81906, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0pj\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 02058 1120 NtDuplicateObject ... 580, ) == 0x0 02059 896 NtCreateThread ... 584, {1252, 840}, ) == 0x0 02060 2016 NtClose (556, ... 02061 1120 NtWaitForSingleObject (64, 0, {0, 0}, ... 02062 896 NtQueryInformationThread (584, Basic, 28, ... 02060 2016 NtClose ... ) == 0x0 02061 1120 NtWaitForSingleObject ... ) == 0x102 02063 1028 NtQueryValueKey (560, (560, "Domain", Partial, 144, ... , Partial, 144, ... 02062 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1252,Tid=840,}, 0x0, ) == 0x0 02064 1120 NtWaitForSingleObject (132, 0, 0x0, ... 02063 1028 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02065 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81900, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81900, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0H\3\0\0" ... ... 02066 1028 NtQueryValueKey (560, (560, "Domain", Partial, 144, ... , Partial, 144, ... 02065 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81907, 0} ... 
{28, 56, reply, 0, 1252, 896, 81907, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\2\0\0\344\4\0\0H\3\0\0" ) ) == 0x0 02066 1028 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02067 896 NtResumeThread (584, ... 02068 1028 NtClose (560, ... 02067 896 NtResumeThread ... 1, ) == 0x0 02068 1028 NtClose ... ) == 0x0 02069 2016 NtClose (568, ... 02070 840 NtTestAlert (... 02071 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02069 2016 NtClose ... ) == 0x0 02070 840 NtTestAlert ... ) == 0x0 02071 896 NtAllocateVirtualMemory ... 66584576, 1048576, ) == 0x0 02072 2016 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02073 840 NtContinue (66583856, 1, ... 02074 896 NtAllocateVirtualMemory (-1, 67624960, 0, 8192, 4096, 4, ... 02072 2016 NtCreateEvent ... 568, ) == 0x0 02075 840 NtRegisterThreadTerminatePort (24, ... 02074 896 NtAllocateVirtualMemory ... 67624960, 8192, ) == 0x0 02076 2016 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ... 02075 840 NtRegisterThreadTerminatePort ... ) == 0x0 02077 896 NtProtectVirtualMemory (-1, (0x407e000), 4096, 260, ... 02076 2016 NtOpenKey ... 560, ) == 0x0 02078 1028 NtClose (552, ... 02077 896 NtProtectVirtualMemory ... (0x407e000), 4096, 4, ) == 0x0 02079 840 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02078 1028 NtClose ... ) == 0x0 02080 2016 NtOpenKey (0x20019, {24, 560, 0x40, 0, 0, (0x20019, {24, 560, 0x40, 0, 0, "ActiveComputerName"}, ... }, ... 02079 840 NtDuplicateObject ... 552, ) == 0x0 02081 1028 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 02080 2016 NtOpenKey ... 556, ) == 0x0 02082 840 NtWaitForSingleObject (64, 0, {0, 0}, ... 02081 1028 NtOpenKey ... 588, ) == 0x0 02083 2016 NtQueryValueKey (556, (556, "ComputerName", Full, 108, ... , Full, 108, ... 02082 840 NtWaitForSingleObject ... 
) == 0x102 02084 1028 NtQueryValueKey (588, (588, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ... 02083 2016 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 02085 840 NtWaitForSingleObject (132, 0, 0x0, ... 02084 1028 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02086 2016 NtClose (556, ... 02087 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02086 2016 NtClose ... ) == 0x0 02087 896 NtCreateThread ... 556, {1252, 876}, ) == 0x0 02088 1028 NtClose (588, ... 02089 896 NtQueryInformationThread (556, Basic, 28, ... 02088 1028 NtClose ... ) == 0x0 02089 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1252,Tid=876,}, 0x0, ) == 0x0 02090 1028 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 16247760, ... }, 16247760, ... 02091 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81907, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81907, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\344\4\0\0l\3\0\0" ... ... 02090 1028 NtQueryAttributesFile ... ) == 0x0 02092 1028 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 588, {status=0x0, info=1}, ) }, 5, 96, ... 588, {status=0x0, info=1}, ) == 0x0 02093 1028 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 588, ... 592, ) == 0x0 02094 1028 NtClose (588, ... ) == 0x0 02095 1028 NtMapViewOfSection (592, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x850000), 0x0, 20480, ) == 0x0 02096 2016 NtClose (560, ... 02091 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81909, 0} ... {28, 56, reply, 0, 1252, 896, 81909, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG,\2\0\0\344\4\0\0l\3\0\0" ) ) == 0x0 02096 2016 NtClose ... 
) == 0x0 02097 896 NtResumeThread (556, ... 02098 2016 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 02097 896 NtResumeThread ... 1, ) == 0x0 02098 2016 NtCreateIoCompletion ... 560, ) == 0x0 02099 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02100 2016 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 02099 896 NtAllocateVirtualMemory ... 67633152, 1048576, ) == 0x0 02100 2016 NtCreateIoCompletion ... 588, ) == 0x0 02101 896 NtAllocateVirtualMemory (-1, 68673536, 0, 8192, 4096, 4, ... 02102 1028 NtClose (592, ... 02103 876 NtWaitForSingleObject (100, 0, 0x0, ... 02104 2016 NtDuplicateObject (-1, 560, -1, 0x0, 0, 2, ... 02102 1028 NtClose ... ) == 0x0 02104 2016 NtDuplicateObject ... 592, ) == 0x0 02105 2016 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02106 2016 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 596, ) == 0x0 02107 2016 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02108 2016 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02109 2016 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 11006144, (0xc0100080, {24, 0, 0x40, 0, 11006144, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ... 02110 1028 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 02111 1028 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 16248068, ... ) }, 16248068, ... ) == 0x0 02112 1028 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 600, {status=0x0, info=1}, ) }, 5, 96, ... 600, {status=0x0, info=1}, ) == 0x0 02113 1028 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 600, ... 604, ) == 0x0 02109 2016 NtCreateFile ... 608, {status=0x0, info=1}, ) == 0x0 02101 896 NtAllocateVirtualMemory ... 68673536, 8192, ) == 0x0 02114 1028 NtQuerySection (604, Image, 48, ... 02115 896 NtProtectVirtualMemory (-1, (0x417e000), 4096, 260, ... 02114 1028 NtQuerySection ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 02115 896 NtProtectVirtualMemory ... (0x417e000), 4096, 4, ) == 0x0 02116 1028 NtClose (600, ... 02117 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02116 1028 NtClose ... ) == 0x0 02117 896 NtCreateThread ... 600, {1252, 1104}, ) == 0x0 02118 1028 NtMapViewOfSection (604, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 02119 896 NtQueryInformationThread (600, Basic, 28, ... 02118 1028 NtMapViewOfSection ... (0x76fb0000), 0x0, 32768, ) == 0x0 02120 2016 NtSetInformationFile (608, 11006200, 8, Pipe, ... 02119 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1252,Tid=1104,}, 0x0, ) == 0x0 02120 2016 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02121 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81909, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81909, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0P\4\0\0" ... ... 02122 2016 NtSetInformationFile (608, 11006188, 8, Completion, ... 02121 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81910, 0} ... {28, 56, reply, 0, 1252, 896, 81910, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\344\4\0\0P\4\0\0" ) ) == 0x0 02122 2016 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02123 896 NtResumeThread (600, ... 02124 2016 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02123 896 NtResumeThread ... 1, ) == 0x0 02124 2016 NtSetInformationThread ... ) == 0x0 02125 1028 NtClose (604, ... 02126 1104 NtWaitForSingleObject (100, 0, 0x0, ... 02127 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02125 1028 NtClose ... ) == 0x0 02127 896 NtAllocateVirtualMemory ... 68681728, 1048576, ) == 0x0 02128 1028 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 02129 896 NtAllocateVirtualMemory (-1, 69722112, 0, 8192, 4096, 4, ... 02128 1028 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 02129 896 NtAllocateVirtualMemory ... 
69722112, 8192, ) == 0x0 02130 896 NtProtectVirtualMemory (-1, (0x427e000), 4096, 260, ... (0x427e000), 4096, 4, ) == 0x0 02131 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 604, {1252, 860}, ) == 0x0 02132 896 NtQueryInformationThread (604, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1252,Tid=860,}, 0x0, ) == 0x0 02133 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81910, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81910, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\0\\3\0\0" ... ... 02134 2016 NtWriteFile (608, 229, 0, 0, (608, 229, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02135 2016 NtReadFile (608, 229, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (608, 229, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02136 2016 NtFsControlFile (608, 229, 0x0, 0x0, 0x11c017, (608, 229, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\247\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (608, 229, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\247\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02137 2016 NtFsControlFile (608, 229, 0x0, 0x0, 0x11c017, (608, 229, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\1\0\0\0\1\0\0\0&\0(\0\370k\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) , 136, 1024, ... {status=0x103, info=48}, (608, 229, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\1\0\0\0\1\0\0\0&\0(\0\370k\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) , ) == 0x103 02138 2016 NtFsControlFile (608, 229, 0x0, 0x0, 0x11c017, (608, 229, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\10<\25\0\1\0\0\0\24<\25\0 \0\0\0\1\0\0\0\30\0\32\0 <\25\0<<\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0(j\25\0\1\0\0\0\5\0i\08j\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=156}, (608, 229, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... 
{status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\10<\25\0\1\0\0\0\24<\25\0 \0\0\0\1\0\0\0\30\0\32\0 <\25\0<<\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0(j\25\0\1\0\0\0\5\0i\08j\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02139 2016 NtClose (596, ... ) == 0x0 02140 1028 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 02133 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81911, 0} ... {28, 56, reply, 0, 1252, 896, 81911, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\2\0\0\344\4\0\0\\3\0\0" ) ) == 0x0 02140 1028 NtProtectVirtualMemory ... (0x76fb1000), 4096, 4, ) == 0x0 02141 896 NtResumeThread (604, ... 02142 1028 NtFlushInstructionCache (-1, 1996165120, 232, ... 02141 896 NtResumeThread ... 1, ) == 0x0 02142 1028 NtFlushInstructionCache ... ) == 0x0 02143 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02144 1028 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 02143 896 NtAllocateVirtualMemory ... 69730304, 1048576, ) == 0x0 02144 1028 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 02145 896 NtAllocateVirtualMemory (-1, 70770688, 0, 8192, 4096, 4, ... 02146 2016 NtClose (608, ... 02147 860 NtWaitForSingleObject (100, 0, 0x0, ... 02148 1028 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 02146 2016 NtClose ... ) == 0x0 02148 1028 NtProtectVirtualMemory ... (0x76fb1000), 4096, 4, ) == 0x0 02149 2016 NtSecureConnectPort ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1383928, 0x0, 11008068, 188, ... , {12, 2, 1, 1}, 0x0, 1383928, 0x0, 11008068, 188, ... 02150 1028 NtFlushInstructionCache (-1, 1996165120, 232, ... ) == 0x0 02151 1028 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 608, ) }, ... 608, ) == 0x0 02152 1028 NtMapViewOfSection (608, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 02153 1028 NtClose (608, ... 
) == 0x0 02154 1028 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0 02145 896 NtAllocateVirtualMemory ... 70770688, 8192, ) == 0x0 02149 2016 NtSecureConnectPort ... 608, 0x0, 0x0, 0x0, 188, ) == 0x0 02155 896 NtProtectVirtualMemory (-1, (0x437e000), 4096, 260, ... 02156 2016 NtOpenThreadToken (-2, 0xc, 1, ... 02155 896 NtProtectVirtualMemory ... (0x437e000), 4096, 4, ) == 0x0 02156 2016 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02157 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02158 2016 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02157 896 NtCreateThread ... 596, {1252, 1516}, ) == 0x0 02158 2016 NtSetInformationThread ... ) == 0x0 02159 896 NtQueryInformationThread (596, Basic, 28, ... 02160 2016 NtRequestWaitReplyPort (608, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} (608, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0:R\366Y\353\22qg\371\221\243\1\16J\320c\12\0\0\0\3607\304\20$\370I\32\0\0\0\0\330&\25\0vx\333@\225(y\221(\0\0\0\345*\0@\0\0\24\0\240\366\247\0M\240F\23\0\0\0\0\270;\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 2016, 81913, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0:R\366Y\353\22qg\371\221\243\1\16J\320c\12\0\0\0\3607\304\20$\370I\32\0\0\0\0\330&\25\0vx\333@\225(y\221(\0\0\0\345*\0@\0\0\24\0\240\366\247\0M\240F\23\0\0\0\0\270;\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ... 
{200, 224, reply, 0, 1252, 2016, 81913, 0} (608, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0:R\366Y\353\22qg\371\221\243\1\16J\320c\12\0\0\0\3607\304\20$\370I\32\0\0\0\0\330&\25\0vx\333@\225(y\221(\0\0\0\345*\0@\0\0\24\0\240\366\247\0M\240F\23\0\0\0\0\270;\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1252, 2016, 81913, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0:R\366Y\353\22qg\371\221\243\1\16J\320c\12\0\0\0\3607\304\20$\370I\32\0\0\0\0\330&\25\0vx\333@\225(y\221(\0\0\0\345*\0@\0\0\24\0\240\366\247\0M\240F\23\0\0\0\0\270;\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 02161 2016 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02162 2016 NtRequestWaitReplyPort (608, {56, 80, new_msg, 0, 44, 3, 20, 0} (608, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0gS\263F\252\227\2L\355h\28\1\0\0\0\0\0\0\0&\0(\0\234\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ... ... 02159 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1252,Tid=1516,}, 0x0, ) == 0x0 02163 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81911, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81911, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0\354\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81915, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0\354\5\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81915, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81911, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0\354\5\0\0" ... 
{28, 56, reply, 0, 1252, 896, 81915, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\344\4\0\0\354\5\0\0" ) ) == 0x0 02164 896 NtResumeThread (596, ... 1, ) == 0x0 02165 1028 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... 02166 1516 NtWaitForSingleObject (100, 0, 0x0, ... 02165 1028 NtProtectVirtualMemory ... (0x76f61000), 4096, 4, ) == 0x0 02167 1028 NtFlushInstructionCache (-1, 1995837440, 228, ... ) == 0x0 02168 1028 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0 02169 1028 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0 02170 1028 NtFlushInstructionCache (-1, 1995837440, 228, ... ) == 0x0 02171 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02162 2016 NtRequestWaitReplyPort ... {44, 68, reply, 0, 1252, 2016, 81914, 0} ... {44, 68, reply, 0, 1252, 2016, 81914, 0} "\4\376\255\201\0\0\0\0\200Y\274\201\356\12$\342\264\311\275\201:\332R\200X\253v\367\324\376\255\201\2\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02171 896 NtAllocateVirtualMemory ... 70778880, 1048576, ) == 0x0 02172 2016 NtRaiseException (11008528, 11007788, 1, ... 02173 896 NtAllocateVirtualMemory (-1, 71819264, 0, 8192, 4096, 4, ... 02174 2016 NtQueryVirtualMemory (-1, 0x77ea0470, BasicVlm, 16, ... 02173 896 NtAllocateVirtualMemory ... 71819264, 8192, ) == 0x0 02174 2016 NtQueryVirtualMemory ... {memory info, class 3, size 16}, 0x0, ) == 0x0 02175 896 NtProtectVirtualMemory (-1, (0x447e000), 4096, 260, ... 02176 2016 NtQueryVirtualMemory (-1, 0x77e7a298, Basic, 28, ... 02175 896 NtProtectVirtualMemory ... (0x447e000), 4096, 4, ) == 0x0 02177 1028 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 02176 2016 NtQueryVirtualMemory ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 02177 1028 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 02178 2016 NtContinue (11006756, 0, ... 
02179 1028 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 02180 2016 NtDeviceIoControlFile (412, 112, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... 02179 1028 NtProtectVirtualMemory ... (0x76fb1000), 4096, 4, ) == 0x0 02180 2016 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x103 02181 1028 NtFlushInstructionCache (-1, 1996165120, 232, ... 02182 2016 NtWaitForSingleObject (112, 1, {-5000000, -1}, ... 02181 1028 NtFlushInstructionCache ... ) == 0x0 02183 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 612, {1252, 780}, ) == 0x0 02184 896 NtQueryInformationThread (612, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1252,Tid=780,}, 0x0, ) == 0x0 02185 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81915, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81915, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0\14\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0\14\3\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81916, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81915, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0\14\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\2\0\0\344\4\0\0\14\3\0\0" ) ) == 0x0 02186 896 NtResumeThread (612, ... 1, ) == 0x0 02187 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 71827456, 1048576, ) == 0x0 02188 896 NtAllocateVirtualMemory (-1, 72867840, 0, 8192, 4096, 4, ... 02189 780 NtWaitForSingleObject (100, 0, 0x0, ... 02188 896 NtAllocateVirtualMemory ... 72867840, 8192, ) == 0x0 02190 896 NtProtectVirtualMemory (-1, (0x457e000), 4096, 260, ... (0x457e000), 4096, 4, ) == 0x0 02191 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {1252, 940}, ) == 0x0 02192 896 NtQueryInformationThread (616, Basic, 28, ... 
02193 1028 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02194 1028 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 620, ) == 0x0 02195 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 624, ) }, ... 624, ) == 0x0 02196 1028 NtQueryValueKey (624, (624, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (624, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02197 1028 NtClose (624, ... ) == 0x0 02192 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1252,Tid=940,}, 0x0, ) == 0x0 02198 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81916, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0\254\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81917, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0\254\3\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81917, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81916, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0\254\3\0\0" ... {28, 56, reply, 0, 1252, 896, 81917, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\344\4\0\0\254\3\0\0" ) ) == 0x0 02199 896 NtResumeThread (616, ... 1, ) == 0x0 02200 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 72876032, 1048576, ) == 0x0 02201 896 NtAllocateVirtualMemory (-1, 73916416, 0, 8192, 4096, 4, ... 73916416, 8192, ) == 0x0 02202 896 NtProtectVirtualMemory (-1, (0x467e000), 4096, 260, ... (0x467e000), 4096, 4, ) == 0x0 02203 1028 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... }, ... 
02204 940 NtWaitForSingleObject (100, 0, 0x0, ... 02203 1028 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02205 1028 NtQueryPerformanceCounter (... {-1448207112, 16}, {3579545, 0}, ) == 0x0 02206 1028 NtSetEventBoostPriority (100, ... 02103 876 NtWaitForSingleObject ... ) == 0x0 02207 876 NtSetEventBoostPriority (100, ... 02126 1104 NtWaitForSingleObject ... ) == 0x0 02208 1104 NtSetEventBoostPriority (100, ... 02147 860 NtWaitForSingleObject ... ) == 0x0 02209 860 NtSetEventBoostPriority (100, ... 02166 1516 NtWaitForSingleObject ... ) == 0x0 02210 1516 NtSetEventBoostPriority (100, ... 02189 780 NtWaitForSingleObject ... ) == 0x0 02211 780 NtSetEventBoostPriority (100, ... 02204 940 NtWaitForSingleObject ... ) == 0x0 02212 940 NtTestAlert (... ) == 0x0 02211 780 NtSetEventBoostPriority ... ) == 0x0 02210 1516 NtSetEventBoostPriority ... ) == 0x0 02209 860 NtSetEventBoostPriority ... ) == 0x0 02208 1104 NtSetEventBoostPriority ... ) == 0x0 02207 876 NtSetEventBoostPriority ... ) == 0x0 02206 1028 NtSetEventBoostPriority ... ) == 0x0 02213 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02214 940 NtContinue (72875312, 1, ... 02215 780 NtTestAlert (... 02216 1516 NtTestAlert (... 02217 860 NtTestAlert (... 02218 1104 NtTestAlert (... 02219 1028 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 16247760, ... }, 16247760, ... 02213 896 NtCreateThread ... 624, {1252, 1268}, ) == 0x0 02220 940 NtRegisterThreadTerminatePort (24, ... 02215 780 NtTestAlert ... ) == 0x0 02216 1516 NtTestAlert ... ) == 0x0 02217 860 NtTestAlert ... ) == 0x0 02218 1104 NtTestAlert ... ) == 0x0 02219 1028 NtQueryAttributesFile ... ) == 0x0 02221 896 NtQueryInformationThread (624, Basic, 28, ... 02220 940 NtRegisterThreadTerminatePort ... ) == 0x0 02222 780 NtContinue (71826736, 1, ... 02223 1516 NtContinue (70778160, 1, ... 02224 860 NtContinue (69729584, 1, ... 02225 1104 NtContinue (68681008, 1, ... 
02226 1028 NtQuerySystemInformation (Basic, 44, ... 02221 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1252,Tid=1268,}, 0x0, ) == 0x0 02227 940 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02228 780 NtRegisterThreadTerminatePort (24, ... 02229 1516 NtRegisterThreadTerminatePort (24, ... 02230 860 NtRegisterThreadTerminatePort (24, ... 02231 1104 NtRegisterThreadTerminatePort (24, ... 02226 1028 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02232 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81917, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81917, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\364\4\0\0" ... ... 02227 940 NtDuplicateObject ... 628, ) == 0x0 02228 780 NtRegisterThreadTerminatePort ... ) == 0x0 02229 1516 NtRegisterThreadTerminatePort ... ) == 0x0 02230 860 NtRegisterThreadTerminatePort ... ) == 0x0 02231 1104 NtRegisterThreadTerminatePort ... ) == 0x0 02233 876 NtTestAlert (... 02234 940 NtWaitForSingleObject (64, 0, {0, 0}, ... 02235 780 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02236 1516 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02237 860 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02238 1104 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02233 876 NtTestAlert ... ) == 0x0 02239 1028 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 02232 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81918, 0} ... {28, 56, reply, 0, 1252, 896, 81918, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\344\4\0\0\364\4\0\0" ) ) == 0x0 02234 940 NtWaitForSingleObject ... ) == 0x102 02235 780 NtDuplicateObject ... 632, ) == 0x0 02236 1516 NtDuplicateObject ... 636, ) == 0x0 02237 860 NtDuplicateObject ... 
640, ) == 0x0 02240 876 NtContinue (67632432, 1, ... 02239 1028 NtAllocateVirtualMemory ... 8716288, 65536, ) == 0x0 02241 896 NtResumeThread (624, ... 02242 940 NtWaitForSingleObject (132, 0, 0x0, ... 02243 780 NtWaitForSingleObject (64, 0, {0, 0}, ... 02244 1516 NtWaitForSingleObject (64, 0, {0, 0}, ... 02245 860 NtWaitForSingleObject (64, 0, {0, 0}, ... 02246 876 NtRegisterThreadTerminatePort (24, ... 02247 1028 NtAllocateVirtualMemory (-1, 8716288, 0, 4096, 4096, 4, ... 02241 896 NtResumeThread ... 1, ) == 0x0 02243 780 NtWaitForSingleObject ... ) == 0x102 02244 1516 NtWaitForSingleObject ... ) == 0x102 02245 860 NtWaitForSingleObject ... ) == 0x102 02246 876 NtRegisterThreadTerminatePort ... ) == 0x0 02247 1028 NtAllocateVirtualMemory ... 8716288, 4096, ) == 0x0 02248 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02249 780 NtWaitForSingleObject (132, 0, 0x0, ... 02250 1516 NtWaitForSingleObject (132, 0, 0x0, ... 02251 860 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 02252 876 NtWaitForSingleObject (300, 0, 0x0, ... 02253 1028 NtWaitForSingleObject (300, 0, 0x0, ... 02248 896 NtAllocateVirtualMemory ... 73924608, 1048576, ) == 0x0 02251 860 NtAllocateVirtualMemory ... 1404928, 4096, ) == 0x0 02238 1104 NtDuplicateObject ... 644, ) == 0x0 02254 1268 NtWaitForSingleObject (300, 0, 0x0, ... 02255 896 NtAllocateVirtualMemory (-1, 74964992, 0, 8192, 4096, 4, ... 02256 1104 NtWaitForSingleObject (300, 0, 0x0, ... 02257 860 NtSetEventBoostPriority (300, ... 02253 1028 NtWaitForSingleObject ... ) == 0x0 02258 1028 NtSetEventBoostPriority (300, ... 02252 876 NtWaitForSingleObject ... ) == 0x0 02259 876 NtSetEventBoostPriority (300, ... 02254 1268 NtWaitForSingleObject ... ) == 0x0 02260 1268 NtSetEventBoostPriority (300, ... 02256 1104 NtWaitForSingleObject ... ) == 0x0 02261 1104 NtWaitForSingleObject (352, 0, 0x0, ... 02260 1268 NtSetEventBoostPriority ... ) == 0x0 02258 1028 NtSetEventBoostPriority ... 
) == 0x0 02257 860 NtSetEventBoostPriority ... ) == 0x0 02259 876 NtSetEventBoostPriority ... ) == 0x0 02255 896 NtAllocateVirtualMemory ... 74964992, 8192, ) == 0x0 02262 1268 NtTestAlert (... 02263 860 NtWaitForSingleObject (132, 0, 0x0, ... 02264 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02265 896 NtProtectVirtualMemory (-1, (0x477e000), 4096, 260, ... 02262 1268 NtTestAlert ... ) == 0x0 02264 876 NtDuplicateObject ... 648, ) == 0x0 02265 896 NtProtectVirtualMemory ... (0x477e000), 4096, 4, ) == 0x0 02266 1268 NtContinue (73923888, 1, ... 02267 1028 NtSetEventBoostPriority (352, ... 02268 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02269 1268 NtRegisterThreadTerminatePort (24, ... 02261 1104 NtWaitForSingleObject ... ) == 0x0 02267 1028 NtSetEventBoostPriority ... ) == 0x0 02268 896 NtCreateThread ... 652, {1252, 644}, ) == 0x0 02270 1104 NtWaitForSingleObject (64, 0, {0, 0}, ... 02269 1268 NtRegisterThreadTerminatePort ... ) == 0x0 02271 1028 NtAllocateVirtualMemory (-1, 8720384, 0, 8192, 4096, 4, ... 02272 896 NtQueryInformationThread (652, Basic, 28, ... 02273 1268 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02271 1028 NtAllocateVirtualMemory ... 8720384, 8192, ) == 0x0 02274 876 NtWaitForSingleObject (64, 0, {0, 0}, ... 02270 1104 NtWaitForSingleObject ... ) == 0x102 02272 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1252,Tid=644,}, 0x0, ) == 0x0 02275 1028 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 16247760, ... }, 16247760, ... 02274 876 NtWaitForSingleObject ... ) == 0x102 02276 1104 NtWaitForSingleObject (132, 0, 0x0, ... 02277 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81918, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81918, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0\204\2\0\0" ... ... 02275 1028 NtQueryAttributesFile ... ) == 0x0 02278 876 NtWaitForSingleObject (132, 0, 0x0, ... 
02277 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81919, 0} ... {28, 56, reply, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\344\4\0\0\204\2\0\0" ) ) == 0x0 02273 1268 NtDuplicateObject ... 656, ) == 0x0 02279 896 NtResumeThread (652, ... 02280 1268 NtWaitForSingleObject (64, 0, {0, 0}, ... 02279 896 NtResumeThread ... 1, ) == 0x0 02280 1268 NtWaitForSingleObject ... ) == 0x102 02281 1028 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... }, 5, 96, ... 02282 644 NtWaitForSingleObject (100, 0, 0x0, ... 02283 1268 NtWaitForSingleObject (132, 0, 0x0, ... 02281 1028 NtOpenFile ... 660, {status=0x0, info=1}, ) == 0x0 02284 1028 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 660, ... 664, ) == 0x0 02285 1028 NtClose (660, ... ) == 0x0 02286 1028 NtMapViewOfSection (664, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x4780000), 0x0, 110592, ) == 0x0 02287 1028 NtClose (664, ... ) == 0x0 02288 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 75104256, 1048576, ) == 0x0 02289 896 NtAllocateVirtualMemory (-1, 76144640, 0, 8192, 4096, 4, ... 76144640, 8192, ) == 0x0 02290 896 NtProtectVirtualMemory (-1, (0x489e000), 4096, 260, ... (0x489e000), 4096, 4, ) == 0x0 02291 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {1252, 1736}, ) == 0x0 02292 896 NtQueryInformationThread (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1252,Tid=1736,}, 0x0, ) == 0x0 02293 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81919, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81919, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0\310\6\0\0" ... ... 02294 1028 NtUnmapViewOfSection (-1, 0x4780000, ... ) == 0x0 02295 1028 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 16248068, ... }, 16248068, ... 02293 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81920, 0} ... 
{28, 56, reply, 0, 1252, 896, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\344\4\0\0\310\6\0\0" ) ) == 0x0 02296 896 NtResumeThread (664, ... 1, ) == 0x0 02297 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 76152832, 1048576, ) == 0x0 02298 896 NtAllocateVirtualMemory (-1, 77193216, 0, 8192, 4096, 4, ... 77193216, 8192, ) == 0x0 02299 896 NtProtectVirtualMemory (-1, (0x499e000), 4096, 260, ... (0x499e000), 4096, 4, ) == 0x0 02300 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {1252, 320}, ) == 0x0 02301 896 NtQueryInformationThread (660, Basic, 28, ... 02295 1028 NtQueryAttributesFile ... ) == 0x0 02302 1736 NtWaitForSingleObject (100, 0, 0x0, ... 02303 1028 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wshbth.dll"}, 5, 96, ... 668, {status=0x0, info=1}, ) }, 5, 96, ... 668, {status=0x0, info=1}, ) == 0x0 02304 1028 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 668, ... 672, ) == 0x0 02305 1028 NtQuerySection (672, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02306 1028 NtClose (668, ... ) == 0x0 02307 1028 NtMapViewOfSection (672, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x751d0000), 0x0, 122880, ) == 0x0 02308 1028 NtClose (672, ... 02301 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1252,Tid=320,}, 0x0, ) == 0x0 02309 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81920, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0@\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0@\1\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81921, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81920, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0@\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\344\4\0\0@\1\0\0" ) ) == 0x0 02310 896 NtResumeThread (660, ... 
1, ) == 0x0 02311 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 77201408, 1048576, ) == 0x0 02312 896 NtAllocateVirtualMemory (-1, 78241792, 0, 8192, 4096, 4, ... 78241792, 8192, ) == 0x0 02313 896 NtProtectVirtualMemory (-1, (0x4a9e000), 4096, 260, ... (0x4a9e000), 4096, 4, ) == 0x0 02308 1028 NtClose ... ) == 0x0 02314 320 NtWaitForSingleObject (100, 0, 0x0, ... 02315 1028 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0 02316 1028 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0 02317 1028 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02318 1028 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0 02319 1028 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... 02320 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1252, 380}, ) == 0x0 02321 896 NtQueryInformationThread (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1252,Tid=380,}, 0x0, ) == 0x0 02322 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81921, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0|\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0|\1\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81922, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81921, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0|\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\344\4\0\0|\1\0\0" ) ) == 0x0 02323 896 NtResumeThread (672, ... 1, ) == 0x0 02324 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 78249984, 1048576, ) == 0x0 02325 896 NtAllocateVirtualMemory (-1, 79290368, 0, 8192, 4096, 4, ... 02319 1028 NtProtectVirtualMemory ... (0x751d1000), 4096, 4, ) == 0x0 02326 380 NtWaitForSingleObject (100, 0, 0x0, ... 02327 1028 NtFlushInstructionCache (-1, 1964838912, 224, ... 
) == 0x0 02328 1028 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02329 1028 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 16247244, ... }, 16247244, ... 02325 896 NtAllocateVirtualMemory ... 79290368, 8192, ) == 0x0 02330 896 NtProtectVirtualMemory (-1, (0x4b9e000), 4096, 260, ... (0x4b9e000), 4096, 4, ) == 0x0 02331 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1252, 1332}, ) == 0x0 02332 896 NtQueryInformationThread (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1252,Tid=1332,}, 0x0, ) == 0x0 02333 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\04\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\04\5\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81923, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81922, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\04\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\344\4\0\04\5\0\0" ) ) == 0x0 02334 896 NtResumeThread (668, ... 1, ) == 0x0 02335 1332 NtWaitForSingleObject (100, 0, 0x0, ... 02336 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 79298560, 1048576, ) == 0x0 02337 896 NtAllocateVirtualMemory (-1, 80338944, 0, 8192, 4096, 4, ... 80338944, 8192, ) == 0x0 02338 896 NtProtectVirtualMemory (-1, (0x4c9e000), 4096, 260, ... (0x4c9e000), 4096, 4, ) == 0x0 02339 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1252, 1336}, ) == 0x0 02340 896 NtQueryInformationThread (676, Basic, 28, ... 02329 1028 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02341 1028 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 16247244, ... ) }, 16247244, ... 
) == 0x0 02342 1028 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 680, {status=0x0, info=1}, ) }, 5, 96, ... 680, {status=0x0, info=1}, ) == 0x0 02343 1028 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 680, ... 684, ) == 0x0 02344 1028 NtQuerySection (684, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02340 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1252,Tid=1336,}, 0x0, ) == 0x0 02345 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81923, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\08\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\08\5\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81924, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81923, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\08\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\344\4\0\08\5\0\0" ) ) == 0x0 02346 896 NtResumeThread (676, ... 1, ) == 0x0 02347 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 80347136, 1048576, ) == 0x0 02348 896 NtAllocateVirtualMemory (-1, 81387520, 0, 8192, 4096, 4, ... 81387520, 8192, ) == 0x0 02349 896 NtProtectVirtualMemory (-1, (0x4d9e000), 4096, 260, ... (0x4d9e000), 4096, 4, ) == 0x0 02350 1028 NtClose (680, ... 02351 1336 NtWaitForSingleObject (100, 0, 0x0, ... 02350 1028 NtClose ... ) == 0x0 02352 1028 NtMapViewOfSection (684, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0 02353 1028 NtClose (684, ... ) == 0x0 02354 1028 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02355 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1252, 1808}, ) == 0x0 02356 896 NtQueryInformationThread (684, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1252,Tid=1808,}, 0x0, ) == 0x0 02357 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81924, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81924, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0\20\7\0\0" ... ... 02358 1028 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02357 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81925, 0} ... {28, 56, reply, 0, 1252, 896, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\344\4\0\0\20\7\0\0" ) ) == 0x0 02359 896 NtResumeThread (684, ... 1, ) == 0x0 02360 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 81395712, 1048576, ) == 0x0 02361 896 NtAllocateVirtualMemory (-1, 82436096, 0, 8192, 4096, 4, ... 82436096, 8192, ) == 0x0 02362 896 NtProtectVirtualMemory (-1, (0x4e9e000), 4096, 260, ... (0x4e9e000), 4096, 4, ) == 0x0 02363 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1252, 468}, ) == 0x0 02364 896 NtQueryInformationThread (680, Basic, 28, ... 02365 1028 NtFlushInstructionCache (-1, 2006061056, 1368, ... 02366 1808 NtWaitForSingleObject (100, 0, 0x0, ... 02365 1028 NtFlushInstructionCache ... ) == 0x0 02367 1028 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02368 1028 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02369 1028 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02370 1028 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02371 1028 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02364 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1252,Tid=468,}, 0x0, ) == 0x0 02372 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81925, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\324\1\0\0" ... 
{28, 56, reply, 0, 1252, 896, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\324\1\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81926, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81925, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\324\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\344\4\0\0\324\1\0\0" ) ) == 0x0 02373 896 NtResumeThread (680, ... 1, ) == 0x0 02374 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 82444288, 1048576, ) == 0x0 02375 896 NtAllocateVirtualMemory (-1, 83484672, 0, 8192, 4096, 4, ... 83484672, 8192, ) == 0x0 02376 896 NtProtectVirtualMemory (-1, (0x4f9e000), 4096, 260, ... (0x4f9e000), 4096, 4, ) == 0x0 02377 1028 NtFlushInstructionCache (-1, 2006061056, 1368, ... 02378 468 NtWaitForSingleObject (100, 0, 0x0, ... 02377 1028 NtFlushInstructionCache ... ) == 0x0 02379 1028 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02380 1028 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02381 1028 NtFlushInstructionCache (-1, 2006061056, 1368, ... ) == 0x0 02382 1028 NtProtectVirtualMemory (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0 02383 1028 NtProtectVirtualMemory (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0 02384 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1252, 752}, ) == 0x0 02385 896 NtQueryInformationThread (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1252,Tid=752,}, 0x0, ) == 0x0 02386 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81926, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\360\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\360\2\0\0" ) ... 
{28, 56, reply, 0, 1252, 896, 81927, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81926, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\360\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\344\4\0\0\360\2\0\0" ) ) == 0x0 02387 896 NtResumeThread (688, ... 1, ) == 0x0 02388 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 83492864, 1048576, ) == 0x0 02389 896 NtAllocateVirtualMemory (-1, 84533248, 0, 8192, 4096, 4, ... 02390 1028 NtFlushInstructionCache (-1, 2006061056, 1368, ... 02391 752 NtWaitForSingleObject (100, 0, 0x0, ... 02390 1028 NtFlushInstructionCache ... ) == 0x0 02392 1028 NtProtectVirtualMemory (-1, (0x751d1000), 224, 4, ... (0x751d1000), 4096, 32, ) == 0x0 02393 1028 NtProtectVirtualMemory (-1, (0x751d1000), 4096, 32, ... (0x751d1000), 4096, 4, ) == 0x0 02394 1028 NtFlushInstructionCache (-1, 1964838912, 224, ... ) == 0x0 02389 896 NtAllocateVirtualMemory ... 84533248, 8192, ) == 0x0 02395 896 NtProtectVirtualMemory (-1, (0x509e000), 4096, 260, ... (0x509e000), 4096, 4, ) == 0x0 02396 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1252, 1512}, ) == 0x0 02397 896 NtQueryInformationThread (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1252,Tid=1512,}, 0x0, ) == 0x0 02398 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\350\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\350\5\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81928, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81927, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\350\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\344\4\0\0\350\5\0\0" ) ) == 0x0 02399 896 NtResumeThread (692, ... 
1, ) == 0x0 02400 1028 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... }, ... 02401 1512 NtWaitForSingleObject (100, 0, 0x0, ... 02400 1028 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02402 1028 NtQueryDefaultUILanguage (2090319928, ... 02403 1028 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02404 1028 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481484, ) == 0x0 02405 1028 NtQueryInformationToken (-2147481484, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02406 1028 NtClose (-2147481484, ... 02407 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 84541440, 1048576, ) == 0x0 02408 896 NtAllocateVirtualMemory (-1, 85581824, 0, 8192, 4096, 4, ... 85581824, 8192, ) == 0x0 02409 896 NtProtectVirtualMemory (-1, (0x519e000), 4096, 260, ... (0x519e000), 4096, 4, ) == 0x0 02410 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {1252, 1380}, ) == 0x0 02411 896 NtQueryInformationThread (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1252,Tid=1380,}, 0x0, ) == 0x0 02412 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81928, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81928, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0d\5\0\0" ... ... 02406 1028 NtClose ... ) == 0x0 02413 1028 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481484, ) }, ... -2147481484, ) == 0x0 02414 1028 NtOpenKey (0x80000000, {24, -2147481484, 0x240, 0, 0, (0x80000000, {24, -2147481484, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02415 1028 NtOpenKey (0x80000000, {24, -2147481484, 0x640, 0, 0, (0x80000000, {24, -2147481484, 0x640, 0, 0, "Control Panel\Desktop"}, ... }, ... 
02412 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81929, 0} ... {28, 56, reply, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\344\4\0\0d\5\0\0" ) ) == 0x0 02416 896 NtResumeThread (696, ... 1, ) == 0x0 02417 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 85590016, 1048576, ) == 0x0 02418 896 NtAllocateVirtualMemory (-1, 86630400, 0, 8192, 4096, 4, ... 86630400, 8192, ) == 0x0 02419 896 NtProtectVirtualMemory (-1, (0x529e000), 4096, 260, ... (0x529e000), 4096, 4, ) == 0x0 02420 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {1252, 1564}, ) == 0x0 02421 896 NtQueryInformationThread (700, Basic, 28, ... 02415 1028 NtOpenKey ... -2147482104, ) == 0x0 02422 1380 NtWaitForSingleObject (100, 0, 0x0, ... 02423 1028 NtQueryValueKey (-2147482104, (-2147482104, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02424 1028 NtClose (-2147482104, ... ) == 0x0 02425 1028 NtClose (-2147481484, ... ) == 0x0 02402 1028 NtQueryDefaultUILanguage ... ) == 0x0 02426 1028 NtAllocateVirtualMemory (-1, 16236544, 0, 4096, 4096, 260, ... 16236544, 4096, ) == 0x0 02427 1028 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 02421 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1252,Tid=1564,}, 0x0, ) == 0x0 02428 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\34\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\34\6\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81930, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81929, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\34\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\344\4\0\0\34\6\0\0" ) ) == 0x0 02429 896 NtResumeThread (700, ... 
1, ) == 0x0 02430 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 86638592, 1048576, ) == 0x0 02431 896 NtAllocateVirtualMemory (-1, 87678976, 0, 8192, 4096, 4, ... 87678976, 8192, ) == 0x0 02432 896 NtProtectVirtualMemory (-1, (0x539e000), 4096, 260, ... (0x539e000), 4096, 4, ) == 0x0 02433 1028 NtQueryDefaultLocale (1, 16247964, ... 02434 1564 NtWaitForSingleObject (100, 0, 0x0, ... 02433 1028 NtQueryDefaultLocale ... ) == 0x0 02435 1028 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02436 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 704, ) }, ... 704, ) == 0x0 02437 1028 NtQueryValueKey (704, (704, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (704, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02438 1028 NtClose (704, ... ) == 0x0 02439 1028 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 704, ) == 0x0 02440 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1252, 164}, ) == 0x0 02441 896 NtQueryInformationThread (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1252,Tid=164,}, 0x0, ) == 0x0 02442 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\244\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\244\0\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81931, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81930, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\244\0\0\0" ... {28, 56, reply, 0, 1252, 896, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\344\4\0\0\244\0\0\0" ) ) == 0x0 02443 896 NtResumeThread (708, ... 1, ) == 0x0 02444 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
87687168, 1048576, ) == 0x0 02445 896 NtAllocateVirtualMemory (-1, 88727552, 0, 8192, 4096, 4, ... 02446 1028 NtCallbackReturn (0, 0, 0, ... 02447 164 NtWaitForSingleObject (100, 0, 0x0, ... 02448 1028 NtUserGetProcessWindowStation (... ) == 0x20 02449 1028 NtUserGetObjectInformation (32, 1, 16247560, 12, 16247572, ... ) == 0x1 02450 1028 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02451 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\WPA\PnP"}, ... 712, ) }, ... 712, ) == 0x0 02452 1028 NtQueryValueKey (712, (712, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (712, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0 02453 1028 NtClose (712, ... 02445 896 NtAllocateVirtualMemory ... 88727552, 8192, ) == 0x0 02454 896 NtProtectVirtualMemory (-1, (0x549e000), 4096, 260, ... (0x549e000), 4096, 4, ) == 0x0 02455 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1252, 312}, ) == 0x0 02456 896 NtQueryInformationThread (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1252,Tid=312,}, 0x0, ) == 0x0 02457 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81931, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\08\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\08\1\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81932, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81931, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\08\1\0\0" ... {28, 56, reply, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\344\4\0\08\1\0\0" ) ) == 0x0 02458 896 NtResumeThread (716, ... 1, ) == 0x0 02453 1028 NtClose ... ) == 0x0 02459 312 NtWaitForSingleObject (100, 0, 0x0, ... 
02460 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 712, ) }, ... 712, ) == 0x0 02461 1028 NtQueryValueKey (712, (712, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (712, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02462 1028 NtQueryValueKey (712, (712, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (712, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02463 1028 NtClose (712, ... ) == 0x0 02464 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 712, ) }, ... 712, ) == 0x0 02465 1028 NtQueryValueKey (712, (712, "SystemPartition", Partial, 144, ... , Partial, 144, ... 02466 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 88735744, 1048576, ) == 0x0 02467 896 NtAllocateVirtualMemory (-1, 89776128, 0, 8192, 4096, 4, ... 89776128, 8192, ) == 0x0 02468 896 NtProtectVirtualMemory (-1, (0x559e000), 4096, 260, ... (0x559e000), 4096, 4, ) == 0x0 02469 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1252, 1964}, ) == 0x0 02470 896 NtQueryInformationThread (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1252,Tid=1964,}, 0x0, ) == 0x0 02471 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81932, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81932, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\254\7\0\0" ... ... 02465 1028 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02472 1028 NtQueryValueKey (712, (712, "SystemPartition", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (712, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02473 1028 NtClose (712, ... ) == 0x0 02474 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ... 02471 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81933, 0} ... {28, 56, reply, 0, 1252, 896, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\344\4\0\0\254\7\0\0" ) ) == 0x0 02475 896 NtResumeThread (720, ... 1, ) == 0x0 02476 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 89784320, 1048576, ) == 0x0 02477 896 NtAllocateVirtualMemory (-1, 90824704, 0, 8192, 4096, 4, ... 90824704, 8192, ) == 0x0 02478 896 NtProtectVirtualMemory (-1, (0x569e000), 4096, 260, ... (0x569e000), 4096, 4, ) == 0x0 02479 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1252, 1568}, ) == 0x0 02480 896 NtQueryInformationThread (712, Basic, 28, ... 02474 1028 NtOpenKey ... 724, ) == 0x0 02481 1964 NtWaitForSingleObject (100, 0, 0x0, ... 02482 1028 NtQueryValueKey (724, (724, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (724, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02483 1028 NtQueryValueKey (724, (724, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (724, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02484 1028 NtClose (724, ... ) == 0x0 02485 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 
724, ) }, ... 724, ) == 0x0 02486 1028 NtQueryValueKey (724, (724, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (724, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02487 1028 NtQueryValueKey (724, (724, "ServicePackSourcePath", Partial, 144, ... , Partial, 144, ... 02480 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1252,Tid=1568,}, 0x0, ) == 0x0 02488 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81933, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0 \6\0\0" ... {28, 56, reply, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0 \6\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81934, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81933, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0 \6\0\0" ... {28, 56, reply, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\344\4\0\0 \6\0\0" ) ) == 0x0 02489 896 NtResumeThread (712, ... 1, ) == 0x0 02490 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 90832896, 1048576, ) == 0x0 02491 896 NtAllocateVirtualMemory (-1, 91873280, 0, 8192, 4096, 4, ... 91873280, 8192, ) == 0x0 02492 896 NtProtectVirtualMemory (-1, (0x579e000), 4096, 260, ... (0x579e000), 4096, 4, ) == 0x0 02487 1028 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02493 1568 NtWaitForSingleObject (100, 0, 0x0, ... 02494 1028 NtClose (724, ... ) == 0x0 02495 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 724, ) }, ... 724, ) == 0x0 02496 1028 NtQueryValueKey (724, (724, "ServicePackCachePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (724, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 02497 1028 NtQueryValueKey (724, (724, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (724, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0 02498 1028 NtClose (724, ... ) == 0x0 02499 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ... 02500 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1252, 1624}, ) == 0x0 02501 896 NtQueryInformationThread (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1252,Tid=1624,}, 0x0, ) == 0x0 02502 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0X\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0X\6\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81935, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81934, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0X\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\344\4\0\0X\6\0\0" ) ) == 0x0 02503 896 NtResumeThread (724, ... 
1, ) == 0x0 02499 1028 NtOpenKey ... 728, ) == 0x0 02504 1624 NtWaitForSingleObject (100, 0, 0x0, ... 02505 1028 NtQueryValueKey (728, (728, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (728, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02506 1028 NtQueryValueKey (728, (728, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (728, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02507 1028 NtClose (728, ... ) == 0x0 02508 1028 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 728, ) }, ... 728, ) == 0x0 02509 1028 NtQueryValueKey (728, (728, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02510 1028 NtQueryValueKey (728, (728, "DevicePath", Partial, 346, ... , Partial, 346, ... 02511 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 91881472, 1048576, ) == 0x0 02512 896 NtAllocateVirtualMemory (-1, 92921856, 0, 8192, 4096, 4, ... 92921856, 8192, ) == 0x0 02513 896 NtProtectVirtualMemory (-1, (0x589e000), 4096, 260, ... (0x589e000), 4096, 4, ) == 0x0 02514 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {1252, 1716}, ) == 0x0 02515 896 NtQueryInformationThread (732, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1252,Tid=1716,}, 0x0, ) == 0x0 02516 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81935, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81935, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0\264\6\0\0" ... ... 02510 1028 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0 02517 1028 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0 02518 1028 NtClose (728, ... ) == 0x0 02519 1028 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02516 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81936, 0} ... {28, 56, reply, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\344\4\0\0\264\6\0\0" ) ) == 0x0 02520 896 NtResumeThread (732, ... 1, ) == 0x0 02521 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 92930048, 1048576, ) == 0x0 02522 896 NtAllocateVirtualMemory (-1, 93970432, 0, 8192, 4096, 4, ... 93970432, 8192, ) == 0x0 02523 896 NtProtectVirtualMemory (-1, (0x599e000), 4096, 260, ... (0x599e000), 4096, 4, ) == 0x0 02524 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {1252, 1440}, ) == 0x0 02525 896 NtQueryInformationThread (728, Basic, 28, ... 02519 1028 NtCreateEvent ... 736, ) == 0x0 02526 1716 NtWaitForSingleObject (100, 0, 0x0, ... 02527 1028 NtCreateMutant (0x1f0001, 0x0, 0, ... 740, ) == 0x0 02528 1028 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
744, ) == 0x0 02529 1028 NtCreateMutant (0x1f0001, 0x0, 0, ... 748, ) == 0x0 02530 1028 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 752, ) == 0x0 02531 1028 NtCreateMutant (0x1f0001, 0x0, 0, ... 756, ) == 0x0 02532 1028 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... }, ... 02525 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1252,Tid=1440,}, 0x0, ) == 0x0 02533 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81936, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\240\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\240\5\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81937, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81936, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\240\5\0\0" ... {28, 56, reply, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\344\4\0\0\240\5\0\0" ) ) == 0x0 02534 896 NtResumeThread (728, ... 1, ) == 0x0 02535 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 93978624, 1048576, ) == 0x0 02536 896 NtAllocateVirtualMemory (-1, 95019008, 0, 8192, 4096, 4, ... 95019008, 8192, ) == 0x0 02537 896 NtProtectVirtualMemory (-1, (0x5a9e000), 4096, 260, ... (0x5a9e000), 4096, 4, ) == 0x0 02532 1028 NtOpenKey ... 760, ) == 0x0 02538 1440 NtWaitForSingleObject (100, 0, 0x0, ... 02539 1028 NtQueryValueKey (760, (760, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (760, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02540 1028 NtQueryValueKey (760, (760, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (760, "LogLevel", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02541 1028 NtQueryValueKey (760, (760, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02542 1028 NtOpenKey (0x1, {24, 760, 0x40, 0, 0, (0x1, {24, 760, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02543 1028 NtClose (760, ... ) == 0x0 02544 1028 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 16247476, ... }, 16247476, ... 02545 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {1252, 1664}, ) == 0x0 02546 896 NtQueryInformationThread (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1252,Tid=1664,}, 0x0, ) == 0x0 02547 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81937, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\200\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\200\6\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81938, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81937, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\200\6\0\0" ... {28, 56, reply, 0, 1252, 896, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\344\4\0\0\200\6\0\0" ) ) == 0x0 02548 896 NtResumeThread (760, ... 1, ) == 0x0 02549 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 95027200, 1048576, ) == 0x0 02550 896 NtAllocateVirtualMemory (-1, 96067584, 0, 8192, 4096, 4, ... 02544 1028 NtQueryAttributesFile ... ) == 0x0 02551 1664 NtWaitForSingleObject (100, 0, 0x0, ... 02552 1028 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 764, ) }, ... 764, ) == 0x0 02553 1028 NtQueryValueKey (764, (764, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... 
TitleIdx=0, Type=1, Name= (764, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (764, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 02554 1028 NtClose (764, ... ) == 0x0 02555 1028 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 764, ) }, ... 764, ) == 0x0 02556 1028 NtQueryValueKey (764, (764, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (764, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (764, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0 02557 1028 NtClose (764, ... 02550 896 NtAllocateVirtualMemory ... 96067584, 8192, ) == 0x0 02558 896 NtProtectVirtualMemory (-1, (0x5b9e000), 4096, 260, ... (0x5b9e000), 4096, 4, ) == 0x0 02559 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 768, {1252, 1972}, ) == 0x0 02560 896 NtQueryInformationThread (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1252,Tid=1972,}, 0x0, ) == 0x0 02561 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81938, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0\264\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0\264\7\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81939, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81938, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0\264\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\344\4\0\0\264\7\0\0" ) ) == 0x0 02562 896 NtResumeThread (768, ... 1, ) == 0x0 02557 1028 NtClose ... 
) == 0x0 02563 1972 NtWaitForSingleObject (100, 0, 0x0, ... 02564 1028 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02565 1028 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 764, ) }, ... 764, ) == 0x0 02566 1028 NtQueryValueKey (764, (764, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (764, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (764, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 02567 1028 NtClose (764, ... ) == 0x0 02568 1028 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshbth.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02569 1028 NtSetEventBoostPriority (100, ... 02570 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 96075776, 1048576, ) == 0x0 02571 896 NtAllocateVirtualMemory (-1, 97116160, 0, 8192, 4096, 4, ... 97116160, 8192, ) == 0x0 02572 896 NtProtectVirtualMemory (-1, (0x5c9e000), 4096, 260, ... (0x5c9e000), 4096, 4, ) == 0x0 02573 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 764, {1252, 1036}, ) == 0x0 02574 896 NtQueryInformationThread (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1252,Tid=1036,}, 0x0, ) == 0x0 02575 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81939, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81939, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\344\4\0\0\14\4\0\0" ... ... 02282 644 NtWaitForSingleObject ... ) == 0x0 02576 644 NtSetEventBoostPriority (100, ... 02302 1736 NtWaitForSingleObject ... 
) == 0x0 02577 1736 NtSetEventBoostPriority (100, ... 02314 320 NtWaitForSingleObject ... ) == 0x0 02578 320 NtSetEventBoostPriority (100, ... 02326 380 NtWaitForSingleObject ... ) == 0x0 02579 380 NtSetEventBoostPriority (100, ... 02335 1332 NtWaitForSingleObject ... ) == 0x0 02580 1332 NtSetEventBoostPriority (100, ... 02351 1336 NtWaitForSingleObject ... ) == 0x0 02581 1336 NtSetEventBoostPriority (100, ... 02366 1808 NtWaitForSingleObject ... ) == 0x0 02582 1808 NtSetEventBoostPriority (100, ... 02378 468 NtWaitForSingleObject ... ) == 0x0 02583 468 NtSetEventBoostPriority (100, ... 02391 752 NtWaitForSingleObject ... ) == 0x0 02584 752 NtSetEventBoostPriority (100, ... 02401 1512 NtWaitForSingleObject ... ) == 0x0 02585 1512 NtSetEventBoostPriority (100, ... 02422 1380 NtWaitForSingleObject ... ) == 0x0 02586 1380 NtSetEventBoostPriority (100, ... 02434 1564 NtWaitForSingleObject ... ) == 0x0 02587 1564 NtSetEventBoostPriority (100, ... 02447 164 NtWaitForSingleObject ... ) == 0x0 02588 164 NtSetEventBoostPriority (100, ... 02459 312 NtWaitForSingleObject ... ) == 0x0 02589 312 NtSetEventBoostPriority (100, ... 02481 1964 NtWaitForSingleObject ... ) == 0x0 02590 1964 NtSetEventBoostPriority (100, ... 02493 1568 NtWaitForSingleObject ... ) == 0x0 02591 1568 NtSetEventBoostPriority (100, ... 02504 1624 NtWaitForSingleObject ... ) == 0x0 02592 1624 NtSetEventBoostPriority (100, ... 02526 1716 NtWaitForSingleObject ... ) == 0x0 02593 1716 NtAllocateVirtualMemory (-1, 8810496, 0, 4096, 4096, 4, ... 8810496, 4096, ) == 0x0 02592 1624 NtSetEventBoostPriority ... ) == 0x0 02591 1568 NtSetEventBoostPriority ... ) == 0x0 02590 1964 NtSetEventBoostPriority ... ) == 0x0 02589 312 NtSetEventBoostPriority ... ) == 0x0 02588 164 NtSetEventBoostPriority ... ) == 0x0 02587 1564 NtSetEventBoostPriority ... ) == 0x0 02586 1380 NtSetEventBoostPriority ... ) == 0x0 02585 1512 NtSetEventBoostPriority ... ) == 0x0 02584 752 NtSetEventBoostPriority ... 
) == 0x0 02583 468 NtSetEventBoostPriority ... ) == 0x0 02582 1808 NtSetEventBoostPriority ... ) == 0x0 02581 1336 NtSetEventBoostPriority ... ) == 0x0 02580 1332 NtSetEventBoostPriority ... ) == 0x0 02579 380 NtSetEventBoostPriority ... ) == 0x0 02578 320 NtSetEventBoostPriority ... ) == 0x0 02577 1736 NtSetEventBoostPriority ... ) == 0x0 02576 644 NtSetEventBoostPriority ... ) == 0x0 02569 1028 NtSetEventBoostPriority ... ) == 0x0 02575 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81940, 0} ... {28, 56, reply, 0, 1252, 896, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\344\4\0\0\14\4\0\0" ) ) == 0x0 02594 1716 NtSetEventBoostPriority (100, ... 02595 1624 NtTestAlert (... 02596 1568 NtTestAlert (... 02597 1964 NtTestAlert (... 02598 312 NtTestAlert (... 02599 164 NtTestAlert (... 02600 1564 NtTestAlert (... 02601 1380 NtTestAlert (... 02602 1512 NtTestAlert (... 02603 752 NtTestAlert (... 02604 468 NtTestAlert (... 02605 1808 NtTestAlert (... 02606 1336 NtTestAlert (... 02607 1332 NtTestAlert (... 02608 380 NtTestAlert (... 02609 320 NtTestAlert (... 02610 1736 NtTestAlert (... 02611 1028 NtWaitForSingleObject (100, 0, 0x0, ... 02612 896 NtResumeThread (764, ... 02538 1440 NtWaitForSingleObject ... ) == 0x0 02594 1716 NtSetEventBoostPriority ... ) == 0x0 02595 1624 NtTestAlert ... ) == 0x0 02596 1568 NtTestAlert ... ) == 0x0 02597 1964 NtTestAlert ... ) == 0x0 02598 312 NtTestAlert ... ) == 0x0 02599 164 NtTestAlert ... ) == 0x0 02600 1564 NtTestAlert ... ) == 0x0 02601 1380 NtTestAlert ... ) == 0x0 02602 1512 NtTestAlert ... ) == 0x0 02603 752 NtTestAlert ... ) == 0x0 02604 468 NtTestAlert ... ) == 0x0 02605 1808 NtTestAlert ... ) == 0x0 02606 1336 NtTestAlert ... ) == 0x0 02607 1332 NtTestAlert ... ) == 0x0 02608 380 NtTestAlert ... ) == 0x0 02609 320 NtTestAlert ... ) == 0x0 02610 1736 NtTestAlert ... ) == 0x0 02613 1440 NtSetEventBoostPriority (100, ... 02612 896 NtResumeThread ... 1, ) == 0x0 02614 1716 NtTestAlert (... 
02615 1624 NtContinue (91880752, 1, ... 02616 1568 NtContinue (90832176, 1, ... 02617 1964 NtContinue (89783600, 1, ... 02618 312 NtContinue (88735024, 1, ... 02619 164 NtContinue (87686448, 1, ... 02620 1564 NtContinue (86637872, 1, ... 02621 1380 NtContinue (85589296, 1, ... 02622 1512 NtContinue (84540720, 1, ... 02623 752 NtContinue (83492144, 1, ... 02624 468 NtContinue (82443568, 1, ... 02625 1808 NtContinue (81394992, 1, ... 02626 1336 NtContinue (80346416, 1, ... 02627 1332 NtContinue (79297840, 1, ... 02628 380 NtContinue (78249264, 1, ... 02629 320 NtContinue (77200688, 1, ... 02551 1664 NtWaitForSingleObject ... ) == 0x0 02613 1440 NtSetEventBoostPriority ... ) == 0x0 02630 1736 NtContinue (76152112, 1, ... 02631 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02614 1716 NtTestAlert ... ) == 0x0 02632 1624 NtRegisterThreadTerminatePort (24, ... 02633 1568 NtRegisterThreadTerminatePort (24, ... 02634 1964 NtRegisterThreadTerminatePort (24, ... 02635 312 NtRegisterThreadTerminatePort (24, ... 02636 164 NtRegisterThreadTerminatePort (24, ... 02637 1564 NtRegisterThreadTerminatePort (24, ... 02638 1380 NtRegisterThreadTerminatePort (24, ... 02639 1512 NtRegisterThreadTerminatePort (24, ... 02640 752 NtRegisterThreadTerminatePort (24, ... 02641 468 NtRegisterThreadTerminatePort (24, ... 02642 1808 NtRegisterThreadTerminatePort (24, ... 02643 1336 NtRegisterThreadTerminatePort (24, ... 02644 1332 NtRegisterThreadTerminatePort (24, ... 02645 380 NtRegisterThreadTerminatePort (24, ... 02646 1664 NtSetEventBoostPriority (100, ... 02647 320 NtRegisterThreadTerminatePort (24, ... 02648 644 NtTestAlert (... 02649 1036 NtWaitForSingleObject (100, 0, 0x0, ... 02650 1736 NtRegisterThreadTerminatePort (24, ... 02631 896 NtAllocateVirtualMemory ... 97124352, 1048576, ) == 0x0 02651 1716 NtContinue (92929328, 1, ... 02632 1624 NtRegisterThreadTerminatePort ... ) == 0x0 02633 1568 NtRegisterThreadTerminatePort ... 
) == 0x0 02634 1964 NtRegisterThreadTerminatePort ... ) == 0x0 02635 312 NtRegisterThreadTerminatePort ... ) == 0x0 02636 164 NtRegisterThreadTerminatePort ... ) == 0x0 02637 1564 NtRegisterThreadTerminatePort ... ) == 0x0 02638 1380 NtRegisterThreadTerminatePort ... ) == 0x0 02639 1512 NtRegisterThreadTerminatePort ... ) == 0x0 02640 752 NtRegisterThreadTerminatePort ... ) == 0x0 02641 468 NtRegisterThreadTerminatePort ... ) == 0x0 02642 1808 NtRegisterThreadTerminatePort ... ) == 0x0 02643 1336 NtRegisterThreadTerminatePort ... ) == 0x0 02644 1332 NtRegisterThreadTerminatePort ... ) == 0x0 02563 1972 NtWaitForSingleObject ... ) == 0x0 02646 1664 NtSetEventBoostPriority ... ) == 0x0 02645 380 NtRegisterThreadTerminatePort ... ) == 0x0 02647 320 NtRegisterThreadTerminatePort ... ) == 0x0 02648 644 NtTestAlert ... ) == 0x0 02650 1736 NtRegisterThreadTerminatePort ... ) == 0x0 02652 896 NtAllocateVirtualMemory (-1, 98164736, 0, 8192, 4096, 4, ... 02653 1716 NtRegisterThreadTerminatePort (24, ... 02654 1624 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02655 1568 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02656 1964 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02657 312 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02658 164 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02659 1564 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02660 1380 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02661 1512 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02662 752 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02663 468 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02664 1808 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02665 1336 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02666 1972 NtSetEventBoostPriority (100, ... 02667 1332 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02668 1440 NtTestAlert (... 02669 380 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02670 320 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02671 644 NtContinue (74972464, 1, ... 
02672 1736 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02673 1664 NtTestAlert (... 02652 896 NtAllocateVirtualMemory ... 98164736, 8192, ) == 0x0 02653 1716 NtRegisterThreadTerminatePort ... ) == 0x0 02654 1624 NtDuplicateObject ... 772, ) == 0x0 02655 1568 NtDuplicateObject ... 776, ) == 0x0 02656 1964 NtDuplicateObject ... 780, ) == 0x0 02657 312 NtDuplicateObject ... 784, ) == 0x0 02658 164 NtDuplicateObject ... 788, ) == 0x0 02659 1564 NtDuplicateObject ... 792, ) == 0x0 02660 1380 NtDuplicateObject ... 796, ) == 0x0 02661 1512 NtDuplicateObject ... 800, ) == 0x0 02662 752 NtDuplicateObject ... 804, ) == 0x0 02663 468 NtDuplicateObject ... 808, ) == 0x0 02664 1808 NtDuplicateObject ... 812, ) == 0x0 02611 1028 NtWaitForSingleObject ... ) == 0x0 02666 1972 NtSetEventBoostPriority ... ) == 0x0 02665 1336 NtDuplicateObject ... 816, ) == 0x0 02668 1440 NtTestAlert ... ) == 0x0 02667 1332 NtDuplicateObject ... 820, ) == 0x0 02669 380 NtDuplicateObject ... 824, ) == 0x0 02674 644 NtRegisterThreadTerminatePort (24, ... 02670 320 NtDuplicateObject ... 828, ) == 0x0 02673 1664 NtTestAlert ... ) == 0x0 02675 896 NtProtectVirtualMemory (-1, (0x5d9e000), 4096, 260, ... 02676 1716 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02677 1624 NtWaitForSingleObject (64, 0, {0, 0}, ... 02678 1568 NtWaitForSingleObject (64, 0, {0, 0}, ... 02679 1964 NtWaitForSingleObject (64, 0, {0, 0}, ... 02680 312 NtWaitForSingleObject (64, 0, {0, 0}, ... 02681 164 NtWaitForSingleObject (64, 0, {0, 0}, ... 02682 1564 NtWaitForSingleObject (64, 0, {0, 0}, ... 02683 1380 NtWaitForSingleObject (64, 0, {0, 0}, ... 02684 1512 NtWaitForSingleObject (64, 0, {0, 0}, ... 02685 752 NtWaitForSingleObject (64, 0, {0, 0}, ... 02686 468 NtWaitForSingleObject (64, 0, {0, 0}, ... 02687 1028 NtSetEventBoostPriority (100, ... 02688 1808 NtWaitForSingleObject (64, 0, {0, 0}, ... 02672 1736 NtDuplicateObject ... 832, ) == 0x0 02689 1336 NtWaitForSingleObject (64, 0, {0, 0}, ... 
02690 1440 NtContinue (93977904, 1, ... 02691 1332 NtWaitForSingleObject (64, 0, {0, 0}, ... 02692 380 NtWaitForSingleObject (64, 0, {0, 0}, ... 02674 644 NtRegisterThreadTerminatePort ... ) == 0x0 02693 320 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 02694 1664 NtContinue (95026480, 1, ... 02675 896 NtProtectVirtualMemory ... (0x5d9e000), 4096, 4, ) == 0x0 02676 1716 NtDuplicateObject ... 836, ) == 0x0 02677 1624 NtWaitForSingleObject ... ) == 0x102 02678 1568 NtWaitForSingleObject ... ) == 0x102 02679 1964 NtWaitForSingleObject ... ) == 0x102 02680 312 NtWaitForSingleObject ... ) == 0x102 02681 164 NtWaitForSingleObject ... ) == 0x102 02682 1564 NtWaitForSingleObject ... ) == 0x102 02683 1380 NtWaitForSingleObject ... ) == 0x102 02684 1512 NtWaitForSingleObject ... ) == 0x102 02685 752 NtWaitForSingleObject ... ) == 0x102 02649 1036 NtWaitForSingleObject ... ) == 0x0 02687 1028 NtSetEventBoostPriority ... ) == 0x0 02686 468 NtWaitForSingleObject ... ) == 0x102 02688 1808 NtWaitForSingleObject ... ) == 0x102 02695 1736 NtWaitForSingleObject (300, 0, 0x0, ... 02689 1336 NtWaitForSingleObject ... ) == 0x102 02696 1440 NtRegisterThreadTerminatePort (24, ... 02691 1332 NtWaitForSingleObject ... ) == 0x102 02692 380 NtWaitForSingleObject ... ) == 0x102 02697 644 NtWaitForSingleObject (300, 0, 0x0, ... 02693 320 NtAllocateVirtualMemory ... 1413120, 4096, ) == 0x0 02698 1664 NtRegisterThreadTerminatePort (24, ... 02699 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02700 1716 NtWaitForSingleObject (300, 0, 0x0, ... 02701 1624 NtWaitForSingleObject (300, 0, 0x0, ... 02702 1568 NtWaitForSingleObject (300, 0, 0x0, ... 02703 1964 NtWaitForSingleObject (300, 0, 0x0, ... 02704 312 NtWaitForSingleObject (300, 0, 0x0, ... 02705 164 NtWaitForSingleObject (300, 0, 0x0, ... 02706 1564 NtWaitForSingleObject (300, 0, 0x0, ... 02707 1380 NtWaitForSingleObject (300, 0, 0x0, ... 02708 1512 NtWaitForSingleObject (300, 0, 0x0, ... 
02709 1036 NtWaitForSingleObject (300, 0, 0x0, ... 02710 752 NtWaitForSingleObject (300, 0, 0x0, ... 02711 1972 NtTestAlert (... 02712 468 NtWaitForSingleObject (300, 0, 0x0, ... 02713 1808 NtWaitForSingleObject (300, 0, 0x0, ... 02714 1336 NtWaitForSingleObject (300, 0, 0x0, ... 02696 1440 NtRegisterThreadTerminatePort ... ) == 0x0 02715 1332 NtWaitForSingleObject (300, 0, 0x0, ... 02716 380 NtWaitForSingleObject (300, 0, 0x0, ... 02717 1028 NtWaitForSingleObject (300, 0, 0x0, ... 02718 320 NtSetEventBoostPriority (300, ... 02698 1664 NtRegisterThreadTerminatePort ... ) == 0x0 02699 896 NtCreateThread ... 840, {1252, 1248}, ) == 0x0 02711 1972 NtTestAlert ... ) == 0x0 02719 1440 NtWaitForSingleObject (300, 0, 0x0, ... 02695 1736 NtWaitForSingleObject ... ) == 0x0 02718 320 NtSetEventBoostPriority ... ) == 0x0 02720 1664 NtWaitForSingleObject (300, 0, 0x0, ... 02721 896 NtQueryInformationThread (840, Basic, 28, ... 02722 1972 NtContinue (96075056, 1, ... 02723 1736 NtSetEventBoostPriority (300, ... 02724 320 NtWaitForSingleObject (300, 0, 0x0, ... 02700 1716 NtWaitForSingleObject ... ) == 0x0 02723 1736 NtSetEventBoostPriority ... ) == 0x0 02725 1972 NtRegisterThreadTerminatePort (24, ... 02721 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1252,Tid=1248,}, 0x0, ) == 0x0 02726 1716 NtSetEventBoostPriority (300, ... 02725 1972 NtRegisterThreadTerminatePort ... ) == 0x0 02701 1624 NtWaitForSingleObject ... ) == 0x0 02726 1716 NtSetEventBoostPriority ... ) == 0x0 02727 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81940, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81940, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\344\4\0\0\340\4\0\0" ... ... 02728 1624 NtSetEventBoostPriority (300, ... 02729 1972 NtWaitForSingleObject (300, 0, 0x0, ... 02730 1736 NtWaitForSingleObject (300, 0, 0x0, ... 02702 1568 NtWaitForSingleObject ... ) == 0x0 02728 1624 NtSetEventBoostPriority ... ) == 0x0 02727 896 NtRequestWaitReplyPort ... 
{28, 56, reply, 0, 1252, 896, 81941, 0} ... {28, 56, reply, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\344\4\0\0\340\4\0\0" ) ) == 0x0 02731 1716 NtWaitForSingleObject (300, 0, 0x0, ... 02732 1568 NtSetEventBoostPriority (300, ... 02733 896 NtResumeThread (840, ... 02703 1964 NtWaitForSingleObject ... ) == 0x0 02732 1568 NtSetEventBoostPriority ... ) == 0x0 02734 1964 NtSetEventBoostPriority (300, ... 02733 896 NtResumeThread ... 1, ) == 0x0 02735 1624 NtWaitForSingleObject (132, 0, 0x0, ... 02704 312 NtWaitForSingleObject ... ) == 0x0 02734 1964 NtSetEventBoostPriority ... ) == 0x0 02736 1568 NtWaitForSingleObject (132, 0, 0x0, ... 02737 1248 NtWaitForSingleObject (100, 0, 0x0, ... 02738 312 NtSetEventBoostPriority (300, ... 02739 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02705 164 NtWaitForSingleObject ... ) == 0x0 02738 312 NtSetEventBoostPriority ... ) == 0x0 02740 164 NtSetEventBoostPriority (300, ... 02739 896 NtAllocateVirtualMemory ... 98172928, 1048576, ) == 0x0 02741 1964 NtWaitForSingleObject (132, 0, 0x0, ... 02706 1564 NtWaitForSingleObject ... ) == 0x0 02740 164 NtSetEventBoostPriority ... ) == 0x0 02742 896 NtAllocateVirtualMemory (-1, 99213312, 0, 8192, 4096, 4, ... 02743 1564 NtSetEventBoostPriority (300, ... 02744 312 NtWaitForSingleObject (132, 0, 0x0, ... 02707 1380 NtWaitForSingleObject ... ) == 0x0 02743 1564 NtSetEventBoostPriority ... ) == 0x0 02742 896 NtAllocateVirtualMemory ... 99213312, 8192, ) == 0x0 02745 1380 NtSetEventBoostPriority (300, ... 02746 164 NtWaitForSingleObject (132, 0, 0x0, ... 02709 1036 NtWaitForSingleObject ... ) == 0x0 02745 1380 NtSetEventBoostPriority ... ) == 0x0 02747 896 NtProtectVirtualMemory (-1, (0x5e9e000), 4096, 260, ... 02748 1036 NtSetEventBoostPriority (300, ... 02749 1564 NtWaitForSingleObject (132, 0, 0x0, ... 02708 1512 NtWaitForSingleObject ... ) == 0x0 02748 1036 NtSetEventBoostPriority ... ) == 0x0 02747 896 NtProtectVirtualMemory ... 
(0x5e9e000), 4096, 4, ) == 0x0 02750 1512 NtSetEventBoostPriority (300, ... 02751 1380 NtWaitForSingleObject (132, 0, 0x0, ... 02752 1036 NtSetEventBoostPriority (100, ... 02710 752 NtWaitForSingleObject ... ) == 0x0 02750 1512 NtSetEventBoostPriority ... ) == 0x0 02753 752 NtSetEventBoostPriority (300, ... 02737 1248 NtWaitForSingleObject ... ) == 0x0 02752 1036 NtSetEventBoostPriority ... ) == 0x0 02754 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02712 468 NtWaitForSingleObject ... ) == 0x0 02755 1248 NtWaitForSingleObject (300, 0, 0x0, ... 02753 752 NtSetEventBoostPriority ... ) == 0x0 02756 1036 NtTestAlert (... 02757 468 NtSetEventBoostPriority (300, ... 02754 896 NtCreateThread ... 844, {1252, 1656}, ) == 0x0 02758 1512 NtWaitForSingleObject (132, 0, 0x0, ... 02713 1808 NtWaitForSingleObject ... ) == 0x0 02757 468 NtSetEventBoostPriority ... ) == 0x0 02756 1036 NtTestAlert ... ) == 0x0 02759 896 NtQueryInformationThread (844, Basic, 28, ... 02760 1808 NtSetEventBoostPriority (300, ... 02761 752 NtWaitForSingleObject (132, 0, 0x0, ... 02762 1036 NtContinue (97123632, 1, ... 02714 1336 NtWaitForSingleObject ... ) == 0x0 02760 1808 NtSetEventBoostPriority ... ) == 0x0 02759 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1252,Tid=1656,}, 0x0, ) == 0x0 02763 1336 NtSetEventBoostPriority (300, ... 02764 1036 NtRegisterThreadTerminatePort (24, ... 02765 468 NtWaitForSingleObject (132, 0, 0x0, ... 02715 1332 NtWaitForSingleObject ... ) == 0x0 02763 1336 NtSetEventBoostPriority ... ) == 0x0 02766 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81941, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81941, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\3\0\0\344\4\0\0x\6\0\0" ... ... 02767 1808 NtWaitForSingleObject (132, 0, 0x0, ... 02768 1332 NtSetEventBoostPriority (300, ... 02764 1036 NtRegisterThreadTerminatePort ... ) == 0x0 02716 380 NtWaitForSingleObject ... ) == 0x0 02768 1332 NtSetEventBoostPriority ... 
) == 0x0 02769 380 NtSetEventBoostPriority (300, ... 02770 1036 NtWaitForSingleObject (300, 0, 0x0, ... 02771 1336 NtWaitForSingleObject (132, 0, 0x0, ... 02766 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81942, 0} ... {28, 56, reply, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGL\3\0\0\344\4\0\0x\6\0\0" ) ) == 0x0 02717 1028 NtWaitForSingleObject ... ) == 0x0 02769 380 NtSetEventBoostPriority ... ) == 0x0 02772 1028 NtSetEventBoostPriority (300, ... 02773 896 NtResumeThread (844, ... 02774 1332 NtWaitForSingleObject (132, 0, 0x0, ... 02697 644 NtWaitForSingleObject ... ) == 0x0 02772 1028 NtSetEventBoostPriority ... ) == 0x0 02773 896 NtResumeThread ... 1, ) == 0x0 02775 644 NtSetEventBoostPriority (300, ... 02776 1028 NtSetEventBoostPriority (132, ... 02719 1440 NtWaitForSingleObject ... ) == 0x0 02777 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02775 644 NtSetEventBoostPriority ... ) == 0x0 02778 380 NtWaitForSingleObject (132, 0, 0x0, ... 02779 1656 NtWaitForSingleObject (100, 0, 0x0, ... 02780 1440 NtSetEventBoostPriority (300, ... 02777 896 NtAllocateVirtualMemory ... 99221504, 1048576, ) == 0x0 02781 644 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02720 1664 NtWaitForSingleObject ... ) == 0x0 02782 896 NtAllocateVirtualMemory (-1, 100261888, 0, 8192, 4096, 4, ... 02781 644 NtDuplicateObject ... 848, ) == 0x0 02783 1664 NtSetEventBoostPriority (300, ... 02780 1440 NtSetEventBoostPriority ... ) == 0x0 00869 384 NtWaitForSingleObject ... ) == 0x0 02776 1028 NtSetEventBoostPriority ... ) == 0x0 02782 896 NtAllocateVirtualMemory ... 100261888, 8192, ) == 0x0 02724 320 NtWaitForSingleObject ... ) == 0x0 02784 1440 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02785 384 NtWaitForSingleObject (300, 0, 0x0, ... 02786 1028 NtWaitForSingleObject (300, 0, 0x0, ... 02787 896 NtProtectVirtualMemory (-1, (0x5f9e000), 4096, 260, ... 02788 320 NtSetEventBoostPriority (300, ... 02784 1440 NtDuplicateObject ... 
852, ) == 0x0 02787 896 NtProtectVirtualMemory ... (0x5f9e000), 4096, 4, ) == 0x0 02730 1736 NtWaitForSingleObject ... ) == 0x0 02788 320 NtSetEventBoostPriority ... ) == 0x0 02783 1664 NtSetEventBoostPriority ... ) == 0x0 02789 644 NtWaitForSingleObject (300, 0, 0x0, ... 02790 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02791 1736 NtSetEventBoostPriority (300, ... 02792 320 NtWaitForSingleObject (300, 0, 0x0, ... 02793 1664 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02790 896 NtCreateThread ... 856, {1252, 760}, ) == 0x0 02729 1972 NtWaitForSingleObject ... ) == 0x0 02791 1736 NtSetEventBoostPriority ... ) == 0x0 02793 1664 NtDuplicateObject ... 860, ) == 0x0 02794 1972 NtSetEventBoostPriority (300, ... 02795 896 NtQueryInformationThread (856, Basic, 28, ... 02796 1736 NtWaitForSingleObject (352, 0, 0x0, ... 02797 1440 NtWaitForSingleObject (300, 0, 0x0, ... 02731 1716 NtWaitForSingleObject ... ) == 0x0 02794 1972 NtSetEventBoostPriority ... ) == 0x0 02798 1664 NtWaitForSingleObject (300, 0, 0x0, ... 02795 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1252,Tid=760,}, 0x0, ) == 0x0 02799 1716 NtSetEventBoostPriority (300, ... 02800 1972 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02801 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81942, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81942, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\344\4\0\0\370\2\0\0" ... ... 02755 1248 NtWaitForSingleObject ... ) == 0x0 02799 1716 NtSetEventBoostPriority ... ) == 0x0 02800 1972 NtDuplicateObject ... 864, ) == 0x0 02802 1248 NtSetEventBoostPriority (300, ... 02801 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81943, 0} ... {28, 56, reply, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\3\0\0\344\4\0\0\370\2\0\0" ) ) == 0x0 02803 1716 NtWaitForSingleObject (352, 0, 0x0, ... 02770 1036 NtWaitForSingleObject ... ) == 0x0 02802 1248 NtSetEventBoostPriority ... 
) == 0x0 02804 896 NtResumeThread (856, ... 02805 1972 NtWaitForSingleObject (300, 0, 0x0, ... 02806 1036 NtSetEventBoostPriority (300, ... 02804 896 NtResumeThread ... 1, ) == 0x0 02785 384 NtWaitForSingleObject ... ) == 0x0 02806 1036 NtSetEventBoostPriority ... ) == 0x0 02807 1248 NtSetEventBoostPriority (100, ... 02808 760 NtWaitForSingleObject (100, 0, 0x0, ... 02809 384 NtSetEventBoostPriority (300, ... 02810 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02779 1656 NtWaitForSingleObject ... ) == 0x0 02807 1248 NtSetEventBoostPriority ... ) == 0x0 02786 1028 NtWaitForSingleObject ... ) == 0x0 02809 384 NtSetEventBoostPriority ... ) == 0x0 02811 1656 NtWaitForSingleObject (300, 0, 0x0, ... 02810 896 NtAllocateVirtualMemory ... 100270080, 1048576, ) == 0x0 02812 1028 NtAllocateVirtualMemory (-1, 1417216, 0, 4096, 4096, 4, ... 02813 1248 NtTestAlert (... 02814 1036 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02812 1028 NtAllocateVirtualMemory ... 1417216, 4096, ) == 0x0 02815 896 NtAllocateVirtualMemory (-1, 101310464, 0, 8192, 4096, 4, ... 02813 1248 NtTestAlert ... ) == 0x0 02814 1036 NtDuplicateObject ... 868, ) == 0x0 02816 384 NtWaitForSingleObject (300, 0, 0x0, ... 02815 896 NtAllocateVirtualMemory ... 101310464, 8192, ) == 0x0 02817 1248 NtContinue (98172208, 1, ... 02818 1036 NtWaitForSingleObject (300, 0, 0x0, ... 02819 896 NtProtectVirtualMemory (-1, (0x609e000), 4096, 260, ... 02820 1248 NtRegisterThreadTerminatePort (24, ... 02819 896 NtProtectVirtualMemory ... (0x609e000), 4096, 4, ) == 0x0 02821 1028 NtSetEventBoostPriority (300, ... 02820 1248 NtRegisterThreadTerminatePort ... ) == 0x0 02789 644 NtWaitForSingleObject ... ) == 0x0 02821 1028 NtSetEventBoostPriority ... ) == 0x0 02822 644 NtSetEventBoostPriority (300, ... 02823 1248 NtWaitForSingleObject (300, 0, 0x0, ... 02792 320 NtWaitForSingleObject ... ) == 0x0 02822 644 NtSetEventBoostPriority ... ) == 0x0 02824 1028 NtWaitForSingleObject (300, 0, 0x0, ... 
02825 320 NtSetEventBoostPriority (300, ... 02826 644 NtWaitForSingleObject (300, 0, 0x0, ... 02797 1440 NtWaitForSingleObject ... ) == 0x0 02825 320 NtSetEventBoostPriority ... ) == 0x0 02827 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02828 1440 NtSetEventBoostPriority (300, ... 02798 1664 NtWaitForSingleObject ... ) == 0x0 02829 1664 NtSetEventBoostPriority (300, ... 02805 1972 NtWaitForSingleObject ... ) == 0x0 02830 1972 NtSetEventBoostPriority (300, ... 02811 1656 NtWaitForSingleObject ... ) == 0x0 02831 1656 NtSetEventBoostPriority (300, ... 02816 384 NtWaitForSingleObject ... ) == 0x0 02832 384 NtSetEventBoostPriority (300, ... 02818 1036 NtWaitForSingleObject ... ) == 0x0 02833 1036 NtSetEventBoostPriority (300, ... 02823 1248 NtWaitForSingleObject ... ) == 0x0 02834 1248 NtSetEventBoostPriority (300, ... 02824 1028 NtWaitForSingleObject ... ) == 0x0 02835 1028 NtSetEventBoostPriority (300, ... 02826 644 NtWaitForSingleObject ... ) == 0x0 02836 644 NtWaitForSingleObject (352, 0, 0x0, ... 02835 1028 NtSetEventBoostPriority ... ) == 0x0 02834 1248 NtSetEventBoostPriority ... ) == 0x0 02833 1036 NtSetEventBoostPriority ... ) == 0x0 02832 384 NtSetEventBoostPriority ... ) == 0x0 02831 1656 NtSetEventBoostPriority ... ) == 0x0 02830 1972 NtSetEventBoostPriority ... ) == 0x0 02829 1664 NtSetEventBoostPriority ... ) == 0x0 02828 1440 NtSetEventBoostPriority ... ) == 0x0 02827 896 NtCreateThread ... 872, {1252, 484}, ) == 0x0 02837 320 NtSetEventBoostPriority (352, ... 02838 1028 NtWaitForSingleObject (352, 0, 0x0, ... 02839 1248 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02840 384 NtSetEventBoostPriority (132, ... 02841 1036 NtWaitForSingleObject (352, 0, 0x0, ... 02842 1972 NtWaitForSingleObject (352, 0, 0x0, ... 02843 1664 NtWaitForSingleObject (352, 0, 0x0, ... 02844 1440 NtWaitForSingleObject (352, 0, 0x0, ... 02845 896 NtQueryInformationThread (872, Basic, 28, ... 02796 1736 NtWaitForSingleObject ... 
) == 0x0 02837 320 NtSetEventBoostPriority ... ) == 0x0 02839 1248 NtDuplicateObject ... 876, ) == 0x0 02846 1656 NtSetEventBoostPriority (100, ... 00870 376 NtWaitForSingleObject ... ) == 0x0 02840 384 NtSetEventBoostPriority ... ) == 0x0 02847 1736 NtSetEventBoostPriority (352, ... 02845 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1252,Tid=484,}, 0x0, ) == 0x0 02848 320 NtWaitForSingleObject (64, 0, {0, 0}, ... 02849 1248 NtWaitForSingleObject (352, 0, 0x0, ... 02808 760 NtWaitForSingleObject ... ) == 0x0 02846 1656 NtSetEventBoostPriority ... ) == 0x0 02850 376 NtSetEventBoostPriority (132, ... 02803 1716 NtWaitForSingleObject ... ) == 0x0 02851 384 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02852 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81943, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81943, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\344\4\0\0\344\1\0\0" ... ... 02848 320 NtWaitForSingleObject ... ) == 0x102 02853 760 NtTestAlert (... 02854 1656 NtTestAlert (... 00873 420 NtWaitForSingleObject ... ) == 0x0 02850 376 NtSetEventBoostPriority ... ) == 0x0 02855 1716 NtSetEventBoostPriority (352, ... 02851 384 NtCreateEvent ... 880, ) == 0x0 02853 760 NtTestAlert ... ) == 0x0 02856 320 NtWaitForSingleObject (132, 0, 0x0, ... 02857 420 NtSetEventBoostPriority (132, ... 02854 1656 NtTestAlert ... ) == 0x0 02847 1736 NtSetEventBoostPriority ... ) == 0x0 02852 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81944, 0} ... {28, 56, reply, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\3\0\0\344\4\0\0\344\1\0\0" ) ) == 0x0 02836 644 NtWaitForSingleObject ... ) == 0x0 02858 384 NtAllocateVirtualMemory (-1, 1421312, 0, 4096, 4096, 4, ... 02855 1716 NtSetEventBoostPriority ... ) == 0x0 02859 376 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02860 760 NtContinue (100269360, 1, ... 00874 596 NtWaitForSingleObject ... ) == 0x0 02857 420 NtSetEventBoostPriority ... ) == 0x0 02861 1656 NtContinue (99220784, 1, ... 
02862 1736 NtWaitForSingleObject (64, 0, {0, 0}, ... 02863 644 NtWaitForSingleObject (300, 0, 0x0, ... 02864 896 NtResumeThread (872, ... 02858 384 NtAllocateVirtualMemory ... 1421312, 4096, ) == 0x0 02865 1716 NtWaitForSingleObject (64, 0, {0, 0}, ... 02859 376 NtCreateEvent ... 884, ) == 0x0 02866 596 NtWaitForSingleObject (300, 0, 0x0, ... 02867 760 NtRegisterThreadTerminatePort (24, ... 02868 1656 NtRegisterThreadTerminatePort (24, ... 02864 896 NtResumeThread ... 1, ) == 0x0 02869 384 NtSetEventBoostPriority (300, ... 02870 376 NtWaitForSingleObject (300, 0, 0x0, ... 02867 760 NtRegisterThreadTerminatePort ... ) == 0x0 02871 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02862 1736 NtWaitForSingleObject ... ) == 0x102 02872 484 NtWaitForSingleObject (300, 0, 0x0, ... 02865 1716 NtWaitForSingleObject ... ) == 0x102 02873 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02868 1656 NtRegisterThreadTerminatePort ... ) == 0x0 02874 760 NtWaitForSingleObject (300, 0, 0x0, ... 02871 420 NtCreateEvent ... 888, ) == 0x0 02875 1736 NtWaitForSingleObject (300, 0, 0x0, ... 02876 1716 NtWaitForSingleObject (300, 0, 0x0, ... 02873 896 NtAllocateVirtualMemory ... 101318656, 1048576, ) == 0x0 02877 1656 NtWaitForSingleObject (300, 0, 0x0, ... 02878 420 NtWaitForSingleObject (300, 0, 0x0, ... 02879 896 NtAllocateVirtualMemory (-1, 102359040, 0, 8192, 4096, 4, ... 02863 644 NtWaitForSingleObject ... ) == 0x0 02869 384 NtSetEventBoostPriority ... ) == 0x0 02880 644 NtSetEventBoostPriority (300, ... 02866 596 NtWaitForSingleObject ... ) == 0x0 02881 596 NtSetEventBoostPriority (300, ... 02870 376 NtWaitForSingleObject ... ) == 0x0 02882 376 NtSetEventBoostPriority (300, ... 02872 484 NtWaitForSingleObject ... ) == 0x0 02883 484 NtSetEventBoostPriority (300, ... 02874 760 NtWaitForSingleObject ... ) == 0x0 02884 760 NtSetEventBoostPriority (300, ... 02875 1736 NtWaitForSingleObject ... ) == 0x0 02885 1736 NtSetEventBoostPriority (300, ... 
02876 1716 NtWaitForSingleObject ... ) == 0x0 02886 1716 NtSetEventBoostPriority (300, ... 02877 1656 NtWaitForSingleObject ... ) == 0x0 02887 1656 NtSetEventBoostPriority (300, ... 02878 420 NtWaitForSingleObject ... ) == 0x0 02888 420 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0 02887 1656 NtSetEventBoostPriority ... ) == 0x0 02886 1716 NtSetEventBoostPriority ... ) == 0x0 02885 1736 NtSetEventBoostPriority ... ) == 0x0 02884 760 NtSetEventBoostPriority ... ) == 0x0 02883 484 NtSetEventBoostPriority ... ) == 0x0 02882 376 NtSetEventBoostPriority ... ) == 0x0 02881 596 NtSetEventBoostPriority ... ) == 0x0 02889 384 NtWaitForSingleObject (300, 0, 0x0, ... 02880 644 NtSetEventBoostPriority ... ) == 0x0 02879 896 NtAllocateVirtualMemory ... 102359040, 8192, ) == 0x0 02890 420 NtSetEventBoostPriority (300, ... 02891 1656 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02892 1716 NtWaitForSingleObject (132, 0, 0x0, ... 02893 1736 NtWaitForSingleObject (132, 0, 0x0, ... 02894 760 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02895 484 NtTestAlert (... 02896 376 NtWaitForSingleObject (300, 0, 0x0, ... 02897 596 NtWaitForSingleObject (300, 0, 0x0, ... 02898 896 NtProtectVirtualMemory (-1, (0x619e000), 4096, 260, ... 02889 384 NtWaitForSingleObject ... ) == 0x0 02890 420 NtSetEventBoostPriority ... ) == 0x0 02891 1656 NtDuplicateObject ... 892, ) == 0x0 02894 760 NtDuplicateObject ... 896, ) == 0x0 02895 484 NtTestAlert ... ) == 0x0 02899 384 NtSetEventBoostPriority (300, ... 02898 896 NtProtectVirtualMemory ... (0x619e000), 4096, 4, ) == 0x0 02900 420 NtWaitForSingleObject (300, 0, 0x0, ... 02901 1656 NtWaitForSingleObject (300, 0, 0x0, ... 02902 760 NtWaitForSingleObject (300, 0, 0x0, ... 02896 376 NtWaitForSingleObject ... ) == 0x0 02899 384 NtSetEventBoostPriority ... ) == 0x0 02903 484 NtContinue (101317936, 1, ... 02904 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02905 376 NtSetEventBoostPriority (300, ... 
02906 644 NtSetEventBoostPriority (352, ... 02907 484 NtRegisterThreadTerminatePort (24, ... 02897 596 NtWaitForSingleObject ... ) == 0x0 02905 376 NtSetEventBoostPriority ... ) == 0x0 02904 896 NtCreateThread ... 900, {1252, 1580}, ) == 0x0 02838 1028 NtWaitForSingleObject ... ) == 0x0 02906 644 NtSetEventBoostPriority ... ) == 0x0 02908 596 NtSetEventBoostPriority (300, ... 02907 484 NtRegisterThreadTerminatePort ... ) == 0x0 02909 376 NtWaitForSingleObject (300, 0, 0x0, ... 02910 1028 NtWaitForSingleObject (300, 0, 0x0, ... 02911 896 NtQueryInformationThread (900, Basic, 28, ... 02900 420 NtWaitForSingleObject ... ) == 0x0 02908 596 NtSetEventBoostPriority ... ) == 0x0 02912 644 NtWaitForSingleObject (64, 0, {0, 0}, ... 02913 484 NtWaitForSingleObject (300, 0, 0x0, ... 02914 384 NtWaitForSingleObject (300, 0, 0x0, ... 02915 420 NtSetEventBoostPriority (300, ... 02916 596 NtWaitForSingleObject (300, 0, 0x0, ... 02912 644 NtWaitForSingleObject ... ) == 0x102 02911 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1252,Tid=1580,}, 0x0, ) == 0x0 02901 1656 NtWaitForSingleObject ... ) == 0x0 02915 420 NtSetEventBoostPriority ... ) == 0x0 02917 644 NtWaitForSingleObject (300, 0, 0x0, ... 02918 1656 NtSetEventBoostPriority (300, ... 02919 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81944, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81944, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\344\4\0\0,\6\0\0" ... ... 02920 420 NtWaitForSingleObject (300, 0, 0x0, ... 02902 760 NtWaitForSingleObject ... ) == 0x0 02918 1656 NtSetEventBoostPriority ... ) == 0x0 02919 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81945, 0} ... {28, 56, reply, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\344\4\0\0,\6\0\0" ) ) == 0x0 02921 760 NtAllocateVirtualMemory (-1, 1429504, 0, 4096, 4096, 4, ... 1429504, 4096, ) == 0x0 02922 896 NtResumeThread (900, ... 02923 1656 NtWaitForSingleObject (300, 0, 0x0, ... 
02922 896 NtResumeThread ... 1, ) == 0x0 02924 760 NtSetEventBoostPriority (300, ... 02925 1580 NtWaitForSingleObject (300, 0, 0x0, ... 02910 1028 NtWaitForSingleObject ... ) == 0x0 02924 760 NtSetEventBoostPriority ... ) == 0x0 02926 1028 NtSetEventBoostPriority (300, ... 02909 376 NtWaitForSingleObject ... ) == 0x0 02927 376 NtSetEventBoostPriority (300, ... 02914 384 NtWaitForSingleObject ... ) == 0x0 02928 384 NtSetEventBoostPriority (300, ... 02913 484 NtWaitForSingleObject ... ) == 0x0 02929 484 NtSetEventBoostPriority (300, ... 02916 596 NtWaitForSingleObject ... ) == 0x0 02930 596 NtSetEventBoostPriority (300, ... 02920 420 NtWaitForSingleObject ... ) == 0x0 02931 420 NtSetEventBoostPriority (300, ... 02917 644 NtWaitForSingleObject ... ) == 0x0 02932 644 NtSetEventBoostPriority (300, ... 02923 1656 NtWaitForSingleObject ... ) == 0x0 02933 1656 NtSetEventBoostPriority (300, ... 02925 1580 NtWaitForSingleObject ... ) == 0x0 02934 1580 NtTestAlert (... ) == 0x0 02933 1656 NtSetEventBoostPriority ... ) == 0x0 02931 420 NtSetEventBoostPriority ... ) == 0x0 02928 384 NtSetEventBoostPriority ... ) == 0x0 02926 1028 NtSetEventBoostPriority ... ) == 0x0 02935 760 NtWaitForSingleObject (352, 0, 0x0, ... 02932 644 NtSetEventBoostPriority ... ) == 0x0 02930 596 NtSetEventBoostPriority ... ) == 0x0 02929 484 NtSetEventBoostPriority ... ) == 0x0 02927 376 NtSetEventBoostPriority ... ) == 0x0 02936 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02937 1656 NtWaitForSingleObject (352, 0, 0x0, ... 02938 420 NtAllocateVirtualMemory (-1, 14143488, 0, 4096, 4096, 260, ... 02939 384 NtAllocateVirtualMemory (-1, 15192064, 0, 4096, 4096, 260, ... 02940 1580 NtContinue (102366512, 1, ... 02941 644 NtWaitForSingleObject (132, 0, 0x0, ... 02942 596 NtSetEventBoostPriority (132, ... 02943 484 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02944 376 NtAllocateVirtualMemory (-1, 13094912, 0, 4096, 4096, 260, ... 02936 896 NtAllocateVirtualMemory ... 
102367232, 1048576, ) == 0x0 02945 1028 NtSetEventBoostPriority (352, ... 02938 420 NtAllocateVirtualMemory ... 14143488, 4096, ) == 0x0 02946 1580 NtRegisterThreadTerminatePort (24, ... 00979 2012 NtWaitForSingleObject ... ) == 0x0 02942 596 NtSetEventBoostPriority ... ) == 0x0 02943 484 NtDuplicateObject ... 904, ) == 0x0 02944 376 NtAllocateVirtualMemory ... 13094912, 4096, ) == 0x0 02947 896 NtAllocateVirtualMemory (-1, 103407616, 0, 8192, 4096, 4, ... 02841 1036 NtWaitForSingleObject ... ) == 0x0 02945 1028 NtSetEventBoostPriority ... ) == 0x0 02948 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02949 2012 NtSetEventBoostPriority (132, ... 02946 1580 NtRegisterThreadTerminatePort ... ) == 0x0 02939 384 NtAllocateVirtualMemory ... 15192064, 4096, ) == 0x0 02950 596 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02951 484 NtWaitForSingleObject (352, 0, 0x0, ... 02952 1036 NtSetEventBoostPriority (352, ... 02947 896 NtAllocateVirtualMemory ... 103407616, 8192, ) == 0x0 02953 1028 NtWaitForSingleObject (352, 0, 0x0, ... 00981 1168 NtWaitForSingleObject ... ) == 0x0 02949 2012 NtSetEventBoostPriority ... ) == 0x0 02948 420 NtCreateEvent ... 908, ) == 0x0 02954 1580 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02955 384 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02950 596 NtCreateEvent ... 912, ) == 0x0 02842 1972 NtWaitForSingleObject ... ) == 0x0 02952 1036 NtSetEventBoostPriority ... ) == 0x0 02956 896 NtProtectVirtualMemory (-1, (0x629e000), 4096, 260, ... 02957 1168 NtSetEventBoostPriority (132, ... 02958 376 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02959 420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02954 1580 NtDuplicateObject ... 916, ) == 0x0 02955 384 NtCreateEvent ... 920, ) == 0x0 02960 1972 NtSetEventBoostPriority (352, ... 02961 596 NtAllocateVirtualMemory (-1, 1433600, 0, 4096, 4096, 4, ... 02962 1036 NtWaitForSingleObject (64, 0, {0, 0}, ... 00985 1180 NtWaitForSingleObject ... ) == 0x0 02957 1168 NtSetEventBoostPriority ... 
) == 0x0 02956 896 NtProtectVirtualMemory ... (0x629e000), 4096, 4, ) == 0x0 02958 376 NtCreateEvent ... 924, ) == 0x0 02959 420 NtDuplicateObject ... 928, ) == 0x0 02963 1580 NtWaitForSingleObject (300, 0, 0x0, ... 02843 1664 NtWaitForSingleObject ... ) == 0x0 02964 384 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02961 596 NtAllocateVirtualMemory ... 1433600, 4096, ) == 0x0 02960 1972 NtSetEventBoostPriority ... ) == 0x0 02965 2012 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02966 1180 NtWaitForSingleObject (300, 0, 0x0, ... 02962 1036 NtWaitForSingleObject ... ) == 0x102 02967 1168 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02968 376 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02969 420 NtWaitForSingleObject (300, 0, 0x0, ... 02970 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02971 1664 NtWaitForSingleObject (300, 0, 0x0, ... 02964 384 NtDuplicateObject ... 932, ) == 0x0 02972 596 NtSetEventBoostPriority (300, ... 02973 1972 NtWaitForSingleObject (64, 0, {0, 0}, ... 02965 2012 NtCreateEvent ... 936, ) == 0x0 02974 1036 NtWaitForSingleObject (132, 0, 0x0, ... 02967 1168 NtCreateEvent ... 940, ) == 0x0 02968 376 NtDuplicateObject ... 944, ) == 0x0 02970 896 NtCreateThread ... 948, {1252, 1756}, ) == 0x0 02975 384 NtWaitForSingleObject (300, 0, 0x0, ... 02966 1180 NtWaitForSingleObject ... ) == 0x0 02972 596 NtSetEventBoostPriority ... ) == 0x0 02976 2012 NtWaitForSingleObject (300, 0, 0x0, ... 02977 1168 NtWaitForSingleObject (300, 0, 0x0, ... 02978 376 NtWaitForSingleObject (300, 0, 0x0, ... 02979 896 NtQueryInformationThread (948, Basic, 28, ... 02973 1972 NtWaitForSingleObject ... ) == 0x102 02980 1180 NtSetEventBoostPriority (300, ... 02979 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1252,Tid=1756,}, 0x0, ) == 0x0 02963 1580 NtWaitForSingleObject ... ) == 0x0 02980 1180 NtSetEventBoostPriority ... ) == 0x0 02981 1972 NtWaitForSingleObject (132, 0, 0x0, ... 02982 1580 NtSetEventBoostPriority (300, ... 
02983 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81945, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\344\4\0\0\334\6\0\0" ... ... 02984 596 NtWaitForSingleObject (300, 0, 0x0, ... 02971 1664 NtWaitForSingleObject ... ) == 0x0 02985 1664 NtSetEventBoostPriority (300, ... 02969 420 NtWaitForSingleObject ... ) == 0x0 02986 420 NtSetEventBoostPriority (300, ... 02975 384 NtWaitForSingleObject ... ) == 0x0 02987 384 NtSetEventBoostPriority (300, ... 02976 2012 NtWaitForSingleObject ... ) == 0x0 02988 2012 NtSetEventBoostPriority (300, ... 02977 1168 NtWaitForSingleObject ... ) == 0x0 02989 1168 NtSetEventBoostPriority (300, ... 02978 376 NtWaitForSingleObject ... ) == 0x0 02990 376 NtSetEventBoostPriority (300, ... 02984 596 NtWaitForSingleObject ... ) == 0x0 02991 596 NtAllocateVirtualMemory (-1, 12046336, 0, 4096, 4096, 260, ... 12046336, 4096, ) == 0x0 02992 596 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02990 376 NtSetEventBoostPriority ... ) == 0x0 02989 1168 NtSetEventBoostPriority ... ) == 0x0 02988 2012 NtSetEventBoostPriority ... ) == 0x0 02987 384 NtSetEventBoostPriority ... ) == 0x0 02986 420 NtSetEventBoostPriority ... ) == 0x0 02985 1664 NtSetEventBoostPriority ... ) == 0x0 02982 1580 NtSetEventBoostPriority ... ) == 0x0 02993 1180 NtSetEventBoostPriority (132, ... 02983 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81946, 0} ... {28, 56, reply, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\3\0\0\344\4\0\0\334\6\0\0" ) ) == 0x0 02992 596 NtCreateEvent ... 952, ) == 0x0 02994 376 NtWaitForSingleObject (352, 0, 0x0, ... 02995 1168 NtAllocateVirtualMemory (-1, 1437696, 0, 4096, 4096, 4, ... 02996 384 NtWaitForSingleObject (300, 0, 0x0, ... 02997 420 NtWaitForSingleObject (300, 0, 0x0, ... 02998 2012 NtWaitForSingleObject (300, 0, 0x0, ... 02999 1580 NtWaitForSingleObject (352, 0, 0x0, ... 00993 928 NtWaitForSingleObject ... ) == 0x0 02993 1180 NtSetEventBoostPriority ... 
) == 0x0 03000 896 NtResumeThread (948, ... 03001 596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02995 1168 NtAllocateVirtualMemory ... 1437696, 4096, ) == 0x0 03002 928 NtWaitForSingleObject (300, 0, 0x0, ... 03003 1180 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03000 896 NtResumeThread ... 1, ) == 0x0 03001 596 NtDuplicateObject ... 956, ) == 0x0 03004 1168 NtSetEventBoostPriority (300, ... 03003 1180 NtCreateEvent ... 960, ) == 0x0 03005 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03006 596 NtWaitForSingleObject (300, 0, 0x0, ... 02996 384 NtWaitForSingleObject ... ) == 0x0 03004 1168 NtSetEventBoostPriority ... ) == 0x0 03007 1180 NtWaitForSingleObject (300, 0, 0x0, ... 03005 896 NtAllocateVirtualMemory ... 103415808, 1048576, ) == 0x0 03008 384 NtSetEventBoostPriority (300, ... 03009 1168 NtWaitForSingleObject (300, 0, 0x0, ... 02997 420 NtWaitForSingleObject ... ) == 0x0 03008 384 NtSetEventBoostPriority ... ) == 0x0 03010 896 NtAllocateVirtualMemory (-1, 104456192, 0, 8192, 4096, 4, ... 03011 420 NtSetEventBoostPriority (300, ... 03012 1664 NtSetEventBoostPriority (352, ... 03013 1756 NtWaitForSingleObject (300, 0, 0x0, ... 03014 384 NtWaitForSingleObject (300, 0, 0x0, ... 02998 2012 NtWaitForSingleObject ... ) == 0x0 03011 420 NtSetEventBoostPriority ... ) == 0x0 02849 1248 NtWaitForSingleObject ... ) == 0x0 03012 1664 NtSetEventBoostPriority ... ) == 0x0 03015 2012 NtSetEventBoostPriority (300, ... 03010 896 NtAllocateVirtualMemory ... 104456192, 8192, ) == 0x0 03016 1248 NtWaitForSingleObject (300, 0, 0x0, ... 03002 928 NtWaitForSingleObject ... ) == 0x0 03015 2012 NtSetEventBoostPriority ... ) == 0x0 03017 1664 NtWaitForSingleObject (64, 0, {0, 0}, ... 03018 928 NtSetEventBoostPriority (300, ... 03019 896 NtProtectVirtualMemory (-1, (0x639e000), 4096, 260, ... 03020 2012 NtWaitForSingleObject (300, 0, 0x0, ... 03006 596 NtWaitForSingleObject ... ) == 0x0 03018 928 NtSetEventBoostPriority ... ) == 0x0 03017 1664 NtWaitForSingleObject ... 
) == 0x102 03019 896 NtProtectVirtualMemory ... (0x639e000), 4096, 4, ) == 0x0 03021 420 NtWaitForSingleObject (300, 0, 0x0, ... 03022 596 NtSetEventBoostPriority (300, ... 03023 1664 NtWaitForSingleObject (132, 0, 0x0, ... 03024 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03007 1180 NtWaitForSingleObject ... ) == 0x0 03022 596 NtSetEventBoostPriority ... ) == 0x0 03025 928 NtWaitForSingleObject (300, 0, 0x0, ... 03026 1180 NtSetEventBoostPriority (300, ... 03024 896 NtCreateThread ... 964, {1252, 1304}, ) == 0x0 03009 1168 NtWaitForSingleObject ... ) == 0x0 03026 1180 NtSetEventBoostPriority ... ) == 0x0 03027 1168 NtSetEventBoostPriority (300, ... 03028 896 NtQueryInformationThread (964, Basic, 28, ... 03029 596 NtWaitForSingleObject (300, 0, 0x0, ... 03013 1756 NtWaitForSingleObject ... ) == 0x0 03027 1168 NtSetEventBoostPriority ... ) == 0x0 03030 1180 NtWaitForSingleObject (300, 0, 0x0, ... 03031 1756 NtSetEventBoostPriority (300, ... 03028 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1252,Tid=1304,}, 0x0, ) == 0x0 03014 384 NtWaitForSingleObject ... ) == 0x0 03031 1756 NtSetEventBoostPriority ... ) == 0x0 03032 384 NtSetEventBoostPriority (300, ... 03033 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81946, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0\344\4\0\0\30\5\0\0" ... ... 03034 1168 NtWaitForSingleObject (300, 0, 0x0, ... 03016 1248 NtWaitForSingleObject ... ) == 0x0 03032 384 NtSetEventBoostPriority ... ) == 0x0 03033 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81947, 0} ... {28, 56, reply, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\3\0\0\344\4\0\0\30\5\0\0" ) ) == 0x0 03035 1248 NtSetEventBoostPriority (300, ... 03036 384 NtWaitForSingleObject (300, 0, 0x0, ... 03020 2012 NtWaitForSingleObject ... ) == 0x0 03035 1248 NtSetEventBoostPriority ... ) == 0x0 03037 896 NtResumeThread (964, ... 
03038 1756 NtTestAlert (... 03039 2012 NtAllocateVirtualMemory (-1, 1441792, 0, 4096, 4096, 4, ... 03037 896 NtResumeThread ... 1, ) == 0x0 03039 2012 NtAllocateVirtualMemory ... 1441792, 4096, ) == 0x0 03038 1756 NtTestAlert ... ) == 0x0 03040 1248 NtSetEventBoostPriority (352, ... 03041 1304 NtWaitForSingleObject (300, 0, 0x0, ... 03042 2012 NtSetEventBoostPriority (300, ... 03043 1756 NtContinue (103415088, 1, ... 02844 1440 NtWaitForSingleObject ... ) == 0x0 03040 1248 NtSetEventBoostPriority ... ) == 0x0 03021 420 NtWaitForSingleObject ... ) == 0x0 03044 1440 NtWaitForSingleObject (300, 0, 0x0, ... 03045 1756 NtRegisterThreadTerminatePort (24, ... 03046 1248 NtWaitForSingleObject (64, 0, {0, 0}, ... 03047 420 NtSetEventBoostPriority (300, ... 03045 1756 NtRegisterThreadTerminatePort ... ) == 0x0 03046 1248 NtWaitForSingleObject ... ) == 0x102 03025 928 NtWaitForSingleObject ... ) == 0x0 03047 420 NtSetEventBoostPriority ... ) == 0x0 03048 1756 NtWaitForSingleObject (300, 0, 0x0, ... 03049 928 NtSetEventBoostPriority (300, ... 03050 1248 NtWaitForSingleObject (300, 0, 0x0, ... 03051 420 NtWaitForSingleObject (300, 0, 0x0, ... 03042 2012 NtSetEventBoostPriority ... ) == 0x0 03052 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03029 596 NtWaitForSingleObject ... ) == 0x0 03049 928 NtSetEventBoostPriority ... ) == 0x0 03053 596 NtSetEventBoostPriority (300, ... 03052 896 NtAllocateVirtualMemory ... 104464384, 1048576, ) == 0x0 03030 1180 NtWaitForSingleObject ... ) == 0x0 03053 596 NtSetEventBoostPriority ... ) == 0x0 03054 928 NtWaitForSingleObject (300, 0, 0x0, ... 03055 1180 NtSetEventBoostPriority (300, ... 03056 896 NtAllocateVirtualMemory (-1, 105504768, 0, 8192, 4096, 4, ... 03057 596 NtWaitForSingleObject (300, 0, 0x0, ... 03058 2012 NtWaitForSingleObject (300, 0, 0x0, ... 03034 1168 NtWaitForSingleObject ... ) == 0x0 03055 1180 NtSetEventBoostPriority ... ) == 0x0 03056 896 NtAllocateVirtualMemory ... 
105504768, 8192, ) == 0x0 03059 1168 NtSetEventBoostPriority (300, ... 03060 1180 NtWaitForSingleObject (300, 0, 0x0, ... 03036 384 NtWaitForSingleObject ... ) == 0x0 03059 1168 NtSetEventBoostPriority ... ) == 0x0 03061 896 NtProtectVirtualMemory (-1, (0x649e000), 4096, 260, ... 03062 384 NtSetEventBoostPriority (300, ... 03063 1168 NtWaitForSingleObject (300, 0, 0x0, ... 03041 1304 NtWaitForSingleObject ... ) == 0x0 03061 896 NtProtectVirtualMemory ... (0x649e000), 4096, 4, ) == 0x0 03062 384 NtSetEventBoostPriority ... ) == 0x0 03064 1304 NtSetEventBoostPriority (300, ... 03065 384 NtWaitForSingleObject (352, 0, 0x0, ... 03044 1440 NtWaitForSingleObject ... ) == 0x0 03064 1304 NtSetEventBoostPriority ... ) == 0x0 03066 1440 NtSetEventBoostPriority (300, ... 03067 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03048 1756 NtWaitForSingleObject ... ) == 0x0 03067 896 NtCreateThread ... 968, {1252, 2052}, ) == 0x0 03068 1756 NtSetEventBoostPriority (300, ... 03069 896 NtQueryInformationThread (968, Basic, 28, ... 03050 1248 NtWaitForSingleObject ... ) == 0x0 03068 1756 NtSetEventBoostPriority ... ) == 0x0 03066 1440 NtSetEventBoostPriority ... ) == 0x0 03070 1304 NtTestAlert (... 03071 1248 NtSetEventBoostPriority (300, ... 03072 1756 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03069 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1252,Tid=2052,}, 0x0, ) == 0x0 03070 1304 NtTestAlert ... ) == 0x0 03051 420 NtWaitForSingleObject ... ) == 0x0 03072 1756 NtDuplicateObject ... 972, ) == 0x0 03073 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\344\4\0\0\4\10\0\0" ... ... 03074 1304 NtContinue (104463664, 1, ... 03075 420 NtSetEventBoostPriority (300, ... 03071 1248 NtSetEventBoostPriority ... ) == 0x0 03076 1440 NtSetEventBoostPriority (352, ... 03073 896 NtRequestWaitReplyPort ... 
{28, 56, reply, 0, 1252, 896, 81948, 0} ... {28, 56, reply, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\3\0\0\344\4\0\0\4\10\0\0" ) ) == 0x0 03077 1304 NtRegisterThreadTerminatePort (24, ... 03054 928 NtWaitForSingleObject ... ) == 0x0 03078 1248 NtWaitForSingleObject (132, 0, 0x0, ... 02935 760 NtWaitForSingleObject ... ) == 0x0 03076 1440 NtSetEventBoostPriority ... ) == 0x0 03079 896 NtResumeThread (968, ... 03077 1304 NtRegisterThreadTerminatePort ... ) == 0x0 03080 928 NtSetEventBoostPriority (300, ... 03081 760 NtWaitForSingleObject (300, 0, 0x0, ... 03082 1440 NtWaitForSingleObject (64, 0, {0, 0}, ... 03079 896 NtResumeThread ... 1, ) == 0x0 03083 1304 NtWaitForSingleObject (300, 0, 0x0, ... 03058 2012 NtWaitForSingleObject ... ) == 0x0 03082 1440 NtWaitForSingleObject ... ) == 0x102 03080 928 NtSetEventBoostPriority ... ) == 0x0 03075 420 NtSetEventBoostPriority ... ) == 0x0 03084 1756 NtWaitForSingleObject (300, 0, 0x0, ... 03085 2052 NtWaitForSingleObject (300, 0, 0x0, ... 03086 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03087 2012 NtSetEventBoostPriority (300, ... 03088 1440 NtWaitForSingleObject (300, 0, 0x0, ... 03089 928 NtWaitForSingleObject (300, 0, 0x0, ... 03090 420 NtWaitForSingleObject (300, 0, 0x0, ... 03086 896 NtAllocateVirtualMemory ... 105512960, 1048576, ) == 0x0 03057 596 NtWaitForSingleObject ... ) == 0x0 03087 2012 NtSetEventBoostPriority ... ) == 0x0 03091 596 NtSetEventBoostPriority (300, ... 03092 896 NtAllocateVirtualMemory (-1, 106553344, 0, 8192, 4096, 4, ... 03060 1180 NtWaitForSingleObject ... ) == 0x0 03093 2012 NtWaitForSingleObject (300, 0, 0x0, ... 03092 896 NtAllocateVirtualMemory ... 106553344, 8192, ) == 0x0 03094 1180 NtAllocateVirtualMemory (-1, 1445888, 0, 4096, 4096, 4, ... 03091 596 NtSetEventBoostPriority ... ) == 0x0 03095 896 NtProtectVirtualMemory (-1, (0x659e000), 4096, 260, ... 03094 1180 NtAllocateVirtualMemory ... 
1445888, 4096, ) == 0x0 03096 596 NtWaitForSingleObject (300, 0, 0x0, ... 03095 896 NtProtectVirtualMemory ... (0x659e000), 4096, 4, ) == 0x0 03097 1180 NtSetEventBoostPriority (300, ... 03063 1168 NtWaitForSingleObject ... ) == 0x0 03098 1168 NtSetEventBoostPriority (300, ... 03081 760 NtWaitForSingleObject ... ) == 0x0 03099 760 NtSetEventBoostPriority (300, ... 03084 1756 NtWaitForSingleObject ... ) == 0x0 03100 1756 NtSetEventBoostPriority (300, ... 03085 2052 NtWaitForSingleObject ... ) == 0x0 03101 2052 NtSetEventBoostPriority (300, ... 03083 1304 NtWaitForSingleObject ... ) == 0x0 03102 1304 NtSetEventBoostPriority (300, ... 03089 928 NtWaitForSingleObject ... ) == 0x0 03103 928 NtSetEventBoostPriority (300, ... 03090 420 NtWaitForSingleObject ... ) == 0x0 03104 420 NtSetEventBoostPriority (300, ... 03088 1440 NtWaitForSingleObject ... ) == 0x0 03105 1440 NtSetEventBoostPriority (300, ... 03096 596 NtWaitForSingleObject ... ) == 0x0 03106 596 NtSetEventBoostPriority (300, ... 03093 2012 NtWaitForSingleObject ... ) == 0x0 03107 2012 NtAllocateVirtualMemory (-1, 17289216, 0, 4096, 4096, 260, ... 17289216, 4096, ) == 0x0 03108 2012 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 976, ) == 0x0 03106 596 NtSetEventBoostPriority ... ) == 0x0 03104 420 NtSetEventBoostPriority ... ) == 0x0 03103 928 NtSetEventBoostPriority ... ) == 0x0 03101 2052 NtSetEventBoostPriority ... ) == 0x0 03100 1756 NtSetEventBoostPriority ... ) == 0x0 03099 760 NtSetEventBoostPriority ... ) == 0x0 03105 1440 NtSetEventBoostPriority ... ) == 0x0 03102 1304 NtSetEventBoostPriority ... ) == 0x0 03098 1168 NtSetEventBoostPriority ... ) == 0x0 03097 1180 NtSetEventBoostPriority ... ) == 0x0 03109 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03110 2012 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03111 596 NtWaitForSingleObject (352, 0, 0x0, ... 03112 420 NtWaitForSingleObject (352, 0, 0x0, ... 03113 928 NtSetEventBoostPriority (132, ... 
03114 1756 NtWaitForSingleObject (352, 0, 0x0, ... 03115 2052 NtTestAlert (... 03116 1440 NtWaitForSingleObject (132, 0, 0x0, ... 03117 1304 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03118 1168 NtAllocateVirtualMemory (-1, 18337792, 0, 4096, 4096, 260, ... 03119 760 NtSetEventBoostPriority (352, ... 03109 896 NtCreateThread ... 980, {1252, 2056}, ) == 0x0 03110 2012 NtDuplicateObject ... 984, ) == 0x0 00999 428 NtWaitForSingleObject ... ) == 0x0 03113 928 NtSetEventBoostPriority ... ) == 0x0 03120 1180 NtAllocateVirtualMemory (-1, 19386368, 0, 4096, 4096, 260, ... 03115 2052 NtTestAlert ... ) == 0x0 03117 1304 NtDuplicateObject ... 988, ) == 0x0 03118 1168 NtAllocateVirtualMemory ... 18337792, 4096, ) == 0x0 02937 1656 NtWaitForSingleObject ... ) == 0x0 03119 760 NtSetEventBoostPriority ... ) == 0x0 03121 896 NtQueryInformationThread (980, Basic, 28, ... 03122 428 NtSetEventBoostPriority (132, ... 03123 2012 NtWaitForSingleObject (352, 0, 0x0, ... 03124 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03120 1180 NtAllocateVirtualMemory ... 19386368, 4096, ) == 0x0 03125 2052 NtContinue (105512240, 1, ... 03126 1304 NtWaitForSingleObject (352, 0, 0x0, ... 03127 1656 NtSetEventBoostPriority (352, ... 03128 760 NtWaitForSingleObject (64, 0, {0, 0}, ... 01009 1732 NtWaitForSingleObject ... ) == 0x0 03122 428 NtSetEventBoostPriority ... ) == 0x0 03121 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1252,Tid=2056,}, 0x0, ) == 0x0 03124 928 NtCreateEvent ... 992, ) == 0x0 03129 1180 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03130 2052 NtRegisterThreadTerminatePort (24, ... 02951 484 NtWaitForSingleObject ... ) == 0x0 03131 1732 NtSetEventBoostPriority (132, ... 03128 760 NtWaitForSingleObject ... ) == 0x102 03127 1656 NtSetEventBoostPriority ... ) == 0x0 03132 1168 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
03133 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81948, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0\344\4\0\0\10\10\0\0" ... ... 03134 928 NtAllocateVirtualMemory (-1, 20434944, 0, 4096, 4096, 260, ... 03129 1180 NtCreateEvent ... 996, ) == 0x0 03130 2052 NtRegisterThreadTerminatePort ... ) == 0x0 01421 1024 NtWaitForSingleObject ... ) == 0x0 03131 1732 NtSetEventBoostPriority ... ) == 0x0 03135 484 NtSetEventBoostPriority (352, ... 03136 760 NtWaitForSingleObject (132, 0, 0x0, ... 03137 1656 NtWaitForSingleObject (64, 0, {0, 0}, ... 03132 1168 NtCreateEvent ... 1000, ) == 0x0 03134 928 NtAllocateVirtualMemory ... 20434944, 4096, ) == 0x0 03138 1180 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03139 1024 NtSetEventBoostPriority (132, ... 03140 2052 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03141 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03133 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81949, 0} ... {28, 56, reply, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0\344\4\0\0\10\10\0\0" ) ) == 0x0 02953 1028 NtWaitForSingleObject ... ) == 0x0 03135 484 NtSetEventBoostPriority ... ) == 0x0 03142 1732 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03143 1168 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03137 1656 NtWaitForSingleObject ... ) == 0x102 01423 1324 NtWaitForSingleObject ... ) == 0x0 03139 1024 NtSetEventBoostPriority ... ) == 0x0 03138 1180 NtDuplicateObject ... 1004, ) == 0x0 03144 928 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03141 428 NtCreateEvent ... 1008, ) == 0x0 03145 1028 NtSetEventBoostPriority (352, ... 03146 896 NtResumeThread (980, ... 03147 484 NtWaitForSingleObject (64, 0, {0, 0}, ... 03142 1732 NtCreateEvent ... 1012, ) == 0x0 03143 1168 NtDuplicateObject ... 1016, ) == 0x0 03148 1324 NtSetEventBoostPriority (132, ... 03149 1656 NtWaitForSingleObject (132, 0, 0x0, ... 03140 2052 NtDuplicateObject ... 
1020, ) == 0x0 03150 1024 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03144 928 NtCreateEvent ... 1024, ) == 0x0 02994 376 NtWaitForSingleObject ... ) == 0x0 03145 1028 NtSetEventBoostPriority ... ) == 0x0 03151 428 NtAllocateVirtualMemory (-1, 1449984, 0, 4096, 4096, 4, ... 03146 896 NtResumeThread ... 1, ) == 0x0 03152 1180 NtWaitForSingleObject (300, 0, 0x0, ... 03153 1732 NtWaitForSingleObject (300, 0, 0x0, ... 01471 1776 NtWaitForSingleObject ... ) == 0x0 03148 1324 NtSetEventBoostPriority ... ) == 0x0 03154 1168 NtWaitForSingleObject (300, 0, 0x0, ... 03155 2052 NtWaitForSingleObject (300, 0, 0x0, ... 03150 1024 NtCreateEvent ... 1028, ) == 0x0 03156 376 NtWaitForSingleObject (300, 0, 0x0, ... 03157 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03147 484 NtWaitForSingleObject ... ) == 0x102 03158 2056 NtWaitForSingleObject (300, 0, 0x0, ... 03151 428 NtAllocateVirtualMemory ... 1449984, 4096, ) == 0x0 03159 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03160 1776 NtWaitForSingleObject (300, 0, 0x0, ... 03161 1028 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 03162 1024 NtWaitForSingleObject (300, 0, 0x0, ... 03157 928 NtDuplicateObject ... 1032, ) == 0x0 03163 484 NtWaitForSingleObject (300, 0, 0x0, ... 03164 428 NtSetEventBoostPriority (300, ... 03159 896 NtAllocateVirtualMemory ... 106561536, 1048576, ) == 0x0 03161 1028 NtCreateEvent ... 1036, ) == 0x0 03165 928 NtWaitForSingleObject (300, 0, 0x0, ... 03152 1180 NtWaitForSingleObject ... ) == 0x0 03164 428 NtSetEventBoostPriority ... ) == 0x0 03166 896 NtAllocateVirtualMemory (-1, 107601920, 0, 8192, 4096, 4, ... 03167 1028 NtWaitForSingleObject (352, 0, 0x0, ... 03168 1180 NtSetEventBoostPriority (300, ... 03169 1324 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03170 428 NtWaitForSingleObject (300, 0, 0x0, ... 03153 1732 NtWaitForSingleObject ... ) == 0x0 03168 1180 NtSetEventBoostPriority ... ) == 0x0 03169 1324 NtCreateEvent ... 1040, ) == 0x0 03171 1732 NtSetEventBoostPriority (300, ... 
03172 1180 NtWaitForSingleObject (300, 0, 0x0, ... 03154 1168 NtWaitForSingleObject ... ) == 0x0 03171 1732 NtSetEventBoostPriority ... ) == 0x0 03173 1324 NtWaitForSingleObject (300, 0, 0x0, ... 03166 896 NtAllocateVirtualMemory ... 107601920, 8192, ) == 0x0 03174 1168 NtSetEventBoostPriority (300, ... 03155 2052 NtWaitForSingleObject ... ) == 0x0 03175 2052 NtSetEventBoostPriority (300, ... 03156 376 NtWaitForSingleObject ... ) == 0x0 03176 376 NtSetEventBoostPriority (300, ... 03158 2056 NtWaitForSingleObject ... ) == 0x0 03177 2056 NtSetEventBoostPriority (300, ... 03160 1776 NtWaitForSingleObject ... ) == 0x0 03178 1776 NtSetEventBoostPriority (300, ... 03162 1024 NtWaitForSingleObject ... ) == 0x0 03179 1024 NtSetEventBoostPriority (300, ... 03163 484 NtWaitForSingleObject ... ) == 0x0 03180 484 NtSetEventBoostPriority (300, ... 03165 928 NtWaitForSingleObject ... ) == 0x0 03181 928 NtSetEventBoostPriority (300, ... 03170 428 NtWaitForSingleObject ... ) == 0x0 03182 428 NtSetEventBoostPriority (300, ... 03172 1180 NtWaitForSingleObject ... ) == 0x0 03183 1180 NtSetEventBoostPriority (300, ... 03173 1324 NtWaitForSingleObject ... ) == 0x0 03184 1324 NtAllocateVirtualMemory (-1, 1454080, 0, 4096, 4096, 4, ... 1454080, 4096, ) == 0x0 03182 428 NtSetEventBoostPriority ... ) == 0x0 03181 928 NtSetEventBoostPriority ... ) == 0x0 03180 484 NtSetEventBoostPriority ... ) == 0x0 03179 1024 NtSetEventBoostPriority ... ) == 0x0 03178 1776 NtSetEventBoostPriority ... ) == 0x0 03177 2056 NtSetEventBoostPriority ... ) == 0x0 03176 376 NtSetEventBoostPriority ... ) == 0x0 03175 2052 NtSetEventBoostPriority ... ) == 0x0 03174 1168 NtSetEventBoostPriority ... ) == 0x0 03185 896 NtProtectVirtualMemory (-1, (0x669e000), 4096, 260, ... 03183 1180 NtSetEventBoostPriority ... ) == 0x0 03186 1732 NtWaitForSingleObject (300, 0, 0x0, ... 03187 428 NtWaitForSingleObject (300, 0, 0x0, ... 03188 1324 NtSetEventBoostPriority (300, ... 03189 928 NtWaitForSingleObject (300, 0, 0x0, ... 
03190 484 NtWaitForSingleObject (132, 0, 0x0, ... 03191 1024 NtWaitForSingleObject (300, 0, 0x0, ... 03192 1776 NtWaitForSingleObject (300, 0, 0x0, ... 03193 2056 NtTestAlert (... 03194 376 NtSetEventBoostPriority (352, ... 03195 2052 NtWaitForSingleObject (300, 0, 0x0, ... 03185 896 NtProtectVirtualMemory ... (0x669e000), 4096, 4, ) == 0x0 03196 1180 NtWaitForSingleObject (300, 0, 0x0, ... 03197 1168 NtWaitForSingleObject (300, 0, 0x0, ... 03186 1732 NtWaitForSingleObject ... ) == 0x0 03188 1324 NtSetEventBoostPriority ... ) == 0x0 03193 2056 NtTestAlert ... ) == 0x0 02999 1580 NtWaitForSingleObject ... ) == 0x0 03194 376 NtSetEventBoostPriority ... ) == 0x0 03198 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03199 1732 NtSetEventBoostPriority (300, ... 03200 1324 NtWaitForSingleObject (300, 0, 0x0, ... 03201 1580 NtWaitForSingleObject (300, 0, 0x0, ... 03202 2056 NtContinue (106560816, 1, ... 03203 376 NtWaitForSingleObject (464, 0, 0x0, ... 03189 928 NtWaitForSingleObject ... ) == 0x0 03199 1732 NtSetEventBoostPriority ... ) == 0x0 03198 896 NtCreateThread ... 1044, {1252, 2060}, ) == 0x0 03204 2056 NtRegisterThreadTerminatePort (24, ... 03205 928 NtSetEventBoostPriority (300, ... 03206 1732 NtWaitForSingleObject (300, 0, 0x0, ... 03207 896 NtQueryInformationThread (1044, Basic, 28, ... 03191 1024 NtWaitForSingleObject ... ) == 0x0 03205 928 NtSetEventBoostPriority ... ) == 0x0 03204 2056 NtRegisterThreadTerminatePort ... ) == 0x0 03208 1024 NtAllocateVirtualMemory (-1, 1458176, 0, 4096, 4096, 4, ... 03209 928 NtWaitForSingleObject (300, 0, 0x0, ... 03208 1024 NtAllocateVirtualMemory ... 1458176, 4096, ) == 0x0 03210 2056 NtWaitForSingleObject (300, 0, 0x0, ... 03207 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1252,Tid=2060,}, 0x0, ) == 0x0 03211 1024 NtSetEventBoostPriority (300, ... 
03212 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\4\0\0\344\4\0\0\14\10\0\0" ... {28, 56, reply, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\4\0\0\344\4\0\0\14\10\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81950, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81949, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\4\0\0\344\4\0\0\14\10\0\0" ... {28, 56, reply, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\4\0\0\344\4\0\0\14\10\0\0" ) ) == 0x0 03213 896 NtResumeThread (1044, ... 1, ) == 0x0 03214 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 107610112, 1048576, ) == 0x0 03215 896 NtAllocateVirtualMemory (-1, 108650496, 0, 8192, 4096, 4, ... 108650496, 8192, ) == 0x0 03216 896 NtProtectVirtualMemory (-1, (0x679e000), 4096, 260, ... (0x679e000), 4096, 4, ) == 0x0 03192 1776 NtWaitForSingleObject ... ) == 0x0 03211 1024 NtSetEventBoostPriority ... ) == 0x0 03217 2060 NtWaitForSingleObject (300, 0, 0x0, ... 03218 1776 NtSetEventBoostPriority (300, ... 03219 1024 NtWaitForSingleObject (300, 0, 0x0, ... 03195 2052 NtWaitForSingleObject ... ) == 0x0 03218 1776 NtSetEventBoostPriority ... ) == 0x0 03220 2052 NtSetEventBoostPriority (300, ... 03196 1180 NtWaitForSingleObject ... ) == 0x0 03221 1180 NtSetEventBoostPriority (300, ... 03197 1168 NtWaitForSingleObject ... ) == 0x0 03222 1168 NtSetEventBoostPriority (300, ... 03201 1580 NtWaitForSingleObject ... ) == 0x0 03223 1580 NtSetEventBoostPriority (300, ... 03200 1324 NtWaitForSingleObject ... ) == 0x0 03224 1324 NtSetEventBoostPriority (300, ... 03187 428 NtWaitForSingleObject ... ) == 0x0 03225 428 NtSetEventBoostPriority (300, ... 03206 1732 NtWaitForSingleObject ... ) == 0x0 03226 1732 NtAllocateVirtualMemory (-1, 1462272, 0, 4096, 4096, 4, ... 1462272, 4096, ) == 0x0 03227 1732 NtSetEventBoostPriority (300, ... 03209 928 NtWaitForSingleObject ... 
) == 0x0 03228 928 NtSetEventBoostPriority (300, ... 03210 2056 NtWaitForSingleObject ... ) == 0x0 03229 2056 NtSetEventBoostPriority (300, ... 03217 2060 NtWaitForSingleObject ... ) == 0x0 03230 2060 NtSetEventBoostPriority (300, ... 03219 1024 NtWaitForSingleObject ... ) == 0x0 03231 1024 NtAllocateVirtualMemory (-1, 35115008, 0, 4096, 4096, 260, ... 35115008, 4096, ) == 0x0 03230 2060 NtSetEventBoostPriority ... ) == 0x0 03224 1324 NtSetEventBoostPriority ... ) == 0x0 03223 1580 NtSetEventBoostPriority ... ) == 0x0 03222 1168 NtSetEventBoostPriority ... ) == 0x0 03221 1180 NtSetEventBoostPriority ... ) == 0x0 03220 2052 NtSetEventBoostPriority ... ) == 0x0 03232 1776 NtSetEventBoostPriority (132, ... 03229 2056 NtSetEventBoostPriority ... ) == 0x0 03228 928 NtSetEventBoostPriority ... ) == 0x0 03227 1732 NtSetEventBoostPriority ... ) == 0x0 03225 428 NtSetEventBoostPriority ... ) == 0x0 03233 896 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03234 1024 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03235 2060 NtTestAlert (... 03236 1324 NtAllocateVirtualMemory (-1, 36163584, 0, 4096, 4096, 260, ... 03237 1168 NtWaitForSingleObject (352, 0, 0x0, ... 03238 1580 NtSetEventBoostPriority (352, ... 03239 2052 NtWaitForSingleObject (352, 0, 0x0, ... 03240 1180 NtWaitForSingleObject (352, 0, 0x0, ... 03241 2056 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03242 928 NtWaitForSingleObject (352, 0, 0x0, ... 01474 500 NtWaitForSingleObject ... ) == 0x0 03232 1776 NtSetEventBoostPriority ... ) == 0x0 03243 428 NtAllocateVirtualMemory (-1, 21483520, 0, 4096, 4096, 260, ... 03233 896 NtCreateThread ... 1048, {1252, 2064}, ) == 0x0 03234 1024 NtCreateEvent ... 1052, ) == 0x0 03235 2060 NtTestAlert ... ) == 0x0 03236 1324 NtAllocateVirtualMemory ... 36163584, 4096, ) == 0x0 03244 1732 NtAllocateVirtualMemory (-1, 22532096, 0, 4096, 4096, 260, ... 03065 384 NtWaitForSingleObject ... ) == 0x0 03238 1580 NtSetEventBoostPriority ... ) == 0x0 03241 2056 NtDuplicateObject ... 
1056, ) == 0x0 03245 500 NtSetEventBoostPriority (132, ... 03246 1776 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03243 428 NtAllocateVirtualMemory ... 21483520, 4096, ) == 0x0 03247 896 NtQueryInformationThread (1048, Basic, 28, ... 03248 1024 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03249 2060 NtContinue (107609392, 1, ... 03250 1324 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03251 384 NtSetEventBoostPriority (352, ... 03244 1732 NtAllocateVirtualMemory ... 22532096, 4096, ) == 0x0 03252 1580 NtWaitForSingleObject (64, 0, {0, 0}, ... 01477 1708 NtWaitForSingleObject ... ) == 0x0 03245 500 NtSetEventBoostPriority ... ) == 0x0 03246 1776 NtCreateEvent ... 1060, ) == 0x0 03253 2056 NtWaitForSingleObject (352, 0, 0x0, ... 03247 896 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1252,Tid=2064,}, 0x0, ) == 0x0 03248 1024 NtDuplicateObject ... 1064, ) == 0x0 03254 2060 NtRegisterThreadTerminatePort (24, ... 03111 596 NtWaitForSingleObject ... ) == 0x0 03251 384 NtSetEventBoostPriority ... ) == 0x0 03250 1324 NtCreateEvent ... 1068, ) == 0x0 03255 1732 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03256 1708 NtSetEventBoostPriority (132, ... 03252 1580 NtWaitForSingleObject ... ) == 0x102 03257 500 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03258 1776 NtAllocateVirtualMemory (-1, 37212160, 0, 4096, 4096, 260, ... 03259 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0} (24, {28, 56, new_msg, 0, 1252, 896, 81950, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\344\4\0\0\20\10\0\0" ... ... 03260 1024 NtWaitForSingleObject (352, 0, 0x0, ... 03261 596 NtSetEventBoostPriority (352, ... 03254 2060 NtRegisterThreadTerminatePort ... ) == 0x0 03262 428 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03263 1324 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01482 748 NtWaitForSingleObject ... ) == 0x0 03256 1708 NtSetEventBoostPriority ... ) == 0x0 03255 1732 NtCreateEvent ... 1072, ) == 0x0 03264 1580 NtWaitForSingleObject (132, 0, 0x0, ... 
03265 384 NtWaitForSingleObject (464, 0, 0x0, ... 03258 1776 NtAllocateVirtualMemory ... 37212160, 4096, ) == 0x0 03112 420 NtWaitForSingleObject ... ) == 0x0 03261 596 NtSetEventBoostPriority ... ) == 0x0 03266 2060 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03262 428 NtCreateEvent ... 1076, ) == 0x0 03267 748 NtSetEventBoostPriority (132, ... 03263 1324 NtDuplicateObject ... 1080, ) == 0x0 03268 1708 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03269 1732 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03257 500 NtCreateEvent ... 1084, ) == 0x0 03259 896 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1252, 896, 81951, 0} ... {28, 56, reply, 0, 1252, 896, 81951, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\30\4\0\0\344\4\0\0\20\10\0\0" ) ) == 0x0 03270 420 NtSetEventBoostPriority (352, ... 03271 1776 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03272 596 NtWaitForSingleObject (464, 0, 0x0, ... 01522 900 NtWaitForSingleObject ... ) == 0x0 03267 748 NtSetEventBoostPriority ... ) == 0x0 03273 428 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03266 2060 NtDuplicateObject ... 1088, ) == 0x0 03274 1324 NtWaitForSingleObject (352, 0, 0x0, ... 03269 1732 NtDuplicateObject ... 1092, ) == 0x0 03275 500 NtAllocateVirtualMemory (-1, 1466368, 0, 4096, 4096, 4, ... 03114 1756 NtWaitForSingleObject ... ) == 0x0 03270 420 NtSetEventBoostPriority ... ) == 0x0 03276 896 NtResumeThread (1048, ... 03268 1708 NtCreateEvent ... 1096, ) == 0x0 03271 1776 NtCreateEvent ... 1100, ) == 0x0 03277 900 NtWaitForSingleObject (300, 0, 0x0, ... 03278 748 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03273 428 NtDuplicateObject ... 1104, ) == 0x0 03279 2060 NtWaitForSingleObject (300, 0, 0x0, ... 03280 1756 NtWaitForSingleObject (300, 0, 0x0, ... 03275 500 NtAllocateVirtualMemory ... 1466368, 4096, ) == 0x0 03281 420 NtWaitForSingleObject (464, 0, 0x0, ... 03276 896 NtResumeThread ... 1, ) == 0x0 03282 1708 NtWaitForSingleObject (300, 0, 0x0, ... 03283 1776 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
03284 1732 NtWaitForSingleObject (300, 0, 0x0, ... 03285 2064 NtWaitForSingleObject (300, 0, 0x0, ... 03286 428 NtWaitForSingleObject (300, 0, 0x0, ... 03287 500 NtSetEventBoostPriority (300, ... 03278 748 NtCreateEvent ... 1108, ) == 0x0 03288 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03283 1776 NtDuplicateObject ... 1112, ) == 0x0 03277 900 NtWaitForSingleObject ... ) == 0x0 03287 500 NtSetEventBoostPriority ... ) == 0x0 03289 748 NtWaitForSingleObject (300, 0, 0x0, ... 03288 896 NtAllocateVirtualMemory ... 108658688, 1048576, ) == 0x0 03290 900 NtSetEventBoostPriority (300, ... 03291 1776 NtWaitForSingleObject (300, 0, 0x0, ... 03292 500 NtWaitForSingleObject (300, 0, 0x0, ... 03280 1756 NtWaitForSingleObject ... ) == 0x0 03293 896 NtAllocateVirtualMemory (-1, 109699072, 0, 8192, 4096, 4, ... 03290 900 NtSetEventBoostPriority ... ) == 0x0 03294 1756 NtSetEventBoostPriority (300, ... 03293 896 NtAllocateVirtualMemory ... 109699072, 8192, ) == 0x0 03279 2060 NtWaitForSingleObject ... ) == 0x0